
Bug#1118479: marked as done (openvpn-auth-radius: fails to authenticate response packets)



Your message dated Fri, 31 Oct 2025 09:17:25 +0000
with message-id <E1vElG9-009w4Y-30@fasolo.debian.org>
and subject line Bug#1118479: fixed in openvpn-auth-radius 2.1-9+deb13u1
has caused the Debian Bug report #1118479,
regarding openvpn-auth-radius: fails to authenticate response packets
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1118479: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118479
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openvpn-auth-radius
Version: 2.1-9
Severity: important
X-Debbugs-Cc: martin.rampersad@emkal.ca

Dear Maintainer,

I recently upgraded one of my boxes to Debian 13 Trixie.

With the same configs, I was unable to authenticate against an unchanged RADIUS
server.

I downloaded the source, removed the 0007 BLASTRadius mitigation patch, and
rebuilt. This allowed me to successfully connect to OpenVPN again.

I reapplied the patch and debugged the issue. I submitted a fix and it has been
accepted into unstable (2.1-10) with many thanks to sthibault.

I believe this bug renders the package completely unusable in stable. There is
a function which authenticates received packets which never succeeds because
the secret key is copied from a temporary string c_str and has garbage in it by
the time it is used to perform the necessary hashes.

Is there a way to get this patch in stable?

Thank you,

Martin Rampersad


-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.48+deb13-amd64 (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openvpn-auth-radius depends on:
ii  libc6        2.41-12
ii  libgcc-s1    14.2.0-19
ii  libgcrypt20  1.11.0-7
ii  libstdc++6   14.2.0-19
ii  openvpn      2.6.14-1

openvpn-auth-radius recommends no packages.

openvpn-auth-radius suggests no packages.

--- End Message ---
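
The lifetime bug described in the report above, as an added C++ illustration (not code from openvpn-auth-radius or from its 0008 patch). ServerConfig, getSharedSecret, keyed_tag and the verify_* functions are hypothetical names, and the FNV-1a checksum is a stand-in for the MD5-based computations RADIUS actually uses.

```cpp
// Added illustration; NOT openvpn-auth-radius source. All names are hypothetical.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical config object whose getter returns the shared secret BY VALUE.
struct ServerConfig {
    std::string secret;
    std::string getSharedSecret() const { return secret; }
};

// Stand-in keyed checksum: FNV-1a over the packet bytes, then the key bytes.
// It only makes the dependency on the key visible; it is not a secure MAC.
uint32_t keyed_tag(const std::vector<uint8_t>& pkt, const char* key, size_t key_len) {
    uint32_t h = 2166136261u;
    for (uint8_t b : pkt) { h ^= b; h *= 16777619u; }
    for (size_t i = 0; i < key_len; ++i) {
        h ^= static_cast<uint8_t>(key[i]);
        h *= 16777619u;
    }
    return h;
}

// BUGGY pattern, shown for contrast and never called: the temporary
// std::string is destroyed at the end of the first statement, so `key`
// dangles and the tag is computed over whatever occupies that memory.
bool verify_dangling(const ServerConfig& cfg, const std::vector<uint8_t>& pkt, uint32_t tag) {
    const char* key = cfg.getSharedSecret().c_str();      // dangling from here on
    return keyed_tag(pkt, key, std::strlen(key)) == tag;  // undefined behaviour
}

// FIXED pattern: hold an owning copy for as long as the bytes are read.
bool verify_owned(const ServerConfig& cfg, const std::vector<uint8_t>& pkt, uint32_t tag) {
    const std::string secret = cfg.getSharedSecret();
    return keyed_tag(pkt, secret.data(), secret.size()) == tag;
}

int main() {
    ServerConfig cfg{"testing123"};              // constructed sample secret
    std::vector<uint8_t> reply = {2, 1, 0, 20};  // constructed sample bytes
    uint32_t tag = keyed_tag(reply, "testing123", 10);
    return verify_owned(cfg, reply, tag) ? 0 : 1;
}
```

Because the dangling read is undefined behaviour, it can appear to work under one compiler or allocator and fail under another; building with AddressSanitizer (-fsanitize=address) is one way to surface this class of bug in testing.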
--- Begin Message ---
Source: openvpn-auth-radius
Source-Version: 2.1-9+deb13u1
Done: Samuel Thibault <sthibault@debian.org>

We believe that the bug you reported is fixed in the latest version of
openvpn-auth-radius, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1118479@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Thibault <sthibault@debian.org> (supplier of updated openvpn-auth-radius package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 26 Oct 2025 18:28:22 +0100
Source: openvpn-auth-radius
Architecture: source
Version: 2.1-9+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Samuel Thibault <sthibault@debian.org>
Closes: 1118479
Changes:
 openvpn-auth-radius (2.1-9+deb13u1) trixie; urgency=medium
 .
   * patches/0008-authenticate-fix: Fix packet authentication
     (Closes: Bug#1118479)


--- End Message ---
