Meeting summary for 8 May 2024:
* *Closed: Discussion related to DNS IV flag*
/This was done with a IV_PROTO_DNS_OPTION_V2 proto flag./
* *New, closed:TunnelVision
<https://community.openvpn.net/openvpn/wiki/TunnelVision>vulnerability.*/
/This looks to be basically the same as theTunnelCrack
<https://community.openvpn.net/openvpn/wiki/TunnelCrack>vulnerability./
/Mitigations forTunnelCrack
<https://community.openvpn.net/openvpn/wiki/TunnelCrack>are underway
but take time to deliver as the implementation is different on each
platform./
/What we'll do is add a wiki article forTunnelVision
<https://community.openvpn.net/openvpn/wiki/TunnelVision>that
redirects toTunnelCrack
<https://community.openvpn.net/openvpn/wiki/TunnelCrack>statement
already present on our wiki./
/We'll add a section there specific to theTunnelVision
<https://community.openvpn.net/openvpn/wiki/TunnelVision>aspect of
this.//
* *Updated: Tunnelcrack progressTunnelCrack community wiki article
<https://community.openvpn.net/openvpn/wiki/TunnelCrack>*
/Status update onTunnelCrack
<https://community.openvpn.net/openvpn/wiki/TunnelCrack>mitigations:/
/Windows, openvpn2: ready to merge. openvpn3: in code review./
/Linux, openvpn2: in progress. openvpn3: in progress./
/macOS: to be determined./
/iOS: to be determined./
/Android: not vulnerable./
* *New:BlackHat?
<https://community.openvpn.net/openvpn/wiki/BlackHat>announcement
regarding 'OVPNX'.*/BlackHat?
<https://community.openvpn.net/openvpn/wiki/BlackHat>announced a
presentation about OVPNX vulnerabilities that lead to privilege
escalation./
/This is by the same guy, Vladimir Tokarev, that reported these
issues to us that we then solved./
/The problem is they are announcing it as zero-day vulnerabilities,
which is simply not true./
/These were responsibly disclosed and in cooperation were fixed and
published with the OpenVPN 2.6.10 and 2.5.10 releases./
/We did reach out to clarify things but haven't had a response yet./
/A security advisory and a blog post will be posted in the next day
or so on the main website, and it will be added to the company
newsletter as well./
/These will set the record straight that it's not zero-day, and
furthermore point out that this is not that critical of an issue as
you need privileges anyways to exploit it./
/Also this only affects OpenVPN2 GUI on Windows./
* *Updated: forums topics*
/rob0 and novaflash volunteered to take a look at the web server
config to make it work correctly./
/However due to other ongoing things, didn't have time yet, but will
be able to spend time on it soonish./
/Plan is to soon switch URLs so new forum is on forums.openvpn.net
and old forums is on archive address./
/- email confirmation on registration was suggested./
/- mod permissions, guide, hard or soft delete (chuck board?), what
to do with GDPR, etc. (write it down and actually make it available
to mods, maybe a hidden topic)/
/- access for mods to logs so one can see what others did/
* *Updated: mattock topics*
/PR created to add t_server_null tests to buildbot./
/There's a parallelism issue to fix between t_server_null.sh and
t_client.sh - will work on that./
As always you're welcome to join at #openvpn-meeting on Libera IRC
network every Wednesday at 13:00 Central European Time.
Kind regards,
Johan Draaisma
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
