Hi,
On 13/03/2022 20:31, David Sommerseth wrote:
From: David Sommerseth <dav...@openvpn.net>
The plug-in API in OpenVPN 2.x is not designed for running multiple
deferred authentication processes in parallel. The authentication
results of such configurations are not to be trusted. For now we bail
out when this discovered with an error in the log.
CVE: 2022-0547
Signed-off-by: David Sommerseth <dav...@openvpn.net>
Same as the patch for master.
Acked-by: Antonio Quartulli <a...@unstable.cc>
+ error = true;
+ msg(M_FATAL,
+ "Exiting due to multiple authentication plug-ins "
+ "performing deferred authentication. Only one "
+ "authentication plug-in doing deferred auth is "
+ "allowed. Ignoring the result and stopping now, "
+ "the current authentication result is not to be "
+ "trusted.");
Frank reported that we should use double space after the full-stop.
Honestly I'd prefer just single-space everywhere as it is more
"traditional".
This said, Gert can make the final decision and modify the patch on the fly.
Cheers,
--
Antonio Quartulli
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
