ubuntu/+source/openvpn:ubuntu/hoary-security

Last commit made on 2005-12-21
Get this branch:
git clone -b ubuntu/hoary-security https://git.launchpad.net/ubuntu/+source/openvpn

Branch information

Name:
ubuntu/hoary-security
Repository:
lp:ubuntu/+source/openvpn

Recent commits

a698842... by Gerardo Di Giacomo on 2005-09-07

Import patches-unapplied version 1.99+2.rc6-1ubuntu0.2 to ubuntu/hoary-security

Imported using git-ubuntu import.

Changelog parent: 260eb7313d06c76ea43d3431b482484dd767e5a4

New changelog entries:
  * Reupload with a higher version, previous version was uploaded as a native
    package.
  * SECURITY UPDATE: multiple denial of service vulnerabilities
  * crypto.c, ssl.c:
    - DoS attack against server when run with "verb 0" and without "tls-auth".
    If a client connection to the server fails certificate verification, the
    OpenSSL error queue is not properly flushed, which can result in another
    unrelated client instance on the server seeing the error and responding to
    it, resulting in disconnection of the unrelated client.
    - DoS attack against server by authenticated client. This bug presents a
    potential DoS attack vector against the server which can only be initiated
    by a connected and authenticated client. If the client sends a packet
    which fails to decrypt on the server, the OpenSSL error queue is not
    properly flushed, which can result in another unrelated client instance on
    the server seeing the error and responding to it, resulting in
    disconnection of the unrelated client.
  * errlevel.h, multi.c, multi.h, openvpn.8, options.c, options.h:
    - DoS attack against server by authenticated client. A malicious client in
    "dev tap" ethernet bridging mode could theoretically flood the server with
    packets appearing to come from hundreds of thousands of different MAC
    addresses, causing the OpenVPN process to deplete system virtual memory as
    it expands its internal routing table. A --max-routes-per-client
    directive has been added (default=256) to limit the maximum number of
    routes in OpenVPN's internal routing table which can be associated with a
    given client.
  * mtcp.c:
    - DoS attack against server by authenticated client. If two or more client
    machines try to connect to the server at the same time via TCP, using the
    same client certificate, and when --duplicate-cn is not enabled on the
    server, a race condition can crash the server with "Assertion failed at
    mtcp.c:411".
  * References:
    - CAN-2005-2531
    - CAN-2005-2532
    - CAN-2005-2533
    - CAN-2005-2534

260eb73... by Alberto Gonzalez Iniesta <email address hidden> on 2005-01-05

Import patches-unapplied version 1.99+2.rc6-1 to ubuntu/hoary

Imported using git-ubuntu import.

Changelog parent: 67c354bb534a7e377234d83c650a5a69d448abd9

New changelog entries:
  * The 'Three Wise Men' release.
  * New upstream release.
  * Update README.Debian with comments on changed string remapping.
    Thanks <email address hidden> for noting this first. (Closes: #288669)
  * New upstream release.
  * Updated README.Debian with info on plugins.
  * Built and installed plugins. Thanks Michael Renner for noticing.
    (Closes: #284224)
  * Added Build-Depends on libpam0g-dev, required by auth-pam plugin.
  * New upstream release. Corrects --mssfix behaviour (Closes: #280893)
  * Included Czech debconf translation. (Closes: #282995)
  * Updated (German|Danish|French|Japanese) debconf translations.
    (Closes: #281235, #282095, #282216, #282881)
  * New upstream version. Includes fix for the --key-method 1 bug.
  * WARNING: This version changes the default port (5000 previously)
    to 1194 (assigned by IANA). This will affect you if you don't
    have a 'port' option specified in your configuration files.
    Added a debconf note about it.
  * Updated es.po.
  * Patched ssl.c to fix bug in --key-method 1, that prevented
    OpenVPN 2.x from working with 1.x using that method.
    Thanks James for the prompt answer & patch.
    Thanks weasel for finding it out.
  * New upstream releases. Fixes the "Assertion failed at crypto.c"
    (Closes: #265632, #270005)
  * Updated README.Debian with clearer 2.x vs 1.x interoperability
    instructions.
  * Put if-{up,down}.d scripts back in place, this time they work.
    Just remember to quote shell vars when checking if they are empty.
    [ -n "$VAR" ] -> Good [ -n $VAR ] -> BAD
    Note to self, don't trust people's patches even if they are DD.
  * Removed if-{up,down}.d scripts until I get to know how they work.
  * Corrected names of if-{up,down}.d scripts. Duh!
  * New upstream release.
  * Renamed package to 1.99 to make it clearer that we're using
    version 2.0 and not 1.6. Some people rather talk about this on IRC
    and not tell the maintainer directly.
  * Added Brazilian Portuguese debconf templates. (Closes: #279351)
  * Modified init.d script so that specifying a daemon option in a
    VPN configuration won't make it fail.
    Thanks Christoph Biedl for the patch. (Closes: #278302)
  * Added scripts to allow specifying 'openvpn name' in
    /etc/network/interfaces to have the tunnel created and destroyed with
    the device it runs over. Thanks Joachim Breitner for the patch.
    (Closes: #273481)
  * Modified init.d script so that multiple VPNs can be started or stopped
    with a single command. (See README.Debian)
  * New upstream release.
  * New upstream release.
  * Added comments about compatibility issues between openvpn 2.x and 1.x
    to README.Debian (Closes: #276799)
  * Changed maintainer email address.
  * New upstream release. (Closes: #269631)
  * I decided to get OpenVPN 2 into sid, and hopefully into Sarge since
    the current beta works pretty well and adds important features I don't
    want missing in Sarge.
  * Updated README.Debian
  * Added German and Japanese debconf templates.
    (Closes: #266927, #270477)
  * Updated French and Danish debconf templates
    (Closes: #254064, #256053)

67c354b... by Alberto Gonzalez Iniesta <email address hidden> on 2004-06-10

Import patches-unapplied version 1.6.0-3 to ubuntu/warty

Imported using git-ubuntu import.