Update to 2.5.8
This commit is contained in:
starlet-dx
parent
3ce8fbda20
commit
8cfc33ef0f
@ -1,98 +0,0 @@
|
|||||||
From af3e382649d96ae77cc5e42be8270f355e5cfec5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: David Sommerseth <davids@openvpn.net>
|
|
||||||
Date: Sun, 13 Mar 2022 20:31:53 +0100
|
|
||||||
Subject: [PATCH] plug-ins: Disallow multiple deferred authentication plug-ins
|
|
||||||
|
|
||||||
The plug-in API in OpenVPN 2.x is not designed for running multiple
|
|
||||||
deferred authentication processes in parallel. The authentication
|
|
||||||
results of such configurations are not to be trusted. For now we bail
|
|
||||||
out when this is discovered with an error in the log.
|
|
||||||
|
|
||||||
CVE: 2022-0547
|
|
||||||
Signed-off-by: David Sommerseth <davids@openvpn.net>
|
|
||||||
|
|
||||||
Acked-by: Antonio Quartulli <antonio@openvpn.net>
|
|
||||||
Message-Id: <20220313193154.9350-3-openvpn@sf.lists.topphemmelig.net>
|
|
||||||
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23931.html
|
|
||||||
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
||||||
(cherry picked from commit 282ddbac54f8d4923844f69983b38dd2b813a00a)
|
|
||||||
---
|
|
||||||
doc/man-sections/plugin-options.rst | 9 ++++++++
|
|
||||||
src/openvpn/plugin.c | 33 ++++++++++++++++++++++++++---
|
|
||||||
2 files changed, 39 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/doc/man-sections/plugin-options.rst b/doc/man-sections/plugin-options.rst
|
|
||||||
index 51c574fe6..9266429ea 100644
|
|
||||||
--- a/doc/man-sections/plugin-options.rst
|
|
||||||
+++ b/doc/man-sections/plugin-options.rst
|
|
||||||
@@ -55,3 +55,12 @@ plug-ins must be prebuilt and adhere to the OpenVPN Plug-In API.
|
|
||||||
(such as tls-verify, auth-user-pass-verify, or client-connect), then
|
|
||||||
every module and script must return success (:code:`0`) in order for the
|
|
||||||
connection to be authenticated.
|
|
||||||
+
|
|
||||||
+ **WARNING**:
|
|
||||||
+ Plug-ins may do deferred execution, meaning the plug-in will
|
|
||||||
+ return the control back to the main OpenVPN process and provide
|
|
||||||
+ the plug-in result later on via a different thread or process.
|
|
||||||
+ OpenVPN does **NOT** support multiple authentication plug-ins
|
|
||||||
+ **where more than one plugin** tries to do deferred authentication.
|
|
||||||
+ If this behaviour is detected, OpenVPN will shut down upon first
|
|
||||||
+ authentication.
|
|
||||||
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
|
|
||||||
index e8f8830d0..ed5d7c067 100644
|
|
||||||
--- a/src/openvpn/plugin.c
|
|
||||||
+++ b/src/openvpn/plugin.c
|
|
||||||
@@ -806,7 +806,7 @@ plugin_call_ssl(const struct plugin_list *pl,
|
|
||||||
const int n = plugin_n(pl);
|
|
||||||
bool success = false;
|
|
||||||
bool error = false;
|
|
||||||
- bool deferred = false;
|
|
||||||
+ bool deferred_auth_done = false;
|
|
||||||
|
|
||||||
setenv_del(es, "script_type");
|
|
||||||
envp = make_env_array(es, false, &gc);
|
|
||||||
@@ -829,7 +829,34 @@ plugin_call_ssl(const struct plugin_list *pl,
|
|
||||||
break;
|
|
||||||
|
|
||||||
case OPENVPN_PLUGIN_FUNC_DEFERRED:
|
|
||||||
- deferred = true;
|
|
||||||
+ if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
|
|
||||||
+ && deferred_auth_done)
|
|
||||||
+ {
|
|
||||||
+ /*
|
|
||||||
+ * Do not allow deferred auth if a deferred auth has
|
|
||||||
+ * already been started. This should allow a single
|
|
||||||
+ * deferred auth call to happen, with one or more
|
|
||||||
+ * auth calls with an instant authentication result.
|
|
||||||
+ *
|
|
||||||
+ * The plug-in API is not designed for multiple
|
|
||||||
+ * deferred authentications to happen, as the
|
|
||||||
+ * auth_control_file file will be shared across all
|
|
||||||
+ * the plug-ins.
|
|
||||||
+ *
|
|
||||||
+ * Since this is considered a critical configuration
|
|
||||||
+ * error, we bail out and exit the OpenVPN process.
