{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":4151993,"defaultBranch":"master","name":"openvpn","ownerLogin":"OpenVPN","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2012-04-26T20:42:48.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/1569141?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1718885338.0","currentOid":""},"activityList":{"items":[{"before":"3cfd6f961d5c92bec283ac3616e1633b4e16760c","after":"0ea51261d096b54281287bbd2a6899041c4dbd43","ref":"refs/heads/master","pushedAt":"2024-06-26T16:55:31.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"configure: Try to detect LZO with pkg-config\n\nOn most systems this should work just fine.\n\nv2:\n - simplify code by removing -llzo special handling\nv3:\n - reintroduce support for autodetection without pkg-config,\n no need to break backwards compatibility right now\nv7:\n - Handle case correctly where lzo/lzo1x.h can not be included\n at all. On most distros this works even though the .pc\n file suggests to use it without. 
We had some partly\n solution for that but it wasn't really working.\nv8:\n - Handle systems that do not implicitly include limits.h\n in configure test builds.\n lzodefs.h usually relies on lzoconf.h to include it.\n\nChange-Id: I1c038dc4ec80d3499582d81eee61fee74f26e693\nSigned-off-by: Frank Lichtenheld \nAcked-by: Gert Doering \nMessage-Id: <20240626161921.179301-1-frank@lichtenheld.com>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28848.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"configure: Try to detect LZO with pkg-config"}},{"before":"ad0c2c078ea505436b19255ebfbc8365044c5953","after":"3c43b016e9767df74909ea5644399e8872e38c97","ref":"refs/heads/release/2.6","pushedAt":"2024-06-26T16:55:31.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"configure: Try to detect LZO with pkg-config\n\nOn most systems this should work just fine.\n\nv2:\n - simplify code by removing -llzo special handling\nv3:\n - reintroduce support for autodetection without pkg-config,\n no need to break backwards compatibility right now\nv7:\n - Handle case correctly where lzo/lzo1x.h can not be included\n at all. On most distros this works even though the .pc\n file suggests to use it without. 
We had some partly\n solution for that but it wasn't really working.\nv8:\n - Handle systems that do not implicitly include limits.h\n in configure test builds.\n lzodefs.h usually relies on lzoconf.h to include it.\n\nChange-Id: I1c038dc4ec80d3499582d81eee61fee74f26e693\nSigned-off-by: Frank Lichtenheld \nAcked-by: Gert Doering \nMessage-Id: <20240626161921.179301-1-frank@lichtenheld.com>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28848.html\nSigned-off-by: Gert Doering \n(cherry picked from commit 0ea51261d096b54281287bbd2a6899041c4dbd43)","shortMessageHtmlLink":"configure: Try to detect LZO with pkg-config"}},{"before":"56355924b4945ec808500b18c714c111387697f9","after":"3cfd6f961d5c92bec283ac3616e1633b4e16760c","ref":"refs/heads/master","pushedAt":"2024-06-26T09:18:11.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Http-proxy: fix bug preventing proxy credentials caching\n\nCaching proxy credentials was not working due to the\nlack of handling already defined creds in get_user_pass(),\nwhich prevented the caching from working properly.\n\nFix this issue by getting the value of c->first_time,\nthat indicates if we're at the first iteration\nof the main loop and use it as second argument of the\nget_user_pass_http(). 
Otherwise, on SIGUSR1 or SIGHUP\nupon instance context restart credentials would be erased\nevery time.\n\nThe nocache member has been added to the struct\nhttp_proxy_options and also a getter method to retrieve\nthat option from ssl has been added, by doing this\nwe're able to erase previous queried user credentials\nto ensure correct operation.\n\nFixes: Trac #1187\nSigned-off-by: Gianmarco De Gregori \nAcked-by: Gert Doering \nChange-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a\nAcked-by: Frank Lichtenheld \nMessage-Id: <20240623200551.20092-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28835.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"Http-proxy: fix bug preventing proxy credentials caching"}},{"before":"ddf6bf6d2a13583535c417532e96e8a8af77f977","after":"ad0c2c078ea505436b19255ebfbc8365044c5953","ref":"refs/heads/release/2.6","pushedAt":"2024-06-26T09:18:11.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Http-proxy: fix bug preventing proxy credentials caching\n\nCaching proxy credentials was not working due to the\nlack of handling already defined creds in get_user_pass(),\nwhich prevented the caching from working properly.\n\nFix this issue by getting the value of c->first_time,\nthat indicates if we're at the first iteration\nof the main loop and use it as second argument of the\nget_user_pass_http(). 
