Age | Commit message | Author | |
---|---|---|---|
2021-04-28 | CVE-2020-15078: Authentication bypass with deferred authentication | Bernhard Schmidt | |
Overview: OpenVPN 2.5.1 and earlier versions allow remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. Detailed description: This bug allows - under very specific circumstances - to trick a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with "--auth-gen-token" or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. Pre-Dependency: CVE-2020-15078-0.patch: https://github.com/OpenVPN/openvpn/commit/14511010 CVE-Fix: CVE-2020-15078-1.patch: https://github.com/OpenVPN/openvpn/commit/3aca477a CVE-2020-15078-2.patch: https://github.com/OpenVPN/openvpn/commit/3d18e308 CVE-2020-15078-3.patch: https://github.com/OpenVPN/openvpn/commit/f7b3bf06 Closes: #987380 | |||
2021-02-24 | Changelog for 2.5.1-1 [debian/2.5.1-1] | Bernhard Schmidt | |
2020-10-28 | Changelog for 2.5.0-1 [debian/2.5.0-1] | Bernhard Schmidt | |
2020-10-20 | Changelog for 2.5~rc3-1 [debian/2.5_rc3-1] | Bernhard Schmidt | |
2020-09-30 | Changelog for 2.5~rc2-1 | Bernhard Schmidt | |
2020-09-30 | Downgrade debhelper-compat to 12 for easier backports | Bernhard Schmidt | |
2020-09-01 | Changelog for 2.5~beta3-1 [debian/2.5_beta3-1] | Bernhard Schmidt | |
2020-09-01 | Revert "d/gbp.conf for experimental 2.5 branch" | Bernhard Schmidt | |
This reverts commit d3986a312f5fbcfd0e78e6b147eef419fb4e5f54. | |||
2020-09-01 | Drop reload support from systemd unit files (LP: #1868127) | Lucas Kanashiro | |
The current reload implementation (sending a SIGHUP signal to the process) fails, and the difference between reload and restart is not clear. Systemd does not require an implementation for reload. | |||
2020-09-01 | Add two DEP-8 test cases for the server side | Lucas Kanashiro | |
Two scenarios are tested, server setup using: a static key and a CA. | |||
2020-08-16 | Changelog for 2.5~beta1-3 [debian/2.5_beta1-3] | Bernhard Schmidt | |
2020-08-16 | Disable iproute2 support in favour of the new netlink based default | Bernhard Schmidt | |
Thanks: Fabio Pedretti | |||
2020-08-16 | Changelog for 2.5~beta1-2 [debian/2.5_beta1-2] | Bernhard Schmidt | |
2020-08-16 | Set Build-Conflicts: systemctl, see Bug#959828 | Bernhard Schmidt | |
2020-08-15 | Changelog for 2.5~beta1-1 [debian/2.5_beta1-1] | Bernhard Schmidt | |
2020-08-15 | Add python3-docutils to build-depends for manpage generation | Bernhard Schmidt | |
2020-08-15 | Adjust patches for new major upstream version | Bernhard Schmidt | |
2020-08-15 | d/gbp.conf for experimental 2.5 branch | Bernhard Schmidt | |
2020-08-15 | d/copyright: Remove duplicate [debian/2.4.9-3] | Bernhard Schmidt | |
2020-05-02 | d/changelog: Change distribution to unstable, Change date and time | Jörg Frings-Fürst | |
2020-05-02 | d/copyright: Add year 2020 to Bernhard Schmidt | Jörg Frings-Fürst | |
2020-05-02 | Add hint to reboot if openvpn is running; Add new chapter into debian/NEWS | Jörg Frings-Fürst | |
2020-05-02 | d/postinst: Remove now useless code for version less than 2.3.2-6 | Jörg Frings-Fürst | |
2020-05-02 | Remove restart from debian/postinst; Migrate to debhelper 13 | Jörg Frings-Fürst | |
2020-05-02 | Fix the bug (Device or resource busy) that occurs during the update | Jörg Frings-Fürst | |
2020-04-21 | Update changelog [debian/2.4.9-2] | Bernhard Schmidt | |
2020-04-21 | Changelog for 2.4.9-2 | Bernhard Schmidt | |
2020-04-21 | Enable Salsa CI | Bernhard Schmidt | |
2020-04-21 | Use DEB_HOST_MULTIARCH for libraries | Bernhard Schmidt | |
Closes: #958315 | |||
2020-04-21 | Cherry-Pick upstream patch to fix ssl_do_config error with invalid OpenSSL system configuration | Bernhard Schmidt | |
Closes: #958296 | |||
2020-04-19 | Changelog for 2.4.9-1 [debian/2.4.9-1] | Bernhard Schmidt | |
2020-04-19 | Fix spelling error | Bernhard Schmidt | |
2020-04-14 | d/control: Add Rules-Requires-Root: No | Jörg Frings-Fürst | |
2020-04-14 | Add symlinks for plugins into /usr/lib/openvpn/; Switch to debhelper-compat; Refresh d/copyright | Jörg Frings-Fürst | |
2020-04-13 | Declare compliance with Debian Policy 4.5.0 | Jörg Frings-Fürst | |
2020-04-13 | Add libp11-kit-dev to Build-Depends | Jörg Frings-Fürst | |
2020-04-10 | Refresh d/p/openvpn-pkcs11warn.patch: Remove d/p/fix-pkcs11-helper-hang.patch | Jörg Frings-Fürst | |
2019-02-20 | Changelog for 2.4.7-1 [debian/2.4.7-1] | Bernhard Schmidt | |
2019-02-20 | Merge branch 'sdeziel-guest/openvpn-suggests-openvpn-systemd-resolved' | Bernhard Schmidt | |
2019-02-20 | openvpn@.service: Bump LimitNPROC to 100 | Bernhard Schmidt | |
This generally seems to be the wrong knob to protect against runaway forks (as it does not limit per instance, but per user systemwide), but a general mediation is still under discussion. Meanwhile bump the limit for the Debian unit to 100. Upstream openvpn-client@.service and openvpn-server@.service still use 10. See Bug#861923 for discussion. | |||
2019-02-20 | Avoid hangs when spawning child processes by not setting pkcs11-helper "safe fork mode" (Closes: #772812, #900805, #907452) | Hilko Bengen | |
2019-02-20 | Add CAP_AUDIT_WRITE for auth_pam | Bernhard Schmidt | |
Same change has been done upstream in 2.4.7 Closes: #868806 | |||
2019-02-20 | adjust kfreebsd_support.patch for new upstream version | Bernhard Schmidt | |
2018-11-26 | d/control: suggests openvpn-systemd-resolved | Simon Deziel | |
2018-08-04 | Reverted to justified commit | Jörg Frings-Fürst | |
2018-08-04 | d/openvpn-generator: Use service file from /etc/systemd/system if exists | Jörg Frings-Fürst | |
2018-07-30 | d/changelog: Change date/time [debian/2.4.6-1] | Jörg Frings-Fürst | |
2018-07-30 | Remove essential package coreutils from Suggests | Jörg Frings-Fürst | |
2018-07-30 | d/update-resolv-conf: Add syslog message if used without binary resolvconf | Jörg Frings-Fürst | |
2018-07-30 | New README.source to explain the branching model used | Jörg Frings-Fürst | |