File openvpn.changes of Package openvpn
xxxxxxxxxx1
-------------------------------------------------------------------2
Fri Jan 27 09:38:27 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>3
4
- bsc#1202792: --enable-iproute2 added back as default option. 5
6
-------------------------------------------------------------------7
Tue Apr 26 15:56:42 UTC 2022 - Reinhard Max <max@suse.com>8
9
- bsc#1123557: --suppress-timestamps isn't needed by default.10
11
-------------------------------------------------------------------12
Wed Mar 23 09:10:31 UTC 2022 - Reinhard Max <max@suse.com>13
14
- update to 2.5.6:15
* bsc#1197341, CVE-2022-0547: possible authentication bypass in16
external authentication plug-in17
* Fix "--mtu-disc maybe|yes" on Linux18
* Fix $common_name variable passed to scripts when19
username-as-common-name is in effect.20
* Fix potential memory leaks in add_route() and add_route_ipv6().21
* Apply connect-retry backoff only to one side of the connection22
in p2p mode.23
* repair "--inactive" handling with a 'bytes' parameter larger24
than 2 Gbytes.25
* new plugin (sample-plugin/defer/multi-auth.c) to help testing26
with multiple parallel plugins that succeed/fail in27
direct/deferred mode.28
29
-------------------------------------------------------------------30
Thu Feb 10 13:36:16 UTC 2022 - Reinhard Max <max@suse.com>31
32
- Fix license tag in spec file.33
34
-------------------------------------------------------------------35
Wed Dec 15 21:21:35 UTC 2021 - Dirk Müller <dmueller@suse.com>36
37
- update to 2.5.5:38
* SWEET32/64bit cipher deprecation change was postponed to 2.739
* improve "make check" to notice if "openvpn --show-cipher" crashes40
* improve argv unit tests41
* ensure unit tests work with mbedTLS builds without BF-CBC ciphers42
* include "--push-remove" in the output of "openvpn --help"43
* fix error in iptables syntax in example firewall.sh script44
* fix "resolvconf -p" invocation in example "up" script45
* fix "common_name" environment for script calls when46
"--username-as-common-name" is in effect (Trac #1434)47
* move "push-peer-info" documentation from "server options" to "client"48
* correct "foreign_option_{n}" typo in manpage49
* README.down-root: fix plugin module name50
51
-------------------------------------------------------------------52
Wed Dec 8 14:40:22 UTC 2021 - Reinhard Max <max@suse.com>53
54
- Drop 0001-preform-deferred-authentication-in-the-background.patch55
Upstream has meanwhile solved this differently and the two56
implementations interfere (boo#1193017).57
- Obsoleted SLE patches up to this point:58
* openvpn-CVE-2020-15078.patch59
* openvpn-CVE-2020-11810.patch60
* openvpn-CVE-2018-7544.patch61
* openvpn-CVE-2018-9336.patch62
63
-------------------------------------------------------------------64
Sat Dec 4 15:52:46 UTC 2021 - Jan Engelhardt <jengelh@inai.de>65
66
- Avoid bashisms and use POSIX sh syntax.67
- Use more efficient find commands.68
- Trim marketing filler words from description.69
70
-------------------------------------------------------------------71
Sat Oct 16 10:05:25 UTC 2021 - Dirk Müller <dmueller@suse.com>72
73
- update to 2.5.4:74
* fix prompting for password on windows console if stderr redirection75
is in use - this breaks 2.5.x on Win11/ARM, and might also break76
on Win11/adm64 when released.77
* fix setting MAC address on TAP adapters (--lladdr) to use sitnl78
(was overlooked, and still used "ifconfig" calls)79
* various improvements for man page building (rst2man/rst2html etc)80
* minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on81
at least one platform strictly checking this)82
* fix minor memory leak under certain conditions in add_route() and83
add_route_ipv6()84
* documentation improvements85
* copyright updates where needed86
* better error reporting when win32 console access fails87
88
-------------------------------------------------------------------89
Thu Aug 5 14:07:14 UTC 2021 - Reinhard Max <max@suse.com>90
91
- Update to 2.5.3:92
93
* Removal of BF-CBC support in default configuration94
*** POSSIBLE INCOMPATIBILITY ***95
See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8).96
97
* Connections setup is now much faster98
* Support ChaCha20-Poly1305 cipher in the OpenVPN data channel99
* Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer100
* Client-specific tls-crypt keys (--tls-crypt-v2)101
* Improved Data channel cipher negotiation102
* HMAC based auth-token support for seamless reconnects to103
standalone servers or a group of servers104
* Asynchronous (deferred) authentication support for auth-pam105
plugin106
* Asynchronous (deferred) support for client-connect scripts and107
plugins108
* Support IPv4 configs with /31 netmasks109
* 802.1q VLAN support on TAP servers110
* Support IPv6-only tunnels111
* New option --block-ipv6 to reject all IPv6 packets (ICMPv6)112
* Support Virtual Routing and Forwarding (VRF)113
* Netlink integration (OpenVPN no longer needs to execute114
ifconfig/route or ip commands)115
* Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch116
117
- bsc#1062157: The fix for bsc#934237 causes problems with the118
crypto self-test of newer openvpn versions.119
Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch .120
121
-------------------------------------------------------------------122
Mon May 31 15:29:08 UTC 2021 - Dirk Müller <dmueller@suse.com>123
124
- update to 2.4.11 (bsc#1185279):125
* CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements126
127
* This bug allows - under very specific circumstances - to trick a server using128
delayed authentication (plugin or management) into returning a PUSH_REPLY129
before the AUTH_FAILED message, which can possibly be used to gather130
information about a VPN setup.131
* In combination with "--auth-gen-token" or an user-specific token auth132
solution it can be possible to get access to a VPN with an133
otherwise-invalid account.134
* Fix potential NULL ptr crash if compiled with DMALLOC135
- drop sysv init support, it hasn't build successfully in ages136
and is build-disabled in devel project137
138
-------------------------------------------------------------------139
Sun Apr 25 19:24:56 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>140
141
- update 'rcopenvpn' to work without /etc/rc.status (boo#1185273)142
143
-------------------------------------------------------------------144
Wed Jan 6 17:15:13 UTC 2021 - Dirk Müller <dmueller@suse.com>145
146
- update to 2.4.10:147
- OpenVPN client will now announce the acceptable ciphers to the server148
(IV_CIPHER=...), so NCP cipher negotiation works better149
- Parse static challenge response in auth-pam plugin150
- Accept empty password and/or response in auth-pam plugin151
- Log serial number of revoked certificate152
- Fix tls_ctx_client/server_new leaving error on OpenSSL error stack153
- Fix auth-token not being updated if auth-nocache is set154
(this should fix all remaining client-side bugs for the combination155
"auth-nocache in client-config" + "auth-token in use on the server")156
- Fix stack overflow in OpenSolaris and *BSD NEXTADDR()157
- Fix error detection / abort in --inetd corner case (#350)158
- Fix TUNSETGROUP compatibility with very old Linux systems (#1152)159
- Fix handling of 'route remote_host' for IPv6 transport case160
(#1247 and #1332)161
- Fix --show-gateway for IPv6 on NetBSD/i386 (#734)162
- A number of documentation improvements / clarification fixes.163
- Fix line number reporting on config file errors after <inline> segments164
- Fix fatal error at switching remotes (#629)165
- socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848)166
- Switch "ks->authenticated" assertion failure to returning false (#1270)167
168
- refresh 0001-preform-deferred-authentication-in-the-background.patch169
openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10170
171
-------------------------------------------------------------------172
Fri Sep 11 11:52:54 UTC 2020 - Dirk Mueller <dmueller@suse.com>173
174
- update to 2.4.9 (CVE-2020-11810, bsc#1169925O):175
* Allow unicode search string in --cryptoapicert option (Windows)176
* Skip expired certificates in Windows certificate store (Windows) (trac #966)177
* OpenSSL: Fix --crl-verify not loading multiple CRLs in one file (trac #623)178
* fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").179
This can be used to disrupt service to a freshly connected client (no session180
keys negotiated yet). It can not be used to inject or steal VPN traffic.181
