From patchwork Thu Apr 30 18:36:47 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9780
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] openvpn: Update to version 2.7.3
Date: Thu, 30 Apr 2026 20:36:47 +0200
Message-ID: <20260430183648.2774994-4-adolf.belka@ipfire.org>
In-Reply-To: <20260430183648.2774994-1-adolf.belka@ipfire.org>
References: <20260430183648.2774994-1-adolf.belka@ipfire.org>
Precedence: list
MIME-Version: 1.0

- Update from version 2.7.1 to 2.7.3
- No change to rootfile
- 2 CVE fixes in 2.7.2. These have also been applied to 2.6.20 on the 2.6 branch
- Changelog
    2.7.3
      bugfixes
        in combination with --management-query-passwords, setups using --auth-user-pass file or inline auth-user-pass would no longer use the configured passwords and prompt on the management interface instead (OpenVPN GUI would then provide an empty user/password prompt) (Github: OpenVPN/openpvn#1021).
    2.7.2
      Security fixes
        fix race condition in TLS handshake that could lead to leaking of packet data from a previous handshake under specific circumstances (CVE-2026-40215) (Bug found by XlabAI Team of Tencent Xuanwu Lab (xlabai@tencent.com))
        fix server ASSERT() on receiving a suitably malformed packet with a valid tls-crypt-v2 key (CVE-2026-35058) (Bug found by XlabAI Team of Tencent Xuanwu Lab (xlabai@tencent.com) and independently by Emma Reuter of Cisco ASIG (TALOS-2026-2381))
      Bugfixes
        when using a config file with inlined username and no password, fix prompting for the password from management interface.
        Windows: fix DNSSEC flag handling - this got never applied due to a bad comparison being always false.
        Windows: fix deinstallation progress bar on adapter deletion.
      New features
        management interface: permit input of very long passwords in base64-encoded multiline format. Signal support to management clients via "management version 6".
      Documentation
        improve documentation and error messages related to old and new Linux DCO modules
        remove some references to pre-2.3 OpenVPN
        improve manpage for --learn-address config
      User-visible Changes
        improve error messages on --verify-x509-name failures
        improve error logging when overlong username or passwords can not be written to TLS buffer
      Long-term code maintenance
        fully support OpenSSL 4.0 now, without "deprecated API" warnings (multiple small changes to adapt to 3.5 -> 4.0 API changes)
        add unit tests for certificate detail printing
        add unit tests for "empty password on inline credentials" handling

Signed-off-by: Adolf Belka
---
 lfs/openvpn | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lfs/openvpn b/lfs/openvpn index 80eb94032..c1d0f69b6 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -24,7 +24,7 @@ include Config -VER = 2.7.1 +VER = 2.7.3 THISAPP = openvpn-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = a5f598a4f2366c3134578af6bf08750c3d4269ab036f1b49b44799174bca01dc4d79c8ddfce2b5948f186a7729cd96e428b74dda4a685bf44323aaa188739405 +$(DL_FILE)_BLAKE2 = ef569507072af64cab3d2458f3f1ec86478975c4df9a33320b3e96df63d1e8ecbec9bc1b12344c58bdd2c9c734b065100a71f1d7954f324a325f39d220b914cc install : $(TARGET)
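
Review bot: In the second hunk (@@ -40,7 +40,7 @@) the new `$(DL_FILE)_BLAKE2` value is replaced with no indication in the commit message of how it was obtained, so a reviewer cannot tell whether it was computed from a tarball that had first been checked against the upstream release signature. Because this bump is what brings in the fixes for CVE-2026-40215 and CVE-2026-35058, please add a line to the message stating where openvpn-2.7.3.tar.gz was fetched from and that its signature was verified before the digest was taken, so the pinned hash can be reproduced independently.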