[meta-networking,09/26] openvpn: upgrade 2.6.15 -> 2.6.16

Message ID	20251125091156.1376-9-wangmy@fujitsu.com
State	New
Headers	show Return-Path: <wangmy@fujitsu.com> ip: 139.138.61.253, mailfrom: wangmy@fujitsu.com) From: Wang Mingyu < wangmy@fujitsu.com> To: openembedded-devel@lists.openembedded.org Cc: Wang Mingyu <wangmy@fujitsu.com> Subject: [oe] [meta-networking] [PATCH 09/26] openvpn: upgrade 2.6.15 -> 2.6.16 Date: Tue, 25 Nov 2025 17:11:39 +0800 Message-ID: <20251125091156.1376-9-wangmy@fujitsu.com> In-Reply-To: <20251125091156.1376-1-wangmy@fujitsu.com> References: <20251125091156.1376-1-wangmy@fujitsu.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[meta-oe,01/26] debootstrap: upgrade 1.0.141 -> 1.0.142 \| expand [meta-oe,01/26] debootstrap: upgrade 1.0.141 -> 1.0.142 [meta-oe,02/26] fuse3: upgrade 3.16.2 -> 3.17.4 [meta-oe,03/26] gpsd: upgrade 3.26.1 -> 3.27 [meta-oe,04/26] lcms: upgrade 2.16 -> 2.17 [meta-oe,05/26] libgphoto2: upgrade 2.5.32 -> 2.5.33 [meta-oe,06/26] lvm2: upgrade 2.03.36 -> 2.03.37 [meta-gnome,07/26] nautilus: upgrade 49.1 -> 49.2 [meta-oe,08/26] nss: upgrade 3.117 -> 3.118.1 [meta-networking,09/26] openvpn: upgrade 2.6.15 -> 2.6.16 [meta-python,10/26] python3-asgiref: upgrade 3.10.0 -> 3.11.0 [meta-python,11/26] python3-asyncinotify: upgrade 4.2.1 -> 4.3.2 [meta-python,12/26] python3-bandit: upgrade 1.8.6 -> 1.9.2 [meta-python,13/26] python3-bleak: upgrade 1.1.1 -> 2.0.0 [meta-python,14/26] python3-cfgv: upgrade 3.4.0 -> 3.5.0 [meta-python,15/26] python3-cmake: upgrade 4.1.2 -> 4.2.0 [16/26] python3-coverage: upgrade 7.11.3 -> 7.12.0 [meta-python,17/26] python3-dirty-equals: upgrade 0.10.0 -> 0.11 [meta-python,18/26] python3-gpt-image: upgrade 0.9.0 -> 0.9.1 [meta-python,19/26] python3-moteus: upgrade 0.3.95 -> 0.3.96 [meta-python,20/26] python3-psycopg: upgrade 3.2.12 -> 3.2.13 [meta-python,21/26] python3-rich-argparse: upgrade 1.7.1 -> 1.7.2 [meta-python,22/26] python3-stevedore: upgrade 5.5.0 -> 5.6.0 [meta-python,23/26] python3-types-psutil: upgrade 7.0.0.20250601 -> 7.1.1.20251122 [meta-oe,24/26] sanlock: upgrade 4.1.0 -> 4.2.0

Message ID

20251125091156.1376-9-wangmy@fujitsu.com

State

New

Headers

From: Wang Mingyu < wangmy@fujitsu.com>
To: openembedded-devel@lists.openembedded.org
Cc: Wang Mingyu <wangmy@fujitsu.com>
Subject: [oe] [meta-networking] [PATCH 09/26] openvpn: upgrade 2.6.15 ->
 2.6.16
Date: Tue, 25 Nov 2025 17:11:39 +0800
Message-ID: <20251125091156.1376-9-wangmy@fujitsu.com>
In-Reply-To: <20251125091156.1376-1-wangmy@fujitsu.com>
References: <20251125091156.1376-1-wangmy@fujitsu.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[meta-oe,01/26] debootstrap: upgrade 1.0.141 -> 1.0.142 | expand

Commit Message

Wang Mingyu Nov. 25, 2025, 9:11 a.m. UTC

From: Wang Mingyu <wangmy@fujitsu.com>

Code maintenance / Compat changes
---------------------------------
- adapt to new "encrypt-then-mac" cipher suites in OpenSSL 3.6.0 - these
  need special handling which we don't do, so the t_lpback self-test
  failed on them.  Exclude from list of allowed ciphers, as there is no
  strong reason today to make OpenVPN use these.
- fix various compile-time warnings

Documentation updates
---------------------
- fix outdated and non-HTTPS URLs throughout the tree (doxygen, warnings,
  manpage, ...)

Bugfixes
--------
- Fix memcmp check for the hmac verification in the 3way handshake.
  This bug renders the HMAC based protection against state exhaustion on
  receiving spoofed TLS handshake packets in the OpenVPN server inefficient.
  CVE: 2025-13086
- fix invalid pointer creation in tls_pre_decrypt() - technically this is
  a memory over-read issue, in practice, the compilers optimize it away
  so no negative effects could be observed.
- Windows: in the interactive service, fix the "undo DNS config" handling.
- Windows: in the interactive service, disallow using of "stdin" for the
  config file, unless the caller is authorized OpenVPN Administrator
- Windows: in the interactive service, change all netsh calls to use
  interface index and not interface name - sidesteps all possible attack
  avenues with special characters in interface names.
- Windows: in the interactive service, improve error handling in
  some "unlikely to happen" paths.
- auth plugin/script handling: properly check for errors in creation on
  $auth_failed_reason_file (arf).
- for incoming TCP connections, close-on-exec option was applied to
  the wrong socket fd, leaking socket FDs to child processes.
- sitnl: set close-on-exec flag on netlink socket
- ssl_mbedtls: fix missing perf_pop() call (optional performance profiling)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
---
 .../openvpn/{openvpn_2.6.15.bb => openvpn_2.6.16.bb}            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-networking/recipes-support/openvpn/{openvpn_2.6.15.bb => openvpn_2.6.16.bb} (98%)

diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.6.15.bb b/meta-networking/recipes-support/openvpn/openvpn_2.6.16.bb
similarity index 98%
rename from meta-networking/recipes-support/openvpn/openvpn_2.6.15.bb
rename to meta-networking/recipes-support/openvpn/openvpn_2.6.16.bb
index 8a88282cd5..88f564313f 100644
--- a/meta-networking/recipes-support/openvpn/openvpn_2.6.15.bb
+++ b/meta-networking/recipes-support/openvpn/openvpn_2.6.16.bb
@@ -15,7 +15,7 @@  SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \
 
 UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
 
-SRC_URI[sha256sum] = "e35513ee15995e3c71adfd8891b9f33522896c70b3baa2ed9a23c7a42c4d7bde"
+SRC_URI[sha256sum] = "05cb5fdf1ea33fcba719580b31a97feaa019c4a3050563e88bc3b34675e6fed4"
 
 CVE_STATUS[CVE-2020-27569] = "not-applicable-config: Applies only Aviatrix OpenVPN client, not openvpn"

[meta-networking,09/26] openvpn: upgrade 2.6.15 -> 2.6.16

Commit Message

Patch