Re: [Openvpn-devel] [PATCH] plugin: load plugin relative to plugindir

2012-07-18 Thread Jonathan K. Bullard
On Wed, Jul 18, 2012 at 10:10 AM, David Sommerseth < openvpn.l...@topphemmelig.net> wrote: > * The computer is configured to allow OpenVPN to run without root > password > Yes. The vulnerability requires configuring the computer to allow *the user* to start OpenVPN *as root* without entering the

Re: [Openvpn-devel] [PATCH] plugin: load plugin relative to plugindir

2012-07-18 Thread David Sommerseth
On 18/07/12 14:44, Jonathan K. Bullard wrote: > On Tue, Jun 26, 2012 at 1:05 PM, Alon Bar-Lev > mailto:alon.bar...@gmail.com>> wrote: > > Currently openvpn requires/endorses specifying full path in plugin > parameter. As build system already aware of

Re: [Openvpn-devel] [PATCH] plugin: load plugin relative to plugindir

2012-07-18 Thread Jonathan K. Bullard
On Wed, Jul 18, 2012 at 9:37 AM, Alon Bar-Lev wrote: > Nobody disables the absolute path use. > This patch permits relative use. > I'm sorry, I misunderstood. So a relative path will now be interpreted as relative to the plugins directory specified at build time, rather than whatever it is relati

Re: [Openvpn-devel] [PATCH] plugin: load plugin relative to plugindir

2012-07-18 Thread Alon Bar-Lev
Nobody disables the absolute path use. This patch permits relative use. On Wed, Jul 18, 2012 at 3:44 PM, Jonathan K. Bullard wrote: > On Tue, Jun 26, 2012 at 1:05 PM, Alon Bar-Lev wrote: >> >> Currently openvpn requires/endorses specifying full path in plugin >> parameter. As build system alread

Re: [Openvpn-devel] [PATCH] plugin: load plugin relative to plugindir

2012-07-18 Thread Alon Bar-Lev
On Wed, Jul 18, 2012 at 4:34 PM, Alon Bar-Lev wrote: > Hi! > > On Wed, Jul 18, 2012 at 2:44 PM, Heiko Hund wrote: >> Hi Alon >> >> On Tuesday 26 June 2012 20:05:02 Alon Bar-Lev wrote: >>> Currently openvpn requires/endorses specifying full path in plugin >>> parameter. >> >> Specifying a custom f

Re: [Openvpn-devel] [PATCH] plugin: load plugin relative to plugindir

2012-07-18 Thread Alon Bar-Lev
Hi! On Wed, Jul 18, 2012 at 2:44 PM, Heiko Hund wrote: > Hi Alon > > On Tuesday 26 June 2012 20:05:02 Alon Bar-Lev wrote: >> Currently openvpn requires/endorses specifying full path in plugin >> parameter. > > Specifying a custom full path is probably something we need to ban in the > (near) futu

Re: [Openvpn-devel] [PATCH] plugin: load plugin relative to plugindir

2012-07-18 Thread Jonathan K. Bullard
On Tue, Jun 26, 2012 at 1:05 PM, Alon Bar-Lev wrote: > Currently openvpn requires/endorses specifying full path in plugin > parameter. As build system already aware of plugin location, it is > possible to load plugin relative to this directory, so full path is not > required nor more secured. > >

Re: [Openvpn-devel] [PATCH] plugin: load plugin relative to plugindir

2012-07-18 Thread Heiko Hund
On Wednesday 18 July 2012 13:44:41 Heiko Hund wrote: > code injection when openvpn is not running as another user or has access to Scratch the "not" please, typo. Heiko -- Heiko Hund | Sr. Software Engineer | Tel +49-721-25516-237 | Fax -200 SOPHOS NSG | Amalienbadstr. 41 Bau 52 | 76227 Karlsruh

Re: [Openvpn-devel] [PATCH] plugin: load plugin relative to plugindir

2012-07-18 Thread Heiko Hund
Hi Alon On Tuesday 26 June 2012 20:05:02 Alon Bar-Lev wrote: > Currently openvpn requires/endorses specifying full path in plugin > parameter. Specifying a custom full path is probably something we need to ban in the (near) future, as it imposes an attack vector for privilege escalation by code

Re: [Openvpn-devel] [PATCH] plugin: load plugin relative to plugindir

2012-06-26 Thread Alon Bar-Lev
On Tue, Jun 26, 2012 at 8:05 PM, Alon Bar-Lev wrote: > Currently openvpn requires/endorses specifying full path in plugin > parameter. As build system already aware of plugin location, it is > possible to load plugin relative to this directory, so full path is not > required nor more secured. > >