Attention is currently required from: flichtenheld, plaisthos.
mattock has posted comments on this change. (
http://gerrit.openvpn.net/c/openvpn/+/668?usp=email )
Change subject: t_server_null.sh: Fix failure case
..
Patch Set
it should happen during start-up.
I would argue for
- we log "minimum supported version is 1.2" and go on
or
- we log "minimum supported version is 1.2" and exit
Both are acceptable. It will break people's setups in different ways,
though... the first will pretend all is well, and older
Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/668?usp=email
to review the following change.
Change subject: t_server_null.sh: Fix failure case
.
Attention is currently required from: flichtenheld, plaisthos.
Hello plaisthos, flichtenheld,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/683?usp=email
to review the following change.
Change subject: Check that tls-version-min is supported on start
Hi,
On Wed, Jun 19, 2024 at 10:48 AM Lev Stipakov wrote:
> At the moment everyone but anonymous are permitted
> to create a pipe with the same name as interactive service creates,
> which makes it possible for malicious process with SeImpersonatePrivilege
> impersonate as local user.
>
> This ha
At the moment everyone but anonymous are permitted
to create a pipe with the same name as interactive service creates,
which makes it possible for malicious process with SeImpersonatePrivilege
impersonate as local user.
This hardens the security of the pipe, making it possible only for
processes r
This is another "developed in secrecy on the security@ mailing list"
patch, because it has security implications.
It affects windows builds, where it is possible to have two different
processes provide a pipe with the same name (e!), and a connecting
client will might not end up at the interac
Attention is currently required from: flichtenheld, plaisthos.
cron2 has posted comments on this change. (
http://gerrit.openvpn.net/c/openvpn/+/667?usp=email )
Change subject: configure: Add -Wstrict-prototypes and -Wold-style-definition
.
Attention is currently required from: cron2, flichtenheld, plaisthos.
Hello cron2, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/667?usp=email
to look at the new patch set (#2).
The following approvals got outdated and were removed:
Code-
Forgot to add:
This applies only to 2.6 -- for master we'll need a rebased version.
On Wed, Jun 19, 2024 at 9:51 AM Selva Nair wrote:
>
>
> On Wed, Jun 19, 2024 at 9:47 AM Lev Stipakov wrote:
>
>> At the moment everyone but anonymous are permitted
>> to create a pipe with the same name as inte
Hi,
I *think* I reproduced the problem you're encountering.
If I put
setenv opt tls-version-min 1.0
in the server config, then *every* connection attempt will trigger a fatal
error in the server. Doesn't matter what TLS versions the client supports.
If I put that option into the client config
On Wed, Jun 19, 2024 at 9:47 AM Lev Stipakov wrote:
> At the moment everyone but anonymous are permitted
> to create a pipe with the same name as interactive service creates,
> which makes it possible for malicious process with SeImpersonatePrivilege
> impersonate as local user.
>
> This hardens
Hi,
On Wed, Jun 19, 2024 at 01:38:46PM +, Maximilian Fillinger wrote:
> I *think* I reproduced the problem you're encountering.
>
> If I put
>
> setenv opt tls-version-min 1.0
>
> in the server config, then *every* connection attempt will trigger a fatal
> error in the server. Doesn't matt
At the moment everyone but anonymous are permitted
to create a pipe with the same name as interactive service creates,
which makes it possible for malicious process with SeImpersonatePrivilege
impersonate as local user.
This hardens the security of the pipe, making it possible only for
processes r
I have tested this with lots of well-behaved peers - namely, client against
2.3/2.4/2.5 servers, and (master) server against 2.2-master clients. All
works :-) (I did not test with a malicious endpoint).
Also, it has unit tests ;-)
Your patch has been applied to the master, release/2.6 and releas
Meeting summary for 19 June 2024:
* *Updated: release openvpn 2.6.11*
/There is a security issue reported by reynir that is resolved, and
we want to get that out in 2.6.11 tomorrow./
/The tunnelcrack mitigations for Windows are held back because we
have had absolutely no response on
Attention is currently required from: cron2, flichtenheld, plaisthos.
its_Giaan has posted comments on this change. (
http://gerrit.openvpn.net/c/openvpn/+/523?usp=email )
Change subject: Http-proxy: fix bug preventing proxy credentials caching
...
Attention is currently required from: cron2, flichtenheld, its_Giaan, plaisthos.
Hello cron2, flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/523?usp=email
to look at the new patch set (#9).
The following approvals got outdate
Hi,
I noticed a typo in a comment which is easy to understand correctly but
makes it technically incorrect:
+/* commands on the control channel are seperated by \0x00 bytes.
+ * cmdlen does not include the 0 byte of the string */
Here I think \0x00 should be \x00 (or
Attention is currently required from: flichtenheld, plaisthos.
cron2 has posted comments on this change. (
http://gerrit.openvpn.net/c/openvpn/+/667?usp=email )
Change subject: configure: Add -Wstrict-prototypes and -Wold-style-definition
.
Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/667?usp=email
to review the following change.
Change subject: configure: Add -Wstrict-prototypes and -Wold-style-definition
..
Hi,
On Wed, Jun 19, 2024 at 12:30:04PM +0200, Gert Doering wrote:
> From: Arne Schwabe
>
> This makes OpenVPN more picky in accepting control message in two aspects:
> - Characters are checked in the whole buffer and not until the first
> NUL byte
> - if the message contains invalid characters
From: Arne Schwabe
This makes OpenVPN more picky in accepting control message in two aspects:
- Characters are checked in the whole buffer and not until the first
NUL byte
- if the message contains invalid characters, we no longer continue
evaluating a fixed up version of the message but rath
Attention is currently required from: its_Giaan, plaisthos.
cron2 has posted comments on this change. (
http://gerrit.openvpn.net/c/openvpn/+/523?usp=email )
Change subject: Http-proxy: fix bug preventing proxy credentials caching
.
Took me long enough, but now it's in :-) - thanks, and thanks ValdikSS
for reporting test success.
I've run this on the server side test bed (which will not exercise SOCKS
paths, but to verify that "nothing unrelated got hit") and on the client,
with a few SOCKS proxy tests. These are all "fast
Hi,
this breaks *all* client connects on my server testbed. No matter if
2.2 or 2.5 client, when building with mbedtls (2.28.7), the resulting
binary refuses ALL incoming connection with
Jun 19 10:21:44 gentoo tap-udp-p2mp[1723]: 2001:608:0:814::f000:16
tls_version_to_ssl_version: invalid or un
Attention is currently required from: its_Giaan, plaisthos.
cron2 has posted comments on this change. (
http://gerrit.openvpn.net/c/openvpn/+/524?usp=email )
Change subject: Route: add support for user defined routing table
..