From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adolf Belka
To: development@lists.ipfire.org
Subject: CVE issue flagged in OpenVPN
Date: Mon, 08 Nov 2021 14:59:24 +0100

Hallo all,

I had thought, from checks I had made, that there were no security-related issues with OpenVPN after the release of 2.5.0 that is currently in IPFire.

However, it has been highlighted in the forum that there is CVE-2020-15078. I have had a look at this and very specific conditions have to be in place for this to be feasible.

So I believe that for the majority of IPFire users this will not be an issue, but it could occur if someone is also using one of the OpenVPN plug-ins that are highlighted in the wiki and is also using "--auth-gen-token" or a user-specific token auth solution.

While the above is unlikely, it is not impossible. A fix for this CVE was put into 2.5.2.

I have looked through this release and 2.5.1 to see if there are any changes that might cause a problem for people using earlier features. I don't believe so from first glance, but I am not 100% sure. I would want to very thoroughly test it to be sure there would be no unexpected impact.

Therefore, what I am doing is an update that leaves the 2.5.0 source file being used but where I will apply the patches from the commits in 2.5.2 that fix this CVE.

This will give us a quick fix to the CVE in IPFire so even any small chance is closed, and then I will look more closely at the later/latest versions and build them and test them to see if I can find any issue, similarly to how Erik and I tested out that 2.5.0 would not break anything. This way we can take time to make sure everything is really working as expected.

If there is any disagreement with my outlined approach above, please let me know.

PS:- I have also found why I missed the existence of the CVE. I was only reading the headlines of the changes from 2.4 to 2.5.4 and the CVEs were only mentioned in the detailed change notes from the involved versions. I know better now how to keep a correct eye on the changes.

Regards,

Adolf.