Otherwise, on SIGUSR1 or SIGHUP\nupon instance context restart credentials would be erased\nevery time.\n\nThe nocache member has been added to the struct\nhttp_proxy_options and also a getter method to retrieve\nthat option from ssl has been added, by doing this\nwe're able to erase previous queried user credentials\nto ensure correct operation.\n\nFixes: Trac #1187\nSigned-off-by: Gianmarco De Gregori \nAcked-by: Gert Doering \nChange-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a\nAcked-by: Frank Lichtenheld \nMessage-Id: <20240623200551.20092-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28835.html\nSigned-off-by: Gert Doering \n(cherry picked from commit 3cfd6f961d5c92bec283ac3616e1633b4e16760c)","shortMessageHtmlLink":"Http-proxy: fix bug preventing proxy credentials caching"}},{"before":"c9f29e35cd475f18c34aa96eb5fad452210404f9","after":"56355924b4945ec808500b18c714c111387697f9","ref":"refs/heads/master","pushedAt":"2024-06-20T15:20:58.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"configure: Add -Wstrict-prototypes and -Wold-style-definition\n\nThese are not covered by -Wall (nor -Wextra) but we want\nto enforce them.\n\nChange-Id: I6e08920e4cf4762b9f14a7461a29fa77df15255c\nSigned-off-by: Frank Lichtenheld \nAcked-by: Gert Doering \nMessage-Id: <20240620144230.19586-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28823.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"configure: Add -Wstrict-prototypes and -Wold-style-definition"}},{"before":"babf312ee0486e50ff1f7db5b544afc72ff7c922","after":"c9f29e35cd475f18c34aa96eb5fad452210404f9","ref":"refs/heads/master","pushedAt":"2024-06-20T13:34:16.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert 
Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"t_server_null.sh: Fix failure case\n\nThe changes for POSIX shell compatibility and parallel\nmake compatibility broke actually failing the test\nwhen a subtest fails.\n\nChange-Id: I35f7cf84e035bc793d6f0f59e46edf1a2efe0391\nSigned-off-by: Frank Lichtenheld \nAcked-by: Samuli Seppänen \nMessage-Id: <20240620103749.7923-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28815.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"t_server_null.sh: Fix failure case"}},{"before":"414f428fa29694090ec4c46b10a8aba419c85659","after":"babf312ee0486e50ff1f7db5b544afc72ff7c922","ref":"refs/heads/master","pushedAt":"2024-06-20T12:08:30.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"interactive.c: Improve access control for gui<->service pipe\n\nAt the moment everyone but anonymous are permitted\nto create a pipe with the same name as interactive service creates,\nwhich makes it possible for malicious process with SeImpersonatePrivilege\nimpersonate as local user.\n\nThis hardens the security of the pipe, making it possible only for\nprocesses running as SYSTEM (such as interactive service) create the\npipe with the same name.\n\nWhile on it, replace EXPLICIT_ACCESS structures with SDDL string.\n\nCVE: 2024-4877\n\nChange-Id: I35e783b79a332d247606e05a39e41b4d35d39b5d\nReported by: Zeze with TeamT5 \nSigned-off-by: Lev Stipakov \nAcked-by: Selva Nair \nMessage-Id: <20240619144629.1718-2-lev@openvpn.net>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28808.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"interactive.c: Improve access control for gui<->service 
pipe"}},{"before":"51301eb6c233c284270e3f4ed0c7f5781f2b5c62","after":"ddf6bf6d2a13583535c417532e96e8a8af77f977","ref":"refs/heads/release/2.6","pushedAt":"2024-06-20T12:08:30.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"preparing release 2.6.11\n\nversion.m4, ChangeLog, Changes.rst\n\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"preparing release 2.6.11"}},{"before":"90e7a858e5594d9a019ad2b4ac6154124986291a","after":"51301eb6c233c284270e3f4ed0c7f5781f2b5c62","ref":"refs/heads/release/2.6","pushedAt":"2024-06-19T14:40:20.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"interactive.c: Improve access control for gui<->service pipe\n\nAt the moment everyone but anonymous are permitted\nto create a pipe with the same name as interactive service creates,\nwhich makes it possible for malicious process with SeImpersonatePrivilege\nimpersonate as local user.\n\nThis hardens the security of the pipe, making it possible only for\nprocesses running as SYSTEM (such as interactive service) create the\npipe with the same name.\n\nWhile on it, replace EXPLICIT_ACCESS structures with SDDL string.\n\nCVE: 2024-4877\n\nChange-Id: I35e783b79a332d247606e05a39e41b4d35d39b5d\nReported by: Zeze with TeamT5 \nSigned-off-by: Lev Stipakov \nAcked-by: Selva Nair \nMessage-Id: <20240619134451.222-1-lev@openvpn.net>\nURL: https://www.mail-archive.com/search?l=mid&q=20240619134451.222-1-lev@openvpn.net\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"interactive.c: Improve access control for gui<->service 
pipe"}},{"before":"b3a68b85a729628ca8b97f9f0c2813f795289cfc","after":"414f428fa29694090ec4c46b10a8aba419c85659","ref":"refs/heads/master","pushedAt":"2024-06-19T13:37:44.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Properly handle null bytes and invalid characters in control messages\n\nThis makes OpenVPN more picky in accepting control message in two aspects:\n- Characters are checked in the whole buffer and not until the first\n NUL byte\n- if the message contains invalid characters, we no longer continue\n evaluating a fixed up version of the message but rather stop\n processing it completely.\n\nPreviously it was possible to get invalid characters to end up in log\nfiles or on a terminal.\n\nThis also prepares the logic a bit in the direction of having a proper\nframing of control messages separated by null bytes instead of relying\non the TLS framing for that. 
All OpenVPN implementations write the 0\nbytes between control commands.\n\nThis patch also include several improvement suggestion from Reynir\n(thanks!).\n\nCVE: 2024-5594\n\nReported-By: Reynir Björnsson \nChange-Id: I0d926f910637dabc89bf5fa919dc6beef1eb46d9\nSigned-off-by: Arne Schwabe \nAcked-by: Antonio Quartulli \n\nMessage-Id: <20240619103004.56460-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28791.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"Properly handle null bytes and invalid characters in control messages"}},{"before":"94bfb712366ece1ca3605d18e99580f482f0232b","after":"90e7a858e5594d9a019ad2b4ac6154124986291a","ref":"refs/heads/release/2.6","pushedAt":"2024-06-19T13:37:44.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Properly handle null bytes and invalid characters in control messages\n\nThis makes OpenVPN more picky in accepting control message in two aspects:\n- Characters are checked in the whole buffer and not until the first\n NUL byte\n- if the message contains invalid characters, we no longer continue\n evaluating a fixed up version of the message but rather stop\n processing it completely.\n\nPreviously it was possible to get invalid characters to end up in log\nfiles or on a terminal.\n\nThis also prepares the logic a bit in the direction of having a proper\nframing of control messages separated by null bytes instead of relying\non the TLS framing for that. 
All OpenVPN implementations write the 0\nbytes between control commands.\n\nThis patch also include several improvement suggestion from Reynir\n(thanks!).\n\nCVE: 2024-5594\n\nReported-By: Reynir Björnsson \nChange-Id: I0d926f910637dabc89bf5fa919dc6beef1eb46d9\nSigned-off-by: Arne Schwabe \nAcked-by: Antonio Quartulli \n\nMessage-Id: <20240619103004.56460-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28791.html\nSigned-off-by: Gert Doering \n(cherry picked from commit 414f428fa29694090ec4c46b10a8aba419c85659)","shortMessageHtmlLink":"Properly handle null bytes and invalid characters in control messages"}},{"before":"fccae1fa71140bd66f4a57597ca3c7307ba05b30","after":"d4921ba22f5ae4537d808986743a228617c86328","ref":"refs/heads/release/2.5","pushedAt":"2024-06-19T13:37:44.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Properly handle null bytes and invalid characters in control messages\n\nThis makes OpenVPN more picky in accepting control message in two aspects:\n- Characters are checked in the whole buffer and not until the first\n NUL byte\n- if the message contains invalid characters, we no longer continue\n evaluating a fixed up version of the message but rather stop\n processing it completely.\n\nPreviously it was possible to get invalid characters to end up in log\nfiles or on a terminal.\n\nThis also prepares the logic a bit in the direction of having a proper\nframing of control messages separated by null bytes instead of relying\non the TLS framing for that. 
