)]}'
{"id":"openvpn~1184","triplet_id":"openvpn~release%2F2.6~I6752dcd5aff3e5cea2b439366479e86751a1c403","project":"openvpn","branch":"release/2.6","attention_set":{},"removed_from_attention_set":{"1000003":{"account":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"last_update":"2025-09-17 09:59:40.000000000","reason":"Change was submitted"},"1000002":{"account":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"last_update":"2025-09-17 09:59:40.000000000","reason":"Change was submitted"},"1000001":{"account":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"last_update":"2025-09-17 09:59:40.000000000","reason":"Change was submitted"},"1000030":{"account":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"last_update":"2025-09-16 15:21:48.000000000","reason":"removed on reply"}},"hashtags":[],"change_id":"I6752dcd5aff3e5cea2b439366479e86751a1c403","subject":"Check message id/acked ids too when doing sessionid cookie checks","status":"MERGED","created":"2025-09-15 10:16:14.000000000","updated":"2025-09-17 09:59:40.000000000","submitted":"2025-09-17 09:59:40.000000000","submitter":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"total_comment_count":1,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"1184","meta_rev_id":"cefcd21d2b3d33080a5d0d9a2ce941759f8b86f8","_number":1184,"virtual_id_number":1184,"owner":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"actions":{},"labels":{"Code-Review":{"all":[{"value":0,"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},{"value":0,"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"}],"values":{"-2":"This shall not be submitted","-1":"I would prefer this is not submitted as is"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me, approved"},"description":"","default_value":0}},"removable_reviewers":[{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."}],"reviewers":{"CC":[{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"}],"REVIEWER":[{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2025-09-15 10:16:14.000000000","updated_by":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"reviewer":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"state":"REVIEWER"},{"updated":"2025-09-15 10:16:14.000000000","updated_by":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"reviewer":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"state":"REVIEWER"},{"updated":"2025-09-15 10:16:15.000000000","updated_by":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"reviewer":{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"},"state":"CC"},{"updated":"2025-09-15 10:16:15.000000000","updated_by":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"reviewer":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"state":"REVIEWER"}],"messages":[{"id":"7006ac89d57ff20dc185af48760361e1283c975c","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-09-15 10:16:14.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"440debc4ebe6a81ecf4d9826d89dda08e6de9f19","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-09-15 10:17:14.000000000","message":"Patch Set 1:\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"bb7903de80bc1c4473a92ef00a32bf957822b637","author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"date":"2025-09-16 15:21:48.000000000","message":"Patch Set 1: Code-Review+2","accounts_in_message":[],"_revision_number":1},{"id":"cefcd21d2b3d33080a5d0d9a2ce941759f8b86f8","tag":"autogenerated:gerrit:merged","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-09-17 09:59:40.000000000","message":"Change has been successfully pushed.","accounts_in_message":[],"_revision_number":2}],"current_revision_number":2,"current_revision":"68c01720eecc1772b3f648b9e043e396d943f632","revisions":{"2bde8a54b5a4f8af9d698e6fdaf4a6ad2017463c":{"kind":"REWORK","_number":1,"created":"2025-09-15 10:16:14.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/84/1184/1","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/84/1184/1","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/84/1184/1 \u0026\u0026 git checkout -b change-1184 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/84/1184/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/84/1184/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/84/1184/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/84/1184/1","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/84/1184/1 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"d383d6ed6270b8d1f95716d08e9da3dd0d712f2d","subject":"win: replace wmic invocation with powershell"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-08-19 21:22:09.