Request 898085: Submit openvpn - openSUSE Build Service

This request supersedes: request 898040 (Show diff)

Overview

Request 898085 accepted

- update to 2.4.11 (bsc#1185279):
* CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
* This bug allows - under very specific circumstances - to trick a server using
delayed authentication (plugin or management) into returning a PUSH_REPLY
before the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup.
* In combination with "--auth-gen-token" or an user-specific token auth
solution it can be possible to get access to a VPN with an
otherwise-invalid account.
* Fix potential NULL ptr crash if compiled with DMALLOC
- drop sysv5 init support, it hasn't build successfully in ages
and is build-disabled in devel project

Created by rmax almost 3 years ago
In state accepted
Supersedes 898040

Submit openvpn

Comments for request 898085 2
Comments for request 898040 1

Jan Engelhardt (jengelh) - almost 3 years ago

reviewer

"sysv5" - System V only ever made it to Release 4 (SVR4). I'll ignore it ;-)

Reinhard Max (rmax) - almost 3 years ago

author source maintainer

Will get fixed next time the package gets touched anyway.

Login required, please login in order to comment

Jan Engelhardt (jengelh) - almost 3 years ago

reviewer

58 +sed -e "s|\" __DATE__|$(date '+%{b} %{e} %{Y}' -r version.m4)\"|g" \

That line is quite botched. You don't want %b but %%b. etc

Login required, please login in order to comment

Request History

rmax created request almost 3 years ago

- update to 2.4.11 (bsc#1185279):
* CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
* This bug allows - under very specific circumstances - to trick a server using
delayed authentication (plugin or management) into returning a PUSH_REPLY
before the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup.
* In combination with "--auth-gen-token" or an user-specific token auth
solution it can be possible to get access to a VPN with an
otherwise-invalid account.
* Fix potential NULL ptr crash if compiled with DMALLOC
- drop sysv5 init support, it hasn't build successfully in ages
and is build-disabled in devel project

factory-auto added opensuse-review-team as a reviewer almost 3 years ago

Please review sources

factory-auto accepted review almost 3 years ago

Check script succeeded

licensedigger accepted review almost 3 years ago

ok

dimstar_suse set openSUSE:Factory:Staging:D as a staging project almost 3 years ago

Being evaluated by staging project "openSUSE:Factory:Staging:D"

dimstar_suse accepted review almost 3 years ago

Picked "openSUSE:Factory:Staging:D"

dimstar accepted review almost 3 years ago

dimstar_suse accepted review almost 3 years ago

Staging Project openSUSE:Factory:Staging:D got accepted.

dimstar_suse approved review almost 3 years ago

Staging Project openSUSE:Factory:Staging:D got accepted.

dimstar_suse accepted request almost 3 years ago

Staging Project openSUSE:Factory:Staging:D got accepted.

openSUSE Build Service is sponsored by