CVE-2020-11810).182
* fix combination of async push (deferred auth) and NCP (trac #1259)183
* Fix OpenSSL 1.1.1 not using auto elliptic curve selection (trac #1228)184
* Fix OpenSSL error stack handling of tls_ctx_add_extra_certs185
* mbedTLS: Make sure TLS session survives move (trac #880)186
* Fix OpenSSL private key passphrase notices187
* Fix building with --enable-async-push in FreeBSD (trac #1256)188
* Fix broken fragmentation logic when using NCP (trac #1140)189
190
-------------------------------------------------------------------191
Wed Aug 26 17:12:44 UTC 2020 - Franck Bui <fbui@suse.com>192
193
- Modernize openvpn.service194
* /var/run has been obsoleted since a long time.195
* on reload, send HUP signal directly rather than relying on196
killproc to look for the main process.197
198
-------------------------------------------------------------------199
Wed Aug 26 17:00:43 UTC 2020 - Franck Bui <fbui@suse.com>200
201
- Explicitly requires sysvinit-tools as some of the tools shipped by202
this package are used in various places regardless of whether203
openvpn is built for systemd or non systemd systems.204
205
For the context: sysvinit-tools was pulled in by systemd since 2014206
but it's no longer the case so better to be safe than sorry.207
208
-------------------------------------------------------------------209
Wed Mar 4 07:30:38 UTC 2020 - Fabian Vogt <fabian@ritter-vogt.de>210
211
- Fix inconsistency in openvpn.service:212
* It uses the unescape instance name as config file basename,213
so use that in the description as well214
215
-------------------------------------------------------------------216
Fri Jan 24 11:22:01 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>217
218
- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to219
shortcut through the -mini flavors.220
- Use %systemd_ordering instead of systemd_requires: in fact,221
systemd is not a hard requirement for openvpn. But in case a222
system is being installed with systemd, we want systemd to be223
there before openvpn is being installed.224
225
-------------------------------------------------------------------226
Tue Jan 7 21:28:42 UTC 2020 - Bjørn Lie <bjorn.lie@gmail.com>227
228
- Update to version 2.4.8:229
* mbedtls: fix segfault by calling mbedtls_cipher_free() in230
cipher_ctx_free()231
* cleanup: Remove RPM openvpn.spec build approach232
* docs: Update INSTALL233
* build: Package missing mock_msg.h234
* Increase listen() backlog queue to 32235
* Force combinationation of --socks-proxy and --proto UDP to use236
IPv4.237
* Wrong FILETYPE in .rc files238
* Do not set pkcs11-helper 'safe fork mode'239
* tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex.240
* Fix various compiler warnings241
* Fix regression, reinstate LibreSSL support.242
* man: correct the description of --capath and --crl-verify243
regarding CRLs244
* Fix typo in NTLM proxy debug message245
* Ignore --pull-filter for --mode server246
* openssl: Fix compilation without deprecated OpenSSL 1.1 APIs247
* Better error message when script fails due to script-security248
setting249
* Correct the return value of cryptoapi RSA signature callbacks250
* Handle PSS padding in cryptoapicert251
* cmocka: use relative paths252
* Fix documentation of tls-verify script argument253
254
-------------------------------------------------------------------255
Thu Dec 19 15:30:15 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>256
257
- BuildRequire pkgconfig(libsystemd) instead of systemd-devel:258
Allow OBS to shortcut through the -mini flavors.259
260
-------------------------------------------------------------------261
Wed Sep 18 06:52:56 UTC 2019 - Michal Hrusecky <michal.hrusecky@opensuse.org>262
263
- Add p11kit build time dependency for pkcs providers autodetection264
265
-------------------------------------------------------------------266
Mon Jul 29 07:43:00 UTC 2019 - Reinhard Max <max@suse.com>267
268
- Clarify in the service file that the reload action doesn't work269
when dropping root privileges (boo#1142830).270
271
-------------------------------------------------------------------272
Tue Jun 25 19:15:00 UTC 2019 - Michael Ströder <michael@stroeder.com>273
274
- Updated openvpn.keyring with public key downloaded from275
https://swupdate.openvpn.net/community/keys/security-key-2019.asc276
277
-------------------------------------------------------------------278
Thu Feb 21 18:26:42 UTC 2019 - Franck Bui <fbui@suse.com>279
280
- Drop use of $FIRST_ARG in openvpn.spec281
282
The use of $FIRST_ARG was probably required because of the283
%service_* rpm macros were playing tricks with the shell positional284
parameters. This is bad practice and error prones so let's assume285
that no macros should do that anymore and hence it's safe to assume286
that positional parameters remains unchanged after any rpm macro287
call.288
289
-------------------------------------------------------------------290
Wed Feb 20 21:22:25 UTC 2019 - Michael Ströder <michael@stroeder.com>291
292
- Update to 2.4.7:293
Adam Ciarcin?ski (1):294
* Fix subnet topology on NetBSD (2.4).295
Antonio Quartulli (3):296
* add support for %lu in argv_printf and prevent ASSERT297
* buffer_list: add functions documentation298
* ifconfig-ipv6(-push): allow using hostnames299
Arne Schwabe (7):300
* Properly free tuntap struct on android when emulating persist-tun301
* Add OpenSSL compat definition for RSA_meth_set_sign302
* Add support for tls-ciphersuites for TLS 1.3303
* Add better support for showing TLS 1.3 ciphersuites in --show-tls304
* Use right function to set TLS1.3 restrictions in show-tls305
* Add message explaining early TLS client hello failure306
* Fallback to password authentication when auth-token fails307
Christian Ehrhardt (1):308
* systemd: extend CapabilityBoundingSet for auth_pam309
David Sommerseth (1):310
* plugin: Export base64 encode and decode functions311
Gert Doering (3):312
* Add %d, %u and %lu tests to test_argv unit tests.313
* Fix combination of --dev tap and --topology subnet across multiple platforms.314
* Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.315
Gert van Dijk (1):316
* Minor reliability layer documentation fixes317
James Bekkema (1):318
* Resolves small IV_GUI_VER typo in the documentation.319
Jonathan K. Bullard (1):320
* Clarify and expand management interface documentation321
Lev Stipakov (5):322
* Refactor NCP-negotiable options handling323
* init.c: refine functions names and description324
* interactive.c: fix usage of potentially uninitialized variable325
* options.c: fix broken unary minus usage326
* Remove extra token after #endif327
Richard van den Berg via Openvpn-devel (1):328
* Fix error message when using RHEL init script329
Samy Mahmoudi (1):330
* man: correct a --redirection-gateway option flag331
Selva Nair (7):332
* Replace M_DEBUG with D_LOW as the former is too verbose333
* Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'334
* Bump version of openvpn plugin argument structs to 5335
* Move get system directory to a separate function336
* Enable dhcp on tap adapter using interactive service337
* Pass the hash without the DigestInfo header to NCryptSignHash()338
* White-list pull-filter and script-security in interactive service339
Simon Rozman (2):340
* Add Interactive Service developer documentation341
* Detect TAP interfaces with root-enumerated hardware ID342
Steffan Karger (7):343
* man: add security considerations to --compress section344
* mbedtls: print warning if random personalisation fails345
* Fix memory leak after sighup346
* travis: add OpenSSL 1.1 Windows build347
* Fix --disable-crypto build348
* Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'349
* buffer_list_aggregate_separator(): simplify code350
351
-------------------------------------------------------------------352
Fri Apr 27 12:25:19 UTC 2018 - max@suse.com353
354
- Update to 2.4.6:355
* CVE-2018-9336, bsc#1090839: Fix potential double-free() in356
Interactive Service357
* Delete the IPv6 route to the "connected" network on tun close358
* Management: warn about password only when the option is in use359
* Avoid overflow in wakeup time computation360
361
-------------------------------------------------------------------362
Tue Apr 10 14:29:18 UTC 2018 - max@suse.com363
364
- Remove --askpass again, because it was also asking for a password365
when none was needed. As a workaround for keys that need a366
password, the "askpass" statement should be added to the config367
file (bsc#1078026).368
