As for the "plugin loading", this patch was sent "with ACK included" to
the openvpn-devel@ list because it was developed under embargo (CVE),
and reviewed and ACKed in a closed group.  I have verified that this
patch is identical to the one that Heiko and the original reporter saw and
ACKed.

It's not very clear if there is a real attack angle here, but generally
speaking this is a local process which only the GUI running on the
same machine should be speaking to, so we do not want arbitrary machines
in the network to be able to connect to its pipe and "try things".

I have test compiled this on MinGW and GHA, but did not actually run it.

Your patch has been applied to the master, release/2.6 and release/2.5
branch (security relevant bugfix).

commit 2c1de0f0803360c0a6408f754066bd3a6fb28237 (master)
commit a95e665041466ec7d4ca6dbf89d22c7950e9ef26 (release/2.6)
commit e0775c042c7908a9b315da8092b436d03abea08a (release/2.5)
Author: Lev Stipakov
Date:   Tue Mar 19 17:16:07 2024 +0200

     interactive.c: disable remote access to the service pipe

     Signed-off-by: Lev Stipakov <l...@openvpn.net>
     Acked-by: Heiko Hund <he...@openvpn.net>
     Message-Id: <20240319151723.936-2-...@openvpn.net>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28419.html
     Signed-off-by: Gert Doering <g...@greenie.muc.de>


--
kind regards,

Gert Doering
