Re: [Openvpn-devel] [PATCH v2.4 v4 2/3] plug-ins: Disallow multiple deferred authentication plug-ins

Antonio Quartulli Tue, 15 Mar 2022 08:06:30 -0700

Hi,

On 13/03/2022 21:07, David Sommerseth wrote:

From: David Sommerseth <dav...@openvpn.net>


The plug-in API in OpenVPN 2.x is not designed for running multiple
deferred authentication processes in parallel. The authentication
results of such configurations are not to be trusted.  For now we bail
out when this discovered with an error in the log.

CVE: 2022-0547
Signed-off-by: David Sommerseth <dav...@openvpn.net>


Tested and it does what it says on the lid.

The whole approach requires larger refactoring, but for now this isenough to close the hole.


Acked-by: Antonio Quartulli <a...@unstable.cc>



--
Antonio Quartulli


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH v2.4 v4 2/3] plug-ins: Disallow multiple deferred authentication plug-ins

Reply via email to