- Use Type=notify in openvpn.service to reflect what openvpn is369
actually doing.370
- Import the new signing key from upstream.371
- Remove obsolete configure switch --enable-password-save .372
373
-------------------------------------------------------------------374
Tue Mar 13 01:32:52 UTC 2018 - avindra@opensuse.org375
376
- Update to 2.4.5377
* New features378
+ The new option --tls-cert-profile can be used to restrict the379
set of allowed crypto algorithms in TLS certificates in mbed380
TLS builds. The default profile is 'legacy' for now, which381
allows SHA1+, RSA-1024+ and any elliptic curve certificates.382
The default will be changed to the 'preferred' profile in the383
future, which requires SHA2+, RSA-2048+ and any curve.384
+ openvpnserv: Add support for multi-instances (to support385
multiple parallel OpenVPN installations, like EduVPN and386
regular OpenVPN)387
+ Use P_DATA_V2 for server->client packets too (better packet388
alignment)389
+ improve management interface documentation390
(bsc#1085803, CVE-2018-7544)391
+ rework registry key handling for OpenVPN service, notably392
making most registry values optional, falling back to393
reasonable defaults394
+ accept IPv6 address for pushed "dhcp-option DNS ..." (make395
OpenVPN 2 option compatible with OpenVPN 3 iOS and Android396
clients)397
* Bug fixes398
+ Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+399
+ Fix lots of compiler warnings (format string, type casts, ...)400
+ reload HTTP proxy credentials when moving to the next401
connection profile402
+ Fix build with LibreSSL (multiple times)403
+ Remove non-useful warning on pushed tun-ipv6 option.404
+ autoconf: Fix engine checks for openssl 1.1405
+ lz4: Rebase compat-lz4 against upstream v1.7.5406
+ lz4: Fix broken builds when pkg-config is not present but407
system library is408
+ Fix '--bind ipv6only'409
+ Allow learning iroutes with network made up of all 0s410
- Includes 2.4.4411
* Bug fixes412
+ Fix issues when a pushed cipher via the Negotiable Crypto413
Parameters (NCP) is rejected by the remote side414
+ Ignore --keysize when NCP have resulted in a changed cipher415
+ Configurations using --auth-nocache and the management416
interface to provide user credentials (like NetworkManager)417
on client side with servers implementing authentication418
tokens (for example, using --auth-gen-token) will now behave419
correctly and not query the user for an, to them, unknown420
authentication token on renegotiations of the tunnel.421
+ Invalid or corrupt SOCKS port number when changing the proxy422
via the management interface.423
+ man page should now have proper escaping of hyphen/minus424
characters and other minor corrections.425
* User-visible Changes426
+ Linux servers with systemd which use the openvpn-server@.service427
unit file for server configurations will now utilize the428
automatic restart feature in systemd. If the OpenVPN server429
process dies unexpectedly, systemd will ensure the OpenVPN430
configuration will be restarted automatically.431
* Deprecated432
+ --no-replay (will be removed in 2.5)433
+ --keysize (will be removed in 2.6)434
* Security435
+ CVE-2017-12166: Fix bounds check for configurations using436
--key-method 1. Before this fix, attackers could send a437
malformed packet to trigger a stack overflow. This is438
considered to be a low risk issue, as --key-method 2 has439
been the default since 2.0 (released on 2005-04-17). This440
option is already deprecated in v2.4 and will be completely441
removed in v2.5.442
- Rebase openvpn-fips140-2.3.2.patch443
- Drop 0002-Fix-bounds-check-in-read_key.patch444
* upstreamed in c7e259160b28e94e4ea7f0ef767f8134283af255445
- Partial cleanup with spec-cleaner446
447
-------------------------------------------------------------------448
Tue Feb 13 17:49:09 UTC 2018 - max@suse.com449
450
- Add --askpass to ExecStart, so that the user name and password451
are correctly being queried from the user.452
(bsc#1078026, boo#985798, boo#1031748)453
- Use %service_add/del macros throughout (bsc#1038406).454
455
-------------------------------------------------------------------456
Thu Nov 23 13:52:15 UTC 2017 - rbrown@suse.com457
458
- Replace references to /var/adm/fillup-templates with new 459
%_fillupdir macro (boo#1069468)460
461
-------------------------------------------------------------------462
Tue Oct 10 14:10:30 CEST 2017 - ndas@suse.de463
464
- Do bound check in read_key before using values(CVE-2017-12166 bsc#1060877).465
[+ 0002-Fix-bounds-check-in-read_key.patch]466
467
-------------------------------------------------------------------468
Fri Aug 11 13:43:39 UTC 2017 - sebix+novell.com@sebix.at469
470
- Do not package empty /usr/lib64/tmpfiles.d471
472
-------------------------------------------------------------------473
Fri Jun 23 11:47:38 CEST 2017 - ndas@suse.de474
475
- Update to 2.4.3 (bsc#1045489)476
- Ignore auth-nocache for auth-user-pass if auth-token is pushed477
- crypto: Enable SHA256 fingerprint checking in --verify-hash478
- copyright: Update GPLv2 license texts479
- auth-token with auth-nocache fix broke --disable-crypto builds480
- OpenSSL: don't use direct access to the internal of X509481
- OpenSSL: don't use direct access to the internal of EVP_PKEY482
- OpenSSL: don't use direct access to the internal of RSA483
- OpenSSL: don't use direct access to the internal of DSA484
- OpenSSL: force meth->name as non-const when we free() it485
- OpenSSL: don't use direct access to the internal of EVP_MD_CTX486
- OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX487
- OpenSSL: don't use direct access to the internal of HMAC_CTX488
- Fix NCP behaviour on TLS reconnect.489
- Remove erroneous limitation on max number of args for --plugin490
- Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.491
- Fix potential 1-byte overread in TCP option parsing.492
- Fix remotely-triggerable ASSERT() on malformed IPv6 packet.493
- Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst)494
- refactor my_strupr495
- Fix 2 memory leaks in proxy authentication routine496
- Fix memory leak in add_option() for option 'connection'497
- Ensure option array p[] is always NULL-terminated498
- Fix a null-pointer dereference in establish_http_proxy_passthru()499
- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data500
- Fix an unaligned access on OpenBSD/sparc64501
- Missing include for socket-flags TCP_NODELAY on OpenBSD502
- Make openvpn-plugin.h self-contained again.503
- Pass correct buffer size to GetModuleFileNameW()504
- Log the negotiated (NCP) cipher505
- Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)506
- Skip tls-crypt unit tests if required crypto mode not supported507
- openssl: fix overflow check for long --tls-cipher option508
- Add a DSA test key/cert pair to sample-keys509
- Fix mbedtls fingerprint calculation510
- mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)511
- mbedtls: require C-string compatible types for --x509-username-field512
- Fix remote-triggerable memory leaks (CVE-2017-7521)513
- Restrict --x509-alt-username extension types514
- Fix potential double-free in --x509-alt-username (CVE-2017-7521)515
- Fix gateway detection with OpenBSD routing domains516
517
-------------------------------------------------------------------518
Wed Jun 14 12:05:14 CEST 2017 - ndas@suse.de519
520
- use %{_tmpfilesdir} for tmpfiles.d/openvpn.conf (bsc#1044223)521
522
-------------------------------------------------------------------523
Tue Jun 6 14:59:29 CEST 2017 - ndas@suse.de524
525
- Update to 2.4.2526
- auth-token: Ensure tokens are always wiped on de-auth527
- Make --cipher/--auth none more explicit on the risks528
- Use SHA256 for the internal digest, instead of MD5529
- Deprecate --ns-cert-type530
- Deprecate --no-iv531
- Support --block-outside-dns on multiple tunnels532
- Limit --reneg-bytes to 64MB when using small block ciphers533
- Fix --tls-version-max in mbed TLS builds534
Details changelogs are avilable in 535
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24536
[*0001-preform-deferred-authentication-in-the-background.patch537
*openvpn-2.3.x-fixed-multiple-low-severity-issues.patch538
*openvpn-fips140-2.3.2.patch]539
- pkcs11-helper-devel >= 1.11 is needed for openvpn-2.4.2540
- cleanup the spec file541
542
-------------------------------------------------------------------543
Fri Apr 21 14:55:09 CEST 2017 - ndas@suse.de544
545
- Preform deferred authentication in the background to not546
cause main daemon processing delays when the underlying pam mechanism (e.g.547
