From: <ope...@li...> - 2017-05-11 14:12:59
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenVPN main development repository".

The branch, release/2.4 has been updated
       via  85161685f42f2d8c69604e0825e75fe1287e57bd (commit)
       via  3c28855760c389d15384238d0e089132da98949b (commit)
       via  591a4e574c43cb9e820950f15dcaabda261def78 (commit)
       via  66b99a0753352c5cc43e11e39835b6423112df98 (commit)
      from  9444506e45df86e6c8fbabfbf4a97c538cd971f4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 85161685f42f2d8c69604e0825e75fe1287e57bd
Author: David Sommerseth <da...@op...>
Date:   Thu May 11 02:41:34 2017 +0200

    Preparing v2.4.2 release

    Signed-off-by: David Sommerseth <da...@op...>

commit 3c28855760c389d15384238d0e089132da98949b
Author: ValdikSS <ia...@va...>
Date:   Wed May 10 21:47:53 2017 +0300

    Set a low interface metric for tap adapter when block-outside-dns is in use

    Windows 10 before Creators Update used to resolve DNS using all
    available adapters and IP addresses in parallel. Now it still resolves
    addresses using all available adapters but in a round-robin way,
    beginning with a random adapter. This behaviour introduces significant
    delay when block-outside-dns is in use.

    Fortunately, setting a low metric for the TAP interface solves this
    issue, making Windows always pick the TAP adapter first and disabling
    round-robin.

    Signed-off-by: ValdikSS <ia...@va...>
    Acked-by: Selva Nair <sel...@gm...>
    Message-Id: <201...@gm...>
    URL: https://www.mail-archive.com/ope...@li.../msg14624.html
    Signed-off-by: David Sommerseth <da...@op...>
    (cherry picked from commit 27aa87283f6e766507287649aa5a63f1f5172645)

commit 591a4e574c43cb9e820950f15dcaabda261def78
Author: Steffan Karger <ste...@fo...>
Date:   Tue May 9 21:30:09 2017 +0200

    Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)

    Previously, if a mode was selected where packet ids are not allowed to
    roll over, but renegotiation does not succeed for some reason (e.g. no
    password entered in time, certificate expired or a malicious peer that
    refuses the renegotiation on purpose) we would continue to use the old
    keys. Until the packet ID would roll over and we would ASSERT() out.

    Given that this can be triggered on purpose by an authenticated peer,
    this is a fix for an authenticated remote DoS vulnerability. An attack
    is rather inefficient though; a peer would need to get us to send 2^32
    packets (min-size packet is IP+UDP+OPCODE+PID+TAG (no payload), results
    in (20+8+1+4+16)*2^32 bytes, or approx. 196 GB).

    This is a fix for finding 5.2 from the OSTIF / Quarkslab audit.

    CVE: 2017-7479
    Signed-off-by: Steffan Karger <ste...@fo...>
    Acked-by: Gert Doering <ge...@gr...>
    Acked-by: David Sommerseth <da...@op...>
    Message-Id: <149...@fo...>
    URL: http://www.mail-archive.com/search?l=mid&q=149...@fo...
    Signed-off-by: David Sommerseth <da...@op...>
    (cherry picked from commit e498cb0ea8d3a451b39eaf6f9b6a7488f18250b8)

commit 66b99a0753352c5cc43e11e39835b6423112df98
Author: Steffan Karger <ste...@fo...>
Date:   Tue May 9 21:30:08 2017 +0200

    Don't assert out on receiving too-large control packets (CVE-2017-7478)

    Commit 3c1b19e0 changed the maximum size of accepted control channel
    packets. This was needed for crypto negotiation (which is needed for a
    nice transition to a new default cipher), but exposed a DoS
    vulnerability.

    The vulnerability was found during the OpenVPN 2.4 code audit by
    Quarkslab (commissioned by OSTIF).

    To fix the issue, we should not ASSERT() on external input (in this
    case the received packet size), but instead gracefully error out and
    drop the invalid packet.

    CVE: 2017-7478
    Signed-off-by: Steffan Karger <ste...@fo...>
    Acked-by: David Sommerseth <da...@op...>
    Message-Id: <149...@fo...>
    URL: http://www.mail-archive.com/search?l=mid&q=149...@fo...
    Signed-off-by: David Sommerseth <da...@op...>
    (cherry picked from commit 5774cf4c25e1d8bf4e544702db8f157f111c9d93)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                 | 29 ++++++++++++
 Changes.rst                               | 12 +++++
 src/openvpn/block_dns.c                   | 78 +++++++++++++++++++++++++++++++
 src/openvpn/block_dns.h                   | 30 ++++++++++++
 src/openvpn/crypto.c                      | 25 ++++++----
 src/openvpn/init.c                        |  4 +-
 src/openvpn/packet_id.c                   | 22 ++++++---
 src/openvpn/packet_id.h                   |  1 +
 src/openvpn/ssl.c                         |  7 ++-
 src/openvpn/tls_crypt.c                   |  6 ++-
 src/openvpn/win32.c                       | 39 +++++++++++++++-
 src/openvpn/win32.h                       |  2 +-
 src/openvpnserv/interactive.c             | 70 +++++++++++++++++++++++++--
 tests/unit_tests/openvpn/test_packet_id.c | 11 ++++-
 version.m4                                |  4 +-
 15 files changed, 309 insertions(+), 31 deletions(-)

hooks/post-receive
--
OpenVPN main development repository
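The pattern the CVE-2017-7479 commit describes, reduced to a constructed C model (this is an added illustration, not OpenVPN's packet_id.c; `struct pid_send`, `pid_next` and `send_burst` are hypothetical names): the send-side packet-id counter reports rollover to its caller, which drops the packet, instead of aborting the process with an ASSERT() that an authenticated peer can steer the daemon into.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a per-key send-side packet-id counter. It is not
 * OpenVPN's struct packet_id_send, only the rollover case the commit names. */
struct pid_send {
    uint32_t id;   /* last packet id written under the current key, 0 = none */
};

/* Reserve the next packet id. Returns false when the 32-bit counter would
 * wrap to 0, i.e. the key has carried 2^32 packets without a successful
 * renegotiation. The pre-fix pattern described in the commit was an ASSERT()
 * at this point, which aborts the whole process on peer-influenced state. */
static bool pid_next(struct pid_send *p, uint32_t *out)
{
    uint32_t next = p->id + 1;   /* unsigned wrap: UINT32_MAX + 1 == 0 */
    if (next == 0) {
        return false;            /* rollover: refuse to reuse the key */
    }
    p->id = next;
    *out = next;
    return true;
}

/* Caller side of the fix: a packet that cannot get an id is dropped and
 * counted; the daemon keeps running. Returns the number of packets sent. */
static unsigned send_burst(struct pid_send *p, unsigned n, unsigned *dropped)
{
    unsigned sent = 0;
    *dropped = 0;
    for (unsigned i = 0; i < n; i++) {
        uint32_t id;
        if (!pid_next(p, &id)) {
            (*dropped)++;        /* real code would also log the drop */
            continue;
        }
        sent++;                  /* a real sender would now encrypt and emit */
    }
    return sent;
}

int main(void)
{
    struct pid_send p = { .id = UINT32_MAX - 2 };   /* constructed: near wrap */
    unsigned dropped;
    unsigned sent = send_burst(&p, 5, &dropped);
    printf("sent=%u dropped=%u last_id=%lu\n", sent, dropped, (unsigned long)p.id);
    return 0;
}
```

Starting two ids below the wrap, the burst of five sends two packets and drops three; the counter stays parked at UINT32_MAX until a renegotiation installs a fresh key.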