All OpenVPN implementations write the 0\nbytes between control commands.\n\nThis patch also include several improvement suggestion from Reynir\n(thanks!).\n\nCVE: 2024-5594\n\nReported-By: Reynir Björnsson \nChange-Id: I0d926f910637dabc89bf5fa919dc6beef1eb46d9\nSigned-off-by: Arne Schwabe \nAcked-by: Antonio Quartulli \n\nMessage-Id: <20240619103004.56460-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28791.html\nSigned-off-by: Gert Doering \n(cherry picked from commit 414f428fa29694090ec4c46b10a8aba419c85659)","shortMessageHtmlLink":"Properly handle null bytes and invalid characters in control messages"}},{"before":"d5c4c643f36637987d830494b407f2855c5e3fea","after":"94bfb712366ece1ca3605d18e99580f482f0232b","ref":"refs/heads/release/2.6","pushedAt":"2024-06-19T09:55:18.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Implement server_poll_timeout for socks\n\nSo far --server-poll-timeout was only applied\nfor HTTP proxies, apply it also to SOCKS proxies.\n\nThis removes the default 5 second socks connect timeout\nwhich can be too small depending on network setup and\nreplaces it with the configurable overall connect timeout\n(default 120 seconds).\n\nTrac: #328\nGithub: fixes OpenVPN/openvpn#267\n\nChange-Id: I2b109f8c551c23045a1be355778b08f0fd4d309f\nSigned-off-by: 5andr0 \nTested-By: ValdikSS \nAcked-by: Frank Lichtenheld \nMessage-Id: <20240315162011.1661139-1-frank@lichtenheld.com>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28408.html\nSigned-off-by: Gert Doering \n(cherry picked from commit b3a68b85a729628ca8b97f9f0c2813f795289cfc)","shortMessageHtmlLink":"Implement server_poll_timeout for 
socks"}},{"before":"06c7ce5d1fc3b17e0da731d22002e58b9e2d4994","after":"b3a68b85a729628ca8b97f9f0c2813f795289cfc","ref":"refs/heads/master","pushedAt":"2024-06-19T09:55:18.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Implement server_poll_timeout for socks\n\nSo far --server-poll-timeout was only applied\nfor HTTP proxies, apply it also to SOCKS proxies.\n\nThis removes the default 5 second socks connect timeout\nwhich can be too small depending on network setup and\nreplaces it with the configurable overall connect timeout\n(default 120 seconds).\n\nTrac: #328\nGithub: fixes OpenVPN/openvpn#267\n\nChange-Id: I2b109f8c551c23045a1be355778b08f0fd4d309f\nSigned-off-by: 5andr0 \nTested-By: ValdikSS \nAcked-by: Frank Lichtenheld \nMessage-Id: <20240315162011.1661139-1-frank@lichtenheld.com>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28408.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"Implement server_poll_timeout for socks"}},{"before":"f6ee77d1f6149cf8f8982998aee6d433f58be507","after":"06c7ce5d1fc3b17e0da731d22002e58b9e2d4994","ref":"refs/heads/master","pushedAt":"2024-06-18T20:51:20.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Add t_server_null test suite\n\nChange-Id: I1b54da258c7d15551b6c3de7522a0d19afdb66de\nSigned-off-by: Samuli Seppänen \nAcked-by: Frank Lichtenheld \nMessage-Id: <20240613081422.139493-1-frank@lichtenheld.com>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28750.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"Add t_server_null test 
suite"}},{"before":"dfbe11ac1842df400327be22951d0ba373534254","after":"d5c4c643f36637987d830494b407f2855c5e3fea","ref":"refs/heads/release/2.6","pushedAt":"2024-06-18T16:37:06.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Remove \"experimental\" denotation for --fast-io\n\nThis option is very old (from SVN days) and has been\nused by Access Server for many years. I don't think it\nmakes sense to claim that it is \"experimental\" at this\npoint.\n\nChange-Id: I913bb70c5e527e78e7cdb43110e23a8944f35a22\nSigned-off-by: Frank Lichtenheld \nAcked-by: Arne Schwabe \nMessage-Id: <20240618120156.4836-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28772.html\nSigned-off-by: Gert Doering \n(cherry picked from commit f6ee77d1f6149cf8f8982998aee6d433f58be507)","shortMessageHtmlLink":"Remove \"experimental\" denotation for --fast-io"}},{"before":"8eb397de3656402872f9c9584c6f703b87b50762","after":"f6ee77d1f6149cf8f8982998aee6d433f58be507","ref":"refs/heads/master","pushedAt":"2024-06-18T16:37:06.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Remove \"experimental\" denotation for --fast-io\n\nThis option is very old (from SVN days) and has been\nused by Access Server for many years. 
