Fedora has issued an advisory on May 7: http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105609.html

Cauldron is not affected as it was fixed upstream in 2.3.1.

Patched package uploaded for Mageia 2. Patch added in Mageia 1 SVN.

Advisory:
========================

Updated openvpn package fixes security vulnerability:

OpenVPN 2.3.0 and earlier running in UDP mode are subject to chosen ciphertext injection due to a non-constant-time HMAC comparison function. Plaintext recovery may be possible using a padding oracle attack on the CBC mode cipher implementation of the crypto library, optimistically at a rate of about one character per 3 hours. PolarSSL seems vulnerable to such an attack; the vulnerability of OpenSSL has not been verified or tested (CVE-2013-2061).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2061
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105609.html
========================

Updated packages in core/updates_testing:
========================
openvpn-2.2.2-5.3.mga2 from openvpn-2.2.2-5.3.mga2.src.rpm

Reproducible:

Steps to Reproduce:
Some info for testing here: http://openvpn.net/index.php/open-source/documentation/howto.html
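The root cause named in the advisory is a comparison of the packet's HMAC tag that stops at the first mismatching byte, so the time the receiver spends before rejecting a packet depends on how many leading tag bytes happen to be right. The C program below is an added illustration, not OpenVPN's, PolarSSL's or Mageia's code: it puts that early-exit pattern beside a constant-time comparison of the kind the upstream fix relies on, and instruments the early-exit loop to count the bytes it inspects. The 20-byte tag length matches HMAC-SHA1; the tag bytes themselves are constructed, and `make_tags`, `steps_for_prefix` and the two `*_verdict` helpers are names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length of an HMAC-SHA1 tag, OpenVPN's default "auth" digest. */
#define TAG_LEN 20

/* Early-exit comparison: returns as soon as one byte differs, so the
 * time spent depends on how many leading bytes of the supplied tag are
 * correct. This is the non-constant-time pattern the advisory refers to
 * (libc memcmp() gives no constant-time guarantee either). */
static int tag_equal_early_exit(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: always touches all n bytes and ORs every
 * difference into one accumulator, so neither the running time nor the
 * branch pattern reveals where the first mismatch is. */
static int tag_equal_constant_time(const uint8_t *a, const uint8_t *b, size_t n)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Instrumented copy of the early-exit loop that counts the byte
 * comparisons performed before it returns; this count is a stand-in for
 * the elapsed time an observer could measure on the vulnerable code. */
static size_t early_exit_steps(const uint8_t *a, const uint8_t *b, size_t n)
{
    size_t steps = 0;
    for (size_t i = 0; i < n; i++) {
        steps++;
        if (a[i] != b[i])
            break;
    }
    return steps;
}

/* Build a constructed "genuine" tag and a second tag that matches it in
 * the first `prefix` bytes and differs in every remaining byte.
 * prefix == TAG_LEN yields an identical tag. (Constructed sample data.) */
static void make_tags(size_t prefix, uint8_t genuine[TAG_LEN], uint8_t other[TAG_LEN])
{
    for (size_t i = 0; i < TAG_LEN; i++) {
        genuine[i] = (uint8_t)(0x5a + 7 * i);   /* arbitrary constructed bytes */
        other[i]   = (i < prefix) ? genuine[i] : (uint8_t)(genuine[i] ^ 0xff);
    }
}

/* How many bytes the early-exit loop inspects for a tag sharing `prefix`
 * correct leading bytes: grows with prefix, i.e. it leaks. */
size_t steps_for_prefix(size_t prefix)
{
    uint8_t genuine[TAG_LEN], other[TAG_LEN];
    make_tags(prefix, genuine, other);
    return early_exit_steps(genuine, other, TAG_LEN);
}

/* Verdict of each comparison for the same pair of tags: both agree on the
 * answer; only the work done to reach it differs. */
int early_exit_verdict(size_t prefix)
{
    uint8_t genuine[TAG_LEN], other[TAG_LEN];
    make_tags(prefix, genuine, other);
    return tag_equal_early_exit(genuine, other, TAG_LEN);
}

int constant_time_verdict(size_t prefix)
{
    uint8_t genuine[TAG_LEN], other[TAG_LEN];
    make_tags(prefix, genuine, other);
    return tag_equal_constant_time(genuine, other, TAG_LEN);
}

int main(void)
{
    for (size_t prefix = 0; prefix <= TAG_LEN; prefix += 5)
        printf("correct prefix %2zu bytes -> early-exit loop inspects %2zu bytes, "
               "verdicts: early-exit=%d constant-time=%d\n",
               prefix, steps_for_prefix(prefix),
               early_exit_verdict(prefix), constant_time_verdict(prefix));
    return 0;
}
```

Running it shows the early-exit loop inspecting 1, 6, 11, 16 and 20 bytes as the matching prefix grows, while the verdict is identical for both functions; the constant-time version does the same 20 bytes of work every time. The `volatile` accumulator is there to discourage the compiler from turning the loop back into an early-exit comparison; a production implementation should additionally be checked against the generated assembly for the target compiler.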
Testing mga2 64

# cp /usr/share/openvpn/sample-config-files/server.conf /etc/openvpn/
# cp /usr/share/openvpn/sample-keys/* /etc/openvpn/

Seems to be a problem with the systemd service file.

# service openvpn start
Starting openvpn (via systemctl): Failed to issue method call: Unit openvpn.service failed to load: Invalid argument. See system logs and 'systemctl status openvpn.service' for details.
[FAILED]

# systemctl status openvpn.service
openvpn.service
          Loaded: error (Reason: Invalid argument)
          Active: inactive (dead)

Skipping the redirection to systemctl..

# service --skip-redirect openvpn start
Starting openvpn: [ OK ]

# ps aux | grep vpn
openvpn  26470  0.0  0.0  24052  1280 ?  Ss  19:05  0:00 /usr/sbin/openvpn --user openvpn --group openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn --script-security 2

# service --skip-redirect openvpn stop
Shutting down openvpn: [ OK ]

# systemctl start openvpn.service
Failed to issue method call: Unit openvpn.service failed to load: Invalid argument. See system logs and 'systemctl status openvpn.service' for details.
Whiteboard: (none) => feedback
Created attachment 4018: /etc/openvpn/server.conf

It's basically the sample server.conf with the user set to use openvpn:openvpn
See Colin's comments in Bug 6291.
CC: (none) => mageia
CC: (none) => oe
https://bugzilla.redhat.com/show_bug.cgi?id=960192#c1
https://bugzilla.redhat.com/show_bug.cgi?id=960192#c5
Thanks David, so in this instance it should be..

# systemctl start openvpn@server.service

Trying again :)
Whiteboard: feedback => (none)
Testing complete mga2 32

# systemctl restart openvpn@server.service
# systemctl status openvpn@server.service
openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
          Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled)
          Active: active (running) since Wed, 22 May 2013 12:02:12 +0100; 4s ago
         Process: 17202 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
        Main PID: 17205 (openvpn)
          CGroup: name=systemd:/system/openvpn@.service/server
                  └─ 17205 /usr/sbin/openvpn --daemon --writepid /var/run/openv...

May 22 12:02:12 laptop openvpn[17205]: GID set to openvpn
May 22 12:02:12 laptop openvpn[17205]: UID set to openvpn
May 22 12:02:12 laptop openvpn[17205]: Listening for incoming TCP connection ...94
May 22 12:02:12 laptop openvpn[17205]: TCPv4_SERVER link local (bound): [unde...94
May 22 12:02:12 laptop openvpn[17205]: TCPv4_SERVER link remote: [undef]
May 22 12:02:12 laptop openvpn[17205]: MULTI: multi_init called, r=256 v=256
May 22 12:02:12 laptop openvpn[17205]: IFCONFIG POOL: base=10.8.0.4 size=62
May 22 12:02:12 laptop openvpn[17205]: IFCONFIG POOL LIST
May 22 12:02:12 laptop openvpn[17205]: MULTI: TCP INIT maxclients=1024 maxeve...28
May 22 12:02:12 laptop openvpn[17205]: Initialization Sequence Completed

Confirmed it is running as openvpn user and listening for connections

# ps aux | grep vpn
openvpn  17350  0.0  0.0  5408  1060 ?  Ss  12:04  0:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --cd /etc/openvpn/ --config server.conf

# netstat -pan | grep 1194
udp  0  0 0.0.0.0:1194  0.0.0.0:*  17350/openvpn

Connecting to it..

# cp /usr/share/openvpn/sample-config-files/client.conf /etc/openvpn/

Edited /etc/openvpn/client.conf so it connects to localhost

# cd /etc/openvpn
# openvpn client.conf

Verified it connected ok and could be pinged from another terminal tab..

$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=0.057 ms
Whiteboard: (none) => has_procedure mga2-32-ok
Removing it gives an error but it doesn't leave anything behind in /lib/systemd/system/

# urpme openvpn
removing openvpn-2.2.2-5.3.mga2.i586
Failed to issue method call: Unit name openvpn@.service is not valid.
removing package openvpn-2.2.2-5.3.mga2.i586
Testing complete mga2 64

Validating Advisory & srpm in comment 0

Could sysadmin please push from 2 core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-32-ok => has_procedure mga2-32-ok mga2-64-ok
CC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0153
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED