[FFe] Merge openvpn 2.1_rc11-1 from Debian

Bug #279655 reported by Thierry Carrez on 2008-10-07
Affects: openvpn (Ubuntu)

Bug Description

Binary package hint: openvpn

Intrepid currently ships openvpn 2.1 rc9, which introduced several regressions compared to rc7 (hardy) behavior and features:

* --lladdr input validation code expects the lladdr parameter to be an IP address when it is actually a MAC address (introduced in rc9)
* --ifconfig, --route, and --route-gateway used to be able to accept DNS names (introduced in rc8)
* all script parameters used to accept arguments but they no longer can (introduced in rc9, also filed here as bug 277447)
* Deferred authentication features introduced a bug in intra-session TLS key rollover (introduced in rc8)

Debian's rc11-1 release (from Sep 18) fixes all those regressions and lots of other bugs, while introducing only a couple of new features. It has proven stable since its release without any further regressions compared to rc7 behavior.

I'll prepare a merge with that version and submit it for Feature Freeze exception approval.


Thierry Carrez (ttx) on 2008-10-07
Changed in openvpn:
assignee: nobody → tcarrez
Thierry Carrez (ttx) wrote :

Debdiff from Debian version to merged version

Remaining diffs:
* debian/openvpn.init.d: Added 'status' action to init script, show per-VPN result messages and add "--script-security 2" by default for backwards compatibility
* debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()

Thierry Carrez (ttx) wrote :

Diffstat between current rc9-3ubuntu2 and proposed rc11-1ubuntu1

Thierry Carrez (ttx) wrote :

Detailed changelog:

[regressionfix] Fixed --lladdr bug introduced in 2.1-rc9 where input validation code was incorrectly expecting the lladdr parameter to be an IP address when it is actually a MAC address (HoverHell).

[bugfix] Fixed a bug that can cause SSL/TLS negotiations in UDP mode to fail if UDP packets are dropped.

[feature] Added "--server-bridge" (without parameters) to enable DHCP proxy mode: Configure server mode for ethernet bridging using a DHCP-proxy, where clients talk to the OpenVPN server-side DHCP server to receive their IP address allocation and DNS server addresses.

[feature] Added "--route-gateway dhcp", to enable the extraction of the gateway address from a DHCP negotiation with the OpenVPN server-side LAN.

[feature] Warn when ethernet bridging that the IP address of the bridge adapter is probably not the same address that the LAN adapter was set to previously.

[feature] When running as a server, warn if the LAN network address is the all-popular 192.168.[0|1].x, since this condition commonly leads to subnet conflicts down the road.

[bugfix] Primarily on the client, check for subnet conflicts between the local LAN and the VPN subnet.

[buildfix] Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO and USE_SSL flags are enabled (Alon Bar-Lev).

[buildfix] Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new --script-security rules. Also adds retrying if the addresses are in use (Matthias Andree).

[buildfix] Fixed build issue with ./configure --disable-socks --disable-http.

[buildfix] Fixed separate compile errors in options.c and ntlm.c that occur on strict C compilers (such as old versions of gcc) that require that C variable declarations occur at the start of a {} block, not in the middle.

[bugfix] Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which the new implementation of extract_x509_field_ssl depends on.

[bugfix] LZO compression buffer overflow errors will now invalidate the packet rather than trigger a fatal assertion.

[buildfix] Fixed minor compile issue in ntlm.c (mid-block declaration).

[regressionfix] Added --allow-pull-fqdn option which allows client to pull DNS names from server (rather than only IP address) for --ifconfig, --route, and --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names for these options to be pulled and translated to IP addresses by default. Now --allow-pull-fqdn will be explicitly required on the client to enable DNS-name-to-IP-address translation of pulled options.

[regressionfix] 2.1_rc8 and earlier did implicit shell expansion on script arguments since all scripts were called by system(). The security hardening changes made to 2.1_rc9 no longer use system(), but rather use the safer execve or CreateProcess system calls. The security hardening also introduced a backward incompatibility with 2.1_rc8 and earlier in that script parameters were no longer shell-expanded.

[rfc-conformancefix] Modified ip_or_dns_addr_safe, which validates pulled DNS names, to more closely conform to RFC 3696.

[regressionfix] Fixed bug in intra-session TLS key rollover that was introduced with deferred authentication features in 2.1_rc8.

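The system()-versus-execve point in the changelog above is the one piece of this bug that matters beyond packaging, so here is a small added illustration of why the rc9 hardening was made and what it cost in compatibility. This is example code written for this page, not OpenVPN's own argument parser (OpenVPN splits the command string itself; shlex is used here only as a stand-in), and the command line and the hostile value are constructed samples.

```python
import shlex
import subprocess

# Constructed sample: an "up" command as it might be written in an
# OpenVPN 2.1 configuration, with arguments after the script path.
# /bin/echo stands in for the script so the example runs anywhere.
UP_COMMAND = "/bin/echo tun0 1500"

# Constructed hostile value standing in for data that reaches the
# script command line from an untrusted source (for example an option
# pulled from the server). It is harmless here: it only echoes a marker.
HOSTILE_ARG = "10.8.0.1; echo INJECTED"


def run_via_system(command: str, arg: str) -> str:
    """rc8-style invocation: the whole line is handed to /bin/sh,
    exactly as system() would do, so ';' starts a second command."""
    result = subprocess.run(
        f"{command} {arg}", shell=True, capture_output=True, text=True
    )
    return result.stdout


def run_via_execve(command: str, arg: str) -> str:
    """rc9+-style invocation: the command string is split into an argv
    vector once and executed directly, with no shell in between. The
    untrusted value stays a single literal argument."""
    argv = shlex.split(command) + [arg]
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout


def shell_injection_happened(output: str) -> bool:
    """True if the marker from the hostile value ran as its own command
    (it would then appear on a line by itself)."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("system():", repr(run_via_system(UP_COMMAND, HOSTILE_ARG)))
    print("execve(): ", repr(run_via_execve(UP_COMMAND, HOSTILE_ARG)))
```

The flip side, which is the regression tracked as bug 277447, is that with execve nothing expands `$VAR`, globs or quotes inside the configured arguments any more; a script that relied on the shell to do that has to do it itself, and the packaging here keeps `--script-security 2` on by default only so that user-defined scripts keep running at all.
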
Thierry Carrez (ttx) wrote :

New package builds and upgrades correctly.
Basic functional testing has been performed.

Changed in openvpn:
assignee: tcarrez → nobody
Steve Langasek (vorlon) wrote :

FFe granted, please upload.

Changed in openvpn:
status: New → Confirmed
Thierry Carrez (ttx) wrote :

Testing with n-m-openvpn doesn't show a regression. That said it doesn't work very well with rc9-3 (in particular it doesn't like openvpn soft-restarts very much), will follow up with corresponding n-m-openvpn bugs.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn - 2.1~rc11-1ubuntu1

openvpn (2.1~rc11-1ubuntu1) intrepid; urgency=low

  * Merge with Debian (LP: #279655), remaining diffs:
    - debian/openvpn.init.d: Added 'status' action to init script, show
      per-VPN result messages and add "--script-security 2" by default for
      backwards compatibility
    - debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
  * Fixes regression when calling commands with arguments (LP: #277447)

 -- Thierry Carrez <email address hidden> Tue, 07 Oct 2008 16:30:44 +0200

Changed in openvpn:
status: Confirmed → Fix Released