From 8f9b4e04b156e64f68171bf1ce5eeeb82ca2a9b0 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Thu, 21 Mar 2024 20:00:42 +0800 Subject: openvpn: upgrade 2.6.9 -> 2.6.10 License-Update: Update copyright years to 2024 ChangeLog: https://github.com/OpenVPN/openvpn/blob/v2.6.10/Changes.rst Security fixes: CVE-2024-27459: Windows: fix a possible stack overflow in the interactive service component which might lead to a local privilege escalation. CVE-2024-24974: Windows: disallow access to the interactive service pipe from remote computers. CVE-2024-27903: Windows: disallow loading of plugins from untrusted installation paths, which could be used to attack openvpn.exe via a malicious plugin. Plugins can now only be loaded from the OpenVPN install directory, the Windows system directory, and possibly from a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir. CVE-2024-1305: Windows TAP driver: Fix potential integer overflow in !TapSharedSendPacket. Signed-off-by: Yi Zhao Signed-off-by: Khem Raj --- .../recipes-support/openvpn/openvpn_2.6.10.bb | 76 ++++++++++++++++++++++ .../recipes-support/openvpn/openvpn_2.6.9.bb | 76 ---------------------- 2 files changed, 76 insertions(+), 76 deletions(-) create mode 100644 meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb delete mode 100644 meta-networking/recipes-support/openvpn/openvpn_2.6.9.bb (limited to 'meta-networking') diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb b/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb new file mode 100644 index 0000000000..f8de78ff74 --- /dev/null +++ b/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb @@ -0,0 +1,76 @@ +SUMMARY = "A full-featured SSL VPN solution via tun device." +HOMEPAGE = "https://openvpn.net/" +SECTION = "net" +LICENSE = "GPL-2.0-only" +LIC_FILES_CHKSUM = "file://COPYING;md5=89196bacc47ed37a5b242a535661a049" +DEPENDS = "lzo lz4 openssl iproute2 libcap-ng ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" + +inherit autotools systemd update-rc.d pkgconfig + +SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ + file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \ + file://openvpn \ + " + +UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" + +SRC_URI[sha256sum] = "1993bbb7b9edb430626eaa24573f881fd3df642f427fcb824b1aed1fca1bcc9b" + +CVE_STATUS[CVE-2020-27569] = "not-applicable-config: Applies only Aviatrix OpenVPN client, not openvpn" + +INITSCRIPT_PACKAGES = "${PN}" +INITSCRIPT_NAME:${PN} = "openvpn" +INITSCRIPT_PARAMS:${PN} = "start 10 2 3 4 5 . stop 70 0 1 6 ." + +CFLAGS += "-fno-inline" + +# I want openvpn to be able to read password from file (hrw) +EXTRA_OECONF += "--enable-iproute2" +EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-plugin-auth-pam', d)}" + +# Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host. +EXTRA_OECONF += "IPROUTE=${base_sbindir}/ip" + +EXTRA_OECONF += "SYSTEMD_UNIT_DIR=${systemd_system_unitdir} \ + TMPFILES_DIR=${nonarch_libdir}/tmpfiles.d \ + " + +PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \ + ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \ + " + +PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd" +PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux" + +do_install:append() { + install -d ${D}/${sysconfdir}/init.d + install -m 755 ${WORKDIR}/openvpn ${D}/${sysconfdir}/init.d + + install -d ${D}/${sysconfdir}/openvpn + install -d ${D}/${sysconfdir}/openvpn/server + install -d ${D}/${sysconfdir}/openvpn/client + + install -d ${D}/${sysconfdir}/openvpn/sample + install -m 644 ${S}/sample/sample-config-files/loopback-server ${D}${sysconfdir}/openvpn/sample/loopback-server.conf + install -m 644 ${S}/sample/sample-config-files/loopback-client ${D}${sysconfdir}/openvpn/sample/loopback-client.conf + install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-config-files + install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-keys + install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-scripts + install -m 644 ${S}/sample/sample-config-files/* ${D}${sysconfdir}/openvpn/sample/sample-config-files + install -m 644 ${S}/sample/sample-keys/* ${D}${sysconfdir}/openvpn/sample/sample-keys + install -m 644 ${S}/sample/sample-scripts/* ${D}${sysconfdir}/openvpn/sample/sample-scripts + + install -d -m 710 ${D}/${localstatedir}/lib/openvpn +} + +PACKAGES =+ " ${PN}-sample " + +RRECOMMENDS:${PN} = "kernel-module-tun" + +FILES:${PN}-dbg += "${libdir}/openvpn/plugins/.debug" +FILES:${PN} += "${systemd_system_unitdir}/openvpn-server@.service \ + ${systemd_system_unitdir}/openvpn-client@.service \ + ${nonarch_libdir}/tmpfiles.d \ + " +FILES:${PN}-sample = "${sysconfdir}/openvpn/sample/ \ + " diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.6.9.bb b/meta-networking/recipes-support/openvpn/openvpn_2.6.9.bb deleted file mode 100644 index 3af6b30a70..0000000000 --- a/meta-networking/recipes-support/openvpn/openvpn_2.6.9.bb +++ /dev/null @@ -1,76 +0,0 @@ -SUMMARY = "A full-featured SSL VPN solution via tun device." -HOMEPAGE = "https://openvpn.net/" -SECTION = "net" -LICENSE = "GPL-2.0-only" -LIC_FILES_CHKSUM = "file://COPYING;md5=4b34e946059f80dcfd811e8dd471b5ed" -DEPENDS = "lzo lz4 openssl iproute2 libcap-ng ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" - -inherit autotools systemd update-rc.d pkgconfig - -SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ - file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \ - file://openvpn \ - " - -UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" - -SRC_URI[sha256sum] = "e08d147e15b4508dfcd1d6618a1f21f1495f9817a8dadc1eddf0532fa116d7e3" - -CVE_STATUS[CVE-2020-27569] = "not-applicable-config: Applies only Aviatrix OpenVPN client, not openvpn" - -INITSCRIPT_PACKAGES = "${PN}" -INITSCRIPT_NAME:${PN} = "openvpn" -INITSCRIPT_PARAMS:${PN} = "start 10 2 3 4 5 . stop 70 0 1 6 ." - -CFLAGS += "-fno-inline" - -# I want openvpn to be able to read password from file (hrw) -EXTRA_OECONF += "--enable-iproute2" -EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-plugin-auth-pam', d)}" - -# Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host. -EXTRA_OECONF += "IPROUTE=${base_sbindir}/ip" - -EXTRA_OECONF += "SYSTEMD_UNIT_DIR=${systemd_system_unitdir} \ - TMPFILES_DIR=${nonarch_libdir}/tmpfiles.d \ - " - -PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \ - ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \ - " - -PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd" -PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux" - -do_install:append() { - install -d ${D}/${sysconfdir}/init.d - install -m 755 ${WORKDIR}/openvpn ${D}/${sysconfdir}/init.d - - install -d ${D}/${sysconfdir}/openvpn - install -d ${D}/${sysconfdir}/openvpn/server - install -d ${D}/${sysconfdir}/openvpn/client - - install -d ${D}/${sysconfdir}/openvpn/sample - install -m 644 ${S}/sample/sample-config-files/loopback-server ${D}${sysconfdir}/openvpn/sample/loopback-server.conf - install -m 644 ${S}/sample/sample-config-files/loopback-client ${D}${sysconfdir}/openvpn/sample/loopback-client.conf - install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-config-files - install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-keys - install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-scripts - install -m 644 ${S}/sample/sample-config-files/* ${D}${sysconfdir}/openvpn/sample/sample-config-files - install -m 644 ${S}/sample/sample-keys/* ${D}${sysconfdir}/openvpn/sample/sample-keys - install -m 644 ${S}/sample/sample-scripts/* ${D}${sysconfdir}/openvpn/sample/sample-scripts - - install -d -m 710 ${D}/${localstatedir}/lib/openvpn -} - -PACKAGES =+ " ${PN}-sample " - -RRECOMMENDS:${PN} = "kernel-module-tun" - -FILES:${PN}-dbg += "${libdir}/openvpn/plugins/.debug" -FILES:${PN} += "${systemd_system_unitdir}/openvpn-server@.service \ - ${systemd_system_unitdir}/openvpn-client@.service \ - ${nonarch_libdir}/tmpfiles.d \ - " -FILES:${PN}-sample = "${sysconfdir}/openvpn/sample/ \ - " -- cgit v1.2.3-54-g00ecf