Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jeremie Courreges-Anglas
Hi, Emmanuel Deloget writes: > Hi David, > > On Wed, Jun 21, 2017 at 11:06 PM, David Sommerseth < > open...@sf.lists.topphemmelig.net> wrote: > > > > >> But for reasons unknown to me, those tarballs got re-created somewhere >> later in the release chain. The contents of all

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread James Bekkema
> On 22 Jun 2017, at 7:06 am, David Sommerseth > wrote: > > - What can be done with Cloudflare to fully ensure their caches are > truly purged when we ask for it? As Jonathan noticed, their caches > are tightly connected to the web browser and have a

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Emmanuel Deloget
Hi David, On Wed, Jun 21, 2017 at 11:06 PM, David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > But for reasons unknown to me, those tarballs got re-created somewhere > later in the release chain. The contents of all tarballs are > essentially the same, but due to the "nice"

[Openvpn-devel] [PATCH v2] Move adjust_power_of_2() to integer.h

2017-06-21 Thread Steffan Karger
From: Steffan Karger misc.c is a mess of incoherent functions, and is therefore included by virtually all our source files. That makes testing harder than it should be. As a first step of cleaning up misc.c, move adjust_power_of_2() to integer.h, which is a more

[Openvpn-devel] [PATCH] Fix typo in extract_x509_extension() debug message

2017-06-21 Thread Steffan Karger
This message should use the external name, not the internal one. Signed-off-by: Steffan Karger --- src/openvpn/ssl_verify_openssl.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index

Re: [Openvpn-devel] [PATCH] Move adjust_power_of_2() to integer.h

2017-06-21 Thread Steffan Karger
Hi, On 21-06-17 22:17, Antonio Quartulli wrote: > However, now that adjust_power_of_2() has been moved to integer.h, shouldn't > this file be included by every .c where the function is used? Or do we have > some > other rule about header files inclusion? > > Personally I prefer when every .c

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread David Sommerseth
On 21/06/17 12:47, Samuli Seppänen wrote: > The OpenVPN community project team is proud to release OpenVPN 2.4.3. It > can be downloaded from here: > > > > OpenVPN v2.4.2 was analyzed closely using a fuzzer by Guido Vranken. In > the

Re: [Openvpn-devel] [PATCH applied] Re: travis-ci: added gcc and clang openssl-1.1.0 builds

2017-06-21 Thread Steffan Karger
The following have to be cherry-picked (just tested, works without fuzz): 56e6bd8967d72c4374389dfd5cf32f5e3b86242c 81ba70b39b78d7677aabab957421264800028f53 aeac1139a34321a7f770ca20bfef886a21a89fe9 -Steffan On 21-06-17 21:57, Gert Doering wrote: > Your patch has been applied to the master

Re: [Openvpn-devel] [PATCH] OpenSSL: remove pre-1.1 function from the OpenSSL compat interface

2017-06-21 Thread Steffan Karger
Hi, On 19-06-17 17:35, log...@free.fr wrote: > From: Emmanuel Deloget > > HMAC_CTX_init() has been removed from OpenSSL 1.1. Both this function > and function HMAC_CTX_cleanup() has been replaced by HMAC_CTX_reset(). > > Commit aba98e9050eb54d72d921e70bcd422cb892b9c6c

Re: [Openvpn-devel] [PATCH] Move adjust_power_of_2() to integer.h

2017-06-21 Thread Antonio Quartulli
On Mon, Jun 19, 2017 at 01:47:33PM +0200, Steffan Karger wrote: > misc.c it a mess of incoherent functions, and is therefore included by little typ0 here: s/it/is/ > virtually all our source files. That makes testing harder than it should > be. As a first step of cleaning up misc.c, move

[Openvpn-devel] [PATCH applied] Re: travis-ci: added gcc and clang openssl-1.1.0 builds

2017-06-21 Thread Gert Doering
Your patch has been applied to the master branch. I tried to apply it to release/2.4 as well, but it seems some prior patch to the .travis/ stuff never made it, so this patch does not apply. As I'm a bit lazy today - could you backport all the travis stuff that is missing from 2.4 to release/2.4