ldap) needs longer to response (bsc#959511).548
[+ 0001-preform-deferred-authentication-in-the-background.patch]549
- Added fix for possible heap overflow on read accessing getaddrinfo 550
result (bsc#959714).551
[+openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch]552
- Added a patch to fix multiple low severity issues (bsc#934237).553
[+openvpn-2.3.x-fixed-multiple-low-severity-issues.patch]554
555
-------------------------------------------------------------------556
Sun Jan 22 15:21:17 UTC 2017 - mrueckert@suse.de557
558
- silence warning about %{_rundir}/openvpn559
- for non systemd case: just package the %{_rundir}/openvpn in560
the package561
- for systemd case: call systemd-tmpfiles and own the dir as562
%ghost in the filelist563
564
-------------------------------------------------------------------565
Sun Jan 22 14:51:44 UTC 2017 - mrueckert@suse.de566
567
- refreshed patches to apply cleanly again568
openvpn-2.3-plugin-man.dif569
openvpn-fips140-2.3.2.patch570
571
-------------------------------------------------------------------572
Sun Jan 22 14:47:39 UTC 2017 - mrueckert@suse.de573
574
- update to 2.3.14575
- update year in copyright message576
- Document the --auth-token option577
- Repair topology subnet on FreeBSD 11578
- Repair topology subnet on OpenBSD579
- Drop recursively routed packets580
- Support --block-outside-dns on multiple tunnels581
- When parsing '--setenv opt xx ..' make sure a third parameter582
is present583
- Map restart signals from event loop to SIGTERM during584
exit-notification wait585
- Correctly state the default dhcp server address in man page586
- Clean up format_hex_ex()587
- enabled pkcs11 support588
589
-------------------------------------------------------------------590
Sat Dec 3 21:26:52 UTC 2016 - michael@stroeder.com591
592
- update to 2.3.13593
- removed obsolete patch files openvpn-2.3.0-man-dot.diff and594
openvpn-fips140-AES-cipher-in-config-template.patch595
596
2016.11.02 -- Version 2.3.13597
Arne Schwabe (2):598
* Use AES ciphers in our sample configuration files and add a few modern 2.4 examples599
* Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer600
David Sommerseth (4):601
* t_client.sh: Make OpenVPN write PID file to avoid various sudo issues602
* t_client.sh: Add support for Kerberos/ksu603
* t_client.sh: Improve detection if the OpenVPN process did start during tests604
* t_client.sh: Add prepare/cleanup possibilties for each test case605
Gert Doering (5):606
* Do not abort t_client run if OpenVPN instance does not start.607
* Fix t_client runs on OpenSolaris608
* make t_client robust against sudoers misconfiguration609
* add POSTINIT_CMD_suf to t_client.sh and sample config610
* Fix --multihome for IPv6 on 64bit BSD systems.611
Ilya Shipitsin (1):612
* skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto613
Lev Stipakov (2):614
* Exclude peer-id from pulled options digest615
* Fix compilation in pedantic mode616
Samuli Seppänen (1):617
* Automatically cache expected IPs for t_client.sh on the first run618
Steffan Karger (6):619
* Fix unittests for out-of-source builds620
* Make gnu89 support explicit621
* cleanup: remove code duplication in msg_test()622
* Update cipher-related man page text623
* Limit --reneg-bytes to 64MB when using small block ciphers624
* Add a revoked cert to the sample keys625
626
2016.08.23 -- Version 2.3.12627
Arne Schwabe (2):628
* Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.629
* Move ASSERT so external-key with OpenSSL works again630
David Sommerseth (3):631
* Only build and run cmocka unit tests if its submodule is initialized632
* Another fix related to unit test framework633
* Remove NOP function and callers634
Dorian Harmans (1):635
* Add CHACHA20-POLY1305 ciphersuite IANA name translations.636
Ivo Manca (1):637
* Plug memory leak in mbedTLS backend638
Jeffrey Cutter (1):639
* Update contrib/pull-resolv-conf/client.up for no DOMAIN640
Jens Neuhalfen (2):641
* Add unit testing support via cmocka642
* Add a test for auth-pam searchandreplace643
Josh Cepek (1):644
* Push an IPv6 CIDR mask used by the server, not the pool's size645
Leon Klingele (1):646
* Add link to bug tracker647
Samuli Seppänen (2):648
* Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes649
* Clarify the fact that build instructions in README are for release tarballs650
Selva Nair (4):651
* Make error non-fatal while deleting address using netsh652
* Make block-outside-dns work with persist-tun653
* Ignore SIGUSR1/SIGHUP during exit notification654
* Promptly close the netcmd_semaphore handle after use655
Steffan Karger (4):656
* Fix polarssl / mbedtls builds657
* Don't limit max incoming message size based on c2->frame658
* Fix '--cipher none --cipher' crash659
* Discourage using 64-bit block ciphers660
661
-------------------------------------------------------------------662
Mon Nov 28 16:33:34 UTC 2016 - matwey.kornilov@gmail.com663
664
- Require iproute2 explicitly. openvpn uses /bin/ip from iproute2,665
so it should be installed666
667
-------------------------------------------------------------------668
Thu Sep 8 13:26:16 UTC 2016 - astieger@suse.com669
670
- Add an example for a FIPS 140-2 approved cipher configuration to671
the sample configuration files. Fixes bsc#988522672
adding openvpn-fips140-AES-cipher-in-config-template.patch673
- remove gpg-offline signature verification, now a source service674
675
-------------------------------------------------------------------676
Tue May 10 16:16:02 UTC 2016 - idonmez@suse.com677
678
- Update to version 2.3.11679
* Fixed port-share bug with DoS potential680
* Fix buffer overflow by user supplied data681
* Fix undefined signed shift overflow682
* Ensure input read using systemd-ask-password is null terminated683
* Support reading the challenge-response from console684
* hardening: add safe FD_SET() wrapper openvpn_fd_set()685
* Restrict default TLS cipher list686
- Add BuildRequires on xz for SLE11687
688
-------------------------------------------------------------------689
Mon Jan 4 17:22:37 UTC 2016 - idonmez@suse.com690
691
- Update to version 2.3.10692
* Warn user if their certificate has expired693
* Fix regression in setups without a client certificate694
695
-------------------------------------------------------------------696
Wed Dec 16 14:30:49 UTC 2015 - idonmez@suse.com697
698
- Update to version 2.3.9699
* Show extra-certs in current parameters.700
* Do not set the buffer size by default but rely on the operation system default.701
* Remove --enable-password-save option702
* Detect config lines that are too long and give a warning/error703
* Log serial number of revoked certificate704
* Avoid partial authentication state when using --disabled in CCD configs705
* Replace unaligned 16bit access to TCP MSS value with bytewise access706
* Fix possible heap overflow on read accessing getaddrinfo() result.707
* Fix isatty() check for good. (obsoletes revert-daemonize.patch)708
* Client-side part for server restart notification709
* Fix privilege drop if first connection attempt fails710
* Support for username-only auth file.711
* Increase control channel packet size for faster handshakes712
* hardening: add insurance to exit on a failed ASSERT()713
* Fix memory leak in auth-pam plugin714
* Fix (potential) memory leak in init_route_list()715
* Fix unintialized variable in plugin_vlog()716
* Add macro to ensure we exit on fatal errors717
* Fix memory leak in add_option() by simplifying get_ipv6_addr718
* openssl: properly check return value of RAND_bytes()719
* Fix rand_bytes return value checking720
* Fix "White space before end tags can break the config parser"721
722
-------------------------------------------------------------------723
Thu Dec 3 14:07:17 UTC 2015 - mt@suse.com724
725
- Adjust /var/run to _rundir macro value in openvpn@.service too.726
727
-------------------------------------------------------------------728
Thu Aug 20 08:43:33 UTC 2015 - mt@suse.com729
730
- Removed obsolete --with-lzo-headers option, readded LFS_CFLAGS.731
- Moved openvpn-plugin.h into a devel package, removed .gitignore732
733
-------------------------------------------------------------------734
Thu Aug 13 08:29:35 UTC 2015 - idonmez@suse.com735
736
- Add revert-daemonize.patch, looks like under systemd the stdin737
and stdout are not TTYs by default. This reverts to previous738
behaviour fixing bsc#941569739
740
-------------------------------------------------------------------741
Wed Aug 5 12:03:33 UTC 2015 - idonmez@suse.com742
743
- Update to version 2.3.8744
