Activity log for bug #2004676

Date Who What changed Old value New value Message
2023-02-03 17:57:33 Lena Voytek bug added bug
2023-02-03 17:57:45 Lena Voytek nominated for series Ubuntu Focal
2023-02-03 17:57:45 Lena Voytek bug task added openvpn (Ubuntu Focal)
2023-02-03 17:57:45 Lena Voytek nominated for series Ubuntu Jammy
2023-02-03 17:57:45 Lena Voytek bug task added openvpn (Ubuntu Jammy)
2023-02-03 17:57:49 Lena Voytek openvpn (Ubuntu): status New -> Fix Released
2023-02-03 17:57:53 Lena Voytek openvpn (Ubuntu Focal): assignee Lena Voytek (lvoytek)
2023-02-03 17:57:55 Lena Voytek openvpn (Ubuntu Jammy): assignee Lena Voytek (lvoytek)
2023-02-03 18:24:17 Simon Déziel bug added subscriber Simon Déziel
2023-02-06 16:49:29 Lena Voytek description
Old value:
openvpn could use some updates to match their most recent upstream minor release to fix bugs in Jammy and Focal
New value:
[Impact]
MRE for latest stable release fixes in openvpn version 2.5.8 for Jammy, and version 2.4.11 for Focal

[Major Changes]
For openvpn 2.5.6-2.5.8, major changes include:
Updates:
 * OpenSSL3 support
 * pkcs11-helper upgrade to 1.28.4
 * allow running a default configuration with TLS libraries without BF-CBC
CVE Fixes:
 * CVE-2022-0547
Bug Fixes:
 * Fix "--mtu-disc maybe|yes"
 * Fix $common_name variable passed to scripts when username-as-common-name is in effect
 * Fix potential memory leaks in add_route() and add_route_ipv6()
 * Apply connect-retry backoff only to one side of the connection in p2p mode
 * Repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
 * Repair handling of EC certificates on Windows with pkcs11-helper
 * Fix PATH_MAX build failure in auth-pam.c
 * Fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
 * Fix overlong path names, leading to missing pkcs11-helper patch in tarball
 * Fix using --auth-token together with --management-client-auth
 * Fix clearing of username+password when using --auth-nocache
 * Ensure that auth-token received from server is cleared if requested by the management interface
 * Stop asking for username+password on token expiry on system without credentials
 * Fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
 * tls-crypt-v2: abort connection if client-key is too short
Full release notes for versions 2.5.6-2.5.8: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

[Test Plan]
DEP-8 Tests:
 * server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority
 * server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication
Both tests are passing on all architectures, see:
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-lvoytek-openvpn-mre/

[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions may arise for users due to behavior changes from updates to items such as pkcs11-helper.
2023-02-06 16:49:40 Lena Voytek openvpn (Ubuntu Jammy): status New -> In Progress
2023-02-06 16:56:47 Lena Voytek merge proposal linked https://code.launchpad.net/~lvoytek/ubuntu/+source/openvpn/+git/openvpn/+merge/436910
2023-02-07 15:20:15 Lena Voytek description
Old value: unchanged copy of the new value in the 2023-02-06 16:49:29 entry above.
New value:
[Impact]
MRE for latest stable release fixes in openvpn version 2.5.8 for Jammy, and version 2.4.11 for Focal

The versions will not be moved to 2.6.x to avoid feature releases and focus on bug fixes.

[Major Changes]
For openvpn 2.5.6-2.5.8, major changes include:
Updates:
 * OpenSSL3 support
 * pkcs11-helper upgrade to 1.28.4
 * allow running a default configuration with TLS libraries without BF-CBC
CVE Fixes:
 * CVE-2022-0547
Bug Fixes:
 * Fix "--mtu-disc maybe|yes"
 * Fix $common_name variable passed to scripts when username-as-common-name is in effect
 * Fix potential memory leaks in add_route() and add_route_ipv6()
 * Apply connect-retry backoff only to one side of the connection in p2p mode
 * Repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
 * Repair handling of EC certificates on Windows with pkcs11-helper
 * Fix PATH_MAX build failure in auth-pam.c
 * Fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
 * Fix overlong path names, leading to missing pkcs11-helper patch in tarball
 * Fix using --auth-token together with --management-client-auth
 * Fix clearing of username+password when using --auth-nocache
 * Ensure that auth-token received from server is cleared if requested by the management interface
 * Stop asking for username+password on token expiry on system without credentials
 * Fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
 * tls-crypt-v2: abort connection if client-key is too short
Full release notes for versions 2.5.6-2.5.8: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

[Test Plan]
DEP-8 Tests:
 * server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority
 * server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication
Both tests are passing on all architectures, see:
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-lvoytek-openvpn-mre/

[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions may arise for users due to behavior changes from updates to items such as pkcs11-helper.
2023-02-07 15:29:09 Lena Voytek description
Old value: unchanged copy of the new value in the 2023-02-07 15:20:15 entry above.
New value:
[Impact]
MRE for latest stable release fixes in openvpn version 2.5.8 for Jammy, and version 2.4.11 for Focal

The versions will not be moved to 2.6.x to avoid feature releases and focus on bug fixes.

[Major Changes]
For openvpn 2.5.6-2.5.8, major changes include:
Updates:
 * OpenSSL3 support
 * pkcs11-helper upgrade to 1.28.4
 * allow running a default configuration with TLS libraries without BF-CBC
CVE Fixes:
 * CVE-2022-0547
Bug Fixes:
 * Fix "--mtu-disc maybe|yes"
 * Fix $common_name variable passed to scripts when username-as-common-name is in effect
 * Fix potential memory leaks in add_route() and add_route_ipv6()
 * Apply connect-retry backoff only to one side of the connection in p2p mode
 * Repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
 * Fix PATH_MAX build failure in auth-pam.c
 * Fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
 * Fix overlong path names, leading to missing pkcs11-helper patch in tarball
 * Fix using --auth-token together with --management-client-auth
 * Fix clearing of username+password when using --auth-nocache
 * Ensure that auth-token received from server is cleared if requested by the management interface
 * Stop asking for username+password on token expiry on system without credentials
 * Fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
 * tls-crypt-v2: abort connection if client-key is too short
Full release notes for versions 2.5.6-2.5.8: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

[Test Plan]
DEP-8 Tests:
 * server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority
 * server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication
Both tests are passing on all architectures, see:
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-lvoytek-openvpn-mre/

[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions may arise for users due to behavior changes from updates to items such as pkcs11-helper.
2023-02-08 21:04:38 Lena Voytek description
Old value: unchanged copy of the new value in the 2023-02-07 15:29:09 entry above.
New value:
[Impact]
MRE for latest stable release fixes in openvpn version 2.5.8 for Jammy, and version 2.4.11 for Focal

