File openvpn-CVE-2018-7544.patch of Package openvpn.19454
@@ -2544,54 +2544,52 @@ the compression efficiency will be very
compression for a period of time until the next re-sample test.
+.B \-\-management socket\-name unix [pw\-file] \ \ \ \ \ (recommended)
.B \-\-management IP port [pw-file]
-Enable a TCP server on
-to handle daemon management functions.
-is a password file (password on first line)
-or "stdin" to prompt from standard input. The password
-provided will set the password which TCP clients will need
-to provide in order to access management functions.
-The management interface can also listen on a unix domain socket,
-for those platforms that support it. To use a unix domain socket, specify
-the unix socket pathname in place of
-to 'unix'. While the default behavior is to create a unix domain socket
-that may be connected to by any process, the
+Enable a management server on a
+Unix socket on those platforms supporting it, or on
+a designated TCP port.
+, if specified, is a password file where the password must be on first line.
+Instead of a filename it can use the keyword stdin which will prompt the user
+for a password to use when OpenVPN is starting.
+For unix sockets, the default behaviour is to create a unix domain socket
+that may be connected to by any process. Use the
-directives can be used to restrict access.
+directives to restrict access.
+The management interface provides a special mode where the TCP management link
+can operate over the tunnel itself. To enable this mode, set IP to
+Tunnel mode will cause the management interface to listen for a
+TCP connection on the local VPN address of the TUN/TAP interface.
+of enabling the management interface over TCP. In these cases you should
+make use of
+to password protect the management interface. Any user who can connect to this
+will be able to manage and control (and interfere with) the OpenVPN process.
+It is also strongly recommended to set IP to 127.0.0.1 (localhost) to restrict
+accessibility of the management server to local clients.
+While the management port is designed for programmatic control of OpenVPN by
+other applications, it is possible to telnet to the port, using a telnet client
+in "raw" mode. Once connected, type "help" for a list of commands.
+For detailed documentation on the management interface, see the
+file in the management folder of the OpenVPN source distribution.
-The management interface provides a special mode where the TCP
-management link can operate over the tunnel itself. To enable this mode,
-= "tunnel". Tunnel mode will cause the management interface
-to listen for a TCP connection on the local VPN address of the
-While the management port is designed for programmatic control
-of OpenVPN by other applications, it is possible to telnet
-to the port, using a telnet client in "raw" mode. Once connected,
-type "help" for a list of commands.
-For detailed documentation on the management interface, see
-the management\-notes.txt file in the
-the OpenVPN source distribution.
-It is strongly recommended that
-be set to 127.0.0.1
-(localhost) to restrict accessibility of the management
-server to local clients.
Management interface will connect as a TCP/unix domain client to
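Review bot: the option-name hyphen escaping is inconsistent between the two synopsis lines: the added `.B \-\-management socket\-name unix [pw\-file]` escapes every hyphen, while the existing `.B \-\-management IP port [pw-file]` leaves `pw-file` unescaped, so groff may render one as a real hyphen-minus and the other as a typographic hyphen; escape both the same way. Two documentation points on the rewritten prose: the new line "of enabling the management interface over TCP" starts mid-sentence and "To enable this mode, set IP to" ends without its value, so check the rendered page to confirm the surrounding font-macro lines supply "tunnel" and the start of that sentence; and since the text now recommends the unix socket form and tells the reader to "Use the ... directives to restrict access", it would help to spell out that those are the --management-client-user / --management-client-group directives referenced by the usage message in the options.c hunk, and that the 127.0.0.1 recommendation still matters even with a pw-file, because any process that can reach the port can control the OpenVPN process.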
@@ -2175,6 +2175,14 @@ options_postprocess_verify_ce(const stru
msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
+ if (!(options->management_flags & MF_UNIX_SOCK)
+ && (!options->management_user_pass))
+ msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
+ "passwords is STRONGLY discouraged and considered insecure");
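Review bot: the new check only covers the password-less case, whereas the man page change in this same patch also says it is "strongly recommended to set IP to 127.0.0.1"; a TCP management port bound to a non-loopback address with a password still exposes the interface to every host that can reach it, so consider a second M_WARN when the management address is not a loopback address, and consider mentioning --management-client-user/group or the unix-socket form in the warning text so the operator sees the recommended alternative. Minor: as shown, the `msg(M_WARN, ...)` body of the single-statement `if` is not wrapped in braces, which OpenVPN's coding style requires.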