http://blog.gmane.org/gmane.network.openvpn.announce hourly 1 1901-01-01T00:00+00:00 http://gmane.org/img/gmane-25t.png http://gmane.org http://permalink.gmane.org/gmane.network.openvpn.announce/23 This release fixes a serious (though not security-related) bug in the SSL/TLS negotiation over UDP that can cause SSL/TLS handshake failures. The bug was introduced in 2.1_rc9. All users of OpenVPN 2.1_rc9 and rc10 are urged to upgrade. Change log: 2008.09.14 -- Version 2.1_rc11 * Fixed a bug that can cause SSL/TLS negotiations in UDP mode to fail if UDP packets are dropped. James ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ James Yonan 2008-09-15T02:31:21 http://permalink.gmane.org/gmane.network.openvpn.announce/22 Download: http://openvpn.net/download.html 2008.07.31 -- Version 2.1_rc9 * Security Fix -- affects non-Windows OpenVPN clients running OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT vulnerable nor are any versions of the OpenVPN server vulnerable). An OpenVPN client connecting to a malicious or compromised server could potentially receive an "lladdr" or "iproute" configuration directive from the server which could cause arbitrary code execution on the client. A successful attack requires that (a) the client has agreed to allow the server to push configuration directives to it by including "pull" or the macro "client" in its configuration file, (b) the client successfully authenticates the server, (c) the server is malicious or has been compromised and is under the control of the attacker, and (d) the client is running a non-Windows OS. Credit: David Wagner. * Miscellaneous defensive programming changes to multiple areas of the code. In particular, use of the system() call for calling executables such as ifconfig, route, and user-defined scripts has been completely revamped in favor of execve() on unix and CreateProcess() on Windows. * In Windows build, package a statically linked openssl.exe to work around observed instabilities in the dynamic build since the migration to OpenSSL 0.9.8h. James ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ James Yonan 2008-08-01T06:41:35 http://permalink.gmane.org/gmane.network.openvpn.announce/21 OpenSSL 0.9.8c-1 up to 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys. This vulnerability only affects Debian-based distributions and does not affect any Red Hat distributions. http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0166 How this affects OpenVPN: Any keys which were generated on the vulnerable distributions (Debian, Ubuntu, Kubuntu) using openvpn --genkey or the easy-rsa scripts should be considered compromised, since the security of each of these operations would depend on the quality of the randomness provided by the underlying OpenSSL library. You would want to revoke these keys, and rebuild them after having applied the fix. James ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ James Yonan 2008-05-15T16:27:28 http://permalink.gmane.org/gmane.network.openvpn.announce/20 To the OpenVPN Community: I apologize for the longer-than-expected 2.1 release cycle. But I'm actually pleased to announce that there is good news on the horizon. We will likely be getting some funding shortly to organize the OpenVPN project more as a traditional open source business, where support services and commercial licensing will fund paid positions for coordinating maintenance and release cycles. Quite frankly, as OpenVPN has matured, the effort required to maintain the project has gone beyond what a single individual can do in their spare time. The plan is this: in the short term, we're going to work on catching up with the patch queue and getting 2.1 out the door. In particular, there is one outstanding issue where we could use a volunteer. The 2.1-rc4 version of the Windows TAP driver, which contains a minor fix for Vista support, is broken on Win2K (When built with the Vista DDK RC 1 and explicitly targeted at Win2K and higher). This is something that needs to be resolved before 2.1 can be released. Longer term, the OpenVPN prognosis is looking very good. With additional funding being likely, look for improvements in the web site (Wiki, bug-reports/feature-request management), new commercial support offerings, and a possible appliance