[Major Changes]
Jammy:
For openvpn 2.5.6-2.5.8, major changes include:
Updates:
 * OpenSSL3 support
 * pkcs11-helper upgrade to 1.28.4
 * allow running a default configuration with TLS libraries without BF-CBC
CVE Fixes:
 * CVE-2022-0547
Bug Fixes:
 * Fix "--mtu-disc maybe|yes"
 * Fix $common_name variable passed to scripts when username-as-common-name is in effect
 * Fix potential memory leaks in add_route() and add_route_ipv6()
 * Apply connect-retry backoff only to one side of the connection in p2p mode
 * Repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
 * Repair handling of EC certificates on Windows with pkcs11-helper
 * Fix PATH_MAX build failure in auth-pam.c
 * Fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
 * Fix overlong path names, leading to missing pkcs11-helper patch in tarball
 * Fix using --auth-token together with --management-client-auth
 * Fix clearing of username+password when using --auth-nocache
 * Ensure that auth-token received from server is cleared if requested by the management interface
 * Stop asking for username+password on token expiry on system without credentials
 * Fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
 * tls-crypt-v2: abort connection if client-key is too short
Full release notes for versions 2.5.6-2.5.8: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

Focal:
For openvpn 2.4.8-2.4.11, major changes include:
Updates:
 * Support compiling with OpenSSL 1.1 without deprecated APIs
 * Handle PSS padding in cryptoapicert (necessary for TLS >= 1.2)
 * Client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better
CVE Fixes:
 * CVE-2020-11810
 * CVE-2020-15078
Bug Fixes:
 * Fix PIN querying in systemd environments
 * Fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
 * Fix combination of async push (deferred auth) and NCP
 * Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
 * Fix OpenSSL private key passphrase notices
 * Fix broken fragmentation logic when using NCP
 * Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
 * Fix auth-token not being updated if auth-nocache is set
 * Fix error detection / abort in --inetd corner case
 * Fix handling of 'route remote_host' for IPv6 transport case
 * Fix fatal error at switching remotes
 * Documentation fixes
Full release notes for versions 2.4.8-2.4.11: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

[Test Plan]
DEP-8 Tests:
 * server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority
 * server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication
Both tests are passing on all architectures, see:
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-lvoytek-openvpn-mre/
https://autopkgtest.ubuntu.com/results/autopkgtest-focal-lvoytek-openvpn-mre/

[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions in Jammy may arise for users due to behavior changes from updates to items such as pkcs11-helper. In Focal, updates in NCP cipher negotiation could lead to regressions there.
2023-02-08 21:04:44 Lena Voytek openvpn (Ubuntu Focal): status New -> In Progress
2023-02-09 08:01:05 Bryce Harrington merge proposal linked https://code.launchpad.net/~lvoytek/ubuntu/+source/openvpn/+git/openvpn/+merge/437055
2023-02-17 22:55:32 Lena Voytek description
Old value: unchanged copy of the new value in the 2023-02-08 21:04:38 entry above.
New value:
This bug tracks an update for the OpenVPN package, moving to versions:
 * Jammy (22.04): OpenVPN 2.5.8
 * Focal (20.04): OpenVPN 2.4.11

[Upstream Changes]
Jammy:
For openvpn 2.5.6-2.5.8, major changes include:
Updates:
 * OpenSSL3 support
 * pkcs11-helper upgrade to 1.28.4
 * allow running a default configuration with TLS libraries without BF-CBC
CVE Fixes:
 * CVE-2022-0547
Bug Fixes:
 * Fix "--mtu-disc maybe|yes"
 * Fix $common_name variable passed to scripts when username-as-common-name is in effect
 * Fix potential memory leaks in add_route() and add_route_ipv6()
 * Apply connect-retry backoff only to one side of the connection in p2p mode
 * Repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
 * Repair handling of EC certificates on Windows with pkcs11-helper
 * Fix PATH_MAX build failure in auth-pam.c
 * Fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
 * Fix overlong path names, leading to missing pkcs11-helper patch in tarball
 * Fix using --auth-token together with --management-client-auth
 * Fix clearing of username+password when using --auth-nocache
 * Ensure that auth-token received from server is cleared if requested by the management interface
 * Stop asking for username+password on token expiry on system without credentials
 * Fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
 * tls-crypt-v2: abort connection if client-key is too short
Full release notes for versions 2.5.6-2.5.8: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

Focal:
For openvpn 2.4.8-2.4.11, major changes include:
Updates:
 * Support compiling with OpenSSL 1.1 without deprecated APIs
 * Handle PSS padding in cryptoapicert (necessary for TLS >= 1.2)
 * Client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better
CVE Fixes:
 * CVE-2020-11810
 * CVE-2020-15078
Bug Fixes:
 * Fix PIN querying in systemd environments
 * Fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
 * Fix combination of async push (deferred auth) and NCP
 * Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
 * Fix OpenSSL private key passphrase notices
 * Fix broken fragmentation logic when using NCP
 * Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
 * Fix auth-token not being updated if auth-nocache is set
 * Fix error detection / abort in --inetd corner case
 * Fix handling of 'route remote_host' for IPv6 transport case
 * Fix fatal error at switching remotes
 * Documentation fixes
Full release notes for versions 2.4.8-2.4.11: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

[Test Plan]
DEP-8 Tests:
 * server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority
 * server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication
Both tests are passing on all architectures, see:
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-lvoytek-openvpn-mre/
https://autopkgtest.ubuntu.com/results/autopkgtest-focal-lvoytek-openvpn-mre/

[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions in Jammy may arise for users due to behavior changes from updates to items such as pkcs11-helper. In Focal, updates in NCP cipher negotiation could lead to regressions there.
2023-04-14 20:31:56 Steve Langasek openvpn (Ubuntu Jammy): status In Progress -> Fix Committed
2023-04-14 20:31:57 Steve Langasek bug added subscriber Ubuntu Stable Release Updates Team
2023-04-14 20:31:59 Steve Langasek bug added subscriber SRU Verification
2023-04-14 20:32:03 Steve Langasek tags verification-needed verification-needed-jammy
2023-04-20 15:32:48 Lena Voytek tags verification-needed verification-needed-jammy -> block-proposed verification-needed verification-needed-jammy
2023-08-15 19:22:01 Lena Voytek summary MRE Updates 2.5.8 / 2.4.11 -> MRE Updates 2.5.9 / 2.4.12
2023-08-15 19:53:38 Lena Voytek description
Old value: unchanged copy of the new value in the 2023-02-17 22:55:32 entry above.
New value:
This bug tracks an update for the OpenVPN package, moving to versions:
 * Jammy (22.04): OpenVPN 2.5.9
 * Focal (20.04): OpenVPN 2.4.12

Note that openvpn does not have an accepted micro-release exception. However, the SRU team has agreed to consider further releases given a full knowledge and possible mitigation of backwards-incompatible changes. See https://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html

