Bug#1118479: openvpn-auth-radius: fails to authenticate response packets
Package: openvpn-auth-radius
Version: 2.1-9
Severity: important
X-Debbugs-Cc: martin.rampersad@emkal.ca
Dear Maintainer,
I recently upgraded one of my boxes to Debian 13 Trixie.
With the same configs, I was unable to authenticate against an unchanged RADIUS
server.
I downloaded the source, removed the 0007 BLASTRadius mitigation patch, and
rebuilt. This allowed me to successfully connect to OpenVPN again.
I reapplied the patch and debugged the issue. I submitted a fix and it has been
accepted into unstable (2.1-10) with many thanks to sthibault.
I believe this bug renders the package completely unusable in stable. There is
a function which authenticates received packets which never succeeds because
the secret key is copied from a temporary string c_str and has garbage in it by
the time it is used to perform the necessary hashes.
Is there a way to get this patch in stable?
Thank you,
Martin Rampersad
-- System Information:
Debian Release: 13.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.12.48+deb13-amd64 (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openvpn-auth-radius depends on:
ii libc6 2.41-12
ii libgcc-s1 14.2.0-19
ii libgcrypt20 1.11.0-7
ii libstdc++6 14.2.0-19
ii openvpn 2.6.14-1
openvpn-auth-radius recommends no packages.
openvpn-auth-radius suggests no packages.
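The lifetime bug the report describes is a common C++ pattern: a pointer obtained with `c_str()` from a `std::string` returned by value is only valid until the end of the full expression that created the temporary, so a Response Authenticator check that stashes that pointer hashes garbage later. The following is an added example written for this page, not code from openvpn-auth-radius or its Debian patch: it models the check with a hypothetical `Config`/`Verifier` pair, uses a constructed 16-byte FNV-based digest as a stand-in for the MD5 that RFC 2865 actually specifies, and shows the dangling form next to the owning fix.

```cpp
#include <array>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Added example, not openvpn-auth-radius code. Config, Verifier and the data
// below are hypothetical; toy_digest is a constructed 16-byte stand-in, NOT MD5.
using Digest = std::array<uint8_t, 16>;

Digest toy_digest(const std::vector<uint8_t>& data) {
    Digest out{};
    for (int lane = 0; lane < 2; ++lane) {
        uint64_t h = 1469598103934665603ULL ^ (0x9E3779B97F4A7C15ULL * (uint64_t)(lane + 1));
        for (uint8_t b : data) { h ^= b; h *= 1099511628211ULL; }
        for (int i = 0; i < 8; ++i) out[lane * 8 + i] = (uint8_t)(h >> (8 * i));
    }
    return out;
}

// RADIUS packet layout: Code(1) Id(1) Length(2) Authenticator(16) Attributes(*).
// Response Authenticator = H(Code + Id + Length + RequestAuth + Attributes + Secret).
Digest response_authenticator(const std::vector<uint8_t>& packet, const Digest& request_auth,
                              const char* secret, size_t secret_len) {
    std::vector<uint8_t> in(packet.begin(), packet.begin() + 4);
    in.insert(in.end(), request_auth.begin(), request_auth.end());
    in.insert(in.end(), packet.begin() + 20, packet.end());
    in.insert(in.end(), secret, secret + secret_len);
    return toy_digest(in);
}

// Hypothetical config object whose accessor returns the secret BY VALUE.
struct Config {
    std::string secret_value;
    std::string secret() const { return secret_value; }  // a fresh temporary per call
};

// BUGGY: stores a pointer into a temporary. The temporary is destroyed at the end
// of the initialiser expression, so secret_ dangles and later hashes read freed
// memory (undefined behaviour). Shown for contrast; never exercised here.
struct DanglingVerifier {
    const char* secret_;
    size_t secret_len_;
    explicit DanglingVerifier(const Config& c)
        : secret_(c.secret().c_str()), secret_len_(c.secret().size()) {}
};

// FIXED: own a copy of the secret and take c_str() only while that copy lives.
class Verifier {
public:
    explicit Verifier(const Config& c) : secret_(c.secret()) {}
    bool verify(const std::vector<uint8_t>& response, const Digest& request_auth) const {
        if (response.size() < 20) return false;
        Digest expected = response_authenticator(response, request_auth,
                                                 secret_.c_str(), secret_.size());
        unsigned diff = 0;  // constant-time compare: no early exit on first mismatch
        for (size_t i = 0; i < 16; ++i) diff |= expected[i] ^ response[4 + i];
        return diff == 0;
    }
private:
    std::string secret_;
};

// Builds a response the way a server would (constructed test data).
std::vector<uint8_t> build_response(uint8_t code, uint8_t id, const Digest& request_auth,
                                    const std::vector<uint8_t>& attrs, const std::string& secret) {
    std::vector<uint8_t> pkt = {code, id, 0, 0};
    uint16_t len = (uint16_t)(20 + attrs.size());
    pkt[2] = (uint8_t)(len >> 8);
    pkt[3] = (uint8_t)len;
    pkt.resize(20, 0);
    pkt.insert(pkt.end(), attrs.begin(), attrs.end());
    Digest auth = response_authenticator(pkt, request_auth, secret.c_str(), secret.size());
    std::memcpy(pkt.data() + 4, auth.data(), 16);
    return pkt;
}

// Verifies a constructed Access-Accept with the owning Verifier; the server and
// client secrets can differ and the packet can be tampered with after signing.
bool demo(const std::string& server_secret, const std::string& client_secret, bool tamper) {
    Digest request_auth{};
    for (int i = 0; i < 16; ++i) request_auth[i] = (uint8_t)(0xA0 + i);  // constructed
    std::vector<uint8_t> attrs = {18, 7, 'h', 'e', 'l', 'l', 'o'};        // Reply-Message
    auto resp = build_response(2 /* Access-Accept */, 1, request_auth, attrs, server_secret);
    if (tamper) resp[0] = 3;  // flip the code to Access-Reject after signing
    return Verifier(Config{client_secret}).verify(resp, request_auth);
}
```

`demo("s3cret", "s3cret", false)` is the only call that returns true; a wrong secret or a modified code byte changes the authenticator. The check a practitioner would want for the buggy form is to build with `-fsanitize=address` and exercise `DanglingVerifier` with a secret longer than the small-string buffer: the hash then reads freed heap memory and AddressSanitizer reports it, which is far easier to spot than an authentication that silently never succeeds.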