|
|
||||||
+ */
|
|
||||||
+ error = true;
|
|
||||||
+ msg(M_FATAL,
|
|
||||||
+ "Exiting due to multiple authentication plug-ins "
|
|
||||||
+ "performing deferred authentication. Only one "
|
|
||||||
+ "authentication plug-in doing deferred auth is "
|
|
||||||
+ "allowed. Ignoring the result and stopping now, "
|
|
||||||
+ "the current authentication result is not to be "
|
|
||||||
+ "trusted.");
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ deferred_auth_done = true;
|
|
||||||
break;
|
|
||||||
|
|
||||||
default:
|
|
||||||
@@ -853,7 +880,7 @@ plugin_call_ssl(const struct plugin_list *pl,
|
|
||||||
{
|
|
||||||
return OPENVPN_PLUGIN_FUNC_ERROR;
|
|
||||||
}
|
|
||||||
- else if (deferred)
|
|
||||||
+ else if (deferred_auth_done)
|
|
||||||
{
|
|
||||||
return OPENVPN_PLUGIN_FUNC_DEFERRED;
|
|
||||||
}
|
|
||||||
9
openvpn-2.4-change-tmpfiles-permissions.patch
Normal file
9
openvpn-2.4-change-tmpfiles-permissions.patch
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
diff --git a/distro/systemd/tmpfiles-openvpn.conf b/distro/systemd/tmpfiles-openvpn.conf
|
||||||
|
index bb79671e..9258f5c6 100644
|
||||||
|
--- a/distro/systemd/tmpfiles-openvpn.conf
|
||||||
|
+++ b/distro/systemd/tmpfiles-openvpn.conf
|
||||||
|
@@ -1,2 +1,2 @@
|
||||||
|
-d /run/openvpn-client 0710 root root -
|
||||||
|
-d /run/openvpn-server 0710 root root -
|
||||||
|
+d /run/openvpn-client 0750 root openvpn -
|
||||||
|
+d /run/openvpn-server 0750 root openvpn -
|
||||||
Binary file not shown.
BIN
openvpn-2.5.8.tar.xz
Normal file
BIN
openvpn-2.5.8.tar.xz
Normal file
Binary file not shown.
15
openvpn.spec
15
openvpn.spec
@ -1,14 +1,14 @@
|
|||||||
Name: openvpn
|
Name: openvpn
|
||||||
Version: 2.5.5
|
Version: 2.5.8
|
||||||
Release: 2
|
Release: 1
|
||||||
Summary: A full-featured open source SSL VPN solution
|
Summary: A full-featured open source SSL VPN solution
|
||||||
License: GPL-2.0-or-later and OpenSSL and SSLeay
|
License: GPL-2.0-or-later and OpenSSL and SSLeay
|
||||||
URL: https://community.openvpn.net/openvpn
|
URL: https://community.openvpn.net/openvpn
|
||||||
Source0: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
|
Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.xz
|
||||||
# https://github.com/OpenVPN/openvpn/commit/af3e382
|
Patch0: openvpn-2.4-change-tmpfiles-permissions.patch
|
||||||
Patch0: CVE-2022-0547.patch
|
|
||||||
BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc
|
BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc
|
||||||
BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11
|
BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11
|
||||||
|
BuildRequires: libselinux-devel
|
||||||
|
|
||||||
Requires: iproute
|
Requires: iproute
|
||||||
Requires(pre): /usr/sbin/useradd
|
Requires(pre): /usr/sbin/useradd
|
||||||
@ -123,6 +123,9 @@ fi
|
|||||||
%{_mandir}/man5/openvpn-examples.5.gz
|
%{_mandir}/man5/openvpn-examples.5.gz
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Feb 02 2023 yaoxin <yaoxin30@h-partners.com> - 2.5.8-1
|
||||||
|
- Update to 2.5.8
|
||||||
|
|
||||||
* Wed Mar 30 2022 wangkai <wangkai385@huawei.com> - 2.5.5-2
|
* Wed Mar 30 2022 wangkai <wangkai385@huawei.com> - 2.5.5-2
|
||||||
- Fix CVE-2022-0547
|
- Fix CVE-2022-0547
|
||||||
|
|
||||||
@ -138,7 +141,7 @@ fi
|
|||||||
* Thu Feb 04 2021 wangyue <wangyue92@huawei.com> 2.4.8-4
|
* Thu Feb 04 2021 wangyue <wangyue92@huawei.com> 2.4.8-4
|
||||||
- fix CVE-2020-11810
|
- fix CVE-2020-11810
|
||||||
|
|
||||||
* Tue Mar 16 2020 daiqianwen <daiqianwen@huawei.com> 2.4.8-3
|
* Mon Mar 16 2020 daiqianwen <daiqianwen@huawei.com> 2.4.8-3
|
||||||
- modify systemd post preun postun
|
- modify systemd post preun postun
|
||||||
|
|
||||||
* Mon Nov 11 2019 guanyalong <guanyalong@huawei.com> 2.4.8-2
|
* Mon Nov 11 2019 guanyalong <guanyalong@huawei.com> 2.4.8-2
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user