Re: [Openvpn-devel] Summary of the community meeting (Wed, 18th Apr 2018)

2018-04-24 Thread Gert Doering 
Hi,

On Tue, Apr 24, 2018 at 11:33:19AM +0200, Simon Matter wrote:
> I'm just wondering what happened to the proposed 2.4.6 release? Will it
> come anytime soon?

Windows driver signing did not work as planned.

Right now it looks like "release will happen today", stay tuned :-)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


signature.asc
Description: PGP signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] Summary of the community meeting (Wed, 18th Apr 2018)

2018-04-24 Thread Simon Matter 
Hi,

I'm just wondering what happened to the proposed 2.4.6 release? Will it
come anytime soon?

Regards,
Simon

> Hi,
>
> Here's the summary of the IRC meeting.
> ---
>
> COMMUNITY MEETING
>
> Place: #openvpn-meeting on irc.freenode.net
> Date: Wednesday 18th Apr 2018
> Time: 11:30 CET (10:30 UTC)
>
> Planned meeting topics for this meeting were here:
>
> 
>
> The next meeting has not been scheduled yet.
>
> Your local meeting time is easy to check from services such as
>
> 
>
> SUMMARY
>
> cron2, dazo, mattock, ordex, plaisthos and syzzer participated in
> this meeting.
>
> --
>
> Discussed upcoming OpenVPN 2.4.6 release. It will contain what
> release/2.4 has now, plus one security fix which is under embargo. The
> tree will be pushed to buildbot tomorrow afternoon after which the
> release machinery starts for good.
>
> The 2.4.6 release will include an updated tap-windows6 driver with a
> small security fix. The fix will not get a CVE as exploitation requires
> local admin privileges and is not remotely exploitable. It was agreed
> that we should update PRODUCT_VERSION in tap-windows6 from 9,0,0,21 to
> 9,22,1,601. This means it will be in-line with the real version
> (9.22.1). The old, confusing PRODUCT_VERSION string seems to be just
> historic baggage brought over from tap-windows (i.e. the old NDIS 5
> driver).
>
> --
>
> Discussed unit testing the netlink code and in particular the msg()
> function. Noted that we have mock_msg.c already which does minimal
> logging, which renders it more suitable for unit testing.
>
> --
>
> Discussed the location of the next hackathon. One possibility is Lviv,
> Ukraine, where OpenVPN Inc. has a rather large team. It is easily
> accessible for EU citizens as no visa is required.
>
> ---
>
> Full chatlog attached.
>
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
>
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org!
> http://sdm.link/slashdot___
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>



--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] Summary of the community meeting (Wed, 18th Apr 2018)

2018-04-18 Thread Samuli Seppänen 
Hi,

Here's the summary of the IRC meeting.
---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wednesday 18th Apr 2018
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



The next meeting has not been scheduled yet.

Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, mattock, ordex, plaisthos and syzzer participated in
this meeting.

--

Discussed upcoming OpenVPN 2.4.6 release. It will contain what
release/2.4 has now, plus one security fix which is under embargo. The
tree will be pushed to buildbot tomorrow afternoon after which the
release machinery starts for good.

The 2.4.6 release will include an updated tap-windows6 driver with a
small security fix. The fix will not get a CVE as exploitation requires
local admin privileges and is not remotely exploitable. It was agreed
that we should update PRODUCT_VERSION in tap-windows6 from 9,0,0,21 to
9,22,1,601. This means it will be in-line with the real version
(9.22.1). The old, confusing PRODUCT_VERSION string seems to be just
historic baggage brought over from tap-windows (i.e. the old NDIS 5 driver).

--

Discussed unit testing the netlink code and in particular the msg()
function. Noted that we have mock_msg.c already which does minimal
logging, which renders it more suitable for unit testing.

--

Discussed the location of the next hackathon. One possibility is Lviv,
Ukraine, where OpenVPN Inc. has a rather large team. It is easily
accessible for EU citizens as no visa is required.

---

Full chatlog attached.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


(12:34:48) mattock: ok let's start
(12:34:58) mattock: 2.4.6
(12:35:16) cron2: there's two aspects to it
(12:35:45) cron2: one is "openvpn", and that is fairly easily summarized: "what 
we have in tree right now, plus the CVE fix (iservice), plus the version number 
bump"
(12:36:06) ***cron2 will get the tree ready tomorrow afternoon and push to 
mattock's repo on build.openvpn.net
(12:36:18) cron2: and when the release is out, push to all other repos
(12:36:32) cron2: ok?
(12:36:58) mattock: sounds good
(12:37:09) dazo: makes sense ... but do we need a CVE for tap-windows6?  I 
don't think so, but long time since I paid attention to the details here
(12:37:34) cron2: dazo: it's "if you have admin privileges already, you might 
be able to get your system to bluescreen"
(12:37:55) cron2: so while this is an annoying issue that must be fixed, nobody 
argued for CVE yet
(12:38:33) cron2: so, second half, tap-windows6 - what I see here right now is 
a few different issues
(12:38:48) cron2: - the overread patch (v4 on security@ list)
(12:38:55) cron2: - the version number bumping
(12:38:58) dazo: can this bluescreen (read: DoS) be triggered by a remote 
attacker?
(12:39:01) cron2: - SHA2 signing
(12:39:18) cron2: dazo: no, because it has to be a link-local packet, which is 
validated before entering that code
(12:39:29) cron2: and fe80:: stuff is never forwarded from one interface to a 
different one
(12:40:22) dazo: okay ... so it would in worst case be a local DoS *if* the 
attacker has admin privileges - is that correct?
(12:40:32) cron2: this is how we currently read it
(12:41:09) cron2: it's overreading a kernel buffer by a few bytes, so depending 
on kernel memory layout, it might have no effects at all, or bluescreen
(12:41:49) dazo: okay ... technically, it could be a CVE  but, I would say 
we can skip it this time ... if a local attacker has admin privileges, that is 
far more a severe issue
(12:42:05) mattock: +1
(12:42:10) cron2: +1
(12:42:23) mattock: regarding version number bump in tap-windows6
(12:42:44) mattock: I suggest setting PRODUCT_VERSION to 9,22,1,601
(12:42:53) mattock: right now it is 9,0,0,21
(12:42:56) mattock: which is confusing
(12:43:10) mattock: that shows up in the file properties dialog
(12:43:11) dazo: I know nothing about driver versioning  but the change 
sounds fine to me if this is the right approach
(12:43:12) cron2: that would have been my suggestion as well - and then build 
another test installer, to see if things still work or magically fail
(12:43:19) ordex: (+1 for no-CVE :P, sorry for the delay)
(12:43:32) mattock: yeah, I will do another round of smoke-testing for the new 
tap-windows6 build
(12:43:37) cron2: dazo: we have no idea why things are the way they are, this 
is all "from the old age"
(12:43:47) mattock: probably leftovers from tap-windows
(12:43:49) dazo: :)
(12:43:58) mattock: for no good reason is my hunch
(12:44:05) cron2: mattock: I would suggest to merge the v4 patch "for good", so 
people testing this can be sure "this is what we have in master + the version 
bump test"
(12:44:10) syzzer: yeah, number sound very much like 'copied from tap-windows'
(12:44:33) syzzer: and the tap-windows thing feels