Sync from SUSE:SLFO:1.1 openvpn revision f996ae19e997230c9cd097f15109ce41

openvpn-2.6.14.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEV+lQSddqo5p0Q5YDUzpoYFKfI8UFAmftKAQACgkQUzpoYFKf
-I8U6jBAAkE9eRWgXki+826vZtyGNR1WgFrtX6dd3mBd9A9fv+ygWRkuNhDo3OHYj
-XGHcgAYjNI+ueOgS0UlVnJE+1P8YCcqNjhakyWO2XhwJwAIydgsMjDrSkefwY4zC
-k1OqGK+DAueaAMISFh91MON1HSOAfa4zPB2PvqZ1u5uIFHL+f4Hh2hHj74YV7X+I
-rr7jED5XGjvWy2H60JEeZlpNj+jzydz2yWvoZCab4Ae71CDE5GU2q2qt+HsQpdlo
-7tzlic97X9pqXN540MDb2pZoxmt+8uTtZn9UOAJ02IbjZRaNf2hmpgfJd6Xh1Wke
-m9loEuhjjVDZfO78Tx9a9uLloEQgxYmhftunc7gZbXcBhCrgtrhPNawff7XIA2Qw
-fVmJxJejaSG9YL0ecVI4Ef2GY5yxB11gOVIjQMuNLeBRsvd7r3n/Mn0J+3qtobyT
-Wr1A4auv+HpeCRwias+OeMmYezCjTsrkq3VLy85r7+KW5kb82b4IjEZkRqJhVxbn
-KXvHNhUBNnZ8SfYp5Fb1r+458bZ5nBG/KXexqS0Twe+VQGe70x/p/FarfrBP+NVe
-0DXA9RpPY0RQscmqWJK1EZhD3YOtZ8x0RUnRkQKH74JIxElxdUcmKR0kwJcdj0aq
-HFit6eAlRzhZukmEa9A0TshBcrNlmQ3BjPg8diIrYB60f5ZW9g8=
-=qqV2
------END PGP SIGNATURE-----

openvpn-2.6.8.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEvlj1OdBZuAYxwSlKQdIJZcLoLccFAmVXQWEACgkQQdIJZcLo
+LccHgw/8CluyqqSi46O+YIRBjJ29N7w9LV9Jt/nwwgNsOUbN4FkRRJpoGSMGdbo3
+2eOkDVnXisphl9aMiYmO4NDFSVgvFswC/UjZ0EKpyjAezYtN8Q7gj5XXOi7ENvWw
+tKQtnjUS/wV6N/ujCVYWo8EpZnh15vIkxo7BTjDjHRWiNjXioa89/AxqzN0vO0h6
+yeNJ65RPVp5RFow2DiyzsRdtIh/dP+TfupAUqcpFc2cvRZ2bXMcj5OV+khjsdYh7
+y5/xqCHbb41EJwy8d2iK4SXlggVfRDtuyqfJ3hCuPdHOe6NBZRgCZ5FcTqUJckkN
+ngYRViC33BHtcRKQQcoxSmhg1tjA1n2Yrt+xsrwCkw/M8OY+AS0ys4uiKYxCDN5I
+DcGTc9lE2xHHFur4ZUmOVQofRq8yRAQgik5nxMfur+tNpLGEW44eBjTYR3fzUjhO
+oNDxZv8oy0jZEelqvUTK2tRMdzxDlyOV8g7A8nXYcbJpAoaEaZsQ2C2Dbn1SgtZ/
+cmWMIXghFTnsTl70pbUZ8saHWAGb3d+AzwhET7BYQ7TBqNQMNzVaJ0O8aFEGPQzK
+4CyMzSD2x4Tnsl56BsvdVsihDBFhnfICrpXzO/QzTsbPb5xkooEuUhVWacMgJ74I
+Z2jDNGM67aDTOpHtgxluKZh1njes0SSGbLPDJIG6RG7TPcX3nE4=
+=kOZ8
+-----END PGP SIGNATURE-----