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-15 10:15:56.000000000","tz":120},"subject":"Check message id/acked ids too when doing sessionid cookie checks","message":"Check message id/acked ids too when doing sessionid cookie checks\n\nThis fixes that control packets on a floating client can trigger\ncreating a new session in special circumstances:\n\nTo trigger this circumstance a connection needs to\n\n- starts on IP A\n- successfully floats to IP B by data packet\n- then has a control packet from IP A before any\n  data packet can trigger the float back to IP A\n\nand all of this needs to happen in the 60s time\nthat hmac cookie is valid in the default\nconfiguration.\n\nIn this scenario we would trigger a new connection as the HMAC\nsession id would be valid.\n\nThis patch adds checking also of the message-id and acked ids to\ndiscern packet from the initial three-way handshake where these\nids are 0 or 1 from any later packet.\n\nThis will now trigger (at verb 4 or higher) a messaged like:\n\n   Packet (P_ACK_V1) with invalid or missing SID\n\ninstead.\n\nAlso remove a few duplicated free_tls_pre_decrypt_state in test_ssl.\n\nReported-By: Walter Doekes \u003cwalter.openvpn@wjd.nu\u003e\nTested-By: Walter Doekes \u003cwalter.openvpn@wjd.nu\u003e\n\nChange-Id: I6752dcd5aff3e5cea2b439366479e86751a1c403\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\nAcked-by: MaxF \u003cmax@max-fillinger.net\u003e\nMessage-Id: \u003c20250819212214.16218-1-gert@greenie.muc.de\u003e\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32626.html\nSigned-off-by: Gert Doering \u003cgert@greenie.muc.de\u003e\n"},"branch":"refs/heads/release/2.6"},"68c01720eecc1772b3f648b9e043e396d943f632":{"kind":"NO_CODE_CHANGE","_number":2,"created":"2025-09-17 09:59:40.000000000","uploader":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"ref":"refs/changes/84/1184/2","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/84/1184/2","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/84/1184/2 \u0026\u0026 git checkout -b change-1184 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/84/1184/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/84/1184/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/84/1184/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/84/1184/2","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/84/1184/2 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"d383d6ed6270b8d1f95716d08e9da3dd0d712f2d","subject":"win: replace wmic invocation with powershell"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-09-16 15:52:50.000000000","tz":120},"committer":{"name":"Gert Doering","email":"gert@greenie.muc.de","date":"2025-09-17 09:41:45.000000000","tz":120},"subject":"Check message id/acked ids too when doing sessionid cookie checks","message":"Check message id/acked ids too when doing sessionid cookie checks\n\nThis fixes that control packets on a floating client can trigger\ncreating a new session in special circumstances:\n\nTo trigger this circumstance a connection needs to\n\n- starts on IP A\n- successfully floats to IP B by data packet\n- then has a control packet from IP A before any\n  data packet can trigger the float back to IP A\n\nand all of this needs to happen in the 60s time\nthat hmac cookie is valid in the default\nconfiguration.\n\nIn this scenario we would trigger a new connection as the HMAC\nsession id would be valid.\n\nThis patch adds checking also of the message-id and acked ids to\ndiscern packet from the initial three-way handshake where these\nids are 0 or 1 from any later packet.\n\nThis will now trigger (at verb 4 or higher) a messaged like:\n\n   Packet (P_ACK_V1) with invalid or missing SID\n\ninstead.\n\nAlso remove a few duplicated free_tls_pre_decrypt_state in test_ssl.\n\nReported-By: Walter Doekes \u003cwalter.openvpn@wjd.nu\u003e\nTested-By: Walter Doekes \u003cwalter.openvpn@wjd.nu\u003e\n\nChange-Id: I6752dcd5aff3e5cea2b439366479e86751a1c403\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\nAcked-by: MaxF \u003cmax@max-fillinger.net\u003e\nGerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1184\nMessage-Id: \u003c20250916155258.6864-1-gert@greenie.muc.de\u003e\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32990.html\nSigned-off-by: Gert Doering \u003cgert@greenie.muc.de\u003e\n(backported from commit 518e122b42739b0dbb54e7169a8a3aadb4773125)\n"},"branch":"refs/heads/release/2.6"}},"requirements":[],"submit_records":[],"submit_requirements":[]}