Package: openvpn-auth-radius
Version: 2.1-9
Severity: important
X-Debbugs-Cc: [email protected]

Dear Maintainer,

I recently upgraded one of my boxes to Debian 13 Trixie. With the same configs, I was unable to authenticate against an unchanged RADIUS server.

I downloaded the source, removed the 0007 BLASTRadius mitigation patch, and rebuilt. This allowed me to successfully connect to OpenVPN again.

I reapplied the patch and debugged the issue. I submitted a fix and it has been accepted into unstable (2.1-10) with many thanks to sthibault.

I believe this bug renders the package completely unusable in stable. There is a function which authenticates received packets which never succeeds because the secret key is copied from a temporary string c_str and has garbage in it by the time it is used to perform the necessary hashes.

Is there a way to get this patch in stable?

Thank you,
Martin Rampersad

-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.48+deb13-amd64 (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openvpn-auth-radius depends on:
ii  libc6        2.41-12
ii  libgcc-s1    14.2.0-19
ii  libgcrypt20  1.11.0-7
ii  libstdc++6   14.2.0-19
ii  openvpn      2.6.14-1

openvpn-auth-radius recommends no packages.

openvpn-auth-radius suggests no packages.

