Re: [Openvpn-users] [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread David Sommerseth
On 21/06/17 12:47, Samuli Seppänen wrote:
> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
> can be downloaded from here:
> 
> 
> 
> OpenVPN v2.4.2 was analyzed closely using a fuzzer by Guido Vranken. In
> the process several vulnerabilities were found, some of which are
> remotely exploitable in certain circumstances. We recommend you to
> upgrade to OpenVPN 2.4.3 or 2.3.17 as soon as possible. More details are
> available in our official security announcement:
> 
> 
> 
> In addition a number of bugs with no security impact have been fixed.
> The one big feature in the 2.4.3 release is support for building with
> OpenSSL 1.1.
> 
> A summary of all included changes is available here:
> 
> 
So just trying to hijack this discussion which is to be found a few more
places elsewhere in this mail thread.  No need to let this discussion
run longer.

There are several areas where we definitely can improve the release
process.  Last round we managed to mess up the 2.3.15 release, so
I wrote a brand new "prepare release tarballs" script, which also
handles the signing.  This script _was_ used to produce the files to be
pushed out for the 2.4.3/2.3.17 releases.

But for reasons unknown to me, those tarballs got re-created somewhere
later in the release chain.  The contents of all tarballs are
essentially the same, but due to the "nice" artefact that the tar format
is non-deterministic on the output, even though the input is the same,
that begins to prepare the stage for this chaos.  Especially when what
is being uploaded is partly from the initial run and then some files
from a different run.

All that is history now.  Now we need to look forward.  Many good points
have been raised.

- Do we need .tar.gz and .zip files?  Where and why?
  The fewer source tarballs we need to handle, the less chance for
  errors

- Improve Makefile.am to not generate dist-gz files when running
  distcheck.  The distcheck run often provides a very good indicator of
  whether we have packaged all the needed files in the source tarball.
  If this doesn't pass, something is really wrong.

- Do we really need to re-create the source tarballs which the new
  ./dev-tools/gen-release-tarballs.sh produces?  Why?

- What can be done with Cloudflare to fully ensure their caches are
  truly purged when we ask for it?  As Jonathan noticed, their caches
  are tightly connected to the web browser and have a non-deterministic
  behaviour across browsers, even on the same computer.

- What else in the release process can be automated and put into a
  script?  This to ensure consistency between all releases we do.

- We need to write down a proper check-list of all the steps needed
  for a release, including putting a clear responsibility for each
  release.  This list must also mention which scripts to be run.  Again,
  automation is key to reduce the risk for errors.

- Consider how many people really need to be involved in producing a
  release.  More chefs in a kitchen can result in great food, but it can
  also end up quite messy.

- At the same time, ensure we don't end up in a "single point of
  failure".  More of us core developers need to be able to step in for
  others, and still be able to produce a release without errors.  This
  can be the end result if we have proper scripts, both for automated
  and manual tasks.


My intention with these points is primarily "food for thought".  I
don't fully believe it will be easy to have a well structured debate
about the complete release process in a mailing list thread.

So I suggest we take a few weeks holiday, let this sink in, and then we
can schedule a meeting some time in August where we discuss these
issues.  And let's hope we don't need to rush yet another release before
August :)


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
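The tar non-determinism described above is avoidable if the archive's bytes are made to depend only on file names and contents, so that every run over the same tree yields the same checksum and signature. The script below is an added example, not part of this thread and not OpenVPN's own gen-release-tarballs.sh; it assumes GNU tar 1.28 or newer (for --sort), gzip and sha256sum, and the demo-src tree it packs and the timestamp it pins are constructed samples.

```shell
#!/bin/sh
# Added example: build a source tarball whose bytes are a function of the
# file names and contents only, so two runs give byte-identical archives.
# Assumes GNU tar >= 1.28 and gzip; demo-src is a constructed sample tree.

make_reproducible_tarball() {
    # $1 = source directory, $2 = output .tar.gz, $3 = fixed mtime (epoch secs)
    src="$1"
    out="$2"
    stamp="${3:-0}"
    # --sort=name : fixed entry order regardless of readdir() order
    # --mtime/--owner/--group/--numeric-owner : no host-specific metadata
    # gzip -n     : omit original file name and timestamp from the gzip header
    LC_ALL=C tar --sort=name --mtime="@${stamp}" \
        --owner=0 --group=0 --numeric-owner \
        -C "$(dirname "$src")" -cf - "$(basename "$src")" | gzip -9 -n > "$out"
}

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# Pack the same (constructed) tree twice from different locations and with
# different on-disk timestamps; returns success if the archives are identical.
tarballs_match() {
    work=$(mktemp -d)
    for run in a b; do
        mkdir -p "$work/$run/demo-src/src"
        printf 'int main(void) { return 0; }\n' > "$work/$run/demo-src/src/main.c"
        printf 'demo 2.4.3\n' > "$work/$run/demo-src/README"
    done
    # Give the second copy different mtimes: a plain "tar czf" would record
    # them in the headers and the two archives would no longer match.
    touch -t 200101010000 "$work/b/demo-src/src/main.c" "$work/b/demo-src/README"
    make_reproducible_tarball "$work/a/demo-src" "$work/a.tar.gz" 1498003200
    make_reproducible_tarball "$work/b/demo-src" "$work/b.tar.gz" 1498003200
    sum_a=$(sha256_of "$work/a.tar.gz")
    sum_b=$(sha256_of "$work/b.tar.gz")
    rm -rf "$work"
    [ "$sum_a" = "$sum_b" ]
}
```

Pinning the mtime to the release's own date (1498003200 is 2017-06-21 00:00 UTC, chosen here as a sample) keeps the archive reproducible while still carrying a meaningful timestamp.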

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] Combining redirect-gateway with block-outside-dns

2017-06-21 Thread debbie10t
Never mind... of course it would not block DNS, otherwise private VPNs
could not use Google DNS etc.


On 21/06/17 15:50, debbie10t wrote:

Hi

Ref: https://forums.openvpn.net/viewtopic.php?f=6&t=24318
(Not interested in a solution for it, just for info)

Details of *my* question:

Server.conf:

   push "redirect-gateway def1 block-local"
   push "dhcp-option DNS 10.100.0.X"
   push "block-outside-dns"

Note:
1. There is no push "route 10.100.0.X"
2. redirect-gateway should force 10.100.0.X over the tunnel
(presuming there is no specific route on the client)
3. (eg) Server LAN 192.168.101.0/24
 Client LAN 192.168.121.0/24

In this scenario:
Would block-outside-dns block access to the pushed DNS server ?

thanks



[Openvpn-users] Combining redirect-gateway with block-outside-dns

2017-06-21 Thread debbie10t

Hi

Ref: https://forums.openvpn.net/viewtopic.php?f=6&t=24318
(Not interested in a solution for it, just for info)

Details of *my* question:

Server.conf:

  push "redirect-gateway def1 block-local"
  push "dhcp-option DNS 10.100.0.X"
  push "block-outside-dns"

Note:
1. There is no push "route 10.100.0.X"
2. redirect-gateway should force 10.100.0.X over the tunnel
   (presuming there is no specific route on the client)
3. (eg) Server LAN 192.168.101.0/24
Client LAN 192.168.121.0/24

In this scenario:
Would block-outside-dns block access to the pushed DNS server ?

thanks


[Openvpn-users] OpenVPN 2.3.17 released (with security fixes)

2017-06-21 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.3.17.
It can be downloaded from here:



OpenVPN v2.4.2 was analyzed closely using a fuzzer by Guido Vranken. In
the process several vulnerabilities were found, some of which are
remotely exploitable in certain circumstances. Most of these issues also
affect OpenVPN 2.3.16 and earlier. We recommend that you upgrade to
OpenVPN 2.4.3 or 2.3.17 as soon as possible. More details are available
in our official security announcement:



A summary of the changes is available here:



A full list of changes is available here:



For generic help use these support channels:

Official documentation:

Wiki: 
Forums: 
User mailing list: 
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: 
Developer mailing list: 
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-users] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
can be downloaded from here:



OpenVPN v2.4.2 was analyzed closely using a fuzzer by Guido Vranken. In
the process several vulnerabilities were found, some of which are
remotely exploitable in certain circumstances. We recommend that you
upgrade to OpenVPN 2.4.3 or 2.3.17 as soon as possible. More details are
available in our official security announcement:



In addition a number of bugs with no security impact have been fixed.
The one big feature in the 2.4.3 release is support for building with
OpenSSL 1.1.

A summary of all included changes is available here:



A full list of changes is available here:



Compared to OpenVPN 2.3 this is a major update with a large number of
new features, improvements and fixes. Some of the major features are
AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved
IPv4/IPv6 dual stack support and more seamless connection migration when
the client's IP address changes (Peer-ID). Also, the new --tls-crypt feature
can be used to increase users' connection privacy.

The OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of the major
features is the ability to run OpenVPN GUI without administrator privileges.

For full details, look here:



The new OpenVPN GUI features are documented here:



Please note that OpenVPN 2.4 installers will not work on Windows XP.

For generic help use these support channels:

Official documentation:

Wiki: 
Forums: 
User mailing list: 
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: 
Developer mailing list: 
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
