From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: CVE issue flagged in OpenVPN
Date: Mon, 08 Nov 2021 16:25:38 +0000

Hello Adolf,

Thank you for raising this.

> On 8 Nov 2021, at 13:59, Adolf Belka wrote:
>
> Hello all,
>
> I had thought, from checks I had made, that there were no security-related issues with OpenVPN after the release of 2.5.0 that is currently in IPFire.
>
> However it has been highlighted in the forum that there is CVE-2020-15078. I have had a look at this and very specific conditions have to be in place for this to be feasible.

IPFire systems should not be vulnerable in any configuration because we do not use the affected feature. However, we should of course still upgrade to a fixed version.

> So I believe that for the majority of IPFire users this will not be an issue but it could occur if someone is also using one of the OpenVPN plug-ins that are highlighted in the wiki and is also using "--auth-gen-token" or a user-specific token auth solution.
>
> While the above is unlikely it is not impossible. A fix for this CVE was put into 2.5.2.
>
> I have looked through this release and 2.5.1 to see if there are any changes that might cause a problem for people using earlier features. I don't believe so from first glance but I am not 100% sure. I would want to very thoroughly test it to be sure there would be no unexpected impact.
>
> Therefore what I am doing is an update that leaves the 2.5.0 source file being used but where I will apply the patches from the commits in 2.5.2 that fix this CVE.

We could in theory cherry-pick just the fix for the vulnerability, but on the other hand I do not see anything that has DEPRECATION WARNING in big letters.

Also 2.5.4 is out already: https://github.com/OpenVPN/openvpn/releases/tag/v2.5.4

> This will give us a quick fix to the CVE in IPFire so even any small chance is closed and then I will look more closely at the later/latest versions and build them and test them to see if I can find any issue, similarly to how Erik and I tested out that 2.5.0 would not break anything. This way we can take time to make sure everything is really working as expected.
>
>
> If there is any disagreement to my outlined approach above, please let me know.
>
> PS:- I have also found why I missed the existence of the CVE. I was only reading the headlines of the changes from 2.4 to 2.5.4 and the CVEs were only mentioned in the detailed change notes from the involved versions. I know better now how to keep a correct eye on the changes.

Usually this should be at least referred to at the top (“Includes security fixes”), or there should be a separate security advisory.

I would suggest trying to upgrade to 2.5.4 and see whether that introduces any new regressions. The minor versions should not introduce any change in behaviour.

However, we are facing a lot of change with 2.6: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

Best,
-Michael

>
> Regards,
>
> Adolf.
>