From patchwork Sat Nov 22 19:45:04 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9302
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] openvpn: Update to version 2.6.16
Date: Sat, 22 Nov 2025 20:45:04 +0100
Message-ID: <20251122194504.2951584-1-adolf.belka@ipfire.org>

- Update from version 2.6.15 to 2.6.16
- No change to rootfile
- Changelog
    2.6.16
    Security fixes:
        CVE-2025-13086: Fix memcmp check for the hmac verification in the 3way handshake.
          This bug renders the HMAC based protection against state exhaustion on receiving
          spoofed TLS handshake packets in the OpenVPN server inefficient.
    Bug fixes:
        fix invalid pointer creation in tls_pre_decrypt() - technically this is a memory
          over-read issue, in practice, the compilers optimize it away so no negative
          effects could be observed.
        Windows: in the interactive service, fix the "undo DNS config" handling.
        Windows: in the interactive service, disallow using of "stdin" for the config file,
          unless the caller is authorized OpenVPN Administrator
        Windows: in the interactive service, change all netsh calls to use interface index
          and not interface name - sidesteps all possible attack avenues with special
          characters in interface names.
        Windows: in the interactive service, improve error handling in some "unlikely to
          happen" paths.
        auth plugin/script handling: properly check for errors in creation on
          $auth_failed_reason_file (arf).
        for incoming TCP connections, close-on-exec option was applied to the wrong socket
          fd, leaking socket FDs to child processes.
        sitnl: set close-on-exec flag on netlink socket
        ssl_mbedtls: fix missing perf_pop() call (optional performance profiling)
    Windows MSI changes since 2.6.15-I001:
        Built against OpenSSL 3.6.0
        Included openvpn-gui updated to 11.58.0.0
            Check the return value of GetProp()
            Make config path check similar to that in interactive service
            Escape the type id of password message received from openvpn
            Add a message source for event logging
            Check correct management daemon path when OpenVPN3 is enabled
            Fix OpenVPN3 radio button label size when OVPN3 is enabled
            Use GetTempPath() for debug file in plap as well
            Migrate all saved plain usernames to encrypted format
        Included win-dco driver updated to 2.8.0

Signed-off-by: Adolf Belka
---
 lfs/openvpn | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lfs/openvpn b/lfs/openvpn index 152e25f63..9252c44f8 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -24,7 +24,7 @@ include Config -VER = 2.6.15 +VER = 2.6.16 THISAPP = openvpn-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = d77f8d67bffeb7cdd6fe9b3892add3b62001d7e01d5f9b0703f57a5a5a19c58a9dfb5e86b6ba1acad743c39af1d965b2180d6a5fabd32d40cddf4b13f3d91b46 +$(DL_FILE)_BLAKE2 = d4219d5974ecb0d73b865f436ed5a57874dee7295446a10d47354024564a25098ea2210f3356f3938fd24fb99c2310797bb70936ad5423eafad7cbacc94c71c5 install : $(TARGET)
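Review bot: in the first hunk (VER = 2.6.15 to VER = 2.6.16), the bump matches the subject line and the "No change to rootfile" statement, but the commit message buries the reason this update matters: the changelog lists CVE-2025-13086, a broken memcmp check in the HMAC verification of the three-way handshake that makes the server's state-exhaustion protection against spoofed TLS handshake packets ineffective. Suggest stating in the first line of the message that this is a security update so that it is prioritised for the next core update rather than treated as a routine version bump.

Review bot: in the second hunk, the new $(DL_FILE)_BLAKE2 value is the only integrity check the build performs on the downloaded openvpn-2.6.16.tar.gz ($(THISAPP).tar.gz with THISAPP = openvpn-$(VER)), and a reviewer cannot confirm the hash from the patch alone. Suggest recording in the commit message that the tarball was verified against the upstream release signature before the BLAKE2 sum was taken, so that the hash in lfs/openvpn is known to pin a signed release and not merely whatever the mirror served at the time.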