I don't think it\nmakes sense to claim that it is \"experimental\" at this\npoint.\n\nChange-Id: I913bb70c5e527e78e7cdb43110e23a8944f35a22\nSigned-off-by: Frank Lichtenheld \nAcked-by: Arne Schwabe \nMessage-Id: <20240618120156.4836-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28772.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"Remove \"experimental\" denotation for --fast-io"}},{"before":"13ee7f902f18e27b981f8e440facd2e6515c6c83","after":"8eb397de3656402872f9c9584c6f703b87b50762","ref":"refs/heads/master","pushedAt":"2024-06-18T16:30:27.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Fix MBEDTLS_DEPRECATED_REMOVED build errors\n\nThis commit allows compiling OpenVPN with recent versions of mbed TLS\nif MBEDTLS_DEPRECATED_REMOVED is defined.\n\nChange-Id: If96c2ebd2af16b18ed34820e8c0531547e2076d9\nSigned-off-by: Max Fillinger \nAcked-by: Arne Schwabe \nMessage-Id: <20240618120127.4564-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28771.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"Fix MBEDTLS_DEPRECATED_REMOVED build errors"}},{"before":"1ae753e4240434abda0a33aed07b289fa9c6ee79","after":"dfbe11ac1842df400327be22951d0ba373534254","ref":"refs/heads/release/2.6","pushedAt":"2024-06-06T20:24:09.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Implement Windows CA template match for Crypto-API selector\n\nThe certificate selection process for the Crypto API certificates\nis currently fixed to match on subject or identifier. 
Especially\nif certificates that are used for OpenVPN are managed by a Windows CA,\nit is appropriate to select the certificate to use by the template\nthat it is generated from, especially on domain-joined clients which\nautomatically acquire/renew the corresponding certificate.\n\nThe attached match implements the match on TMPL: with either a template\nname (which is looked up through CryptFindOIDInfo) or by specifying the\nOID of the template directly, which then is matched against the\ncorresponding X509 extensions specifying the template that the certificate\nwas generated from.\n\nThe logic requires to walk all certificates in the underlying store and\nto match the certificate extensions directly. The hook which is\nimplemented in the certificate selection logic is generic to allow\nother Crypto-API certificate matches to also be implemented at some\npoint in the future.\n\nThe logic to match the certificate template is taken from the\nimplementation in the .NET core runtime, see Pal.Windows/FindPal.cs in\nin the implementation of System.Security.Cryptography.X509Certificates.\n\nChange-Id: Ia2c3e4c5c83ecccce1618c43b489dbe811de5351\nSigned-off-by: Heiko Wundram \nSigned-off-by: Hannes Domani \nAcked-by: Selva Nair \nMessage-Id: <20240606103441.26598-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28726.html\nSigned-off-by: Gert Doering \n(cherry picked from commit 13ee7f902f18e27b981f8e440facd2e6515c6c83)","shortMessageHtmlLink":"Implement Windows CA template match for Crypto-API selector"}},{"before":"bf887c95e46c6892ac1f68be5559525f8d975530","after":"13ee7f902f18e27b981f8e440facd2e6515c6c83","ref":"refs/heads/master","pushedAt":"2024-06-06T11:33:38.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Implement Windows CA template match for Crypto-API 
selector\n\nThe certificate selection process for the Crypto API certificates\nis currently fixed to match on subject or identifier. Especially\nif certificates that are used for OpenVPN are managed by a Windows CA,\nit is appropriate to select the certificate to use by the template\nthat it is generated from, especially on domain-joined clients which\nautomatically acquire/renew the corresponding certificate.\n\nThe attached match implements the match on TMPL: with either a template\nname (which is looked up through CryptFindOIDInfo) or by specifying the\nOID of the template directly, which then is matched against the\ncorresponding X509 extensions specifying the template that the certificate\nwas generated from.\n\nThe logic requires to walk all certificates in the underlying store and\nto match the certificate extensions directly. The hook which is\nimplemented in the certificate selection logic is generic to allow\nother Crypto-API certificate matches to also be implemented at some\npoint in the future.