On Tue, Sep 6, 2016 at 5:11 AM, David Woodhouse <dwmw2@infradead.org> wrote:
>
> On Sun, 2016-09-04 at 14:07 +0200, Felix Schwarz wrote:
> > Am 04.09.2016 um 13:31 schrieb Jeff Layton:
> > > I sent a patch for this about a year ago. Look in the archives for this
> > > list for:
> > >
> > > [PATCH] vpnc: skip parsing responder lifetime payload
> > >
> > > Unfortunately, vpnc itself is not being actively maintained so it has
> > > not been merged.
> >
> > This is really an unfortunate situation. As far as I'm concerned (Fedora
> > "maintainer") I have a hard time verifying correctness of the patches floating
> > around and as there is little/no technical discussion about the effects
> > (security?) I'm very hesitant to put "random" patches in a Fedora package.
> > I guess many of you remember Debian's openssl debacle.

I use vpnc heavily and have encountered several bugs in it. Often,
it's exactly the situation that you describe: I find a years-old patch
from this mailing list that *seems* to fix or at least suppress the
bug, and build my own personal packages to fix it, with little
understanding of the security implications.

One of the well-known bugs is the issue of incorrect endianness in DPD
sequence numbers. Mihai Maties's patch to fix it is extremely simple
(http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2010-December/003492.html),
and the lack of this patch seems to be the source of a substantial
fraction of the vpnc bug reports in various distros and forums.

One of these patches seems

> > As a way forward I could envision a github repo where someone brave enough
> > could collect these patches and try to get other people to comment if these
> > patches are safe or not (adding Reviewed-by/Acked-by tags in git). Maybe this
> > could provide a way to establish a new "upstream" where at least the most
> > common problems are fixed.
> >
> > If I see some kind of community and at least a basic review process I guess
> > Fedora could also import these patches.
>
> I'm almost tempted to suggest that we add IPSec support to OpenConnect
> and start to retire vpnc completely.
>
> I thought about it before, but decided it wasn't a good idea. But that
> was a while ago.

That would be an ideal solution in my opinion.

In addition to the security and maintainability issues, vpnc users
would also get the more modern command line interface, ocproxy
interface, and better debugging features of OpenConnect. (I'm
constantly wrangling new corporate VPNs, so being able to quickly
understand and diagnose non-standard behavior is a big plus for me!)

Dan