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 12:48 PM, Matthias Andree wrote: > > Am 21.06.2017 um 16:33 schrieb Samuli Seppänen: > > On 21/06/2017 17:06, Simon Matter wrote: > >>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen > >>> wrote: > The OpenVPN community

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 7:48 AM, Jonathan K. Bullard wrote: > On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen > wrote: > > The OpenVPN community project team is proud to release OpenVPN 2.4.3. It > > can be downloaded from here: > > > >

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Matthias Andree
Am 21.06.2017 um 18:02 schrieb Gert Doering: > Hi, > > On Wed, Jun 21, 2017 at 05:58:18PM +0200, David Sommerseth wrote: >> Hmmm ... not a bad idea. But do we really need tar.gz at all these >> days? Why not just make autotools generate tar.xz by default and be >> done with it? > "distcheck"

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Matthias Andree
Am 21.06.2017 um 16:33 schrieb Samuli Seppänen: > On 21/06/2017 17:06, Simon Matter wrote: >>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen >>> wrote: The OpenVPN community project team is proud to release OpenVPN 2.4.3. It can be downloaded from here:

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Gert Doering
Hi, On Wed, Jun 21, 2017 at 05:58:18PM +0200, David Sommerseth wrote: > Hmmm ... not a bad idea. But do we really need tar.gz at all these > days? Why not just make autotools generate tar.xz by default and be > done with it? "distcheck" tends to just do .tar.gz - can you make it still do the

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread David Sommerseth
On 21/06/17 17:49, Gert Doering wrote: > Hi, > > On Wed, Jun 21, 2017 at 05:25:32PM +0200, Simon Matter wrote: >>> .gz is built with "make distcheck", .xz right after from the same >>> tree with "make dist-xz". >>> >>> What differs? >> >> The check sum of both extracted tarballs, not really their

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Gert Doering
Hi, On Wed, Jun 21, 2017 at 05:25:32PM +0200, Simon Matter wrote: > > .gz is built with "make distcheck", .xz right after from the same > > tree with "make dist-xz". > > > > What differs? > > The check sum of both extracted tarballs, not really their content. Ah. Yeah, that's one of the

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
> Hi, > > On Wed, Jun 21, 2017 at 04:18:41PM +0200, Simon Matter wrote: >> An additional source of confusion seems that the tarball of the .gz and >> .xz files don't match. Maybe this could easily be fixed in the build >> process. > > .gz is built with "make distcheck", .xz right after from the

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Gert Doering
Hi, On Wed, Jun 21, 2017 at 04:18:41PM +0200, Simon Matter wrote: > An additional source of confusion seems that the tarball of the .gz and > .xz files don't match. Maybe this could easily be fixed in the build > process. .gz is built with "make distcheck", .xz right after from the same tree

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
>>> I believe it is Cloudflare playing tricks on us again. >>> >>> Attached are the proper signature files and below a list of the SHA256 >>> checksums: >>> >>> 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571 >>> openvpn-2.4.3.tar.xz >>> >>> This is based on the files I've already

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Samuli Seppänen
On 21/06/2017 17:42, Simon Matter wrote: >> On 21/06/17 13:48, Jonathan K. Bullard wrote: >>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen >>> wrote: The OpenVPN community project team is proud to release OpenVPN 2.4.3. It can be downloaded from here:

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
> On 21/06/17 13:48, Jonathan K. Bullard wrote: >> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen >> wrote: >>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. >>> It >>> can be downloaded from here: >>> >>>

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Samuli Seppänen
On 21/06/2017 17:06, Simon Matter wrote: >> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen >> wrote: >>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It >>> can be downloaded from here: >>> >>>

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen >> wrote: >>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. >>> It >>> can be downloaded from here: >>> >>> >> >> Hi. Thanks for this release.