\n\nThe logic to match the certificate template is taken from the\nimplementation in the .NET core runtime, see Pal.Windows/FindPal.cs in\nin the implementation of System.Security.Cryptography.X509Certificates.\n\nChange-Id: Ia2c3e4c5c83ecccce1618c43b489dbe811de5351\nSigned-off-by: Heiko Wundram \nSigned-off-by: Hannes Domani \nAcked-by: Selva Nair \nMessage-Id: <20240606103441.26598-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28726.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"Implement Windows CA template match for Crypto-API selector"}},{"before":"7dfff75659e6c06abe500f5b8716d9712aa41bcc","after":"bf887c95e46c6892ac1f68be5559525f8d975530","ref":"refs/heads/master","pushedAt":"2024-06-05T20:48:52.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert 
Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Windows: enforce 'block-local' with WFP filters\n\nIn an attempt to better defend against the TunnelCrack attacks, enforce\nthat no traffic can pass to anything else than the VPN interface when\nthe 'block-local' flags is given with either --redirect-gateway or\n--redirect-private.\n\nReuse much of the existing --block-outside-dns code, but make it more\ngeneral, so that it can also block any traffic, not just port 53.\n\nUses the Windows Filtering Platform for enforcement in addition to the\nroutes redirecting the networks into the tunnel.\n\nChange-Id: Ic9bf797bfc7e2d471998a84cb0f071db3e4832ba\nSigned-off-by: Heiko Hund \nAcked-by: Lev Stipakov \nAcked-by: Gert Doering \nMessage-Id: <20240605123856.26267-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28717.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"Windows: enforce 'block-local' with WFP filters"}},{"before":"d601237976323b5d8f6ac65c27ccc510563ad75f","after":"7dfff75659e6c06abe500f5b8716d9712aa41bcc","ref":"refs/heads/master","pushedAt":"2024-06-05T11:16:50.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"test_user_pass: Fix building with --enable-systemd\n\nNeed to make sure that ENABLE_SYSTEMD is really disabled.\n\nChange-Id: Ic33c210f06e173a450534aa0969c57f140086655\nSigned-off-by: Frank Lichtenheld \nAcked-by: Gert Doering \nMessage-Id: <20240605111012.3023-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28708.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"test_user_pass: Fix building with 
--enable-systemd"}},{"before":"2f2ff186564c3999efaf48d734df95471ac22d84","after":"1ae753e4240434abda0a33aed07b289fa9c6ee79","ref":"refs/heads/release/2.6","pushedAt":"2024-06-05T11:10:55.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"LZO: do not use lzoutils.h macros\n\nInstead of lzo_{free,malloc} we can just use the\nfree and malloc as the lzoutils.h header itself\nsuggests.\n\nChange-Id: I32ee28fde5d38d736f753c782d88a81de7fe2980\nSigned-off-by: Frank Lichtenheld \nAcked-by: Arne Schwabe \nMessage-Id: <20240604211708.32315-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28705.html\nSigned-off-by: Gert Doering \n(cherry picked from commit d601237976323b5d8f6ac65c27ccc510563ad75f)","shortMessageHtmlLink":"LZO: do not use lzoutils.h macros"}},{"before":"82036c17c45d45c3fe8725f64b33720cb9c94dad","after":"d601237976323b5d8f6ac65c27ccc510563ad75f","ref":"refs/heads/master","pushedAt":"2024-06-05T11:10:55.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"LZO: do not use lzoutils.h macros\n\nInstead of lzo_{free,malloc} we can just use the\nfree and malloc as the lzoutils.h header itself\nsuggests.\n\nChange-Id: I32ee28fde5d38d736f753c782d88a81de7fe2980\nSigned-off-by: Frank Lichtenheld \nAcked-by: Arne Schwabe \nMessage-Id: <20240604211708.32315-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28705.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"LZO: do not use lzoutils.h 
