Bugzilla – Bug 106258
VUL-0: OpenVPN 2.0.1 has been released with important security fixes
Last modified: 2009-10-13 20:54:55 UTC
OpenVPN 2.0.1 has been released with important security fixes. Please investigate and use 2.0.1 ASAP. Thank you very much!
2005.08.16 -- Version 2.0.1 * Security Fix -- DoS attack against server when run with "verb 0" and without "tls-auth". If a client connection to the server fails certificate verification, the OpenSSL error queue is not properly flushed, which can result in another unrelated client instance on the server seeing the error and responding to it, resulting in disconnection of the unrelated client (CAN-2005-2531). * Security Fix -- DoS attack against server by authenticated client. This bug presents a potential DoS attack vector against the server which can only be initiated by a connected and authenticated client. If the client sends a packet which fails to decrypt on the server, the OpenSSL error queue is not properly flushed, which can result in another unrelated client instance on the server seeing the error and responding to it, resulting in disconnection of the unrelated client (CAN-2005-2532). * Security Fix -- DoS attack against server by authenticated client. A malicious client in "dev tap" ethernet bridging mode could theoretically flood the server with packets appearing to come from hundreds of thousands of different MAC addresses, causing the OpenVPN process to deplete system virtual memory as it expands its internal routing table. A --max-routes-per-client directive has been added (default=256) to limit the maximum number of routes in OpenVPN's internal routing table which can be associated with a given client (CAN-2005-2533). * Security Fix -- DoS attack against server by authenticated client. If two or more client machines try to connect to the server at the same time via TCP, using the same client certificate, and when --duplicate-cn is not enabled on the server, a race condition can crash the server with "Assertion failed at mtcp.c:411" (CAN-2005-2534). * Fixed server bug where under certain circumstances, the client instance object deletion function would try to delete iroutes which had never been added in the first place, triggering "Assertion failed at mroute.c:349". * Added --auth-retry option to prevent auth errors from being fatal on the client side, and to permit username/password requeries in case of error. Also controllable via new "auth-retry" management interface command. See man page for more info. * Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0 * Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1' would fail to build. * Implement "make check" to perform loopback tests (Matthias Andree).
Andreas, okay to update for 10.0?
Ok with my - Juergen, ok with you as well?
Ah, package name is 'openvpn', not 'OpenVPN'. It is listed and the update is fully covered. Go ahead.
Good, thanks
Date: Wed, 24 Aug 2005 10:45:32 -0600 (MDT) From: James Yonan <jim@yonan.net> To: "Dr. Peter Poeml" <poeml@suse.de> Subject: Re: backporting openvpn 2.0.1 security fixes for 1.x X-Spam-Status: No, hits=-2.1 tagged_above=-20.0 required=5.0 tests=BAYES_40, MY_LINUX Peter, The security patches in 2.0.1 deal with issues in server mode only. Since 1.x doesn't have a server mode, they aren't really applicable. While I haven't broken out the individual patches for the security fixes, for the most part they are represented by the delta between 2.0.1-rc7 and 2.0.1. I would encourage you, if possible, to upgrade to a full 2.0.1, as the changes from 2.0 to 2.0.1 are very conservative and only represent bug fixes. Having said that, I will keep in mind for the future to try to keep security-related fixes as individual patches. James On Wed, 24 Aug 2005, Dr. Peter Poeml wrote: > James, > > I am maintainer of the OpenVPN package which ships with SUSE Linux. > To provide fixed packages for our users I am struggling to backport the > four recent fixes to 1.3.2, 1.4.2, 1.5.0, 1.6, and 2.0. I have difficulties > to identify the needed changes because the 4 fixes were checked into CVS > as one blob, and also together with other, unrelated changes. > > I have considered a version upgrade (upgrading all those old openvpn > versions to 2.0.1 in the released products), but it is not really > feasible/user-friendly because of the change of the default port and > other bits which require adaptation of the configuration. A connection > would not be functional after an update (even though interoperability > between 2.0 and 1.x seems to be no problem in my limited experience). > > Before I carry on trying to backport the patches, I wanted to ask you > whether you might have something available already? Looking > > Thanks, > Peter > > -- > SUSE LINUX Products GmbH Thought is limitation. > Research & Development Free your mind. >