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen > wrote: >> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It >> can be downloaded from here: >> >> > > Hi. Thanks for this release. > >

Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread David Sommerseth
On 21/06/17 15:11, Jonathan K. Bullard wrote: > And I tried using a VPN : ) to download from London, hoping to get a > different CloudFlare server, but get the same (bad) .tar.gz and/or > .tar.gz.asc as my original downloads. > > Should swupdates.openvpn.net be publicly accessible? It doesn't >

Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Samuli Seppänen
On 21/06/2017 16:11, Jonathan K. Bullard wrote: > On Wed, Jun 21, 2017 at 8:40 AM, David Sommerseth > wrote: >> On 21/06/17 14:30, David Sommerseth wrote: >>> On 21/06/17 13:48, Jonathan K. Bullard wrote: On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen

Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 8:40 AM, David Sommerseth wrote: > On 21/06/17 14:30, David Sommerseth wrote: >> On 21/06/17 13:48, Jonathan K. Bullard wrote: >>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen wrote: The OpenVPN community

Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread David Sommerseth
On 21/06/17 14:30, David Sommerseth wrote: > On 21/06/17 13:48, Jonathan K. Bullard wrote: >> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen wrote: >>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It >>> can be downloaded from here: >>> >>>

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread David Sommerseth
On 21/06/17 13:48, Jonathan K. Bullard wrote: > On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen wrote: >> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It >> can be downloaded from here: >> >> >

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen wrote: > The OpenVPN community project team is proud to release OpenVPN 2.4.3. It > can be downloaded from here: > > Hi. Thanks for this release. Verifying the PGP

[Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.3. It can be downloaded from here: OpenVPN v2.4.2 was analyzed closely using a fuzzer by Guido Vranken. In the process several vulnerabilities were found, some of which

[Openvpn-devel] OpenVPN 2.3.17 released (with security fixes)

2017-06-21 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.3.17. It can be downloaded from here: OpenVPN v2.4.2 was analyzed closely using a fuzzer by Guido Vranken. In the process several vulnerabilities were found, some of which

[Openvpn-devel] NTLM.c security fix / CVE-2017-7520

2017-06-21 Thread Gert Doering
Hi, most patches that went into the tree today came to me by git-send-email, so I could re-send them to the list after embargo, and message-id:s referenced in the code match between mailing list, git tree, and in-reply-to in the ACK mail. One patch came as a patch attached to a longer mail that

[Openvpn-devel] [PATCH] openssl and mbedtls x509 fixes (CVE-2017-7521 & -7522)

2017-06-21 Thread Steffan Karger
Hi, This patch set contains the five commits that fix the X509 issues found by Guido in both our mbedtls and openssl code. It is based on the current master branch. Compared to the previously sent patches, patch 4/5 ('Restrict --x509-alt-username extension types') was changed to include more

[Openvpn-devel] [PATCH 1/5] mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)

2017-06-21 Thread Steffan Karger
asn1_buf_to_c_string() returned a literal string if the input ASN.1 string contained a NUL character, while the caller expects a mutable string. The caller will attempt to change this string, which allows a client to crash a server by sending a certificate with an embedded NUL character. (The

[Openvpn-devel] [PATCH 4/5] Restrict --x509-alt-username extension types

2017-06-21 Thread Steffan Karger
The code never supported all extension types. Make this explicit by only allowing subjectAltName and issuerAltName (for which the current code does work). Using unsupported extension fields would most likely cause OpenVPN to crash as soon as a client connects. This does not have a real-world

[Openvpn-devel] [PATCH 2/5] mbedtls: require C-string compatible types for --x509-username-field

2017-06-21 Thread Steffan Karger
In the --x509-username-field extension, we handle the subject string as if it is a C string. Make this assumption explicit and reject incompatible ASN.1 string types. Signed-off-by: Steffan Karger --- src/openvpn/ssl_verify_mbedtls.c | 8 1 file changed, 8

[Openvpn-devel] [PATCH 5/5] Fix potential double-free in --x509-alt-username (CVE-2017-7521)

2017-06-21 Thread Steffan Karger
We didn't check the return value of ASN1_STRING_to_UTF8() in extract_x509_extension(). Ignoring such a failure could result in buf being free'd twice. An error in ASN1_STRING_to_UTF8() can be caused remotely if the peer can make the local process run out of memory. The problem can only be

[Openvpn-devel] [PATCH 3/5] Fix remote-triggerable memory leaks (CVE-2017-7521)

2017-06-21 Thread Steffan Karger
Several of our OpenSSL-specific certificate-parsing code paths did not always clear all allocated memory. Since a client can cause a few bytes of memory to be leaked for each connection attempt, a client can cause a server to run out of memory and thereby kill the server. That makes this a

[Openvpn-devel] [PATCH applied] Re: Fix remotely-triggerable ASSERT() on malformed IPv6 packet.

