Page 1 of 1

Issues with the openvpn-2.3.15 source release

Posted: Thu May 18, 2017 12:21 pm
by 4367be43a437994fbb137d596406b05c
Downloading ... .15.tar.xz from different locations in Germany gives me a file with MD5 sum fcc00e0c7650a260a606b84d41dda9fa. Downloading the same file from Switzerland gives me a MD5 4367be43a437994fbb137d596406b05c.

Here is the diff:

Code: Select all

diff -r openvpn-2.3.15-de/ChangeLog openvpn-2.3.15-ch/ChangeLog
< Steffan Karger (6):
> Steffan Karger (5):
<       Don't assert out on receiving too-large control packets (CVE-2017-7478)
Only in openvpn-2.3.15-de/sample/sample-plugins/defer: Makefile~
Only in openvpn-2.3.15-de/sample/sample-plugins/defer: defer-w-pf.o
Only in openvpn-2.3.15-de/sample/sample-plugins/defer:
Only in openvpn-2.3.15-de/sample/sample-plugins/defer: test.c~
Only in openvpn-2.3.15-de/sample/sample-plugins/log: log_v3.o
Only in openvpn-2.3.15-de/sample/sample-plugins/log:
Only in openvpn-2.3.15-de/sample/sample-plugins/simple: base64.o
Only in openvpn-2.3.15-de/sample/sample-plugins/simple:
diff -r openvpn-2.3.15-de/src/openvpn/ssl.c openvpn-2.3.15-ch/src/openvpn/ssl.c
<                           if (!buf_copy (in, buf))
<                             {
<                               msg (D_MULTI_DROPPED,
<                                    "Incoming control channel packet too big, dropping.");
<                               goto error;
<                             }
>                           ASSERT (buf_copy (in, buf));

That looks quite obvious like a mistake, but it should be documented somewhere.

Re: Different file versions for openvpn-2.3.15.tar.xz

Posted: Thu May 18, 2017 1:16 pm
by dazo
Yes, unfortunately we managed to make a real mess with the v2.3.15 tarballs. This was a big mistake, and we are truly sorry for that. We were made aware of these issues quite recently.

We're now in the middle of fixing this, so please do await further updates on this thread.