openvpn.changes

@@ -1,137 +1,3 @@
--------------------------------------------------------------------
-Fri Apr  4 20:24:19 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
-
-- update to 2.6.14:
-  * CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2
-  * Linux DCO: repair source IP selection for --multihome
-- update to 2.6.13:
-  * on non-windows clients (MacOS, Linux, Unix) send "release" string from
-    uname() call as IV_PLAT_VER to server
-  * Linux: pass --timeout=0 argument to systemd-ask-password, to avoid default
-    timeout of 90 seconds
-  * improve server-side handling of clients sending usernames or passwords
-    longer than USER_PASS_LEN
-  * purge proxy authentication credentials from memory after use
-- update to 2.6.12:
-  * the fix for CVE-2024-5594 (refuse control channel messages with
-    nonprintable characters) was too strict, breaking user configurations
-  * Http-proxy: fix bug preventing proxy credentials caching
-- update to 2.6.11:
-  * CVE-2024-5594: control channel: refuse control channel messages with
-    nonprintable characters in them. Security scope: a malicious openvpn
-    peer can send garbage to openvpn log, or cause high CPU load.
-  * CVE-2024-28882: only call schedule_exit() once (on a given peer).
-    Security scope: an authenticated client can make the server "keep the
-    session" even when the server has been told to disconnect this client
-  * Fix connect timeout when using SOCKS proxies
-  * Add bracket in fingerprint message and do not warn about missing
-    verification
-  * Remove "experimental" denotation for --fast-io
-  * Correctly document ifconfig_* variables passed to scripts
-  * Documentation: make section levels consistent
-  * Samples: Update sample configurations (remove compression & old cipher
-    settings, add more informative comments)
-- update keyring, as the old one doesn't verify anymore (and attach an url)
-- remove openvpn-CVE-2024-28882.patch and openvpn-CVE-2024-5594.patch, as
-  the latest version include fixes for the CVEs
-
--------------------------------------------------------------------
-Wed Jan 22 16:35:27 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
-
-- Drop rcFOO symlinks for CODE16 (PED-266).
-
--------------------------------------------------------------------
-Wed Jan 22 08:55:44 UTC 2025 - Rahul Jain <rahul.jain@suse.com>
-
-- FIX:VUL-0 CVE-2024-5594: openvpn: properly handle null bytes and 
-  invalid characters in control messages(bsc#1235147 CVE-2024-5594)
-  Patchname:openvpn-CVE-2024-5594.patch
-
--------------------------------------------------------------------
-Fri Dec 20 08:13:18 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
-
-- Set %_buildshell because of bashisms in build recipe
-- Replace over-the-top `find -exec rm` by just -delete
-
--------------------------------------------------------------------
-Thu Oct 10 08:13:54 UTC 2024 - Rahul Jain <rahul.jain@suse.com>
-
-- Fix multiple exit notifications from authenticated clients will
-  extend the validity of a closing session (bsc#1227546 CVE-2024-28882)
-  Patchname:openvpn-CVE-2024-28882.patch
-
--------------------------------------------------------------------
-Thu May 16 06:42:54 UTC 2024 - Bernhard Wiedemann <bwiedemann@suse.com>
-
-- Enable Data-Channel-Offloading (DCO) for better performance (jsc#PED-8305)
-  if libnl >= 3.4 is available
-
--------------------------------------------------------------------
-Thu Mar 21 08:33:45 UTC 2024 - Mohd Saquib <mohd.saquib@suse.com>
-
-- update to 2.6.10:
-  * t_client.sh can now run pre-tests and skip a test block if needed
-    (e.g. skip NTLM proxy tests if SSL library does not support MD4)
-  * Compression: minor bugfix in checking option consistency vs.
-    compiled-in algorithm support
-  * systemd unit files: remove obsolete syslog.target
-
--------------------------------------------------------------------
-Mon Feb 26 12:50:07 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
-
-- Use %autosetup macro. Allows to eliminate the usage of deprecated
-  PatchN.
-
--------------------------------------------------------------------
-Mon Feb 12 18:00:47 UTC 2024 - Mohd Saquib <mohd.saquib@suse.com>
-
-- update to 2.6.9:
-  * Remove unused function prototype crypto_adjust_frame_parameters
-  * Log SSL alerts more prominently
-  * Document tls-exit option mainly as test option
-  * Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway
-  * Fix check_session_buf_not_used using wrong index
-  * Add missing check for nl_socket_alloc failure
-  * Add check for nice in cmake config
-  * Remove compat versionhelpers.h and remove cmake/configure check for it
-  * Extend the error message when TLS 1.0 PRF fails
-  * Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
-  * Check PRF availability on initialisation and add --force-tls-key-material-export
-  * Make it more explicit and visible when pkg-config is not found
-  * Clarify that the tls-crypt-v2-verify has a very limited env set
-  * Implement the --tls-export-cert feature
-  * Remove conditional text for Apache2 linking exception
-  * Remove --tls-export-cert
-  * Remove superfluous x509_write_pem()
-  * sample-keys: renew for the next 10 years
-  * GHA: clean up libressl builds with newer libressl
-  * configure.ac: Remove unused AC_TYPE_SIGNAL macro
-  * documentation: remove reference to removed option --show-proxy-settings
-  * unit_tests: remove includes for mock_msg.h
-  * documentation: improve documentation of --x509-track
-  * NTLM: add length check to add_security_buffer
-  * NTLM: increase size of phase 2 response we can handle
-  * proxy-options.rst: Add proper documentation for --http-proxy-user-pass
-  * buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0'
-  * --http-proxy-user-pass: allow to specify in either order with --http-proxy
-  * README.cmake.md: Document minimum required CMake version for --preset
-  * documentation: Update and fix documentation for --push-peer-info
-  * documentation: Fixes for previous fixes to --push-peer-info
-  * OpenBSD: repair --show-gateway
-  * get_default_gateway() HWADDR overhaul
-  * fix uncrustify complaints about previous patch
-  * preparing release 2.6.9
-  * dco-freebsd: dynamically re-allocate buffer if it's too small
-  * tun.c: don't attempt to delete DNS and WINS servers if they're not set
-  * vcpkg-ports/pkcs11-helper: bump to version 1.30
-  * Add support for mbedtls 3.X.Y
-  * Update README.mbedtls
-  * Disable TLS 1.3 support with mbed TLS
-  * Enable key export with mbed TLS 3.x.y
-  * protocol_dump: tls-crypt support
-  * Fix IPv6 route add/delete message log level
-  * fix(ssl): init peer_id when init tls_multi 
-
 -------------------------------------------------------------------
 Mon Nov 20 07:15:13 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
 