[Upstream Changes]
Jammy:
For openvpn 2.5.6-2.5.9, major changes include:
Updates:
 * OpenSSL3 support
 * Add insecure tls-cert-profile options for openssl 3 SHA1 deprecation
 * Add --with-openssl-engine autoconf option
 * pkcs11-helper upgrade to 1.28.4
 * allow running a default configuration with TLS libraries without BF-CBC
 * allow optional ciphers in --data-ciphers
CVE Fixes:
 * CVE-2022-0547
Bug Fixes:
 * Fix "--mtu-disc maybe|yes"
 * Fix $common_name variable passed to scripts when username-as-common-name is in effect
 * Fix potential memory leaks in add_route() and add_route_ipv6()
 * Apply connect-retry backoff only to one side of the connection in p2p mode
 * Repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
 * Repair handling of EC certificates on Windows with pkcs11-helper
 * Fix PATH_MAX build failure in auth-pam.c
 * Fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
 * Fix overlong path names, leading to missing pkcs11-helper patch in tarball
 * Fix using --auth-token together with --management-client-auth
 * Fix clearing of username+password when using --auth-nocache
 * Ensure that auth-token received from server is cleared if requested by the management interface
 * Stop asking for username+password on token expiry on system without credentials
 * Fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
 * tls-crypt-v2: abort connection if client-key is too short
 * Fix null pointer error when running openvpn --show-tls with mbedtls
 * Fix corner case that could lead to leaked file descriptor
 * Fix parsing issue in pull-filter when there are leading spaces
 * Fix possible buffer overflow in parse_line argument

Looking through each commit from the release of 2.5.5 to 2.5.9, I could not find any backwards-incompatible changes. There are minor changes to the user experience though. As listed in the updates section, an additional command line option has been added, and some additional inputs have been provided to the user such as insecure tls-cert-profile options and optional ciphers in --data-ciphers.

Full release notes for versions 2.5.6-2.5.9: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

Focal:
For openvpn 2.4.8-2.4.12, major changes include:
Updates:
 * Support compiling with OpenSSL 1.1 without deprecated APIs
 * Handle PSS padding in cryptoapicert (necessary for TLS >= 1.2)
 * Client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better
CVE Fixes:
 * CVE-2020-11810
 * CVE-2020-15078
Bug Fixes:
 * Fix PIN querying in systemd environments
 * Fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
 * Fix combination of async push (deferred auth) and NCP
 * Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
 * Fix OpenSSL private key passphrase notices
 * Fix broken fragmentation logic when using NCP
 * Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
 * Fix auth-token not being updated if auth-nocache is set
 * Fix error detection / abort in --inetd corner case
 * Fix handling of 'route remote_host' for IPv6 transport case
 * Fix fatal error at switching remotes
 * Documentation fixes
Full release notes for versions 2.4.8-2.4.12: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

[Test Plan]
DEP-8 Tests:
 * server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority
 * server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication
Both tests are passing on all architectures, see:
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-lvoytek-openvpn-mre/
https://autopkgtest.ubuntu.com/results/autopkgtest-focal-lvoytek-openvpn-mre/

[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions in Jammy may arise for users due to behavior changes from updates to items such as pkcs11-helper. In Focal, updates in NCP cipher negotiation could lead to regressions there.
2023-08-21 17:22:05 Lena Voytek summary MRE Updates 2.5.9 / 2.4.12 MRE Updates 2.5.8 / 2.4.12
2023-08-21 17:38:43 Lena Voytek description

This bug tracks an update for the OpenVPN package, moving to versions:
 * Jammy (22.04): OpenVPN 2.5.9
 * Focal (20.04): OpenVPN 2.4.12

Note that openvpn does not have an accepted micro-release exception. However, the SRU team has agreed to consider further releases given a full knowledge and possible mitigation of backwards-incompatible changes. See https://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html

[Upstream Changes]

Jammy:

For openvpn 2.5.6-2.5.9, major changes include:

Updates:
OpenSSL3 support
Add insecure tls-cert-profile options for openssl 3 SHA1 deprecation
Add --with-openssl-engine autoconf option
pkcs11-helper upgrade to 1.28.4
allow running a default configuration with TLS libraries without BF-CBC
allow optional ciphers in --data-ciphers

CVE Fixes:
CVE-2022-0547

Bug Fixes:
Fix "--mtu-disc maybe|yes"
Fix $common_name variable passed to scripts when username-as-common-name is in effect
Fix potential memory leaks in add_route() and add_route_ipv6()
Apply connect-retry backoff only to one side of the connection in p2p mode
Repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
Repair handling of EC certificates on Windows with pkcs11-helper
Fix PATH_MAX build failure in auth-pam.c
Fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
Fix overlong path names, leading to missing pkcs11-helper patch in tarball
Fix using --auth-token together with --management-client-auth
Fix clearing of username+password when using --auth-nocache
Ensure that auth-token received from server is cleared if requested by the management interface
Stop asking for username+password on token expiry on system without credentials
Fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
tls-crypt-v2: abort connection if client-key is too short
Fix null pointer error when running openvpn --show-tls with mbedtls
Fix corner case that could lead to leaked file descriptor
Fix parsing issue in pull-filter when there are leading spaces
Fix possible buffer overflow in parse_line argument

Looking through each commit from the release of 2.5.5 to 2.5.9, I could not find any backwards-incompatible changes. There are minor changes to the user experience though. As listed in the updates section, an additional command line option has been added, and some additional inputs have been provided to the user such as insecure tls-cert-profile options and optional ciphers in --data-ciphers.

Full release notes for versions 2.5.6-2.5.9: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

Focal:

For openvpn 2.4.8-2.4.12, major changes include:

Updates:
Support compiling with OpenSSL 1.1 without deprecated APIs
Handle PSS padding in cryptoapicert (necessary for TLS >= 1.2)
Client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better

CVE Fixes:
CVE-2020-11810
CVE-2020-15078

Bug Fixes:
Fix PIN querying in systemd environments
Fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
Fix combination of async push (deferred auth) and NCP
Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
Fix OpenSSL private key passphrase notices
Fix broken fragmentation logic when using NCP
Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
Fix auth-token not being updated if auth-nocache is set
Fix error detection / abort in --inetd corner case
Fix handling of 'route remote_host' for IPv6 transport case
Fix fatal error at switching remotes
Documentation fixes

Full release notes for versions 2.4.8-2.4.12: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

[Test Plan]

DEP-8 Tests:
server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority
server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication

Both tests are passing on all architectures, see:
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-lvoytek-openvpn-mre/
https://autopkgtest.ubuntu.com/results/autopkgtest-focal-lvoytek-openvpn-mre/

[Regression Potential]

Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions in Jammy may arise for users due to behavior changes from updates to items such as pkcs11-helper. In Focal, updates in NCP cipher negotiation could lead to regressions there.