product. With new funding, we will also push for third party security certification and drafting of a comprehensive RFC that documents the underlying OpenVPN protocol. If you'd like to be a part of the new OpenVPN team, we are looking for guru-level developers to work on OpenVPN 3. If you are interested, please send your resume to info< at >openvpn.net and include "resume" in the subject line. Best Regards, James Olivier Goudron wrote: ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ James Yonan 2008-01-20T22:39:19 http://permalink.gmane.org/gmane.network.openvpn.announce/19 Basically any version of OpenVPN that uses OpenSSL versions prior to 0.9.7k is potentially vulnerable (including 2.0.7), however using "tls-auth" in the OpenVPN configuration reduces the vulnerability to a large extent. Now having said that, if you are using 2.0.7 on unix, you can continue to use 2.0.7, just stop the OpenVPN daemon(s), upgrade the OpenSSL package on your system, and then restart OpenVPN. If you are using 2.0.7 on Windows, you can do one of two things: (1) Upgrade to 2.0.8, which automatically upgrades OpenSSL to 0.9.7k. (2) Continue using 2.0.7, but drop in new versions of the OpenSSL DLLs (libeay32.dll and libssl32.dll) replacing the files in 2.0.7 of the same name. They are usually stored in \Program Files\OpenVPN\bin. You can download these and their related GnuPG signatures here: http://openvpn.net/release/openssl/ James ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV James Yonan 2006-09-12T18:25:27 http://permalink.gmane.org/gmane.network.openvpn.announce/18 2006.10.01 -- Version 2.0.9 * Windows installer updated with OpenSSL 0.9.7l DLLs to fix published vulnerabilities. * Fixed TAP-Win32 bug that caused BSOD on Windows Vista (Henry Nestler). The TAP-Win32 driver has now been upgraded to version 8.4. 2006.10.01 -- Version 2.1-beta16 * Windows installer updated with OpenSSL 0.9.7l DLLs to fix published vulnerabilities. * Fixed TAP-Win32 bug that caused BSOD on Windows Vista (Henry Nestler). * Autodetect 32/64 bit Windows in installer and install appropriate TAP driver (Mathias Sundman, Hypherion). * Fixed bug in loopback self-test introduced in 2.1-beta15 where self test as invoked by "make check" would not properly exit after 2 minutes (Paul Howarth). James ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV James Yonan 2006-10-01T13:02:10 http://permalink.gmane.org/gmane.network.openvpn.announce/17 2006.09.12 -- Version 2.0.8 * Windows installer updated with OpenSSL 0.9.7k DLLs to fix RSA Signature Forgery (CVE-2006-4339). * No changes to OpenVPN source code between 2.0.7 and 2.0.8. 2006.09.12 -- Version 2.1-beta15 * Windows installer updated with OpenSSL 0.9.7k DLLs to fix RSA Signature Forgery (CVE-2006-4339). * Fixed bug introduced with the --port-share directive (back in 2.1-beta9 which causes TLS soft resets (1 per hour by default) in TCP server mode to force a blockage of tunnel packets and later time-out and restart the connection. * pkcs11 changes: 1. Modified ssl.c to not FATAL and return to init.c so auth-retry will work. 2. Modifed pkcs11-helper.c to fix some problem with multiple providers. 3. Updated makefile.w32-vc to include lladdr.*, updated linkage libraries. 4. Modified lladdr.c to be compiled under visual C. 5. Added retry counter to PKCS#11 PIN hook. 6. Modified PKCS#11 PIN retry loop to return correct error code when PIN is incorrect. 7. Fix handling (ignoring) zero sized attributes. 8. Fix gcc-2 issues. 9. Fix openssl 0.9.6 (first version) issues. 10. easy-rsa Makefile (install) is now available so that distribs will be able to install it safely. * Added two new management states: OPENVPN_STATE_RESOLVE -- DNS lookup OPENVPN_STATE_TCP_CONNECT -- Connecting to TCP server * Echo management state change to log. * Minor syshead.h change for NetBSD to allow TCP_NODELAY flag to work. * Modified --port-share code to remove the assumption that CMSG_SPACE always evaluates to a constant, to enable compilation on NetBSD and possibly other BSDs as well. * Eliminated gcc 3.3.3 warnings on NetBSD when ./configure --enable-strict is used. * Added optional minimum-number-of-bytes parameter to --inactive directive. James ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 James Yonan 2006-09-12T08:17:12 