From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: CVE issue flagged in OpenVPN
Date: Mon, 08 Nov 2021 14:59:24 +0100
Message-ID: <c6bfdb33-9284-f8e0-4f38-18a0d3a3a5c6@ipfire.org>
Hallo all,
I had thought, from checks I had made, that there were no security related issues with OpenVPN after the release of 2.5.0 that is currently in IPFire.
However it has been highlighted in the forum that there is CVE-2020-15078. I have had a look at this and very specific conditions have to be in place for this to be feasible.
So I believe that for the majority of IPFire users this will not be an issue but it could occur if someone is also using one of the OpenVPN plug-ins that are highlighted in the wiki and is also using "--auth-gen-token" or a user-specific token auth solution.
While the above is unlikely, it is not impossible. A fix for this CVE was put into 2.5.2.
I have looked through this release and 2.5.1 to see if there are any changes that might cause a problem for people using earlier features. I don't believe so from first glance but I am not 100% sure. I would want to very thoroughly test it to be sure there would be no unexpected impact.
Therefore what I am doing is an update that leaves the 2.5.0 source file being used but where I will apply the patches from the commits in 2.5.2 that fix this CVE.
This will give us a quick fix to the CVE in IPFire so even any small chance is closed and then I will look more closely at the later/latest versions and build them and test them to see if I can find any issue, similarly to how Erik and I tested out that 2.5.0 would not break anything. This way we can take time to make sure everything is really working as expected.
If there is any disagreement to my outlined approach above, please let me know.
PS:- I have also found why I missed the existence of the CVE. I was only reading the headlines of the changes from 2.4 to 2.5.4 and the CVEs were only mentioned in the detailed change notes from the involved versions. I know better now how to keep a correct eye on the changes.
Regards,
Adolf.