Bug 10694 - OpenVPN update to 2.3.6 fixes critical denial of service vulnerability
Status: CLOSED FIXED
Product: IPFire
Classification: Unclassified
Component: openvpn
Version: 2
Hardware: all Linux
Importance: - Unknown - Major Usability
Assignee: Michael Tremer
 
Reported: 2014-12-02 10:15 UTC by Erik Kapfer
Modified: 2015-11-01 01:38 UTC

Description Erik Kapfer 2014-12-02 10:15:37 UTC
OpenVPN offers a new version 2.3.6 which fixes a critical denial of service vulnerability. The official announcement is located here --> https://forums.openvpn.net/topic17625.html .

Since IPFire's OpenVPN version is currently 2.3.4, this update also includes the 2.3.5 update; the changelog can be viewed here --> https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.5 .

Greetings,

UE
Comment 1 Erik Kapfer 2014-12-02 10:28:08 UTC
The commit is located here --> http://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=7c7042c938b9f6c8f646a568110d46e87349ff84 .

Greetings,

Erik
Comment 2 Michael Tremer 2014-12-02 15:36:01 UTC
Thanks.

I merged that and added the rootfile to include this patch in the next update.
Comment 3 Erik Kapfer 2014-12-02 16:43:07 UTC
Hi Michael,
Great.

I am currently testing the new 2.3.6 version in a WLAN environment

[root@ipfire ~]# openvpn --version
OpenVPN 2.3.6 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec  1 2014
library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

until now without problems.

I used the old OpenVPN ROOTFILE, that's why I didn't add it to the commit; the only change I made was in the committed LFS file.

I used the *.xz version from here --> https://openvpn.net/index.php/open-source/downloads.html

Greetings,

Erik
Comment 4 Michael Tremer 2015-11-01 01:38:54 UTC
This was shipped ages ago.