This bug tracks an update for the OpenVPN package, moving to versions:
 * Jammy (22.04): OpenVPN 2.5.8
 * Focal (20.04): OpenVPN 2.4.12

[Upstream Changes]

Jammy:

For openvpn 2.5.6-2.5.8, major changes include:

Updates:
OpenSSL3 support
pkcs11-helper upgrade to 1.28.4
allow running a default configuration with TLS libraries without BF-CBC

CVE Fixes:
CVE-2022-0547

Bug Fixes:
Fix "--mtu-disc maybe|yes"
Fix $common_name variable passed to scripts when username-as-common-name is in effect
Fix potential memory leaks in add_route() and add_route_ipv6()
Apply connect-retry backoff only to one side of the connection in p2p mode
Repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
Repair handling of EC certificates on Windows with pkcs11-helper
Fix PATH_MAX build failure in auth-pam.c
Fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
Fix overlong path names, leading to missing pkcs11-helper patch in tarball
Fix using --auth-token together with --management-client-auth
Fix clearing of username+password when using --auth-nocache
Ensure that auth-token received from server is cleared if requested by the management interface
Ensure the current common_name is in the environment for scripts
Stop asking for username+password on token expiry on system without credentials
Fix argv leaks in add_route() and add_route_ipv6()
Fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
tls-crypt-v2: abort connection if client-key is too short

Full release notes for versions 2.5.6-2.5.8: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

Focal:

For openvpn 2.4.8-2.4.12, major changes include:

Updates:
Support compiling with OpenSSL 1.1 without deprecated APIs
Handle PSS padding in cryptoapicert (necessary for TLS >= 1.2)
Client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better

CVE Fixes:
CVE-2020-11810
CVE-2020-15078

Bug Fixes:
Fix "--mtu-disc maybe|yes"
Fix argv leaks in add_route() and add_route_ipv6()
Ensure the current common_name is in the environment for scripts
Apply connect-retry backoff only to one side of the connection in p2p mode
Fix PIN querying in systemd environments
Fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
Fix combination of async push (deferred auth) and NCP
Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
Fix OpenSSL private key passphrase notices
Fix broken fragmentation logic when using NCP
Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
Fix auth-token not being updated if auth-nocache is set
Fix error detection / abort in --inetd corner case
Fix handling of 'route remote_host' for IPv6 transport case
Fix fatal error at switching remotes
Documentation fixes

Full release notes for versions 2.4.8-2.4.12: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

[Test Plan]

DEP-8 Tests:
server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority
server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication

Both tests are passing on all architectures, see:
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-lvoytek-openvpn-mre/
https://autopkgtest.ubuntu.com/results/autopkgtest-focal-lvoytek-openvpn-mre/

[Regression Potential]

Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions in Jammy may arise for users due to behavior changes from updates to items such as pkcs11-helper. In Focal, updates in NCP cipher negotiation could lead to regressions there.
2023-08-21 18:38:16 Lena Voytek summary MRE Updates 2.5.8 / 2.4.12 MRE Updates 2.5.9 / 2.4.12
2023-08-21 18:42:24 Lena Voytek description

This bug tracks an update for the OpenVPN package, moving to versions:
 * Jammy (22.04): OpenVPN 2.5.8
 * Focal (20.04): OpenVPN 2.4.12

[Upstream Changes]

Jammy:

For openvpn 2.5.6-2.5.8, major changes include:

Updates:
OpenSSL3 support
pkcs11-helper upgrade to 1.28.4
allow running a default configuration with TLS libraries without BF-CBC

CVE Fixes:
CVE-2022-0547

Bug Fixes:
Fix "--mtu-disc maybe|yes"
Fix $common_name variable passed to scripts when username-as-common-name is in effect
Fix potential memory leaks in add_route() and add_route_ipv6()
Apply connect-retry backoff only to one side of the connection in p2p mode
Repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
Repair handling of EC certificates on Windows with pkcs11-helper
Fix PATH_MAX build failure in auth-pam.c
Fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
Fix overlong path names, leading to missing pkcs11-helper patch in tarball
Fix using --auth-token together with --management-client-auth
Fix clearing of username+password when using --auth-nocache
Ensure that auth-token received from server is cleared if requested by the management interface
Ensure the current common_name is in the environment for scripts
Stop asking for username+password on token expiry on system without credentials
Fix argv leaks in add_route() and add_route_ipv6()
Fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
tls-crypt-v2: abort connection if client-key is too short

Full release notes for versions 2.5.6-2.5.8: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

Focal:

For openvpn 2.4.8-2.4.12, major changes include:

Updates:
Support compiling with OpenSSL 1.1 without deprecated APIs
Handle PSS padding in cryptoapicert (necessary for TLS >= 1.2)
Client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better

CVE Fixes:
CVE-2020-11810
CVE-2020-15078

Bug Fixes:
Fix "--mtu-disc maybe|yes"
Fix argv leaks in add_route() and add_route_ipv6()
Ensure the current common_name is in the environment for scripts
Apply connect-retry backoff only to one side of the connection in p2p mode
Fix PIN querying in systemd environments
Fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
Fix combination of async push (deferred auth) and NCP
Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
Fix OpenSSL private key passphrase notices
Fix broken fragmentation logic when using NCP
Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
Fix auth-token not being updated if auth-nocache is set
Fix error detection / abort in --inetd corner case
Fix handling of 'route remote_host' for IPv6 transport case
Fix fatal error at switching remotes
Documentation fixes

Full release notes for versions 2.4.8-2.4.12: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

[Test Plan]

DEP-8 Tests:
server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority
server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication

Both tests are passing on all architectures, see:
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-lvoytek-openvpn-mre/
https://autopkgtest.ubuntu.com/results/autopkgtest-focal-lvoytek-openvpn-mre/

[Regression Potential]

Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions in Jammy may arise for users due to behavior changes from updates to items such as pkcs11-helper. In Focal, updates in NCP cipher negotiation could lead to regressions there.

This bug tracks an update for the OpenVPN package, moving to versions:
 * Jammy (22.04): OpenVPN 2.5.9
 * Focal (20.04): OpenVPN 2.4.12

Note that openvpn does not have an accepted micro-release exception. However, the SRU team has agreed to consider further releases given a full knowledge and possible mitigation of backwards-incompatible changes. See https://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html

[Upstream Changes]

Jammy:

For openvpn 2.5.6-2.5.9, major changes include:

Updates:
OpenSSL3 support
Add insecure tls-cert-profile options for openssl 3 SHA1 deprecation
Add --with-openssl-engine autoconf option
pkcs11-helper upgrade to 1.28.4
allow running a default configuration with TLS libraries without BF-CBC
allow optional ciphers in --data-ciphers

CVE Fixes:
CVE-2022-0547

Bug Fixes:
Fix "--mtu-disc maybe|yes"
Fix $common_name variable passed to scripts when username-as-common-name is in effect
Fix potential memory leaks in add_route() and add_route_ipv6()
Apply connect-retry backoff only to one side of the connection in p2p mode
Repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
Repair handling of EC certificates on Windows with pkcs11-helper
Fix PATH_MAX build failure in auth-pam.c
Fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
Fix overlong path names, leading to missing pkcs11-helper patch in tarball
Fix using --auth-token together with --management-client-auth
Fix clearing of username+password when using --auth-nocache
Ensure that auth-token received from server is cleared if requested by the management interface
Ensure the current common_name is in the environment for scripts
Stop asking for username+password on token expiry on system without credentials
Fix argv leaks in add_route() and add_route_ipv6()
Fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
tls-crypt-v2: abort connection if client-key is too short
Fix null pointer error when running openvpn --show-tls with mbedtls
Fix corner case that could lead to leaked file descriptor
Fix parsing issue in pull-filter when there are leading spaces
Fix possible buffer overflow in parse_line argument

Looking through each commit from the release of 2.5.5 to 2.5.9, I could not find any backwards-incompatible changes. There are minor changes to the user experience though. As listed in the updates section, an additional command line option has been added, and some additional inputs have been provided to the user such as insecure tls-cert-profile options and optional ciphers in --data-ciphers.