macros"}},{"before":"65fb67cd6c320a426567b2922c4282fb8738ba3f","after":"2f2ff186564c3999efaf48d734df95471ac22d84","ref":"refs/heads/release/2.6","pushedAt":"2024-06-02T15:50:34.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Allow to set ifmode for existing DCO interfaces in FreeBSD\n\nWhile prexisting devices work well TUN/TAP the DCO interfaces require\nsetting the ifmode which cannot be done by FreeBSD base tooling. In\npeer-to-peer mode this is not a problem because that is the default mode.\nSubnet mode, however, will fail to be set and the resulting connection does\nnot start:\n\n Failed to create interface ovpns2 (SIOCSIFNAME): File exists (errno=17)\n DCO device ovpns2 already exists, won't be destroyed at shutdown\n /sbin/ifconfig ovpns2 10.1.8.1/24 mtu 1500 up\n ifconfig: in_exec_nl(): Empty IFA_LOCAL/IFA_ADDRESS\n ifconfig: ioctl (SIOCAIFADDR): Invalid argument\n FreeBSD ifconfig failed: external program exited with error status: 1\n Exiting due to fatal error\n\nSlightly restructure the code to catch the specific error\ncondition and execute dco_set_ifmode() in this case as well.\n\nSigned-off-by: Franco Fichtner \nAcked-by: Gert Doering \nMessage-Id: \nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28688.html\nSigned-off-by: Gert Doering \n(cherry picked from commit 82036c17c45d45c3fe8725f64b33720cb9c94dad)","shortMessageHtmlLink":"Allow to set ifmode for existing DCO interfaces in FreeBSD"}},{"before":"fbe3b49b373ea8e81aaa31a383258403a3bfcd07","after":"82036c17c45d45c3fe8725f64b33720cb9c94dad","ref":"refs/heads/master","pushedAt":"2024-06-02T15:50:34.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Allow to set ifmode 
for existing DCO interfaces in FreeBSD\n\nWhile preexisting devices work well TUN/TAP the DCO interfaces require\nsetting the ifmode which cannot be done by FreeBSD base tooling. In\npeer-to-peer mode this is not a problem because that is the default mode.\nSubnet mode, however, will fail to be set and the resulting connection does\nnot start:\n\n Failed to create interface ovpns2 (SIOCSIFNAME): File exists (errno=17)\n DCO device ovpns2 already exists, won't be destroyed at shutdown\n /sbin/ifconfig ovpns2 10.1.8.1/24 mtu 1500 up\n ifconfig: in_exec_nl(): Empty IFA_LOCAL/IFA_ADDRESS\n ifconfig: ioctl (SIOCAIFADDR): Invalid argument\n FreeBSD ifconfig failed: external program exited with error status: 1\n Exiting due to fatal error\n\nSlightly restructure the code to catch the specific error\ncondition and execute dco_set_ifmode() in this case as well.\n\nSigned-off-by: Franco Fichtner \nAcked-by: Gert Doering \nMessage-Id: \nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28688.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"Allow to set ifmode for existing DCO interfaces in FreeBSD"}},{"before":"55bb3260c12bae33b6a8eac73cbb6972f8517411","after":"fbe3b49b373ea8e81aaa31a383258403a3bfcd07","ref":"refs/heads/master","pushedAt":"2024-06-01T20:27:29.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Allow the TLS session to send out TLS alerts\n\nPrevious OpenVPN versions shut down the TLS control channel immediately\nwhen encountering an error. 
This also meant that we would not send out\nTLS alerts to notify a client about potential problems like mismatching\nTLS versions or having no common cipher.\n\nThis commit adds a new key_state S_ERROR_PRE which still allows to\nsend out the remaining TLS packets of the control session which are\ntypically the alert message and then going to S_ERROR. We do not\nwait for retries. So this is more a one-shot notify but that is\nacceptable in this situation.\n\nSending out alerts is a slight compromise in security as alerts give\nout a bit of information that otherwise is not given\nout. But since all other consumers TLS implementations are already doing this\nand TLS implementations (nowadays) are very careful not to leak (sensitive)\ninformation by alerts and since the user experience is much better with\nalerts, this compromise is worth it.\n\nChange-Id: I0ad48915004ddee587e97c8ed190ba8ee989e48d\nSigned-off-by: Arne Schwabe \nAcked-by: Frank Lichtenheld \nMessage-Id: <20240408124933.243991-1-frank@lichtenheld.com>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28540.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"Allow the TLS session to send out TLS alerts"}},{"before":"763b35f652b1913ddd01e6c548b3e6a57076ba42","after":"55bb3260c12bae33b6a8eac73cbb6972f8517411","ref":"refs/heads/master","pushedAt":"2024-05-17T06:44:21.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Only schedule_exit() once\n\nIf an exit has already been scheduled we should not schedule it again.\nOtherwise, the exit signal is never emitted if the peer reschedules the\nexit before the timeout occurs.\n\nschedule_exit() now only takes the context as argument. 