* Report missing endtags of inline files as warnings745
* Fix commit e473b7c if an inline file happens to have a746
line break exactly at buffer limit747
* Produce a meaningful error message if --daemon gets in the way of748
asking for passwords.749
* Document --daemon changes and consequences (--askpass, --auth-nocache)750
* Del ipv6 addr on close of linux tun interface751
* Fix --askpass not allowing for password input via stdin752
* Write pid file immediately after daemonizing753
* Fix regression: query password before becoming daemon754
* Fix using management interface to get passwords755
* Fix overflow check in openvpn_decrypt()756
757
-------------------------------------------------------------------758
Tue Jun 9 15:51:06 UTC 2015 - idonmez@suse.com759
760
- Update to version 2.3.7761
* down-root plugin: Replaced system() calls with execve()762
* sockets: Remove the limitation of --tcp-nodelay to be server-only763
* pkcs11: Load p11-kit-proxy.so module by default764
* New approach to handle peer-id related changes to link-mtu765
* Fix incorrect use of get_ipv6_addr() for iroute options766
* Print helpful error message on --mktun/--rmtun if not available767
* Explain effect of --topology subnet on --ifconfig768
* Add note about file permissions and --crl-verify to manpage769
* Repair --dev null breakage caused by db950be85d37770
* Correct note about DNS randomization in openvpn.8771
* Disallow usage of --server-poll-timeout in --secret key mode772
* Slightly enhance documentation about --cipher773
* On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo()774
* Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo()775
* Fix --redirect-private in --dev tap mode776
* Updated manpage for --rport and --lport777
* Properly escape dashes on the man-page778
* Improve documentation in --script-security section of the man-page779
* Really fix '--cipher none' regression780
* Set tls-version-max to 1.1 if cryptoapicert is used781
* Account for peer-id in frame size calculation782
* Disable SSL compression783
* Fix frame size calculation for non-CBC modes.784
* Allow for CN/username of 64 characters (fixes off-by-one)785
* Re-enable TLS version negotiation by default786
* Remove size limit for files inlined in config787
* Improve --tls-cipher and --show-tls man page description788
* Re-read auth-user-pass file on (re)connect if required789
* Clarify --capath option in manpage790
* Call daemon() before initializing crypto library791
792
-------------------------------------------------------------------793
Mon Mar 2 08:26:08 UTC 2015 - mt@suse.de794
795
- Fixed to use correct sha digest data length and in fips mode,796
use aes instead of the disallowed blowfish crypto (boo#914166).797
- Fixed to provide actual plugin/doc dirs in openvpn(8) man page.798
799
-------------------------------------------------------------------800
Mon Dec 1 19:37:29 UTC 2014 - mt@suse.de801
802
- Update to version 2.3.6 fixing a denial-of-service vulnerability803
where an authenticated client could stop the server by triggering804
a server-side ASSERT (bnc#907764,CVE-2014-8104).805
See ChangeLog file for a complete list of changes.806
807
-------------------------------------------------------------------808
Thu Oct 30 12:28:48 UTC 2014 - idonmez@suse.com809
810
- Update to version 2.3.5811
* See included changelog812
- Depend on systemd-devel for the daemon check functionality813
814
-------------------------------------------------------------------815
Mon Aug 25 09:12:08 UTC 2014 - idonmez@suse.com816
817
- Update to version 2.3.4818
* Add support for client-cert-not-required for PolarSSL.819
* Introduce safety check for http proxy options.820
821
-------------------------------------------------------------------822
Mon May 26 15:41:34 UTC 2014 - crrodriguez@opensuse.org823
824
- Build with large file support in 32 bit systems. 825
826
-------------------------------------------------------------------827
Sun May 11 07:58:52 UTC 2014 - coolo@suse.com828
829
- use %_rundir for %ghost directory - leaving /var/run everywhere830
else831
832
-------------------------------------------------------------------833
Tue Jan 14 10:43:19 UTC 2014 - mt@suse.de834
835
- Updated README.SUSE, documented also the rcopenvpn compatibility836
wrapper script (bnc#848070).837
838
-------------------------------------------------------------------839
Thu Jan 9 14:14:19 UTC 2014 - meissner@suse.com840
841
- openvpn-fips140-2.3.2.patch: Allow usage of SHA1 instead of MD5 in842
some internal checking routines. This allows operation in FIPS 140-2843
mode.844
845
-------------------------------------------------------------------846
Tue Dec 17 15:26:16 UTC 2013 - mt@suse.de847
848
- Readded rcopenvpn helper script under systemd (bnc#848070)849
850
-------------------------------------------------------------------851
Thu Oct 31 18:45:02 UTC 2013 - mt@suse.de852
853
- Fixed invalid mode in exec bit removal call from doc files854
855
-------------------------------------------------------------------856
Tue Aug 27 16:28:52 UTC 2013 - lmuelle@suse.com857
858
- Add a section about how to control all or a named configuration with the859
help of systemctl to the README.SUSE file.860
861
-------------------------------------------------------------------862
Mon Jun 3 22:09:09 UTC 2013 - mrdocs@opensuse.org863
864
- Update to 2.3.2865
+Fixes since 2.3.0866
- Remove dead code path and putenv functionality867
- Remove unused function xor868
- Move static prototype definition from header into c file869
- Remove unused function no_tap_ifconfig870
- fix build with automake 1.13(.1)871
- Fix corner case in NTLM authentication (trac #172)872
- Update README.IPv6 to match what is in 2.3.0873
- Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout.874
- Permit pool size of /64.../112 for ifconfig-ipv6-pool875
- Add MIN() compatibility macro876
- Fix directly connected routes for "topology subnet" on Solaris.877
- close more file descriptors on exec878
- Ignore UTF-8 byte order mark879
- reintroduce --no-name-remapping option880
- make --tls-remote compatible with pre 2.3 configs881
- add new option for X.509 name verification882
- add man page patch for missing options883
- Fix parameter listing in non-debug builds at verb 4884
- (updated) [PATCH] Warn when using verb levels >=7 without debug885
- Enable TCP_NODELAY configuration on FreeBSD.886
- Updated README887
- Cleaned up and updated INSTALL888
- PolarSSL-1.2 support889
- Improve PolarSSL key_state_read_{cipher, plain}text messages890
- Improve verify_callback messages891
- Config compatibility patch. Added translate_cipher_name.892
- Switch to IANA names for TLS ciphers.893
- Fixed autoconf script to properly detect missing pkcs11 with polarssl.894
- Use constant time memcmp when comparing HMACs in openvpn_decrypt.895
896
-------------------------------------------------------------------897
Mon May 6 11:13:49 UTC 2013 - mt@suse.de898
899
- Try to migrate openvpn.service autostart to openvpn@<CONF>.service900
instance enablement.901
902
-------------------------------------------------------------------903
Tue Apr 23 13:20:48 UTC 2013 - mt@suse.de904
905
- Fixed to enable systemd support in configure906
- Fixed openvpn-tmpfile.conf to use GID root, there is no openvpn group.907
- Added openvpn.target file allowing to handle all instances at once.908
- Fixed to install the service template correctly as openvpn@.service.909
Use "systemctl enable openvpn@foo.service" to enable instance using910
/etc/openvpn/foo.conf.911
- Disabled systemd variant of restart on update rpm macro, adopted other912
macros to use openvpn.target to e.g. stop all instances on uninstall.913
914
-------------------------------------------------------------------915
Tue Mar 26 14:38:48 UTC 2013 - aj@suse.com916
917
- Remove _unitdir definition, it is provided by systemd.918
- Install service file without x permissions919
920
-------------------------------------------------------------------921
Mon Mar 25 14:55:35 UTC 2013 - p.drouand@gmail.com922
923
Update to version 2.3.0:924
* Full IPv6 support925
* SSL layer modularised, enabling easier implementation for other SSL libraries926
* PolarSSL support as a drop-in replacement for OpenSSL927
* New plug-in API providing direct certificate access, improved logging API928
and easier to extend in the future929
* Added 'dev_type' environment variable to scripts and plug-ins - which is930
set to 'TUN' or 'TAP'931
* New feature: --management-external-key - to provide access to the encryption932
