projects / feed / packages.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5ffdf33)
openvpn: update to 2.6.8
authorIvan Pavlov <AuthorReflex@gmail.com>
Mon, 13 Nov 2023 09:26:27 +0000 (12:26 +0300)
committerRosen Penev <rosenp@gmail.com>
Sun, 19 Nov 2023 20:24:11 +0000 (12:24 -0800)
This is a bugfix release containing security fixes.

Security Fixes (included in 2.6.7):

CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer
after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer.
All configurations using TLS (e.g. not using --secret) are affected by this issue.

CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore --fragment configuration
in some circumstances, leading to a division by zero when --fragment is used.
On platforms where division by zero is fatal, this will cause an OpenVPN crash.

For details refer to https://github.com/OpenVPN/openvpn/blob/v2.6.8/Changes.rst

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
net/openvpn/Makefile patch | blob | history
net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch patch | blob | history
net/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch patch | blob | history
net/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch patch | blob | history
net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch patch | blob | history

diff --git a/net/openvpn/Makefile b/net/openvpn/Makefile
index 8f79f2b10b861c797a608c686b0772c1250c6c24..903af60d23b18a040c5094020497a03313c6b8a8 100644 (file)
--- a/net/openvpn/Makefile
+++ b/net/openvpn/Makefile
@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
 
-PKG_VERSION:=2.6.6
+PKG_VERSION:=2.6.8
 PKG_RELEASE:=1
 
 PKG_SOURCE_URL:=\
        https://build.openvpn.net/downloads/releases/ \
        https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_HASH:=3b074f392818b31aa529b84f76e8b5e4ad03fca764924f46d906bceaaf421034
+PKG_HASH:=5ede1565c8a6d880100f7f235317a7ee9eea83d5052db5547f13a9e76af7805d
 
 PKG_MAINTAINER:=Magnus Kroken <mkroken@gmail.com>
 
diff --git a/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch b/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
index c54277006d067044bba9d131ffb8dcc9f839664a..6ac30df594743d1db6d2793830c70c0c91bb0835 100644 (file)
--- a/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
+++ b/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/ssl_mbedtls.c
 +++ b/src/openvpn/ssl_mbedtls.c
-@@ -1535,7 +1535,7 @@ const char *
+@@ -1533,7 +1533,7 @@ const char *
  get_ssl_library_version(void)
  {
      static char mbedtls_version[30];
diff --git a/net/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch b/net/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch
index 0a45ea49e535a000bab28e2f611f4de8402ba46b..e5b103bc59d460ec76e7210d02f6e2c04dc4501d 100644 (file)
--- a/net/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch
+++ b/net/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/crypto_openssl.c
 +++ b/src/openvpn/crypto_openssl.c
-@@ -51,7 +51,7 @@
+@@ -49,7 +49,7 @@
  #include <openssl/rand.h>
  #include <openssl/ssl.h>
  
@@ -9,8 +9,8 @@
  #include <openssl/kdf.h>
  #endif
  #if OPENSSL_VERSION_NUMBER >= 0x30000000L
-@@ -1436,7 +1436,7 @@ engine_load_key(const char *file, SSL_CT
- #endif /* if HAVE_OPENSSL_ENGINE */
+@@ -1374,7 +1374,7 @@ memcmp_constant_time(const void *a, cons
+     return CRYPTO_memcmp(a, b, size);
  }
  
 -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
diff --git a/net/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch b/net/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch
index f0e7361f2565b27285cd669a90bc1b19bcd5ce11..50834b3bb77c0e59078b0622631534041f8630b2 100644 (file)
--- a/net/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch
+++ b/net/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/ssl_openssl.c
 +++ b/src/openvpn/ssl_openssl.c
-@@ -1351,7 +1351,7 @@ err:
+@@ -1347,7 +1347,7 @@ err:
      return 0;
  }
  
@@ -9,7 +9,7 @@
  
  /* called when EC_KEY is destroyed */
  static void
-@@ -1512,7 +1512,7 @@ tls_ctx_use_management_external_key(stru
+@@ -1508,7 +1508,7 @@ tls_ctx_use_management_external_key(stru
              goto cleanup;
          }
      }
diff --git a/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch b/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch
index 30e1822a1ce2a2e583cea60a2c83a9c477753592..690521ee649d73219a70bbd05a11c4797b62fe39 100644 (file)
--- a/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch
+++ b/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/ssl_verify_openssl.c
 +++ b/src/openvpn/ssl_verify_openssl.c
-@@ -269,6 +269,9 @@ backend_x509_get_username(char *common_n
+@@ -267,6 +267,9 @@ backend_x509_get_username(char *common_n
              return FAILURE;
          }
      }
Mirror of packages feed