Re: [Openvpn-devel] [PATCH v2] Always release dhcp address in close_tun()

2017-01-04 Thread Selva Nair
Hi,

On Tue, Jan 3, 2017 at 3:38 PM,  wrote:

> v2: Mark --dhcp-release as obsolete in mapage and option parser, and
> remove the unused dhcp_release varaible.
>

Request typo fix at commit time:
 mapage -> man page and varaible -> variable

Sorry for the extra work..

Thanks,

Selva
--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] Summary of today's (Wednesday, 4th January 2016) community meeting

2017-01-04 Thread Samuli Seppänen

Hi,

Here's the summary of today's IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wednesday 4th Jan 2016
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:



The next meeting has not been scheduled yet.

Your local meeting time is easy to check from services such as



SUMMARY

cron2, danhunsaker, dazo, mattock, plaisthos, selvanair and valdikss 
participated in this meeting.


--

Went through quite a few Trac tickets. Some of them were ready to be closed 
as fixed.


--

Discussed OpenVPN 2.4.1 release schedule. Decided to have another look 
in a meeting ~ two weeks from now.


--

Discussed broken MacOS X builds (Travis and Buildbot). Mattock will look 
into this:




--

Discussed future meeting schedules. Mattock will set up a Doodle poll to 
figure out what options we have.


--

Discussed the VLAN patchset:



It was agreed that this would be a good feature for OpenVPN 2.5. The 
review was estimated to take a few full days. It was also noted that the 
review effort can't be easily shared to several people, so someone will 
have to do most of it.


--

Discussed OpenVPN release schedule. OpenVPN 2.4 took quite a lot of time 
to get out, and this was seen as a problem. However, there was 
disagreement on what kind of release cycle we should aim for.


The problem is that going through alphas/beta/rcs is quite 
time-consuming, so having releases too often eats valuable developer 
time that could be used to fix issues and improve things.


On the other hand having too few releases means that most people won't 
use the code that we have developed, as evidenced by all the bug reports 
that cropped up very shortly after 2.4.0 release.


Decided to continue this discussion later.

--

Discussed moving a few of mattock's OpenVPN projects under OpenVPN 
organization in GitHub:





It was agreed that it makes sense.

---

Full chatlog has been attached to this email.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

(21:01:08) mattock: ready for 
https://community.openvpn.net/openvpn/wiki/Topics-2017-01-04 ?
(21:01:10) vpnHelper: Title: Topics-2017-01-04 – OpenVPN Community (at 
community.openvpn.net)
(21:01:19) cron2: rumble!
(21:01:30) mattock: who else is here today?
(21:06:02) mattock: hmm
(21:06:21) mattock: perhaps we should start and see if someone joins / wakes up
(21:06:57) ***cron2 misses the agenda item "meeting schedule"
(21:07:03) ***dazo is here
(21:07:09) mattock: hi dazo
(21:07:17) dazo: hey :)
(21:07:18) mattock: cron2: yeah, that one is still missing, adding that
(21:08:02) mattock: done
(21:08:09) mattock: so Trac tickets first?
(21:08:49) dazo: which query should we look at ... so we're looking at the same 
things
(21:09:28) cron2: someone could just bring up trac tickets and then we look at 
it
(21:10:11) mattock: here's a basic query without Access Server / OpenVPN 
Connect tickets
(21:10:15) mattock: 
https://community.openvpn.net/openvpn/query?status=accepted=assigned=new=reopened=!Access+Server=!OpenVPN+Connect=id=summary=status=type=priority=milestone=component=priority
(21:10:19) vpnHelper: Title: Custom Query – OpenVPN Community (at 
community.openvpn.net)
(21:11:41) dazo: #647 ...
(21:11:49) dazo: but that's strictly 2.3
(21:13:21) cron2: well, it's "old 2.3 to something new, and can we make it 
easier to see what went wrong"
(21:14:15) dazo: hmm ... I wonder if we can close it ... "The patch I mentioned 
above has been applied" ... commit 29b65ffd
(21:14:30) dazo: git tag --contains 29b65ffd  ... lists 2.3.9+
(21:15:06) cron2: the remaining bit here is not the code but add a reasonable 
warning (to see what went wrong)
(21:15:33) cron2: let me mull about that some more
(21:15:41) mattock: ok
(21:15:47) dazo: okay, so we can downgrade it from critical to minor, and 
comment it has been partially resolved
(21:15:53) mattock: +1
(21:16:06) mattock: I'm looking if this one could be closed: 
https://community.openvpn.net/openvpn/ticket/788
(21:16:07) vpnHelper: Title: #788 (EASYRSA_KEY_SIZE, EASYRSA_DIGEST in vars is 
ignored) – OpenVPN Community (at community.openvpn.net)
(21:16:30) ***dazo ignores tickets not related to core OpenVPN now :)
(21:17:43) cron2: mattock: I think we can close that
(21:17:45) mattock: ok, so #788 is still valid
(21:17:51) mattock: looking at the GitHub report
(21:17:55) cron2: oh?
(21:18:16) mattock: yeah, there is some messiness in how easyrsa3 handles the 
defaults from the vars file
(21:18:43) mattock: ecrist is aware of the issue, and can hopefully have a look 
at some point
(21:19:20) dazo: cron2: #812 can be closed?
(21:19:29) dazo: the md_ctx_update() 

Re: [Openvpn-devel] [PATCH applied] build: Ensure Changes.rst is shipped and installed as a doc file

2017-01-04 Thread David Sommerseth

Your patch has been applied to the following branches

commit 7fb22ea0bc483b5a128bcc23ce9a156c8fadac3a  (master)
commit b83ff52a594ce1e8ff2d63533819206f67aa5dea  (release/2.4)
Author: David Sommerseth
Date:   Tue Dec 27 11:52:24 2016 +0100

 build: Ensure Changes.rst is shipped and installed as a doc file

 Signed-off-by: David Sommerseth 
 Acked-by: Arne Schwabe 
 Message-Id: <1482835944-563-1-git-send-email-dav...@openvpn.net>
 URL: 
http://www.mail-archive.com/search?l=mid=1482835944-563-1-git-send-email-dav...@openvpn.net


- --
kind regards,

David Sommerseth



[Openvpn-devel] [PATCH applied] Re: Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset

2017-01-04 Thread Gert Doering
Sorry for the delay, this got lost in the pre-2.4 craziness.

Your patch has been applied to the release/2.3 branch.

Thanks!

commit ab1302d47b0f2b2ac9272b9fbb90ef0bd7b7cc35
Author: Julien Muchembled
Date:   Fri Dec 16 17:32:18 2016 +0100

 Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset

 Signed-off-by: Julien Muchembled 
 Acked-by: Steffan Karger 
 Message-Id: <20161216163218.25449-1...@nexedi.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13591.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




Re: [Openvpn-devel] Preparing 2.4-beta1 upload to Debian (Experimental)

2017-01-04 Thread Alberto Gonzalez Iniesta
Thanks Arne!

I'll fix this in the next upload.


On Wed, Jan 04, 2017 at 07:21:07PM +0100, Arne Schwabe wrote:
> On 21.11.16 at 10:10, Alberto Gonzalez Iniesta wrote:
> > Hi,
> > 
> > I'm preparing an upload to Debian Experimental of 2.4-beta1 in order to
> > get the maximum exposition as possible. In the meantime I'd like to know
> > your opinion on the following patch that I've been applying to Debian's
> > package for some years:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=367716;filename=openvpn_367716.diff;msg=10
> > Fixing this:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=367716
> > 
> > Thanks,
> > 
> > Alberto
> > 
> 
> One thing I noticed. Debian still includes a "route_default_nil.patch".
> That patch changes the man page to the command line help which is wrong.
> 
> The correct thing is to change the command line (patch attached).
> 
> Arne

> From a88d8ba3e81ca34fc2675805a273cd85875c8973 Mon Sep 17 00:00:00 2001
> From: Arne Schwabe 
> Date: Wed, 4 Jan 2017 19:18:46 +0100
> Subject: [PATCH] Change command help to match man page and implementation
> 
> ---
>  src/openvpn/options.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index bfedb6a..80143e6 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -198,7 +198,7 @@ static const char usage_message[] =
>  "  is established.  Multiple routes can be specified.\n"
>  "  netmask default: 255.255.255.255\n"
>  "  gateway default: taken from --route-gateway or 
> --ifconfig\n"
> -"  Specify default by leaving blank or setting to 
> \"nil\".\n"
> +"  Specify default by leaving blank or setting to 
> \"default\".\n"
>  "--route-ipv6 network/bits [gateway] [metric] :\n"
>  "  Add IPv6 route to routing table after connection\n"
>  "  is established.  Multiple routes can be specified.\n"
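Review bot: the replaced usage line sits directly under both the "netmask default" and the "gateway default" lines, so after this change the help text still does not say which of those optional fields accepts the "default" keyword; if it applies to both, the line should say so. The three trailing context lines open the --route-ipv6 entry, so it is worth checking whether that entry carries the same "nil" wording further down and needs the same one-word fix.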


-- 
Alberto Gonzalez Iniesta     | Training, consulting and technical support
mailto/sip: a...@inittab.org | for GNU/Linux and free software
Encrypted mail preferred     | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55



Re: [Openvpn-devel] Preparing 2.4-beta1 upload to Debian (Experimental)

2017-01-04 Thread Arne Schwabe
On 21.11.16 at 10:10, Alberto Gonzalez Iniesta wrote:
> Hi,
> 
> I'm preparing an upload to Debian Experimental of 2.4-beta1 in order to
> get the maximum exposition as possible. In the meantime I'd like to know
> your opinion on the following patch that I've been applying to Debian's
> package for some years:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=367716;filename=openvpn_367716.diff;msg=10
> Fixing this:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=367716
> 
> Thanks,
> 
> Alberto
> 

One thing I noticed. Debian still includes a "route_default_nil.patch".
That patch changes the man page to the command line help which is wrong.

The correct thing is to change the command line (patch attached).

Arne
From a88d8ba3e81ca34fc2675805a273cd85875c8973 Mon Sep 17 00:00:00 2001
From: Arne Schwabe 
Date: Wed, 4 Jan 2017 19:18:46 +0100
Subject: [PATCH] Change command help to match man page and implementation

---
 src/openvpn/options.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index bfedb6a..80143e6 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -198,7 +198,7 @@ static const char usage_message[] =
 "  is established.  Multiple routes can be specified.\n"
 "  netmask default: 255.255.255.255\n"
 "  gateway default: taken from --route-gateway or 
--ifconfig\n"
-"  Specify default by leaving blank or setting to 
\"nil\".\n"
+"  Specify default by leaving blank or setting to 
\"default\".\n"
 "--route-ipv6 network/bits [gateway] [metric] :\n"
 "  Add IPv6 route to routing table after connection\n"
 "  is established.  Multiple routes can be specified.\n"
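Review bot: there is no commit message body and no Signed-off-by line between the Subject and the "---" separator, so the only record of why "default" is the right keyword is the Subject itself. Add a sentence or two saying that the man page and the option parser already use "default" and that only the usage text was out of step, and add the sign-off that the applied commits quoted elsewhere in this archive carry.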
-- 
2.10.1 (Apple Git-78)



Re: [Openvpn-devel] fuzz testing by google ?

2017-01-04 Thread Hubert Kario
On Wednesday, 7 December 2016 13:04:30 CET Gert Doering wrote:
> Hi,
> 
> On Wed, Dec 07, 2016 at 04:51:36PM +0500,  ?? wrote:
> > it used to crash on simple tcp connect (after immediate disconnect), it
> > was
> > reproducible to running login/password authentication mode
> > 
> > it might have been caught by fuzz testing.
> 
> I should point out that this was not a "crash" but an "openvpn detects
> invalid input and ASSERT()s out -> well-defined program exit".
> 
> Not exactly *friendly* behaviour (and stupid, in this case), but not
> a *crash*.
> 
> But that's exactly why fuzzing openvpn is hard: we detect bad stuff, and
> in doubt, we ASSERT() - which is well-defined behaviour, not "crashing
> randomly, possibly in a way that can be exploited to get access to
> security critical bits"

It still results in a denial of service. Yes, far less severe than private key 
leak or remote code execution, but a severe vulnerability none the less.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
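
The distinction argued in this thread, as an added example that is not from the original posts and is not OpenVPN code: a handler that ASSERT()s on malformed peer input exits in a well-defined way but still takes the process down, while one that rejects the input keeps serving. The record layout, function names and inputs are hypothetical and constructed for illustration; each handler runs in a child process so the outcome can be observed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical record: [type][payload length][payload]; not OpenVPN code. */
#define ASSERT(x) do { if (!(x)) abort(); } while (0) /* defined exit, no UB */

/* Variant A: malformed peer input is treated as a programming error. */
int handle_asserting(const uint8_t *buf, size_t len)
{
    ASSERT(len >= 2);
    ASSERT((size_t)buf[1] == len - 2);
    return buf[0];
}

/* Variant B: malformed peer input is an expected event; reject it. */
int handle_rejecting(const uint8_t *buf, size_t len)
{
    if (len < 2 || (size_t)buf[1] != len - 2)
        return -1; /* caller drops the packet and keeps serving */
    return buf[0];
}

/* Fuzz-harness style isolation: 1 = exited normally, 0 = killed by signal. */
int survives(int (*h)(const uint8_t *, size_t), const uint8_t *buf, size_t len)
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        h(buf, len);
        _exit(0);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? 1 : 0;
}

const uint8_t good_pkt[] = { 0x01, 0x02, 0xAA, 0xBB }; /* constructed, valid */
const uint8_t short_pkt[] = { 0x01 };      /* constructed, cut off after type */

int main(void)
{
    int a = survives(handle_asserting, short_pkt, sizeof short_pkt);
    int b = survives(handle_rejecting, short_pkt, sizeof short_pkt);
    printf("asserting survives: %d, rejecting survives: %d\n", a, b);
    return 0;
}
```

A fuzzer that only looks for memory-safety signals would still see the SIGABRT from variant A, which is why assertion exits show up as findings even when no undefined behaviour occurs.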
