[PATCH 19.07 3/3] openvpn: update to 2.4.11

Magnus Kroken mkroken at gmail.com
Wed Apr 21 21:10:58 BST 2021


Fixes two related security vulnerabilities (CVE-2020-15078) which under
very specific circumstances allow tricking a server using delayed
authentication (plugin or management) into returning a PUSH_REPLY before
the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup.

This release also includes other bug fixes and improvements.

Signed-off-by: Magnus Kroken <mkroken at gmail.com>
---
 package/network/services/openvpn/Makefile                     | 4 ++--
 .../110-openssl-dont-use-deprecated-ssleay-symbols.patch      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index 5f102d967d..33da5688c7 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
 
-PKG_VERSION:=2.4.9
+PKG_VERSION:=2.4.11
 PKG_RELEASE:=1
 
 PKG_SOURCE_URL:=\
 	https://build.openvpn.net/downloads/releases/ \
 	https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2
+PKG_HASH:=e579eff218ab1d765965e64a917927504d8324717afdfcd56850f6b83ba8441b
 
 PKG_MAINTAINER:=Felix Fietkau <nbd at nbd.name>
 
diff --git a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
index c7faf7c0c0..a8ad6868c4 100644
--- a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
+++ b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
@@ -47,7 +47,7 @@ Signed-off-by: Gert Doering <gert at greenie.muc.de>
  #endif
 --- a/src/openvpn/ssl_openssl.c
 +++ b/src/openvpn/ssl_openssl.c
-@@ -2008,7 +2008,7 @@ get_highest_preference_tls_cipher(char *
+@@ -2018,7 +2018,7 @@ get_highest_preference_tls_cipher(char *
  const char *
  get_ssl_library_version(void)
  {
-- 
2.20.1




More information about the openwrt-devel mailing list