Full release notes for versions 2.5.6-2.5.9: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

Focal:

For openvpn 2.4.8-2.4.12, major changes include:

Updates:
Support compiling with OpenSSL 1.1 without deprecated APIs
Handle PSS padding in cryptoapicert (necessary for TLS >= 1.2)
Client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better

CVE Fixes:
CVE-2020-11810
CVE-2020-15078

Bug Fixes:
Fix "--mtu-disc maybe|yes"
Fix argv leaks in add_route() and add_route_ipv6()
Ensure the current common_name is in the environment for scripts
Apply connect-retry backoff only to one side of the connection in p2p mode
Fix PIN querying in systemd environments
Fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
Fix combination of async push (deferred auth) and NCP
Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
Fix OpenSSL private key passphrase notices
Fix broken fragmentation logic when using NCP
Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
Fix auth-token not being updated if auth-nocache is set
Fix error detection / abort in --inetd corner case
Fix handling of 'route remote_host' for IPv6 transport case
Fix fatal error at switching remotes
Documentation fixes

Full release notes for versions 2.4.8-2.4.12: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

[Test Plan]

DEP-8 Tests:
server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority
server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication

Both tests are passing on all architectures, see:
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-lvoytek-openvpn-mre/
https://autopkgtest.ubuntu.com/results/autopkgtest-focal-lvoytek-openvpn-mre/

[Regression Potential]

Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions in Jammy may arise for users due to behavior changes from updates to items such as pkcs11-helper. In Focal, updates in NCP cipher negotiation could lead to regressions there.
2023-08-21 20:45:58 Lena Voytek description

This bug tracks an update for the OpenVPN package, moving to versions:
 * Jammy (22.04): OpenVPN 2.5.9
 * Focal (20.04): OpenVPN 2.4.12

Note that openvpn does not have an accepted micro-release exception. However, the SRU team has agreed to consider further releases given a full knowledge and possible mitigation of backwards-incompatible changes. See https://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html

[Upstream Changes]

Jammy:

For openvpn 2.5.6-2.5.9, major changes include:

Updates:
OpenSSL3 support
Add insecure tls-cert-profile options for openssl 3 SHA1 deprecation
Add --with-openssl-engine autoconf option
pkcs11-helper upgrade to 1.28.4
allow running a default configuration with TLS libraries without BF-CBC
allow optional ciphers in --data-ciphers

CVE Fixes:
CVE-2022-0547

Bug Fixes:
Fix "--mtu-disc maybe|yes"
Fix $common_name variable passed to scripts when username-as-common-name is in effect
Fix potential memory leaks in add_route() and add_route_ipv6()
Apply connect-retry backoff only to one side of the connection in p2p mode
Repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
Repair handling of EC certificates on Windows with pkcs11-helper
Fix PATH_MAX build failure in auth-pam.c
Fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
Fix overlong path names, leading to missing pkcs11-helper patch in tarball
Fix using --auth-token together with --management-client-auth
Fix clearing of username+password when using --auth-nocache
Ensure that auth-token received from server is cleared if requested by the management interface
Ensure the current common_name is in the environment for scripts
Stop asking for username+password on token expiry on system without credentials
Fix argv leaks in add_route() and add_route_ipv6()
Fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
tls-crypt-v2: abort connection if client-key is too short
Fix null pointer error when running openvpn --show-tls with mbedtls
Fix corner case that could lead to leaked file descriptor
Fix parsing issue in pull-filter when there are leading spaces
Fix possible buffer overflow in parse_line argument

Looking through each commit from the release of 2.5.5 to 2.5.9, I could not find any backwards-incompatible changes. There are minor changes to the user experience though. As listed in the updates section, an additional command line option has been added, and some additional inputs have been provided to the user such as insecure tls-cert-profile options and optional ciphers in --data-ciphers.

Full release notes for versions 2.5.6-2.5.9: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

Focal:

For openvpn 2.4.8-2.4.12, major changes include:

Updates:
Support compiling with OpenSSL 1.1 without deprecated APIs
Handle PSS padding in cryptoapicert (necessary for TLS >= 1.2)
Client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better

CVE Fixes:
CVE-2020-11810
CVE-2020-15078

Bug Fixes:
Fix "--mtu-disc maybe|yes"
Fix argv leaks in add_route() and add_route_ipv6()
Ensure the current common_name is in the environment for scripts
Apply connect-retry backoff only to one side of the connection in p2p mode
Fix PIN querying in systemd environments
Fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
Fix combination of async push (deferred auth) and NCP
Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
Fix OpenSSL private key passphrase notices
Fix broken fragmentation logic when using NCP
Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
Fix auth-token not being updated if auth-nocache is set
Fix error detection / abort in --inetd corner case
Fix handling of 'route remote_host' for IPv6 transport case
Fix fatal error at switching remotes
Documentation fixes

Full release notes for versions 2.4.8-2.4.12: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

[Test Plan]

DEP-8 Tests:
server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority
server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication

Both tests are passing on all architectures, see:
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-lvoytek-openvpn-mre/
https://autopkgtest.ubuntu.com/results/autopkgtest-focal-lvoytek-openvpn-mre/

[Regression Potential]

Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions in Jammy may arise for users due to behavior changes from updates to items such as pkcs11-helper. In Focal, updates in NCP cipher negotiation could lead to regressions there.

This bug tracks an update for the OpenVPN package, moving to versions:
 * Jammy (22.04): OpenVPN 2.5.9
 * Focal (20.04): OpenVPN 2.4.12

Note that openvpn does not have an accepted micro-release exception. However, the SRU team has agreed to consider further releases given a full knowledge and possible mitigation of backwards-incompatible changes. See https://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html

[Upstream Changes]

Jammy:

For openvpn 2.5.6-2.5.9, major changes include:

Updates:
OpenSSL3 support
Add insecure tls-cert-profile options for openssl 3 SHA1 deprecation
Add --with-openssl-engine autoconf option
pkcs11-helper upgrade to 1.28.4
allow running a default configuration with TLS libraries without BF-CBC
allow optional ciphers in --data-ciphers

CVE Fixes:
CVE-2022-0547

Bug Fixes:
Fix "--mtu-disc maybe|yes"
Fix $common_name variable passed to scripts when username-as-common-name is in effect
Fix potential memory leaks in add_route() and add_route_ipv6()
Apply connect-retry backoff only to one side of the connection in p2p mode
Repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
Repair handling of EC certificates on Windows with pkcs11-helper
Fix PATH_MAX build failure in auth-pam.c
Fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
Fix overlong path names, leading to missing pkcs11-helper patch in tarball
Fix using --auth-token together with --management-client-auth
Fix clearing of username+password when using --auth-nocache
Ensure that auth-token received from server is cleared if requested by the management interface
Ensure the current common_name is in the environment for scripts
Stop asking for username+password on token expiry on system without credentials
Fix argv leaks in add_route() and add_route_ipv6()
Fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
tls-crypt-v2: abort connection if client-key is too short
Fix null pointer error when running openvpn --show-tls with mbedtls
Fix corner case that could lead to leaked file descriptor
Fix parsing issue in pull-filter when there are leading spaces
Fix possible buffer overflow in parse_line argument

Looking through each commit from the release of 2.5.5 to 2.5.9, I could not find any backwards-incompatible changes. There are minor changes to the user experience though. As listed in the updates section, an additional command line option has been added, and some additional inputs have been provided to the user such as insecure tls-cert-profile options and optional ciphers in --data-ciphers.

