Autore: wirelessduck Data: To: dng Oggetto: Re: [DNG] Openvpn CVE fix in devuan chimaera
> On 25 Jul 2022, at 01:19, Mark Hindley <mark@???> wrote:
>
> Hi,
>
>> On Mon, Jul 25, 2022 at 12:46:09AM +1000, wirelessduck--- via Dng wrote:
>> I saw https://bugs.debian.org/1008015 on the Debian BTS which mentions
>> it was found in openvpn/2.5.1-3, openvpn/2.5.5-1 and fixed in
>> openvpn/2.5.6-1.
>>
>> Devuan chimaera still has openvpn/2.5.1-3+devuan1. Debian bullseye is
>> also still showing openvpn/2.5.1-3 on packages.debian.org/openvpn.
>>
>> How can I check to see if this patch has been applied to the devuan
>> package?
>
> It hasn't, because it hasn't been backported, only fixed upstream in 2.5.6 and 2.4.12.
> It might be possible to do, but is considered a low-priority in Debian[1] and
> doesn't have a DSA.
From my reading of the bug it seems to only affect cases where multiple auth plugins are used together? I would agree that sounds low priority and unlikely to be used in most setups.
>> Also, where do I look to see the differences between debian and devuan
>> packages? I checked git.devuan.org in the suites/unstable branch of
>> devuan/openvpn but that just looks like merge from Debian without any
>> extra patches applied.
>
> That branch is the correct place. If you run
>
> git diff debian/master..suites/unstable
>
> you will get the changes.
>
> Mark
>
> [1] https://tracker.debian.org/pkg/openvpn