From patchwork Sat Sep 7 17:29:27 2024
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8082
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] openvpn: Update to version 2.5.10
Date: Sat, 7 Sep 2024 19:29:27 +0200
Message-ID: <20240907172927.3439533-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- Update from version 2.5.9 to 2.5.10
- Update of rootfile not required
- 3 CVE Fixes in this version but all are for Windows installations.
- Changelog
    2.5.10
      Security fixes
      - CVE-2024-27459: Windows: fix a possible stack overflow in the
        interactive service component which might lead to a local privilege
        escalation.
        Reported-by: Vladimir Tokarev
      - CVE-2024-24974: Windows: disallow access to the interactive service
        pipe from remote computers.
        Reported-by: Vladimir Tokarev
      - CVE-2024-27903: Windows: disallow loading of plugins from untrusted
        installation paths, which could be used to attack openvpn.exe via
        a malicious plugin. Plugins can now only be loaded from the OpenVPN
        install directory, the Windows system directory, and possibly from
        a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir.
        Reported-by: Vladimir Tokarev
      User visible changes
      - License amendment: all NEW commits fall under a modified license that
        explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL) -
        see COPYING for details. Existing code in the release/2.5 branch
        will not be relicensed (only in release/2.6 and later branches).

Signed-off-by: Adolf Belka --- lfs/openvpn | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/openvpn b/lfs/openvpn index b686cc930..807019f0a 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team # +# Copyright (C) 2007-2024 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 2.5.9 +VER = 2.5.10 THISAPP = openvpn-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = e5110ebb9149121c11de45f085f66d30a89fb674ad96c5792d83b16dc29c95215a91e682adb3c800b91ed4d88d6d24b5bcae0799cdb855a284832f0668ffcb82 +$(DL_FILE)_BLAKE2 = 7f4ae82162e2e48e66df2da8008f45a2db53a22483730808b873948f1dc13a2e5582c79e4469f9d794f8b0f87f08d627e8d1bd070b088ea33444af31779f5479 install : $(TARGET)
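Review bot: The replaced `$(DL_FILE)_BLAKE2` value in the last hunk is the only checksum visible for the 2.5.10 tarball, and neither the hunk nor the commit message says how it was obtained. Please state in the message that the downloaded `openvpn-2.5.10.tar.gz` was checked against upstream's published signature or checksum before this BLAKE2 sum was computed, so the pinned hash is known to describe the upstream release rather than whatever file happened to be fetched.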