Full release notes for versions 2.5.6-2.5.9: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

Focal:

For openvpn 2.4.8-2.4.12, major changes include:

Updates:
Support compiling with OpenSSL 1.1 without deprecated APIs
Handle PSS padding in cryptoapicert (necessary for TLS >= 1.2)
Client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better

CVE Fixes:
CVE-2020-11810
CVE-2020-15078

Bug Fixes:
Fix "--mtu-disc maybe|yes"
Fix argv leaks in add_route() and add_route_ipv6()
Ensure the current common_name is in the environment for scripts
Apply connect-retry backoff only to one side of the connection in p2p mode
Fix PIN querying in systemd environments
Fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
Fix combination of async push (deferred auth) and NCP
Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
Fix OpenSSL private key passphrase notices
Fix broken fragmentation logic when using NCP
Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
Fix auth-token not being updated if auth-nocache is set
Fix error detection / abort in --inetd corner case
Fix handling of 'route remote_host' for IPv6 transport case
Fix fatal error at switching remotes
Documentation fixes

Looking through each commit from the release of 2.4.7 to 2.4.12, I found one commit with backwards-incompatible changes, this is: https://github.com/OpenVPN/openvpn/commit/58ec3bb4aac77131 - multiple deferred authentication plug-ins no longer work with this commit, luckily this was already added in Focal previously through CVE-2022-0547.patch so no regression should occur by including it.

Full release notes for versions 2.4.8-2.4.12: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

[Test Plan]

DEP-8 Tests:
server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority
server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication

Both tests are passing on all architectures, see:
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-lvoytek-openvpn-mre/
https://autopkgtest.ubuntu.com/results/autopkgtest-focal-lvoytek-openvpn-mre/

[Regression Potential]

Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions in Jammy may arise for users due to behavior changes from updates to items such as pkcs11-helper. In Focal, updates in NCP cipher negotiation could lead to regressions there.
2023-08-21 22:56:08 Lena Voytek merge proposal linked https://code.launchpad.net/~lvoytek/ubuntu/+source/openvpn/+git/openvpn/+merge/449561
2023-08-21 22:57:00 Lena Voytek openvpn (Ubuntu Jammy): status Fix Committed In Progress
2023-09-01 23:24:49 Lena Voytek tags block-proposed verification-needed verification-needed-jammy verification-done verification-done-jammy
2023-09-14 20:43:46 Andreas Hasenack openvpn (Ubuntu Jammy): status In Progress Incomplete
2023-09-14 22:06:21 Lena Voytek tags verification-done verification-done-jammy block-proposed-jammy verification-done verification-done-jammy
2023-10-11 21:05:17 Andreas Hasenack openvpn (Ubuntu Jammy): status Incomplete In Progress
2023-10-29 18:00:58 Andreas Hasenack attachment added vpn-setup-with-pkcs11 https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/2004676/+attachment/5714185/+files/vpn-setup-with-pkcs11
2023-10-31 12:20:15 Andreas Hasenack description

This bug tracks an update for the OpenVPN package, moving to versions:
 * Jammy (22.04): OpenVPN 2.5.9
 * Focal (20.04): OpenVPN 2.4.12

Note that openvpn does not have an accepted micro-release exception. However, the SRU team has agreed to consider further releases given a full knowledge and possible mitigation of backwards-incompatible changes. See https://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html

[Upstream Changes]

Jammy:

For openvpn 2.5.6-2.5.9, major changes include:

Updates:
OpenSSL3 support
Add insecure tls-cert-profile options for openssl 3 SHA1 deprecation
Add --with-openssl-engine autoconf option
pkcs11-helper upgrade to 1.28.4
allow running a default configuration with TLS libraries without BF-CBC
allow optional ciphers in --data-ciphers

CVE Fixes:
CVE-2022-0547

Bug Fixes:
Fix "--mtu-disc maybe|yes"
Fix $common_name variable passed to scripts when username-as-common-name is in effect
Fix potential memory leaks in add_route() and add_route_ipv6()
Apply connect-retry backoff only to one side of the connection in p2p mode
Repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
Repair handling of EC certificates on Windows with pkcs11-helper
Fix PATH_MAX build failure in auth-pam.c
Fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
Fix overlong path names, leading to missing pkcs11-helper patch in tarball
Fix using --auth-token together with --management-client-auth
Fix clearing of username+password when using --auth-nocache
Ensure that auth-token received from server is cleared if requested by the management interface
Ensure the current common_name is in the environment for scripts
Stop asking for username+password on token expiry on system without credentials
Fix argv leaks in add_route() and add_route_ipv6()
Fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
tls-crypt-v2: abort connection if client-key is too short
Fix null pointer error when running openvpn --show-tls with mbedtls
Fix corner case that could lead to leaked file descriptor
Fix parsing issue in pull-filter when there are leading spaces
Fix possible buffer overflow in parse_line argument

Looking through each commit from the release of 2.5.5 to 2.5.9, I could not find any backwards-incompatible changes. There are minor changes to the user experience though. As listed in the updates section, an additional command line option has been added, and some additional inputs have been provided to the user such as insecure tls-cert-profile options and optional ciphers in --data-ciphers.

Full release notes for versions 2.5.6-2.5.9: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

Focal:

For openvpn 2.4.8-2.4.12, major changes include:

Updates:
Support compiling with OpenSSL 1.1 without deprecated APIs
Handle PSS padding in cryptoapicert (necessary for TLS >= 1.2)
Client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better

CVE Fixes:
CVE-2020-11810
CVE-2020-15078

Bug Fixes:
Fix "--mtu-disc maybe|yes"
Fix argv leaks in add_route() and add_route_ipv6()
Ensure the current common_name is in the environment for scripts
Apply connect-retry backoff only to one side of the connection in p2p mode
Fix PIN querying in systemd environments
Fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
Fix combination of async push (deferred auth) and NCP
Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
Fix OpenSSL private key passphrase notices
Fix broken fragmentation logic when using NCP
Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
Fix auth-token not being updated if auth-nocache is set
Fix error detection / abort in --inetd corner case
Fix handling of 'route remote_host' for IPv6 transport case
Fix fatal error at switching remotes
Documentation fixes

Looking through each commit from the release of 2.4.7 to 2.4.12, I found one commit with backwards-incompatible changes, this is: https://github.com/OpenVPN/openvpn/commit/58ec3bb4aac77131 - multiple deferred authentication plug-ins no longer work with this commit, luckily this was already added in Focal previously through CVE-2022-0547.patch so no regression should occur by including it.

Full release notes for versions 2.4.8-2.4.12: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

[Test Plan]

DEP-8 Tests:
server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority
server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication

Both tests are passing on all architectures, see:
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-lvoytek-openvpn-mre/
https://autopkgtest.ubuntu.com/results/autopkgtest-focal-lvoytek-openvpn-mre/

[Regression Potential]

Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions in Jammy may arise for users due to behavior changes from updates to items such as pkcs11-helper. In Focal, updates in NCP cipher negotiation could lead to regressions there.