http://permalink.gmane.org/gmane.network.openvpn.announce/16 * Code added in 2.1-beta7 and 2.0.6-rc1 to extend byte counters to 64 bits caused a bug in the Windows version which has now been fixed. The bug could cause intermittent crashes. James ------------------------------------------------------- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642 James Yonan 2006-04-12T10:04:58 http://permalink.gmane.org/gmane.network.openvpn.announce/15 This release contains fixes for two security issues that just came to my attention over the past 24 hours, which affect OpenVPN 2.0, 2.0.1, 2.0.2, and the 2.1 beta series. OpenVPN 1.x is not affected. Individual patches are available here: http://openvpn.net/patch/2.0.4-security-patches Change Log: * Security fix -- Affects non-Windows OpenVPN clients of version 2.0 or higher which connect to a malicious or compromised server. A format string vulnerability in the foreign_option function in options.c could potentially allow a malicious or compromised server to execute arbitrary code on the client. Only non-Windows clients are affected. The vulnerability only exists if (a) the client's TLS negotiation with the server succeeds, (b) the server is malicious or has been compromised such that it is configured to push a maliciously crafted options string to the client, and (c) the client indicates its willingness to accept pushed options from the server by having "pull" or "client" in its configuration file (Credit: Vade79). CVE-2005-3393 * Security fix -- Potential DoS vulnerability on the server in TCP mode. If the TCP server accept() call returns an error status, the resulting exception handler may attempt to indirect through a NULL pointer, causing a segfault. Affects all OpenVPN 2.0 versions. CVE-2005-3409 * Fix attempt of assertion at multi.c:1586 (note that this precise line number will vary across different versions of OpenVPN). * Added ".PHONY: plugin" to Makefile.am to work around "make dist" issue. * Fixed double fork issue that occurs when --management-hold is used. * Moved TUN/TAP read/write log messages from --verb 8 to 6. * Warn when multiple clients having the same common name or username usurp each other when --duplicate-cn is not used. * Modified Windows and Linux versions of get_default_gateway to return the route with the smallest metric if multiple 0.0.0.0/0.0.0.0 entries are present. James ------------------------------------------------------- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42" plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php James Yonan 2005-11-01T20:17:02 http://permalink.gmane.org/gmane.network.openvpn.announce/14 Download: http://openvpn.net/download.html Changes since 2.0.1: * Fixed regression bug in Win32 installer, introduced in 2.0.1, which incorrectly set OpenVPN service to autostart. * Don't package source code zip file in Windows installer in order to reduce the size of the installer. The source zip file can always be downloaded separately if needed. * Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD version of get_default_gateway. Allocated socket for route manipulation is never freed so number of mbufs continuously grow and exhaust system resources after a while (Jaroslav Klaus). * Fixed bug where "--proto tcp-server --mode p2p --management host port" would cause the management port to not respond until the OpenVPN peer connects. * Modified pkitool script to be /bin/sh compatible (Johnny Lam). James ------------------------------------------------------- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf James Yonan 2005-08-25T17:20:03 http://permalink.gmane.org/gmane.network.openvpn.announce/12 I'm happy to announce that OpenVPN 2.0 has been released! http://openvpn.net/download.html Thanks to all who have supported the project with donations, developing code, writing articles, and helping to support people on the mailing lists. I'm going to sit back now, relax, maybe try to get my server slashdotted, and I'll try not to think too much about OpenVPN 3.0 until the middle of the week :) Enjoy, James ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click James Yonan 2005-04-18T04:35:36 Search the mailing list at Gmane query http://search.gmane.org/?group=$group=gmane.network.openvpn.announce