| From: James Y. <ji...@yo...> - 2005-08-24 20:12:52 |
Due to several requests, I've put together a set of isolated patches which fix the individual security issues addressed by OpenVPN 2.0.1, and which can be applied to any major version of OpenVPN going back to 1.3.2. Out of the 4 patches, only CAN-2005-2531 is relevant for the 1.x branch.

These patches will individually apply the specific security fixes released in OpenVPN 2.0.1 to an OpenVPN 2.0 or 1.x tree.

Patches are available in:

http://openvpn.net/patch/2.0.1-security-patches/

-----------------------------------------

openvpn-2.0-sslerrqfix.patch

openvpn-1.6.0-sslerrqfix.patch (also applicable to 1.5.0)

openvpn-1.4.3-sslerrqfix.patch (also applicable to 1.3.2)

* Security Fix -- DoS attack against server when run with "verb 0" and without "tls-auth". If a client connection to the server fails certificate verification, the OpenSSL error queue is not properly flushed, which can result in another unrelated client instance on the server seeing the error and responding to it, resulting in disconnection of the unrelated client (CAN-2005-2531). Affects OpenVPN 1.x and 2.0.

-----------------------------------------

openvpn-2.0-sslerrqfix.patch

* Security Fix -- DoS attack against server by authenticated client. This bug presents a potential DoS attack vector against the server which can only be initiated by a connected and authenticated client. If the client sends a packet which fails to decrypt on the server, the OpenSSL error queue is not properly flushed, which can result in another unrelated client instance on the server seeing the error and responding to it, resulting in disconnection of the unrelated client (CAN-2005-2532). Affects OpenVPN 2.0 only, 1.x is unaffected.

-----------------------------------------

openvpn-2.0-iroutequota.patch

* Security Fix -- DoS attack against server by authenticated client. A malicious client in "dev tap" ethernet bridging mode could theoretically flood the server with packets appearing to come from hundreds of thousands of different MAC addresses, causing the OpenVPN process to deplete system virtual memory as it expands its internal routing table. A --max-routes-per-client directive has been added (default=256) to limit the maximum number of routes in OpenVPN's internal routing table which can be associated with a given client (CAN-2005-2533). Affects OpenVPN 2.0 only, 1.x is unaffected.

-----------------------------------------

openvpn-2.0-assert-mtcp411.patch

* Security Fix -- DoS attack against server by authenticated client. If two or more client machines try to connect to the server at the same time via TCP, using the same client certificate, and when --duplicate-cn is not enabled on the server, a race condition can crash the server with "Assertion failed at mtcp.c:411" (CAN-2005-2534). Affects OpenVPN 2.0 only, 1.x is unaffected.

-----------------------------------------

James
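
The per-client cap described for CAN-2005-2533, as an added example that is not OpenVPN's code and not part of the original message: a toy MAC-learning table that charges every learned address to the client it came from and refuses new entries once that client holds 256. The table layout, `learn_mac`, `flood` and the constructed addresses are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ROUTES_PER_CLIENT 256  /* default value given in the advisory */
#define TABLE_SLOTS 4096           /* assumption: fixed-size demo table */
#define MAX_CLIENTS 8              /* assumption: demo client count */
struct route { uint8_t mac[6]; int client; int used; };
static struct route table[TABLE_SLOTS];
static int n_routes[MAX_CLIENTS];  /* addresses charged to each client */

static unsigned slot_of(const uint8_t mac[6]) {
    unsigned h = 2166136261u;      /* FNV-1a over the six address bytes */
    for (int i = 0; i < 6; i++) { h ^= mac[i]; h *= 16777619u; }
    return h % TABLE_SLOTS;
}

/* Returns 1 if `mac` is in the table afterwards, 0 if it was refused. */
int learn_mac(int client, const uint8_t mac[6]) {
    if (client < 0 || client >= MAX_CLIENTS) return 0;
    unsigned s = slot_of(mac);
    for (unsigned p = 0; p < TABLE_SLOTS; p++) {
        struct route *r = &table[(s + p) % TABLE_SLOTS];
        if (r->used && memcmp(r->mac, mac, 6) == 0) return 1; /* known */
        if (!r->used) {
            /* Quota reached: drop the address instead of growing. */
            if (n_routes[client] >= MAX_ROUTES_PER_CLIENT) return 0;
            memcpy(r->mac, mac, 6);
            r->client = client; r->used = 1;
            n_routes[client]++;
            return 1;
        }
    }
    return 0;                      /* table full */
}

/* Offers `count` distinct constructed addresses from one client and
 * returns how many of them are in the table afterwards. */
int flood(int client, uint32_t count) {
    int accepted = 0;
    for (uint32_t i = 0; i < count; i++) {
        uint8_t mac[6] = { 0x02, (uint8_t)client };
        for (int b = 0; b < 4; b++) mac[2 + b] = (uint8_t)(i >> (8 * (3 - b)));
        accepted += learn_mac(client, mac);
    }
    return accepted;
}

int main(void) {
    printf("accepted: %d of 300000, %d of 10\n", flood(1, 300000), flood(2, 10));
    return 0;
}
```

Memory use is bounded by the number of clients times the cap, however many source addresses one client presents, and a second client's entries are unaffected.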
| From: dehua z. <deh...@sj...> - 2005-08-24 11:59:51 |
| From: James Y. <ji...@yo...> - 2005-08-24 09:40:12 |
On Wed, 17 Aug 2005, Johnny C. Lam wrote:

> On Wed, Aug 17, 2005 at 06:52:50AM -0600, James Yonan wrote:
> > On Tue, 16 Aug 2005, Johnny Lam wrote:
> >
> > > James Yonan wrote:
> > > >
> > > > * Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
> > >
> > > I am maintaining OpenVPN in the NetBSD Packages Collection and was in
> > > the process of updating our package to 2.0.1 when I noticed that the
> > > pkitool script uses bash. If I provide them, will patches be accepted
> > > into the OpenVPN sources to use Bourne shell syntax instead so as to
> > > relax the requirement on bash?
> >
> > Yes, that's probably okay. Hopefully we can get bash/sh portability
> > without complexifying the code too much.
>
> I've attached a patch that does the following things:
>
> (1) Bourne shell fix: function foo {...} -> foo() {...}
>
> (2) Bourne shell fix: avoid use of bash's substring selection
> ${foo:M:N} by replacing with an equivalent options-processing
> loop.
>
> (3) Solaris /bin/sh fix: don't set and export in one command;
> rather, export all the variables after setting them.
>
> (4) Solaris /bin/sh fix: "if ! cmd ; then ... fi" isn't understood,
> so change it to "if cmd; then :; else ... fi".
>
> (5) Don't require GNU grep -- -E isn't needed since we're matching
> a basic RE, and -q can be avoided by attaching stdout to
> /dev/null.
>
> (6) Use GREP and OPENSSL variables instead of "grep" and "openssl"
> so that it's easier to hard-code the full paths to the two
> utilities in the pkitool script by setting them at the top of
> the script.
>
> I've tested this script on both NetBSD 2.0.2 and Solaris 8.

Thanks, I've merged your patch with 2.0.2-rc1.

James