security update in Fedora EPEL 7 for openvpn

Status: stable 2 years ago

Updates to the latest upstream release, OpenVPN 2.4.3, which contains security fixes for CVE-2017-7508, CVE-2017-7520 and CVE-2017-7521. This update also re-enables the automatic restart of OpenVPN for subsequent updates; for this update, the restart needs to be done manually.

How to install

sudo dnf upgrade --advisory=FEDORA-EPEL-2017-79e30f9d33

Comments 9

This update has been submitted for testing by dsommers.

This update has been pushed to testing.

Tested as VPN server

karma: +1

This update has been submitted for stable by bodhi.

Is there a specific reason you enabled auto restart (again)? Will it restart all server profiles from /etc/openvpn-server that are enabled with systemctl?

It may be a bit tricky for us, as we generally install updates, but then choose a later time to restart the OpenVPN server processes... Is it possible to disable this behavior?

In any case, thanks for the heads up, will consider this on the next update.

This update has been pushed to stable.

@fkooman, Fun fact: I got complaints that updates didn't restart the openvpn services.

Yes, it should restart all profiles on the server. It is not something we can change now; the cat is already out of the bag. So the next update will restart the service anyhow, also if we add some "tunable feature" in the next update - it will be restarted regardless.

But I can look at adding a "don't restart" feature. For example something like checking if a file named /etc/openvpn/server/.update-no-restart exists or not. I'm not saying that's how it will be, but that is one plausible solution.

So to the longer answer why this was changed. When I cleaned up the .spec file, a lot of moving parts had to be changed at the same time (otherwise we wouldn't be finished with the clean up until after the next 5-6 updates). A lot of the changes involved moving over to standardized RPM macros for doing a lot of things. So I chose to ensure we don't break running services needlessly on automated updates until the dust had settled a bit. And now it felt like the right time to do what most users expect.

But I can look at adding a "don't restart" feature.

That would be cool, but maybe you don't need to invest time in this if I'm the only one who wants this, something can be said for both approaches. I think also Debian always restarts daemons on update, but not completely sure...

And now it felt like the right time to do what most users expect.

Fair enough. I guess installing updates outside maintenance windows without rebooting/restarting can be unstable/dangerous anyway. So we'll live :-)

Thanks for the explanation!

stable threshold: 2
unstable threshold: -1
submitted 2 years ago
in testing 2 years ago
in stable 2 years ago

Related Bugs 2

#1463644 CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 CVE-2017-7522 openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17 [epel-all]
#1463647 openvpn-2.4.3 is available
