Segfaulting STR: Rocky9 host, used 2.6.7 from the copr repo.

================================
port 1194
proto tcp-server
dev tun1
ca /etc/openvpn/server/keys/ca.crt
cert /etc/openvpn/server/keys/server.crt
key /etc/openvpn/server/keys/server.key
dh none
tls-groups secp521r1:secp384r1
topology subnet
server 10.50.236.0 255.255.255.0
keepalive 10 120
tls-auth /etc/openvpn/server/keys/ta.key 0
data-ciphers AES-256-GCM
auth SHA512
tls-version-min 1.2
user openvpn
group openvpn
persist-key
persist-tun
log-append /var/log/openvpn/openvpn.log
verb 4
auth-gen-token 0 3600
================================
Spun this config up, then ran:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 443,80 -j REDIRECT --to-ports 1194

Within 5 minutes the random web scanners found and segfaulted me.

Hope this helps.

On Fri, Nov 10, 2023 at 7:48 PM Gert Doering <g...@greenie.muc.de> wrote:
> Hi,
>
> On Fri, Nov 10, 2023 at 10:51:34AM +0100, Gert Doering wrote:
> > I'll see if I can reproduce this case here and we'll fix it ASAP.
>
> We couldn't reproduce it yet, but we have a crash dump in GH issue #449,
> which hints at the commit cd4d819c99266 getting this double-extra-check
> wrong.
>
> So if you build from git, can you do a checkout of release/2.6, and
> then do "git revert cd4d819c99266", and build from that? This would
> give you a 2.6.7 "with both CVE fixes, but without the extra safeguard
> check" - which isn't *really* needed, but its intention was "should
> another mistake of sort addressed in the CVE fixes happen again, it
> would get caught" - so double belt and suspenders...
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
>                                    Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany                             g...@greenie.muc.de
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
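A small regression harness for the setup described in this thread (an OpenVPN tcp-server reached through the 80/443 REDIRECT and hit by ordinary web scanners), added here as an example; it is not code from the poster, from Gert, or from the OpenVPN project. It sends a handful of constructed scanner-style requests to the OpenVPN TCP port and, after each one, checks that the daemon still accepts connections, which is the check you would run against a release/2.6 build with cd4d819c99266 reverted as suggested above. The host, port, probe bodies and timeouts are assumptions. The openvpn_tcp_declared_length helper only illustrates why plain HTTP is awkward input for the TCP transport: OpenVPN frames every TCP packet with a 2-byte big-endian length prefix, so the bytes "GE" announce an 18245-byte packet that never arrives.

```python
"""Scanner-style probe + liveness check for an OpenVPN tcp-server port.

Added example for the openvpn-devel thread above; not OpenVPN project code.
Host, port and probe payloads are assumptions. Point it at a lab server you
own (for example the reverted 2.6.7 build) and compare runs.
"""
import socket
import sys
import time


def build_probes(host: str) -> list[bytes]:
    """Constructed sample of what generic web scanners send to anything
    listening on 80/443. These are assumptions, not captures from the report."""
    h = host.encode()
    return [
        b"GET / HTTP/1.1\r\nHost: " + h + b"\r\nUser-Agent: scanner\r\n\r\n",
        b"HEAD / HTTP/1.0\r\n\r\n",
        b"POST /cgi-bin/test HTTP/1.1\r\nHost: " + h
        + b"\r\nContent-Length: 4\r\n\r\nabcd",
        b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",  # truncated TLS ClientHello
        b"",  # scanner that connects and immediately closes
    ]


def openvpn_tcp_declared_length(first_bytes: bytes) -> int:
    """OpenVPN over TCP prefixes each packet with a 2-byte big-endian length.
    A scanner's first two bytes get read as that length: 'GE' = 0x4745 = 18245."""
    if len(first_bytes) < 2:
        return 0
    return int.from_bytes(first_bytes[:2], "big")


def port_is_alive(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if something still accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_probe(host: str, port: int, payload: bytes, timeout: float = 2.0) -> str:
    """Send one probe and classify how the server reacted to it.
    With tls-auth configured, 'silent' or 'closed' are both fine outcomes;
    what matters is that port_is_alive() is still True afterwards."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if payload:
                s.sendall(payload)
            s.settimeout(timeout)
            try:
                data = s.recv(4096)
            except socket.timeout:
                return "silent"
            return "replied" if data else "closed"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return "error:" + exc.__class__.__name__


def probe_and_check(host: str, port: int, probes: list[bytes],
                    settle: float = 0.5) -> dict[int, tuple[str, bool]]:
    """Run every probe; stop at the first one after which the daemon is gone,
    so the result shows which payload preceded the crash."""
    results: dict[int, tuple[str, bool]] = {}
    for i, payload in enumerate(probes):
        outcome = send_probe(host, port, payload)
        time.sleep(settle)  # give a crashing process time to actually exit
        alive = port_is_alive(host, port)
        results[i] = (outcome, alive)
        if not alive:
            break
    return results


if __name__ == "__main__":
    # Assumed defaults: the OpenVPN server from the thread, reached locally.
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 1194
    for idx, (out, ok) in probe_and_check(target_host, target_port,
                                          build_probes(target_host)).items():
        print(f"probe {idx}: server {out}, still listening: {ok}")
```

Run it in a loop against the reverted build while tailing /var/log/openvpn/openvpn.log; a "refused" outcome or a False liveness result right after a probe is the signal to grab the core dump and the matching log lines.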