On Thu, Apr 05, 2018 at 11:48:51AM +0200, Roger Price wrote:
> Hi, I had a problem setting up DNS on an openvpn client. I'll describe it
> here before submitting a bug report - I would appreciate comment on the
> security aspects.
> <snip>
>
> Looking more closely at script /etc/openvpn/update-resolv-conf, it begins
> with the line
>
> [ -x /sbin/resolvconf ] || exit 0
>
> File /sbin/resolvconf is not present, because package resolvconf is not a
> prerequisite for openvpn, so the script fails silently! This looks to me
> like a serious security problem. Joe Road-Warrior is out there, connected
> to the "free" Wifi. He follows corporate instructions to turn on his
> openvpn client, but because of the exit 0 he is still using the local
> thoroughly compromised DNS server.
>
apt-cache rdepends resolvconf shows a dependency of openvpn on openresolv,
which according to apt-file provides /sbin/resolvconf (and also, if I am
reading apt-cache output correctly, depends on resolvconf...)

I can only assume one of the dependencies in that stack is a "suggests"
rather than a "depends". If you are going to report a bug probably worth
acknowledging this so you don't get turned away at the door.

...

Yep, checking apt show openvpn, resolvconf is indeed a "suggests".

Mark
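
Added example, not part of either message and not the Debian script: a fail-closed version of the guard quoted above, plus a check that the DNS servers pushed by the VPN actually reached the resolver file. The function names are hypothetical and the addresses in the comments are constructed; it assumes the hook receives pushed options in OpenVPN's foreign_option_N environment variables.

```shell
#!/bin/sh
# Fail-closed helpers for an OpenVPN "up" hook (added example).

# Replacement for `[ -x /sbin/resolvconf ] || exit 0`: say what is wrong
# and return non-zero instead of succeeding silently.
require_resolvconf() {
    bin="${1:-/sbin/resolvconf}"
    if [ ! -x "$bin" ]; then
        echo "update-resolv-conf: $bin missing, VPN DNS not applied" >&2
        return 1
    fi
}

# Print the DNS servers pushed by the VPN server, one per line.
# OpenVPN hands pushed options to hooks as foreign_option_1, _2, ...
# for example: foreign_option_1="dhcp-option DNS 10.8.0.1" (constructed)
pushed_dns() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) printf '%s\n' "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# Return 0 only if every pushed DNS server is a nameserver in the
# resolver file ($1, default /etc/resolv.conf).
check_dns_applied() {
    conf="${1:-/etc/resolv.conf}"
    for ip in $(pushed_dns); do
        awk -v ip="$ip" '$1 == "nameserver" && $2 == ip { f = 1 } END { exit !f }' \
            "$conf" || {
            echo "pushed DNS $ip is not in $conf" >&2
            return 1
        }
    done
    return 0
}
```

In a hook, `require_resolvconf || exit 1` would go before the resolvconf update and `check_dns_applied || exit 1` after it, so the hook reports the failure instead of exiting 0.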