public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] openvpn: Update to version 2.5.4
Date: Wed, 10 Nov 2021 14:59:39 +0000	[thread overview]
Message-ID: <76E940BC-BD70-4E5B-A5EE-3221759C53BE@ipfire.org> (raw)
In-Reply-To: <20211110110929.2489-1-adolf.belka@ipfire.org>


Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 10 Nov 2021, at 11:09, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
> 
> - Update from 2.5.0 to 2.5.4
> - Update rootfile
> - Tested new version in vm testbed. Openvpn server successfully started.
>   Client connections working with 2.5.0 also successfully worked with 2.5.4
> - Changelog
>   Overview of changes in 2.5.4
>    Bugfixes
>     - fix prompting for password on windows console if stderr redirection
>       is in use - this breaks 2.5.x on Win11/ARM, and might also break
>       on Win11/adm64 when released.
>     - fix setting MAC address on TAP adapters (--lladdr) to use sitnl
>       (was overlooked, and still used "ifconfig" calls)
>     - various improvements for man page building (rst2man/rst2html etc)
>     - minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on
>       at least one platform strictly checking this)
>     - fix minor memory leak under certain conditions in add_route() and
>       add_route_ipv6()
>    User-visible Changes
>     - documentation improvements
>     - copyright updates where needed
>     - better error reporting when win32 console access fails
>    New features
>     - also build man page on Windows builds
>   Overview of changes in 2.5.3
>    Bugfixes
>     - CVE-2121-3606
>       see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
>       OpenVPN windows builds could possibly load OpenSSL Config files from
>       world writeable locations, thus posing a security risk to OpenVPN.
>       As a fix, disable OpenSSL config loading completely on Windows.
>     - disable connect-retry backoff for p2p (--secret) instances
>       (Trac #1010, #1384)
>     - fix build with mbedtls w/o SSL renegotiation support
>     - Fix SIGSEGV (NULL deref) receiving push "echo" (Trac #1409)
>     - MSI installers: properly schedule reboot in the end of installation
>     - fix small memory leak in free_key_ctx for auth_token
>    User-visible Changes
>     - update copyright messages in files and --version output
>    New features
>     - add --auth-token-user option (for --auth-token deployments without
>       --auth-user-pass in client config)
>     - improve MSVC building for Windows
>     - official MSI installers will now contain arm64 drivers and binaries
>       (x86, amd64, arm64)
>   Overview of changes in 2.5.2
>    Bugfixes
>     - CVE-2020-15078
>       see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
>       This bug allows - under very specific circumstances - to trick a
>       server using delayed authentication (plugin or management) into
>       returning a PUSH_REPLY before the AUTH_FAILED message, which can
>       possibly be used to gather information about a VPN setup.
>       In combination with "--auth-gen-token" or a user-specific token auth
>       solution it can be possible to get access to a VPN with an
>       otherwise-invalid account.
>     - restore pushed "ping" settings correctly on a SIGUSR1 restart
>     - avoid generating unnecessary mbed debug messages - this is actually
>       a workaround for an mbedTLS 2.25 bug when using Curve25519 and Curve448
>       ED curves - mbedTLS crashes on preparing debug infos that we do not
>       actually need unless running with "--verb 8"
>     - do not print inlined (<dh>...</dh>) Diffie Hellman parameters to log file
>     - fix Linux/SITNL default route lookup in case of multiple routing tables
>       with more than one default route present (always use "main table" for now)
>     - Fix CRL file handling in combination with chroot
>    User-visible Changes
>     - OpenVPN will now refuse to start if CRL file is not present at startup
>       time.  At "reload time" absence of the CRL file is still OK (and the
>       in memory copy is used) but at startup it is now considered an error.
>    New features
>     - printing of the TLS ciphers negotiated has been extended, especially
>       displaying TLS 1.3 and EC certificates more correctly.
>   Overview of changes in 2.5.1
>    New features
>     - "echo msg" support, to enable the server to push messages that are
>       then displayed by the client-side GUI.  See doc/gui-notes.txt and
>       doc/management-notes.txt.
>       Supported by the Windows GUI shipped in 2.5.1, not yet supported by
>       Tunnelblick and the Android GUI.
>    User-visible Changes
>     - make OPENVPN_PLUGIN_ENABLE_PF plugin failures FATAL - if a plugin offers
>       to set the "openvpn packet filter", and returns a failure when requested
>       to, OpenVPN 2.5.0 would crash trying to clean up not-yet-initialized
>       structure members.  Since PF is going away in 2.6.0, this is just turning
>       the crash into a well-defined program abort, and no further effort has
>       been spent in rewriting the PF plugin error handling (see trac #1377).
>    Documentation
>     - rework sample-plugins/defer/simple.c - this is an extensive rewrite
>       of the plugin to bring code quality to acceptable standards and add
>       documentation on the various plugin API aspects.  Since it's just
>       example code, filed under "Documentation", not under "Bugfix".
>     - various man page improvements.
>     - clarify ``--block-ipv6`` intent and direction
>    Bugfixes
>     - fix installation of openvpn.8 manpage on systems without docutils.
>     - Windows: fix DNS search list setup for domains with "-" chars.
>     - Fix tls-auth mismatch OCC message when tls-cryptv2 is used.
>     - Windows: Skip DHCP renew with Wintun adapter (Wintun does not support
>       DHCP, so this was just causing an - harmless - error and needless delay).
>     - Windows: Remove 1 second delay before running netsh - speeds up
>       interface init for wintun setups not using the interactive service.
>     - Windows: Fix too early argv freeing when registering DNS - this would
>       cause a client side crash on Windows if ``register-dns`` is used,
>       and the interactive service is not used.
>     - Android: Zero initialise msghdr prior to calling sendmesg.
>     - Fix line number reporting on config file errors after <inline> segments
>       (see Trac #1325).
>     - Fix port-share option with TLS-Crypt v2.
>     - tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key), otherwise
>       dropping privs on the server would fail.
>     - tls-crypt-v2: fix server memory leak (about 600 bytes per connecting
>       client with tls-crypt-v2)
>     - rework handling of server-pushed ``--auth-token`` in combination with
>       ``--auth-nocache`` on reconnection / TLS renegotiation events.  This
>       used to "forget" to update new incoming token after a reconnection event
>       (leading to failure to reauth some time later) and now works in all
>       tested cases.
> 
> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> config/rootfiles/common/openvpn | 5 +++++
> lfs/openvpn                     | 4 ++--
> 2 files changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
> index 41ccc885e..6c3457d01 100644
> --- a/config/rootfiles/common/openvpn
> +++ b/config/rootfiles/common/openvpn
> @@ -18,7 +18,12 @@ usr/sbin/openvpn
> #usr/share/doc/openvpn/README.auth-pam
> #usr/share/doc/openvpn/README.down-root
> #usr/share/doc/openvpn/README.mbedtls
> +#usr/share/doc/openvpn/gui-notes.txt
> #usr/share/doc/openvpn/management-notes.txt
> +#usr/share/doc/openvpn/openvpn-examples.5.html
> +#usr/share/doc/openvpn/openvpn.8.html
> +#usr/share/man/man5/openvpn-examples.5
> +#usr/share/man/man8/openvpn.8
> var/ipfire/ovpn/ca
> var/ipfire/ovpn/caconfig
> var/ipfire/ovpn/ccd
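Review bot: the five new entries in this hunk are all added with a leading `#`, so the HTML and man page copies (`openvpn.8`, `openvpn-examples.5` and the `gui-notes.txt` that 2.5.1 introduced) are listed but excluded from the installed image, matching how the neighbouring `README.*` and `management-notes.txt` entries are already handled; that is consistent and keeps the image small, but it is worth stating in the commit message that the man pages are deliberately not shipped, since the changelog above highlights "also build man page on Windows builds" and a reader may otherwise assume the new man5/man8 files were meant to be installed.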
> diff --git a/lfs/openvpn b/lfs/openvpn
> index 81ccc52bf..82e819bfe 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -24,7 +24,7 @@
> 
> include Config
> 
> -VER        = 2.5.0
> +VER        = 2.5.4
> 
> THISAPP    = openvpn-$(VER)
> DL_FILE    = $(THISAPP).tar.xz
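Review bot: the bump from `VER = 2.5.0` to `VER = 2.5.4` pulls in the 2.5.2 behaviour change quoted above ("OpenVPN will now refuse to start if CRL file is not present at startup time"), which is the one item in this changelog that can turn a previously working IPFire configuration into a non-starting service; the Tested-by note covers a server start and existing client connections, so it would be good to record in the commit message that the test setup had a CRL configured (or not) so that this regression risk is visibly covered rather than implied.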
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
> 
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> 
> -$(DL_FILE)_MD5 = ba426e2217833b522810d6c06f7cc8f7
> +$(DL_FILE)_MD5 = 336be3b2388cdc65dd8c81f22b1c2836
> 
> install : $(TARGET)
> 
> -- 
> 2.33.1
> 


Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-10 11:09 Adolf Belka
2021-11-10 14:59 ` Michael Tremer [this message]
2021-11-17 20:12 ` Peter Müller