keys via the management interface933
* New feature: --x509-track option, more fine grained access to X.509 fields934
in scripts and plug-ins935
* New feature: --client-nat support936
* New feature: --mark which can mark encrypted packets from the tunnel, suitable 937
for more advanced routing and firewalling938
* New feature: --management-query-proxy - manage proxy settings via the management939
interface (supercedes --http-proxy-fallback)940
* New feature: --stale-routes-check, which cleans up the internal routing table941
* New feature: --x509-username-field, where other X.509v3 fields can be used for942
the authentication instead of Common Name943
* Improved client-kill management interface command944
* Improved UTF-8 support - and added --compat-names to provide backwards compatibility945
with older scripts/plug-ins946
* Improved auth-pam with COMMONNAME support, passing the certificate's common947
name in the PAM conversation948
* More options can now be used inside <connection> blocks949
* Completely new build system, enabling easier cross-compilation and Windows builds950
* Much of the code has been better documented951
* Many documentation updates952
* Plenty of bug fixes and other code clean-ups953
- Add systemd native support for OpenSUSE > 12.1954
- Adapt patchs to upstream release:955
* openvpn-2.1-plugin-man.dif > openvpn-2.3-plugin-man.dif956
* openvpn-2.1.0-man-dot.diff > openvpn-2.3.0-man-dot.diff957
- Remove obsolete patchs; fixed or merged on upstream release:958
* 0001-Use-SSL_MODE_RELEASE_BUFFERS-if-available.patch959
* openvpn-2.1-plugin-build.dif960
* openvpn-2.1-systemd-passwd.patch961
- Rebase specfile to upstream changes:962
* easy-rsa is not provided anymore with main package963
* remove %clean section964
* autoreconf -fi is no needed965
- Update openvpn.keyring file for upstream release asc key966
967
-------------------------------------------------------------------968
Mon Jan 28 13:59:07 UTC 2013 - mt@suse.com969
970
- Join openvpn.service systemd cgroup in start when needed, e.g.971
when starting with further parameters. (bnc#781106)972
973
-------------------------------------------------------------------974
Thu Nov 29 18:19:40 CET 2012 - sbrabec@suse.cz975
976
- Verify GPG signature.977
978
-------------------------------------------------------------------979
Fri Sep 21 12:18:32 UTC 2012 - coolo@suse.com980
981
- fix ciaran's previous license entry. the license has a SUSE prefix982
983
-------------------------------------------------------------------984
Thu Sep 20 10:50:23 UTC 2012 - mt@suse.com985
986
- Fixed openvpn init script to not map reopen to reload so the987
reopen code is without any effect (bnc#781106).988
- Added requested OPENVPN_AUTOSTART variable allowing to provide989
an optional list of config names started by default (bnc#692440).990
991
-------------------------------------------------------------------992
Wed Aug 22 14:50:39 UTC 2012 - cfarrell@suse.com993
994
- license update: GPL-2.0-with-openssl-exception and LGPL-2.1995
openssl has an openssl exception (also, it is GPL-2.0 only)996
997
-------------------------------------------------------------------998
Thu Mar 29 09:45:56 UTC 2012 - mt@suse.com999
1000
- Fixed SLES build readding Group tags to sub-packages in spec,1001
not require libselinux-devel on SLE-10 and datadir/doc cleanup.1002
1003
-------------------------------------------------------------------1004
Wed Feb 15 15:21:32 UTC 2012 - mt@suse.com1005
1006
- Updated to openvpn-2.2.2:1007
- Warn once, that IPv6 in tun mode is not supported in OpenVPN 2.21008
- Pkcs11 support built into the Windows version1009
- Fixed a bug in the Windows TAP-driver1010
1011
-------------------------------------------------------------------1012
Thu Dec 8 08:40:17 UTC 2011 - aj@suse.de1013
1014
- Fix source URLs.1015
1016
-------------------------------------------------------------------1017
Fri Dec 2 16:24:00 UTC 2011 - coolo@suse.com1018
1019
- add automake as buildrequire to avoid implicit dependency1020
1021
-------------------------------------------------------------------1022
Mon Aug 29 18:05:30 UTC 2011 - mt@suse.com1023
1024
- Marked /var/run/openvpn as ghost (bnc#710270), man page and1025
other rpmlint warning fixes1026
1027
-------------------------------------------------------------------1028
Tue Aug 23 15:41:00 UTC 2011 - crrodriguez@opensuse.org1029
1030
- BuildRequires libselinux-devel1031
- Use SSL_MODE_RELEASE_BUFFERS to keep memory usage low, sent 1032
upstream as https://community.openvpn.net/openvpn/ticket/1571033
1034
-------------------------------------------------------------------1035
Mon Aug 22 09:55:44 UTC 2011 - fcrozat@novell.com1036
1037
- Add openvpn-2.1-systemd-passwd.patch / modify openvpn.init to1038
support systemd password query (bnc#675406)1039
1040
-------------------------------------------------------------------1041
Mon Jul 11 14:38:45 UTC 2011 - mt@suse.de1042
1043
- Updated to openvpn-2.2.1, a new version series providing several1044
new features. This version fixes build issues and provides1045
updated easy-rsa for OpenSSL 1.0.0 (fixes Trac ticket #125),1046
- Adopted spec file, enabled saving password in a file and to1047
specify an alternative username in x509 cert.1048
- Removed X-Interactive from init script again, as systemd isn't1049
able to use it correctly [any more?] (bnc#675406). We will1050
address it later and probably use /bin/systemd-ask-password.1051
1052
-------------------------------------------------------------------1053
Tue Mar 15 21:05:23 UTC 2011 - crrodriguez@opensuse.org1054
1055
- KVPNC is unable to parse openvpn version [bnc#679153]1056
1057
-------------------------------------------------------------------1058
Thu Feb 17 10:59:23 UTC 2011 - mt@suse.de1059
1060
- Added X-Interactive: true LSB tag to the init script.1061
1062
-------------------------------------------------------------------1063
Tue Nov 16 09:45:46 UTC 2010 - mt@suse.de1064
1065
- Updated to openvpn 2.1.4, providing several bug fixes and1066
improvements, such as:1067
* Fix of a problem with special case route targets1068
* Try to ensure, that the tun/tap interface gets closed on1069
non-graceful aborts.1070
* Several AUTH_FAILED reporting fixes causing the connection1071
to fail without any error indication.1072
* Enable exponential backoff in reliability layer retransmits.1073
* Proxy improvements1074
Please review the ChangeLog file for a complete and exact list.1075
1076
-------------------------------------------------------------------1077
Wed Sep 8 16:34:21 UTC 2010 - cristian.rodriguez@opensuse.org1078
1079
- Do not include build date in binaries 1080
1081
-------------------------------------------------------------------1082
Tue Jun 15 09:31:56 UTC 2010 - mt@suse.de1083
1084
- Improved netconfig based client up and down sample scripts.1085
1086
-------------------------------------------------------------------1087
Fri Jun 11 17:07:11 CEST 2010 - anschneider@exsuse.de1088
1089
- Added netconfig based client up and down scripts to samples.1090
1091
-------------------------------------------------------------------1092
Thu Mar 11 08:51:39 UTC 2010 - mt@suse.de1093
1094
- Updated to openvpn 2.1.1; linux related changes since 2.1_rc20:1095
* Fixed a couple issues in sample plugins auth-pam.c and1096
down-root.c.1097
(1) Fail gracefully rather than segfault if calloc returns NULL.1098
(2) The openvpn_plugin_abort_v1 function can potentially be1099
called with handle == NULL. Add code to detect this case,1100
and if so, avoid dereferencing pointers derived from handle1101
(Thanks to David Sommerseth for finding this bug).1102
* Documented "multihome" option in the man page.1103
* Added a hard failure when peer provides a certificate chain1104
with depth > 16. Previously, a warning was issued.1105
* Added additional session renegotiation hardening. OpenVPN has1106
always required that mid-session renegotiations build up a new1107
SSL/TLS session from scratch. While the client certificate1108
common name is already locked against changes in mid-session1109
TLS renegotiations, we now extend this locking to the1110
auth-user-pass username as well as all certificate content in1111
the full client certificate chain.1112
- Improved openvpn init script adding messages giving a hint about1113
pid write failure and to look into the log messages (bnc#559041).1114
- Added -fno-strict-aliasing to compile flags in the spec file.1115
1116
-------------------------------------------------------------------1117