This bug tracks an update for the OpenVPN package, moving to versions:
 * Jammy (22.04): OpenVPN 2.5.9
 * Focal (20.04): OpenVPN 2.4.12

Note that openvpn does not have an accepted micro-release exception. However, the SRU team has agreed to consider further releases given a full knowledge and possible mitigation of backwards-incompatible changes. See https://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html

[Upstream Changes]

Jammy:

For openvpn 2.5.6-2.5.9, major changes include:

Updates:
OpenSSL3 support
Add insecure tls-cert-profile options for openssl 3 SHA1 deprecation
Add --with-openssl-engine autoconf option
pkcs11-helper upgrade to 1.28.4
allow running a default configuration with TLS libraries without BF-CBC
allow optional ciphers in --data-ciphers

CVE Fixes:
CVE-2022-0547

Bug Fixes:
Fix "--mtu-disc maybe|yes"
Fix $common_name variable passed to scripts when username-as-common-name is in effect
Fix potential memory leaks in add_route() and add_route_ipv6()
Apply connect-retry backoff only to one side of the connection in p2p mode
Repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
Repair handling of EC certificates on Windows with pkcs11-helper
Fix PATH_MAX build failure in auth-pam.c
Fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
Fix overlong path names, leading to missing pkcs11-helper patch in tarball
Fix using --auth-token together with --management-client-auth
Fix clearing of username+password when using --auth-nocache
Ensure that auth-token received from server is cleared if requested by the management interface
Ensure the current common_name is in the environment for scripts
Stop asking for username+password on token expiry on system without credentials
Fix argv leaks in add_route() and add_route_ipv6()
Fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
tls-crypt-v2: abort connection if client-key is too short
Fix null pointer error when
running openvpn --show-tls with mbedtls Fix corner case that could lead to leaked file descriptor Fix parsing issue in pull-filter when there are leading spaces Fix possible buffer overflow in parse_line argument Looking through each commit from the release of 2.5.5 to 2.5.9, I could not find any backwards-incompatible changes. There are minor changes to the user experience though. As listed in the updates section, an additional command line option has been added, and some additional inputs have been provided to the user such as insecure tls-cert-profile options and optional ciphers in --data-ciphers. Full release notes for versions 2.5.6-2.5.9: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25 Focal: For openvpn 2.4.8-2.4.12, major changes include: Updates: Support compiling with OpenSSL 1.1 without deprecated APIs Handle PSS padding in cryptoapicert (necessary for TLS >= 1.2) Client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better CVE Fixes: CVE-2020-11810 CVE-2020-15078 Bug Fixes: Fix "--mtu-disc maybe|yes" Fix argv leaks in add_route() and add_route_ipv6() Ensure the current common_name is in the environment for scripts Apply connect-retry backoff only to one side of the connection in p2p mode Fix PIN querying in systemd environments Fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float"). 
Fix combination of async push (deferred auth) and NCP Fix OpenSSL error stack handling of tls_ctx_add_extra_certs Fix OpenSSL private key passphrase notices Fix broken fragmentation logic when using NCP Fix tls_ctx_client/server_new leaving error on OpenSSL error stack Fix auth-token not being updated if auth-nocache is set Fix error detection / abort in --inetd corner case Fix handling of 'route remote_host' for IPv6 transport case Fix fatal error at switching remotes Documentation fixes Looking through each commit from the release of 2.4.7 to 2.4.12, I found one commit with backwards-incompatible changes, this is: https://github.com/OpenVPN/openvpn/commit/58ec3bb4aac77131 - multiple deferred authentication plug-ins no longer work with this commit, luckily this was already added in Focal previously through CVE-2022-0547.patch so no regression should occur by including it. Full release notes for versions 2.4.8-2.4.12: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 [Test Plan] DEP-8 Tests: server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication Both tests are passing on all architectures, see: https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-lvoytek-openvpn-mre/ https://autopkgtest.ubuntu.com/results/autopkgtest-focal-lvoytek-openvpn-mre/ [Jammy specific test plan] Given that in jammy we had to re-enable openssl3 engine support, here is a test for that to make sure it keeps working. 
In a jammy *VM*: - Download test script: wget https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/2004676/+attachment/5714185/+files/vpn-setup-with-pkcs11 - Install test dependencies sudo apt install openvpn easy-rsa openssl opensc-pkcs11 gnutls-bin softhsm2 dpkg-dev libengine-pkcs11-openssl expect - Run test: sudo ./vpn-setup-with-pkcs11 It runs with set -e, so expected result is "## All good, stopping client and server services" and "## Done." [Regression Potential] Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions in Jammy may arise for users due to behavior changes from updates to items such as pkcs11-helper. In Focal, updates in NCP cipher negotiation could lead to regressions there.
2023-10-31 12:22:38 Andreas Hasenack description This bug tracks an update for the OpenVPN package, moving to versions: * Jammy (22.04): OpenVPN 2.5.9 * Focal (20.04): OpenVPN 2.4.12 Note that openvpn does not have an accepted micro-release exception. However, the SRU team has agreed to consider further releases given a full knowledge and possible mitigation of backwards-incompatible changes. See https://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html [Upstream Changes] Jammy: For openvpn 2.5.6-2.5.9, major changes include: Updates: OpenSSL3 support Add insecure tls-cert-profile options for openssl 3 SHA1 deprecation Add --with-openssl-engine autoconf option pkcs11-helper upgrade to 1.28.4 allow running a default configuration with TLS libraries without BF-CBC allow optional ciphers in --data-ciphers CVE Fixes: CVE-2022-0547 Bug Fixes: Fix "--mtu-disc maybe|yes" Fix $common_name variable passed to scripts when username-as-common-name is in effect Fix potential memory leaks in add_route() and add_route_ipv6() Apply connect-retry backoff only to one side of the connection in p2p mode Repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes Repair handling of EC certificates on Windows with pkcs11-helper Fix PATH_MAX build failure in auth-pam.c Fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface Fix overlong path names, leading to missing pkcs11-helper patch in tarball Fix using --auth-token together with --management-client-auth Fix clearing of username+password when using --auth-nocache Ensure that auth-token received from server is cleared if requested by the management interface Ensure the current common_name is in the environment for scripts Stop asking for username+password on token expiry on system without credentials Fix argv leaks in add_route() and add_route_ipv6() Fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state tls-crypt-v2: abort connection if 
client-key is too short Fix null pointer error when running openvpn --show-tls with mbedtls Fix corner case that could lead to leaked file descriptor Fix parsing issue in pull-filter when there are leading spaces Fix possible buffer overflow in parse_line argument Looking through each commit from the release of 2.5.5 to 2.5.9, I could not find any backwards-incompatible changes. There are minor changes to the user experience though. As listed in the updates section, an additional command line option has been added, and some additional inputs have been provided to the user such as insecure tls-cert-profile options and optional ciphers in --data-ciphers. Full release notes for versions 2.5.6-2.5.9: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25 Focal: For openvpn 2.4.8-2.4.12, major changes include: Updates: Support compiling with OpenSSL 1.1 without deprecated APIs Handle PSS padding in cryptoapicert (necessary for TLS >= 1.2) Client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better CVE Fixes: CVE-2020-11810 CVE-2020-15078 Bug Fixes: Fix "--mtu-disc maybe|yes" Fix argv leaks in add_route() and add_route_ipv6() Ensure the current common_name is in the environment for scripts Apply connect-retry backoff only to one side of the connection in p2p mode Fix PIN querying in systemd environments Fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float"). 