The signal is\nhard coded to SIGTERM, and the interval is read directly from the\ncontext options.\n\nFurthermore, schedule_exit() now returns a bool signifying whether an\nexit was scheduled; false if exit is already scheduled. The call sites\nare updated accordingly. A notable difference is that management is only\nnotified *once* when an exit is scheduled - we no longer notify\nmanagement on redundant exit.\n\nThis patch was assigned a CVE number after already being reviewed and ACKed,\nbecause it was discovered that a misbehaving client can use the (now\nfixed) server behaviour to avoid being disconnected by means of a\nmanagement interface \"client-kill\" command - the security issue here is\n\"client can circumvent security policy set by management interface\".\n\nThis only affects previously authenticated clients, and only management\nclient-kill, so normal renegotiation / AUTH_FAIL (\"your session ends\") is not\naffected.\n\nCVE: 2024-28882\n\nChange-Id: I9457f005f4ba970502e6b667d9dc4299a588d661\nSigned-off-by: Reynir Björnsson \nAcked-by: Arne Schwabe \nMessage-Id: <20240516120434.23499-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28679.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"Only schedule_exit() once"}},{"before":"8aed156be81a3bdd3098bfed5e8f95662d06633c","after":"65fb67cd6c320a426567b2922c4282fb8738ba3f","ref":"refs/heads/release/2.6","pushedAt":"2024-05-17T06:44:21.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Only schedule_exit() once\n\nIf an exit has already been scheduled we should not schedule it again.\nOtherwise, the exit signal is never emitted if the peer reschedules the\nexit before the timeout occurs.\n\nschedule_exit() now only takes the context as argument. 
The signal is\nhard coded to SIGTERM, and the interval is read directly from the\ncontext options.\n\nFurthermore, schedule_exit() now returns a bool signifying whether an\nexit was scheduled; false if exit is already scheduled. The call sites\nare updated accordingly. A notable difference is that management is only\nnotified *once* when an exit is scheduled - we no longer notify\nmanagement on redundant exit.\n\nThis patch was assigned a CVE number after already being reviewed and ACKed,\nbecause it was discovered that a misbehaving client can use the (now\nfixed) server behaviour to avoid being disconnected by means of a\nmanagement interface \"client-kill\" command - the security issue here is\n\"client can circumvent security policy set by management interface\".\n\nThis only affects previously authenticated clients, and only management\nclient-kill, so normal renegotiation / AUTH_FAIL (\"your session ends\") is not\naffected.\n\nCVE: 2024-28882\n\nChange-Id: I9457f005f4ba970502e6b667d9dc4299a588d661\nSigned-off-by: Reynir Björnsson \nAcked-by: Arne Schwabe \nMessage-Id: <20240516120434.23499-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28679.html\nSigned-off-by: Gert Doering \n(cherry picked from commit 55bb3260c12bae33b6a8eac73cbb6972f8517411)","shortMessageHtmlLink":"Only schedule_exit() once"}},{"before":"51f80db910eb48e720ce106b5b9b5ec96d8e0e23","after":"763b35f652b1913ddd01e6c548b3e6a57076ba42","ref":"refs/heads/master","pushedAt":"2024-05-15T11:40:30.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"cron2","name":"Gert Doering","path":"/cron2","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3456368?s=80&v=4"},"commit":{"message":"Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL\n\nAfter the removal of the OpenSSL 1.0.2 support, LibreSSL/wolfSSL are the\nonly libraries that still need the custom implementation.\n\nSince our LibreSSL/wolfSSL support is always best 
effort, we can afford to\nlimit LibreSSL support in this way. If they want to support this, they\nshould expose the functionality as well.\n\nChange-Id: I5bfa3630ad4dff2807705658bc877c4a429a39ce\nSigned-off-by: Arne Schwabe \nAcked-by: Gert Doering \nMessage-Id: <20240515100115.11056-1-gert@greenie.muc.de>\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28672.html\nSigned-off-by: Gert Doering ","shortMessageHtmlLink":"Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEb_mSgQA","startCursor":null,"endCursor":null}},"title":"Activity · OpenVPN/openvpn"}