Fri Dec 17 23:00:46 CET 2009 - mt@suse.de1118
1119
- Updated to openvpn 2.1 2.1_rc20, fixing problems in route and1120
option handling provided by the from server (bnc#552440).1121
For complete list of changes, see ChangeLog file, here just1122
the IMO most important:1123
* Fixed a bug introduced in 2.1_rc17 (svn r4436) where using1124
the redirect-gateway option by itself, without any extra1125
parameters, would cause the option to be ignored.1126
* Optimized PUSH_REQUEST handshake sequence to shave several1127
seconds off of a typical client connection initiation.1128
* The maximum number of "route" directives (specified in the1129
config file or pulled from a server) can now be configured1130
via the new "max-routes" directive.1131
* Eliminated the limitation on the number of options that can1132
be pushed to clients, including routes. Previously, all1133
pushed options needed to fit within a 1024 byte options1134
string.1135
* Added --server-poll-timeout option : when polling possible1136
remote servers to connect to in a round-robin fashion,1137
spend no more than n seconds waiting for a response before1138
trying the next server.1139
* Added the ability for the server to provide a custom reason1140
string when an AUTH_FAILED message is returned to the client.1141
This string can be set by the server-side managment interface1142
and read by the client-side management interface.1143
* client-kill management interface command, when issued on server,1144
will now send a RESTART message to client. This feature is1145
intended to make UDP clients respond the same as TCP clients1146
in the case where the server issues a RESTART message in order1147
to force the client to reconnect and pull a new options/route1148
list.1149
1150
-------------------------------------------------------------------1151
Fri Oct 2 15:14:51 CEST 2009 - mt@suse.de1152
1153
- Added network-remotefs to init script dependencies (bnc#522279).1154
1155
-------------------------------------------------------------------1156
Wed Jun 10 10:24:06 CEST 2009 - mt@suse.de1157
1158
- Updated to openvpn 2.1 [2.1_rc18] series (fate#305289).1159
- Enabled pkcs11-helper for openSUSE > 10.3 (bnc#487558).1160
- Adopted spec file and patches, improved init script.1161
- Disabled installation of easy-rsa for Windows.1162
1163
-------------------------------------------------------------------1164
Tue Feb 17 18:22:23 CET 2009 - mt@suse.de1165
1166
- Improved init script to show config name in action messages1167
and allow to specify a config name in the second argument.1168
1169
-------------------------------------------------------------------1170
Mon Dec 1 10:58:12 CET 2008 - mt@suse.de1171
1172
- Removed restart_on_update rpm install hook that may break the1173
update process, e.g. when openvpn asks for auth data or the1174
update process is running over the tunnel (bnc#450390).1175
1176
-------------------------------------------------------------------1177
Tue Oct 28 12:13:45 CET 2008 - mt@suse.de1178
1179
- Fixed init script to handle pid files correctly (bnc#435421).1180
1181
-------------------------------------------------------------------1182
Thu May 29 15:16:03 CEST 2008 - mt@suse.de1183
1184
- Added $time $named to Should-Start in the init script to avoid1185
time related certificate errors and name resolving problems.1186
- Added iproute2 to BuildRequires to avoid openvpn rely on PATH.1187
1188
-------------------------------------------------------------------1189
Mon May 26 07:53:38 CEST 2008 - mt@suse.de1190
1191
- Reverted init script changes adding startproc, since they break1192
user auth query and multiple tunnels (bnc#394360, bnc#394353).1193
1194
-------------------------------------------------------------------1195
Thu May 22 18:21:59 CEST 2008 - mt@suse.de1196
1197
- Added -lpam to LDFLAGS of openvpn, because linking the openvpn1198
auth-pam plugin against pam is not sufficient. Many pam modules1199
that are loaded by pam during the authentication process are not1200
linked against pam and contain undefined symbols, causing the1201
authentication to fail (bnc#334773).1202
- Replaced patch loading plugins from /usr/%_lib/openvpn/plugin/lib1203
with -rpath linker flags (bnc#334773).1204
- Fixed init script to use startproc to return 0 when started twice.1205
1206
-------------------------------------------------------------------1207
Tue Feb 19 11:32:55 CET 2008 - mt@suse.de1208
1209
- Fixed spec file to not set pie flags when building plugins1210
1211
-------------------------------------------------------------------1212
Thu Jan 17 19:44:41 CET 2008 - mt@suse.de1213
1214
- Bug #334773: Enabled build of down-root and auth-pam plugins,1215
sub-packaged as openvpn-auth-pam-plugin/down-root-plugin.1216
- Added patch to load plugins from /usr/%_lib/openvpn/plugin/lib1217
first, when the plugin name is specified as basename only.1218
- Added patch adoptiong plugin path informations in openvpn.8.1219
- Added patch to build plugins with RPM_OPT_FLAGS.1220
- Fixed init script to use Should-Start/Stop LSB info tags.1221
- Bug #343106: Enabled iproute2 support / usage1222
1223
-------------------------------------------------------------------1224
Mon Jun 4 10:14:03 CEST 2007 - mt@suse.de1225
1226
- fixed easy-rsa installation (no exec in doc directory)1227
- improved spec to use configure directory variables and1228
cleaned up macro calls in RPM pre/post scripts.1229
- fixed openvpn binary check in the init script.1230
1231
-------------------------------------------------------------------1232
Fri Oct 27 10:40:59 CEST 2006 - mt@suse.de1233
1234
- upstream 2.0.9, Windows related fixes only1235
* Windows installer updated with OpenSSL 0.9.7l DLLs to fix1236
published vulnerabilities.1237
* Fixed TAP-Win32 bug that caused BSOD on Windows Vista1238
(Henry Nestler). The TAP-Win32 driver has now been1239
upgraded to version 8.4.1240
1241
-------------------------------------------------------------------1242
Wed Sep 27 14:34:48 CEST 2006 - poeml@suse.de1243
1244
- upstream 2.0.81245
* Windows installer updated with OpenSSL 0.9.7k DLLs to fix1246
RSA Signature Forgery (CVE-2006-4339).1247
* No changes to OpenVPN source code between 2.0.7 and 2.0.8.1248
1249
-------------------------------------------------------------------1250
Fri Jun 23 11:55:10 CEST 2006 - poeml@suse.de1251
1252
- upstream 2.0.7, with bug fixes:1253
* When deleting routes under Linux, use the route metric1254
as a differentiator to ensure that the route teardown1255
process only deletes the identical route which was originally1256
added via the "route" directive (Roy Marples).1257
* Fixed bug where --server directive in --dev tap mode1258
claimed that it would support subnets of /30 or less1259
but actually would only accept /29 or less.1260
* Extend byte counters to 64 bits (M. van Cuijk).1261
* Better sanity checking of --server and --server-bridge1262
IP pool ranges, so as not to hit the assertion at1263
pool.c:119 (2.0.5).1264
* Fixed bug where --daemon and --management-query-passwords1265
used together would cause OpenVPN to block prior to1266
daemonization.1267
* Fixed client/server race condition which could occur1268
when --auth-retry interact is set and the initially1269
provided auth-user-pass credentials are incorrect,1270
forcing a username/password re-query.1271
* Fixed bug where if --daemon and --management-hold are1272
used together, --user or --group options would be ignored.1273
* fix for CVE-2006-1629 integrated (disallow "setenv" to be pushed1274
to clients from the server)1275
- build with fPIE/pie on SUSE 10.0 or newer, or on any other platform1276
1277
-------------------------------------------------------------------1278
Wed Apr 19 13:10:56 CEST 2006 - poeml@suse.de1279
1280
- security fix (CVE-2006-1629): disallow "setenv" to be pushed to1281
clients from the server [#165123]1282
1283
-------------------------------------------------------------------1284
Wed Jan 25 21:39:08 CET 2006 - mls@suse.de1285
1286
- converted neededforbuild to BuildRequires1287
1288
-------------------------------------------------------------------1289
Thu Nov 3 15:25:01 CET 2005 - poeml@suse.de1290
1291
- update to 2.0.5, with two security fixes -- see below. [#132003]1292
2005.11.02 -- Version 2.0.51293
* Fixed bug in Linux get_default_gateway function1294
introduced in 2.0.4, which would cause redirect-gateway1295
on Linux clients to fail.1296
* Restored easy-rsa/2.0 tree (backported from 2.1 beta1297
series) which accidentally disappeared in1298
