From 2.6.11 release notes:

"""
CVE-2024-4877: Windows: harden interactive service pipe. Security scope: a malicious process with "some" elevated privileges (SeImpersonatePrivilege) could open the pipe a second time, tricking openvpn GUI into providing user credentials (tokens), getting full access to the account openvpn-gui.exe runs as. (Zeze with TeamT5)

CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. (Reynir Björnsson)

CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server "keep the session" even when the server has been told to disconnect this client (Reynir Björnsson)
"""

There are also several Windows vulnerabilities in 2.6.10.

2.6.12 resolves a problem with the fix for CVE-2024-5594:

"""
the fix for CVE-2024-5594 (refuse control channel messages with nonprintable characters) was too strict, breaking user configurations with AUTH_FAIL messages having trailing CR/NL characters. This often happens if the AUTH_FAIL reason is set by a script. Strip those before testing the command buffer (github: #568). Also, add unit test.
"""

Reproducible: Always
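The difference between the 2.6.11 and 2.6.12 behaviour described in the release notes above, as an added sketch that is not OpenVPN's code: a strict check that refuses any non-printable byte, next to one that strips trailing CR/LF before testing. The function names, the definition of "printable" as ASCII 0x20..0x7e and the sample messages are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumption for this sketch: "printable" means ASCII 0x20..0x7e. */
static int is_printable(unsigned char c)
{
    return c >= 0x20 && c <= 0x7e;
}

/* Strict check: refuse if any byte is non-printable, trailing CR/LF included.
 * Returns the accepted length, or -1 if the message is refused. */
long accept_len_strict(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (!is_printable((unsigned char)buf[i]))
            return -1;
    return (long)len;
}

/* Relaxed check: strip trailing CR/LF first, then test what is left.
 * CR/LF or other control bytes inside the message are still refused. */
long accept_len_relaxed(const char *buf, size_t len)
{
    while (len > 0 && (buf[len - 1] == '\r' || buf[len - 1] == '\n'))
        len--;
    return accept_len_strict(buf, len);
}

/* Print both verdicts for a char array; length is explicit, so an
 * embedded NUL cannot hide the rest of the message from the check. */
#define CHECK(s) printf("%-13s strict=%ld relaxed=%ld\n", #s, \
    accept_len_strict(s, sizeof(s) - 1), accept_len_relaxed(s, sizeof(s) - 1))

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    static const char from_script[]  = "AUTH_FAILED,account locked\r\n";
    static const char embedded_nl[]  = "AUTH_FAILED,line one\nline two";
    static const char escape_seq[]   = "AUTH_FAILED,\x1b[2Jcleared";
    static const char embedded_nul[] = "AUTH_FAILED\0,hidden";

    CHECK(from_script);   /* only the relaxed check accepts this one */
    CHECK(embedded_nl);   /* both refuse */
    CHECK(escape_seq);    /* both refuse */
    CHECK(embedded_nul);  /* both refuse */
    return 0;
}
```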
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=314bc94029d37d3ad6ed566d1a46b7b4711cc426

commit 314bc94029d37d3ad6ed566d1a46b7b4711cc426
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-10-15 19:44:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-12-01 12:42:22 +0000

    net-vpn/openvpn: add 2.6.12, security bump

    - Tests pass

    Bug: https://bugs.gentoo.org/938533
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/39004
    Signed-off-by: Sam James <sam@gentoo.org>

 net-vpn/openvpn/Manifest              |   1 +
 net-vpn/openvpn/openvpn-2.6.12.ebuild | 199 ++++++++++++++++++++++++++++++++++
 2 files changed, 200 insertions(+)