Date: Wed, 24 Aug 2005 14:12:26 -0600 (MDT) From: James Yonan <jim@yonan.net> To: "Dr. Peter Poeml" <poeml@suse.de> Cc: R P Herrold <herrold@caosity.org>, openvpn-users@lists.sourceforge.net, openvpn-devel@lists.sourceforge.net Subject: OpenVPN 2.0.1 security fixes available as individual & backported patches X-Spam-Status: No, hits=-2.6 tagged_above=-20.0 required=5.0 tests=BAYES_00 Due to several requests, I've put together a set of isolated patches which fix the individual security issues addressed by OpenVPN 2.0.1, and which can be applied to any major version of OpenVPN going back to 1.3.2. Out of the 4 patches, only CAN-2005-2531 is relevant for the 1.x branch. These patches will individually apply the specific security fixes released in OpenVPN 2.0.1 to an OpenVPN 2.0 or 1.x tree. Patches are available in: http://openvpn.net/patch/2.0.1-security-patches/ ----------------------------------------- openvpn-2.0-sslerrqfix.patch openvpn-1.6.0-sslerrqfix.patch (also applicable to 1.5.0) openvpn-1.4.3-sslerrqfix.patch (also applicable to 1.3.2) * Security Fix -- DoS attack against server when run with "verb 0" and without "tls-auth". If a client connection to the server fails certificate verification, the OpenSSL error queue is not properly flushed, which can result in another unrelated client instance on the server seeing the error and responding to it, resulting in disconnection of the unrelated client (CAN-2005-2531). Affects OpenVPN 1.x and 2.0. ----------------------------------------- openvpn-2.0-sslerrqfix.patch * Security Fix -- DoS attack against server by authenticated client. This bug presents a potential DoS attack vector against the server which can only be initiated by a connected and authenticated client. If the client sends a packet which fails to decrypt on the server, the OpenSSL error queue is not properly flushed, which can result in another unrelated client instance on the server seeing the error and responding to it, resulting in disconnection of the unrelated client (CAN-2005-2532). Affects OpenVPN 2.0 only, 1.x is unaffected. ----------------------------------------- openvpn-2.0-iroutequota.patch * Security Fix -- DoS attack against server by authenticated client. A malicious client in "dev tap" ethernet bridging mode could theoretically flood the server with packets appearing to come from hundreds of thousands of different MAC addresses, causing the OpenVPN process to deplete system virtual memory as it expands its internal routing table. A --max-routes-per-client directive has been added (default=256) to limit the maximum number of routes in OpenVPN's internal routing table which can be associated with a given client (CAN-2005-2533). Affects OpenVPN 2.0 only, 1.x is unaffected. ----------------------------------------- openvpn-2.0-assert-mtcp411.patch * Security Fix -- DoS attack against server by authenticated client. If two or more client machines try to connect to the server at the same time via TCP, using the same client certificate, and when --duplicate-cn is not enabled on the server, a race condition can crash the server with "Assertion failed at mtcp.c:411" (CAN-2005-2534). Affects OpenVPN 2.0 only, 1.x is unaffected. ----------------------------------------- James
Don't know if it's possible, but of course for 10.0 I'd prefer to see 2.0.2, just released: Changes since 2.0.1: * Fixed regression bug in Win32 installer, introduced in 2.0.1, which incorrectly set OpenVPN service to autostart. * Don't package source code zip file in Windows installer in order to reduce the size of the installer. The source zip file can always be downloaded separately if needed. * Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD version of get_default_gateway. Allocated socket for route manipulation is never freed so number of mbufs continuously grow and exhaust system resources after a while (Jaroslav Klaus). * Fixed bug where "--proto tcp-server --mode p2p --management host port" would cause the management port to not respond until the OpenVPN peer connects. * Modified pkitool script to be /bin/sh compatible (Johnny Lam).
Only the change * Fixed bug where "--proto tcp-server --mode p2p --management host port" would cause the management port to not respond until the OpenVPN peer connects. sounds relevant for us. Any idea how important this is? If this is just a regular bug fix (for a bug which always existed), there is no point in squeezing it in at this point in time.
Fixed packages for 9.0, 9.1, 9.2 and 9.3 have been submitted to autobuild now. Passing on to security-team now.
Would going to 2.0.2 for 10.0 be that much harder than going with 2.0.1?
SM-Tracker-2159
Jon, what is the Changelog for 2.0.2?
it's in comment #9
Ah, thanks. No problems with crypto here. 2.0.2 is fine.
I personally have tested only 2.0.1. Andreas, do you want this 2.0.2 update? As I wrote above, I don't think it it critical, but since we just went to 2.0.1 I wouldn't oppose to going to 2.0.2 too much either.
Ok to go to 2.0.2, please submit.
package submitted. reassigning again to security-team for further processing of the updates
packages released
CVE-2005-2534: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)