SECURITY update to openvpn-2.7.2
fix race condition in TLS handshake that could lead to leaking of packet
data from a previous handshake under specific circumstances
(CVE-2026-40215)
fix server ASSERT() on receiving a suitably malformed packet with
a valid tls-crypt-v2 key (CVE-2026-35058)
Other changes: https://github.com/OpenVPN/openvpn/blob/v2.7.2/Changes.rst
ok naddy@
Simplify PKCS7_get_issuer_and_serial()
The i variable is unused. Likewise for the first assignment to ri.
Instead of an incomplete check that idx is in range, which still
results in a NULL deref if idx < 0, check if ri is not NULL before
accessing, as sk_value() checks the index correctly.
ok jsing kenjiro
lang/gawk: do not pick up gettext-tools in configure
configure picks up xgettext and it is then used during the build, but
to no effect.
Reported by jca@
Drop -Winline from CDIAGFLAGS it breaks on sparc64
On sparc64 ssh/unittests/kex fails to build with:
usr.bin/ssh/libcrux_mlkem768_sha3.h:8196: warning: inlining failed
in call to 'libcrux_ml_kem_polynomial_ZERO_89_ea':
--param max-inline-insns-single limit reached
OK djm@ (long time ago) reminded by tb@
Fix orc riscv64-specific code paths
orc previously failed to build because of inconsistent #ifdefs that
exposed Linux-only calls. While here hook up call to
(__builtin)__clear_cache and correct default assumptions (the 'V'
extension can't be assumed, on any OS).
Prompted by a report from matthieu@, maintainer timeout, ok sthen@
add missing build dep. it wouldn't build without the build dep being
available, so no need for a REVISION bump.
noticed by myself and naddy on arm64 and amd64 bulk package builds.
OK sthen@
x86: rename and clean up __copy_from_user_inatomic_nocache()
From Linus Torvalds
03fd014cd9f3a3d173740ab9c5cbede82fd6322c in linux-6.18.y/6.18.24
5de7bcaadf160c1716b20a263cf8f5b06f658959 in mainline linux
drm/amdkfd: Fix queue preemption/eviction failures by aligning control stack size to GPU page size
From Donet Tom
647fb0dc3818733024fc96c1df1ec3af806b0256 in linux-6.18.y/6.18.24
78746a474e92fc7aaed12219bec7c78ae1bd6156 in mainline linux
Fix difftime() result when it is passed a negative value
We need to cast the result of bitwise AND to time_t before the cast
to double in the HI and LO macros. Otherwise, we get a very large
positive floating point value instead of a negative value.
Reported by Xuntao Chi
drm/amdgpu: Handle GPU page faults correctly on non-4K page systems
From Donet Tom
6a9f2683c66dc54d3598589684c0b3c5cb2862ad in linux-6.18.y/6.18.24
4e9597f22a3cb8600c72fc266eaac57981d834c8 in mainline linux
pf_purge_states() may trip assert(st->timeout == PFTM_UNLINKED)
in pf_free_state(). Once member ->timeout in pf_state structure
reaches PFTM_UNLINKED value, then the ->timeout member must not
not be updated. This diff reminds pfsync(4) to follow PFTM_UNLINKED
rule too. The pfsync(4) currently may accidentally update ->timeout
member while state is being purged, causing pf_purge_states() to
trip the assert.
Issue was kindly reported by Stuart Henderson.
OK @bluhm
fix tx dma segment size
i thought it was weird that an MI driver like ix(4) is using an MD
number like PAGE_SIZE for the maximum segment size in its tx dma
maps. the manual says tx segments can be 16k (and goes into a 16bit
field), so let's try using the documented value here.
the rx descs also use 16 * 1024 as a magic number here, so it's in
keeping with other code in the same driver.
tested by me on arm64 and sparc64 (which has 8k pages)
tested by and ok jan@
SECURITY update to openvpn-2.6.20
fix race condition in TLS handshake that could lead to leaking of packet
data from a previous handshake under specific circumstances
(CVE-2026-40215)
fix server ASSERT() on receiving a suitably malformed packet with
a valid tls-crypt-v2 key (CVE-2026-35058)
Other changes: https://github.com/OpenVPN/openvpn/blob/v2.6.20/Changes.rst