From 4260d11e8b47a8a7aac0927abe2c9e89931b4467 Mon Sep 17 00:00:00 2001 From: Magnus Kroken Date: Sun, 12 Jun 2016 23:49:42 +0200 Subject: [PATCH] openvpn: update to 2.3.11 Security fixes: * Fixed port-share bug with DoS potential * Fix buffer overflow by user supplied data Full changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11 Signed-off-by: Magnus Kroken --- package/network/services/openvpn/Makefile | 6 +++--- ...larssl-disable-runtime-version-check.patch | 2 +- .../101-remove_polarssl_debug_call.patch | 21 +++++++++++++++++++ 3 files changed, 25 insertions(+), 4 deletions(-) create mode 100644 package/network/services/openvpn/patches/101-remove_polarssl_debug_call.patch diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile index e0e1b124c3..19f78bc508 100644 --- a/package/network/services/openvpn/Makefile +++ b/package/network/services/openvpn/Makefile @@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openvpn -PKG_VERSION:=2.3.10 -PKG_RELEASE:=2 +PKG_VERSION:=2.3.11 +PKG_RELEASE:=1 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_MD5SUM:=8831ded42db4317e287157b6b8cba74c +PKG_MD5SUM:=0f5f1ca1dc5743fa166d93dd4ec952f014b5f33bafd88f0ea34b455cae1434a7 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION) diff --git a/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch b/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch index 73ab40649d..bd8e5b780d 100644 --- a/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch +++ b/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch @@ -1,6 +1,6 @@ --- a/src/openvpn/ssl_polarssl.c +++ b/src/openvpn/ssl_polarssl.c -@@ -1153,7 +1153,7 @@ const char * +@@ -1151,7 +1151,7 @@ const char * get_ssl_library_version(void) { static char polar_version[30]; diff --git a/package/network/services/openvpn/patches/101-remove_polarssl_debug_call.patch b/package/network/services/openvpn/patches/101-remove_polarssl_debug_call.patch new file mode 100644 index 0000000000..3cef32395e --- /dev/null +++ b/package/network/services/openvpn/patches/101-remove_polarssl_debug_call.patch @@ -0,0 +1,21 @@ +openvpn: remove call to PolarSSL debug function + +OpenVPN >=2.3.11 uses PolarSSL debug functions for improved logging. +This requires that PolarSSL is built with POLARSSL_DEBUG_C, which increases +its size significantly. + +This change does not impact OpenVPN operation, see: +https://sourceforge.net/p/openvpn/mailman/message/35153943/ + +Signed-off-by: Magnus Kroken + +--- a/src/openvpn/ssl_polarssl.c ++++ b/src/openvpn/ssl_polarssl.c +@@ -742,7 +742,7 @@ void key_state_ssl_init(struct key_state + if (polar_ok(ssl_init(ks_ssl->ctx))) + { + /* Initialise SSL context */ +- debug_set_threshold(3); ++ /*debug_set_threshold(3);*/ + ssl_set_dbg (ks_ssl->ctx, my_debug, NULL); + ssl_set_endpoint (ks_ssl->ctx, ssl_ctx->endpoint); -- 2.30.2