2017-06-21 Thread Gert Doering
Patch has been applied to the master, release/2.4 and release/2.3 branch. commit c3f47077a7756de5929094569421a95aa66f2022 (master) commit ed28cde3d8bf3f1459b2f42f0e27d64801009f92 (release/2.4) commit fc61d1bda112ffc669dbde961fab19f60b3c7439 (release/2.3) Author: Gert Doering Date: Tue Jun 13

[Openvpn-devel] [PATCH v2] Fix remotely-triggerable ASSERT() on malformed IPv6 packet.

2017-06-21 Thread Gert Doering
Correct sanity checks on IPv6 packet length in mss_fixup_ipv6(), and change the ASSERT() check in mss_fixup_dowork() into a simple "return" (= the TCP header will simply not be inspected further). CVE-2017-7508 has been assigned due to the serious nature of the bug: it can be used to remotely

[Openvpn-devel] [PATCH applied] Re: Fix potential double-free in --x509-alt-username (CVE-2017-7521)

2017-06-21 Thread Gert Doering
Your patch has been applied to the master, release/2.4 and release/2.3 branch. commit cb4e35ece4a5b70b10ef9013be3bff263d82f32b (master) commit 040084067119dd5a9e15eb3bcfc0079debaa3777 (release/2.4) commit 1dde0cd6e5e6a0f2f45ec9969b7ff1b6537514ad (release/2.3) Author: Steffan Karger Date: Mon

[Openvpn-devel] [PATCH applied] Re: Restrict --x509-alt-username extension types

2017-06-21 Thread Gert Doering
Your patch has been applied to the master, release/2.4 and release/2.3 branch. commit d2a19185fd78030ce4a1bba6c9f83e0dac9e15a6 (master) commit b72472baa5f228acf211542a7511f6960479f4c8 (release/2.4) commit a6dbec1cb481d6f0237372a7dec059f1c572b7b7 (release/2.3) Author: Steffan Karger Date: Mon

[Openvpn-devel] [PATCH applied] Re: Fix remote-triggerable memory leaks (CVE-2017-7521)

2017-06-21 Thread Gert Doering
Your patch has been applied to the master, release/2.4 and release/2.3 branch. commit 2d032c7fcdfd692c851ea2fa858b4c2d9ea7d52d (master) commit 2341f716198fa90193e040b3fdb16959a47c6c27 (release/2.4) commit 84e1775961de1c9d2ab32159fc03f758591f5238 (release/2.3) Author: Steffan Karger Date: Mon

[Openvpn-devel] [PATCH applied] Re: mbedtls: require C-string compatible types for --x509-username-field

2017-06-21 Thread Gert Doering
Your patch has been applied to the master and release/2.4 branch. commit 0007b2dbd12a83be3e4aeabc20550a5e16faf214 (master) commit 20f1a472031f0e8ad207ed96acc46ddf51616b5e (release/2.4) Author: Steffan Karger Date: Mon Jun 19 11:28:37 2017 +0200 mbedtls: require C-string compatible types

[Openvpn-devel] [PATCH applied] Re: mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)

2017-06-21 Thread Gert Doering
Your patch has been applied to the master and release/2.4 branch. commit 426392940c7060300a10077c389f5156c790c2f6 (master) commit 67edada0beaf5ce6e47f13526b9f678dad4fc126 (release/2.4) Author: Steffan Karger Date: Mon Jun 19 11:28:36 2017 +0200 mbedtls: fix --x509-track