Fix combination of async push (deferred auth) and NCP Fix OpenSSL error stack handling of tls_ctx_add_extra_certs Fix OpenSSL private key passphrase notices Fix broken fragmentation logic when using NCP Fix tls_ctx_client/server_new leaving error on OpenSSL error stack Fix auth-token not being updated if auth-nocache is set Fix error detection / abort in --inetd corner case Fix handling of 'route remote_host' for IPv6 transport case Fix fatal error at switching remotes Documentation fixes Looking through each commit from the release of 2.4.7 to 2.4.12, I found one commit with backwards-incompatible changes, this is: https://github.com/OpenVPN/openvpn/commit/58ec3bb4aac77131 - multiple deferred authentication plug-ins no longer work with this commit, luckily this was already added in Focal previously through CVE-2022-0547.patch so no regression should occur by including it. Full release notes for versions 2.4.8-2.4.12: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 [Test Plan] DEP-8 Tests: server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication Both tests are passing on all architectures, see: https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-lvoytek-openvpn-mre/ https://autopkgtest.ubuntu.com/results/autopkgtest-focal-lvoytek-openvpn-mre/ [Jammy specific test plan] Given that in jammy we had to re-enable openssl3 engine support, here is a test for that to make sure it keeps working. 
In a jammy *VM*: - Download test script: wget https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/2004676/+attachment/5714185/+files/vpn-setup-with-pkcs11 - Install test dependencies sudo apt install openvpn easy-rsa openssl opensc-pkcs11 gnutls-bin softhsm2 dpkg-dev libengine-pkcs11-openssl expect - Run test: sudo ./vpn-setup-with-pkcs11 It runs with set -e, so expected result is "## All good, stopping client and server services" and "## Done." [Regression Potential] Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions in Jammy may arise for users due to behavior changes from updates to items such as pkcs11-helper. In Focal, updates in NCP cipher negotiation could lead to regressions there. This bug tracks an update for the OpenVPN package, moving to versions: * Jammy (22.04): OpenVPN 2.5.9 * Focal (20.04): OpenVPN 2.4.12 Note that openvpn does not have an accepted micro-release exception. However, the SRU team has agreed to consider further releases given a full knowledge and possible mitigation of backwards-incompatible changes. 
See https://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html [Upstream Changes] Jammy: For openvpn 2.5.6-2.5.9, major changes include: Updates: OpenSSL3 support Add insecure tls-cert-profile options for openssl 3 SHA1 deprecation Add --with-openssl-engine autoconf option pkcs11-helper upgrade to 1.28.4 allow running a default configuration with TLS libraries without BF-CBC allow optional ciphers in --data-ciphers CVE Fixes: CVE-2022-0547 Bug Fixes: Fix "--mtu-disc maybe|yes" Fix $common_name variable passed to scripts when username-as-common-name is in effect Fix potential memory leaks in add_route() and add_route_ipv6() Apply connect-retry backoff only to one side of the connection in p2p mode Repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes Repair handling of EC certificates on Windows with pkcs11-helper Fix PATH_MAX build failure in auth-pam.c Fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface Fix overlong path names, leading to missing pkcs11-helper patch in tarball Fix using --auth-token together with --management-client-auth Fix clearing of username+password when using --auth-nocache Ensure that auth-token received from server is cleared if requested by the management interface Ensure the current common_name is in the environment for scripts Stop asking for username+password on token expiry on system without credentials Fix argv leaks in add_route() and add_route_ipv6() Fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state tls-crypt-v2: abort connection if client-key is too short Fix null pointer error when running openvpn --show-tls with mbedtls Fix corner case that could lead to leaked file descriptor Fix parsing issue in pull-filter when there are leading spaces Fix possible buffer overflow in parse_line argument Looking through each commit from the release of 2.5.5 to 2.5.9, I could not find any backwards-incompatible changes. 
There are minor changes to the user experience though. As listed in the updates section, an additional command line option has been added, and some additional inputs have been provided to the user such as insecure tls-cert-profile options and optional ciphers in --data-ciphers. Full release notes for versions 2.5.6-2.5.9: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25 Focal: For openvpn 2.4.8-2.4.12, major changes include: Updates: Support compiling with OpenSSL 1.1 without deprecated APIs Handle PSS padding in cryptoapicert (necessary for TLS >= 1.2) Client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better CVE Fixes: CVE-2020-11810 CVE-2020-15078 Bug Fixes: Fix "--mtu-disc maybe|yes" Fix argv leaks in add_route() and add_route_ipv6() Ensure the current common_name is in the environment for scripts Apply connect-retry backoff only to one side of the connection in p2p mode Fix PIN querying in systemd environments Fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float"). 
Fix combination of async push (deferred auth) and NCP Fix OpenSSL error stack handling of tls_ctx_add_extra_certs Fix OpenSSL private key passphrase notices Fix broken fragmentation logic when using NCP Fix tls_ctx_client/server_new leaving error on OpenSSL error stack Fix auth-token not being updated if auth-nocache is set Fix error detection / abort in --inetd corner case Fix handling of 'route remote_host' for IPv6 transport case Fix fatal error at switching remotes Documentation fixes Looking through each commit from the release of 2.4.7 to 2.4.12, I found one commit with backwards-incompatible changes, this is: https://github.com/OpenVPN/openvpn/commit/58ec3bb4aac77131 - multiple deferred authentication plug-ins no longer work with this commit, luckily this was already added in Focal previously through CVE-2022-0547.patch so no regression should occur by including it. Full release notes for versions 2.4.8-2.4.12: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 [Test Plan] DEP-8 Tests: server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication Both tests are passing on all architectures, see: https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-lvoytek-openvpn-mre/ https://autopkgtest.ubuntu.com/results/autopkgtest-focal-lvoytek-openvpn-mre/ [Jammy specific test plan] Given that in jammy we had to re-enable openssl3 engine support, here is a test for that to make sure it keeps working. 
In a jammy *VM*: - Download test script: wget https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/2004676/+attachment/5714185/+files/vpn-setup-with-pkcs11 - Install test dependencies sudo apt install openvpn easy-rsa openssl opensc-pkcs11 gnutls-bin softhsm2 dpkg-dev libengine-pkcs11-openssl expect - Run test: sudo ./vpn-setup-with-pkcs11 It runs with set -e, so expected result is "## All good, stopping client and server services" and "## Done." This result is expected both with the current jammy package, and the proposed update. [Regression Potential] Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions in Jammy may arise for users due to behavior changes from updates to items such as pkcs11-helper. In Focal, updates in NCP cipher negotiation could lead to regressions there.