git.ipfire.org Git - ipfire-2.x.git/commit

author	Adolf Belka <adolf.belka@ipfire.org>
	Sat, 7 Sep 2024 17:29:27 +0000 (19:29 +0200)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Mon, 9 Sep 2024 15:42:27 +0000 (15:42 +0000)
commit	91c0e2735d137630a867aef40c9e1bde2a95f69e
tree	86da34e956a78ed034cd58c3266df19c14e9bf1b	tree
parent	6c6813283a643025f0032ba1f7398a906d8b348a	commit \| diff

openvpn: Update to version 2.5.10

- Update from version 2.5.9 to 2.5.10
- Update of rootfile not required
- 3 CVE Fixes in this version but all are for Windows installations.
- Changelog
    2.5.10
Security fixes
- CVE-2024-27459: Windows: fix a possible stack overflow in the
  interactive service component which might lead to a local privilege
  escalation.
Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
- CVE-2024-24974: Windows: disallow access to the interactive service
  pipe from remote computers.
Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
- CVE-2024-27903: Windows: disallow loading of plugins from untrusted
  installation paths, which could be used to attack openvpn.exe via
  a malicious plugin.  Plugins can now only be loaded from the OpenVPN
  install directory, the Windows system directory, and possibly from
  a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir.
Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
User visible changes
- License amendment: all NEW commits fall under a modified license that
  explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL) -
  see COPYING for details.  Existing code in the release/2.5 branch
  will not been relicensed (only in release/2.6 and later branches).

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>