2.0.2 -> 2.0.4 transition.1299
2005.11.01 -- Version 2.0.41300
* Security fix -- Affects non-Windows OpenVPN clients of1301
version 2.0 or higher which connect to a malicious or1302
compromised server. A format string vulnerability1303
in the foreign_option function in options.c could1304
potentially allow a malicious or compromised server1305
to execute arbitrary code on the client. Only1306
non-Windows clients are affected. The vulnerability1307
only exists if (a) the client's TLS negotiation with1308
the server succeeds, (b) the server is malicious or1309
has been compromised such that it is configured to1310
push a maliciously crafted options string to the client,1311
and (c) the client indicates its willingness to accept1312
pushed options from the server by having "pull" or1313
"client" in its configuration file (Credit: Vade79).1314
CVE-2005-33931315
* Security fix -- Potential DoS vulnerability on the1316
server in TCP mode. If the TCP server accept() call1317
returns an error status, the resulting exception handler1318
may attempt to indirect through a NULL pointer, causing1319
a segfault. Affects all OpenVPN 2.0 versions.1320
CVE-2005-34091321
* Fix attempt of assertion at multi.c:1586 (note that1322
this precise line number will vary across different1323
versions of OpenVPN).1324
* Added ".PHONY: plugin" to Makefile.am to work around1325
"make dist" issue.1326
* Fixed double fork issue that occurs when --management-hold1327
is used.1328
* Moved TUN/TAP read/write log messages from --verb 8 to 6.1329
* Warn when multiple clients having the same common name or1330
username usurp each other when --duplicate-cn is not used.1331
* Modified Windows and Linux versions of get_default_gateway1332
to return the route with the smallest metric1333
if multiple 0.0.0.0/0.0.0.0 entries are present.1334
2005.09.25 -- Version 2.0.3-rc1 1335
* openvpn_plugin_abort_v1 function wasn't being properly1336
registered on Windows.1337
* Fixed a bug where --mode server --proto tcp-server --cipher none1338
operation could cause tunnel packet truncation.1339
1340
-------------------------------------------------------------------1341
Tue Aug 30 15:05:08 CEST 2005 - poeml@suse.de1342
1343
- update to 2.0.2 [#106258] relevant changes:1344
* Fixed bug where "--proto tcp-server --mode p2p --management1345
host port" would cause the management port to not respond until1346
the OpenVPN peer connects.1347
* Modified pkitool script to be /bin/sh compatible (Johnny Lam).1348
1349
-------------------------------------------------------------------1350
Tue Aug 23 13:56:27 CEST 2005 - poeml@suse.de1351
1352
- update to 2.0.1 [#106258]1353
* Security Fix -- DoS attack against server when run with "verb 0" and1354
without "tls-auth". If a client connection to the server fails1355
certificate verification, the OpenSSL error queue is not properly1356
flushed, which can result in another unrelated client instance on the1357
server seeing the error and responding to it, resulting in disconnection1358
of the unrelated client (CAN-2005-2531).1359
* Security Fix -- DoS attack against server by authenticated client.1360
This bug presents a potential DoS attack vector against the server1361
which can only be initiated by a connected and authenticated client.1362
If the client sends a packet which fails to decrypt on the server,1363
the OpenSSL error queue is not properly flushed, which can result in1364
another unrelated client instance on the server seeing the error and1365
responding to it, resulting in disconnection of the unrelated client1366
(CAN-2005-2532).1367
* Security Fix -- DoS attack against server by authenticated client.1368
A malicious client in "dev tap" ethernet bridging mode could1369
theoretically flood the server with packets appearing to come from1370
hundreds of thousands of different MAC addresses, causing the OpenVPN1371
process to deplete system virtual memory as it expands its internal1372
routing table. A --max-routes-per-client directive has been added1373
(default=256) to limit the maximum number of routes in OpenVPN's1374
internal routing table which can be associated with a given client1375
(CAN-2005-2533).1376
* Security Fix -- DoS attack against server by authenticated client.1377
If two or more client machines try to connect to the server at the1378
same time via TCP, using the same client certificate, and when1379
--duplicate-cn is not enabled on the server, a race condition can1380
crash the server with "Assertion failed at mtcp.c:411"1381
(CAN-2005-2534).1382
* Fixed server bug where under certain circumstances, the client instance1383
object deletion function would try to delete iroutes which had never been1384
added in the first place, triggering "Assertion failed at mroute.c:349".1385
* Added --auth-retry option to prevent auth errors from being fatal1386
on the client side, and to permit username/password requeries in case1387
of error. Also controllable via new "auth-retry" management interface1388
command. See man page for more info.1389
* Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.01390
* Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'1391
would fail to build.1392
* Implement "make check" to perform loopback tests (Matthias Andree).1393
- drop obsolete patch which fixed finding lzo libraries1394
1395
-------------------------------------------------------------------1396
Tue Jun 28 14:27:17 CEST 2005 - mrueckert@suse.de1397
1398
- The previous patch didnt work with lzo1 based distros. Fixed.1399
1400
-------------------------------------------------------------------1401
Tue Jun 28 11:25:32 CEST 2005 - cthiel@suse.de1402
1403
- fixed build with lzo2 (added lzo2.diff)1404
1405
-------------------------------------------------------------------1406
Thu Jun 23 01:48:38 CEST 2005 - ro@suse.de1407
1408
- build with fPIE/pie 1409
1410
-------------------------------------------------------------------1411
Thu Jun 2 18:01:18 CEST 2005 - hvogel@suse.de1412
1413
- lzo headers are in a subdirectory now1414
1415
-------------------------------------------------------------------1416
Tue Apr 19 10:28:32 CEST 2005 - cthiel@suse.de1417
1418
- update to 2.01419
1420
-------------------------------------------------------------------1421
Thu Feb 17 21:57:20 CET 2005 - poeml@suse.de1422
1423
- update to 2.0_rc141424
- add README.SUSE1425
1426
-------------------------------------------------------------------1427
Fri Jan 28 10:52:55 CET 2005 - poeml@suse.de1428
1429
- update to 2.0_rc101430
1431
-------------------------------------------------------------------1432
Wed Dec 29 14:10:20 CET 2004 - poeml@suse.de1433
1434
- update to 2.0_rc61435
1436
-------------------------------------------------------------------1437
Wed Dec 29 10:35:28 CET 2004 - poeml@suse.de1438
1439
- update to 2.0_rc1 (closing #45979)1440
IMPORTANT: OpenVPN's default port number is now 1194, based on an1441
official port number assignment by IANA. OpenVPN 2.0-beta16 and1442
earlier used 5000 as the default port.1443
-> see http://openvpn.net/20notes.html1444
- remove lzo sources, which come in a separate package since 9.21445
1446
-------------------------------------------------------------------1447
Mon Jul 26 15:43:00 CEST 2004 - poeml@suse.de1448
1449
- update to 1.6_rc41450
- bzip2 sources1451
1452
-------------------------------------------------------------------1453
Sun Jan 11 11:33:35 CET 2004 - adrian@suse.de1454
1455
- build as user1456
1457
-------------------------------------------------------------------1458
Tue Dec 16 16:07:29 CET 2003 - wengel@suse.de1459
1460
- update to version 1.5.01461
1462
-------------------------------------------------------------------1463
Sun Sep 7 18:41:23 CEST 2003 - poeml@suse.de1464
1465
- add an init script1466
- use RPM_OPT_FLAGS1467
- add /var/run/openvpn directory for pid files1468
1469
-------------------------------------------------------------------1470
Thu Jul 31 14:24:14 CEST 2003 - wengel@suse.de1471
1472
- update to new version -> 1.4.21473
1474
-------------------------------------------------------------------1475
Tue May 27 10:45:35 CEST 2003 - coolo@suse.de1476
1477
- use BuildRoot1478
- package a bit more straightforward1479
1480
-------------------------------------------------------------------1481
Mon May 19 08:41:42 CEST 2003 - wengel@suse.de1482
1483
- update to version 1.4.11484
1485
-------------------------------------------------------------------1486
Mon Jan 20 17:05:53 CET 2003 - wengel@suse.de1487
1488
- initial package1489
1490