On Mon, Aug 16, 2010 at 04:34:54PM +0300, Pasi Kärkkäinen wrote:
> On Mon, Aug 16, 2010 at 04:29:17PM +0300, Pasi Kärkkäinen wrote:
> >
> > Hello,
> >
> > When running the openvpn 2.1.2 installer on Windows 7 (x64) I noticed this
> > error:
> > http://pasik.reaktio.net/openvpn212-setup-error-opening-file-for-writing.jpg
> >
> > ie. the installer cannot overwrite the existing files from openvpn 2.1.1
> > installation.
> > I get that error for the following files:
> >
> > C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe
> > C:\Program Files (x86)\OpenVPN\bin\libeay32.dll
> >
> > And after finishing the installation Windows "Program Compatibility
> > Assistant" pops up,
> > and asks if the program installed correctly, or if I wanted to "Reinstall
> > using recommended settings".
> >
> > http://pasik.reaktio.net/openvpn212-setup-might-not-have-installed-correctly.jpg
> >
> > I chose it installed OK and then rebooted the machine.
> >
> > After reboot I noticed the TAP network device is missing from Windows,
> > and thus openvpn connections cannot be started..
> >
> > Running the "Add a new TAP virtual ethernet adapter" doesn't seem to work
> > either..
> >
>
> And here's a screenshot of the failing tapinstall.exe:
> http://pasik.reaktio.net/openvpn212-tapinstall-failed.jpg
>
Any tips how to troubleshoot this?
-- Pasi
>
> >
> >
> > On Sun, Aug 15, 2010 at 04:27:06PM -0600, James Yonan wrote:
> > > 2010.08.09 -- Version 2.1.2
> > >
> > > * Windows security issue:
> > > >   Fixed potential local privilege escalation vulnerability in
> > > >   Windows service. The Windows service did not properly quote the
> > > >   executable filename passed to CreateService. A local attacker
> > > >   with write access to the root directory C:\ could create an
> > > >   executable that would be run with the same privilege level as
> > > >   the OpenVPN Windows service. However, since non-Administrative
> > > >   users normally lack write permission on C:\, this vulnerability
> > > >   is generally not exploitable except on older versions of Windows
> > > >   (such as Win2K) where the default permissions on C:\ would allow
> > > >   any user to create files there.
> > > >   Credit: Scott Laurie, MWR InfoSecurity
> > >
> > > > * Added Python-based alternative build system for Windows using
> > > >   Visual Studio 2008 (in win directory).
> > >
> > > > * When aborting in a non-graceful way, try to execute do_close_tun in
> > > >   init.c prior to daemon exit to ensure that the tun/tap interface is
> > > >   closed and any added routes are deleted.
> > > >
> > > > * Fixed an issue where AUTH_FAILED was not being properly delivered
> > > >   to the client when a bad password is given for mid-session reauth,
> > > >   causing the connection to fail without an error indication.
> > > >
> > > > * Don't advance to the next connection profile on AUTH_FAILED errors.
> > > >
> > > > * Fixed an issue in the Management Interface that could cause
> > > >   a process hang with 100% CPU utilization in --management-client
> > > >   mode if the management interface client disconnected at the
> > > >   point where credentials are queried.
> > > >
> > > > * Fixed an issue where if reneg-sec was set to 0 on the client,
> > > >   so that the server-side value would take precedence,
> > > >   the auth_deferred_expire_window function would incorrectly
> > > >   return a window period of 0 seconds. In this case, the
> > > >   correct window period should be the handshake window
> > > >   period.
> > >
> > > * Modified ">PASSWORD:Verification Failed" management interface
> > > >   notification to include a client reason string:
> > > >
> > > >     >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
> > > >
> > > > * Enable exponential backoff in reliability layer
> > > >   retransmits.
> > > >
> > > > * Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
> > > >   socket is created rather than waiting until after connect/listen.
> > >
> > > * Management interface performance optimizations:
> > >
> > > >   1. Added env-filter MI command to perform filtering on env vars
> > > >      passed through as a part of --management-client-auth
> > > >
> > > >   2. man_write will now try to aggregate output into larger blocks
> > > >      (up to 1024 bytes) for more efficient i/o
> > > >
> > > > * Fixed minor issue in Windows TAP driver DEBUG builds
> > > >   where non-null-terminated unicode strings were being
> > > >   printed incorrectly.
> > > >
> > > > * Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
> > > >   was not being compiled in.
> > > >
> > > > * Proxy improvements:
> > > >
> > > >   Improved the ability of http-auth "auto" flag to dynamically detect
> > > >   the auth method required by the proxy.
> > > >
> > > >   Added http-auth "auto-nct" flag to reject weak proxy auth methods.
> > > >
> > > >   Added HTTP proxy digest authentication method.
> > > >
> > > >   Removed extraneous openvpn_sleep calls from proxy.c.
> > >
> > > *