openvpn.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openvpn
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,12 +16,11 @@
 #
 
 
-%define _buildshell /bin/bash
 %if ! %{defined _rundir}
 %define _rundir %{_localstatedir}/run
 %endif
 Name:           openvpn
-Version:        2.6.14
+Version:        2.6.8
 Release:        0
 Summary:        Full-featured SSL VPN solution using a TUN/TAP Interface
 License:        GPL-2.0-only WITH openvpn-openssl-exception
@@ -32,7 +31,7 @@ Source1:        https://swupdate.openvpn.org/community/releases/openvpn-%{versio
 Source3:        %{name}.README.SUSE
 Source4:        client-netconfig.up
 Source5:        client-netconfig.down
-Source7:        https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xf554a3687412cffebdefe0a312f5f7b42f2b01e7#/%{name}.keyring
+Source7:        %{name}.keyring
 Source8:        %{name}.service
 Source9:        %{name}.target
 Source10:       %{name}-tmpfile.conf
@@ -50,12 +49,10 @@ BuildRequires:  pam-devel
 BuildRequires:  pkcs11-helper-devel >= 1.11
 BuildRequires:  pkgconfig
 BuildRequires:  xz
-BuildRequires:  pkgconfig(libnl-genl-3.0)
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  pkgconfig(systemd)
 Requires:       iproute2
 Requires:       pkcs11-helper >= 1.11
-Recommends:     ovpn-dco-kmp
 %systemd_ordering
 
 %description
@@ -119,7 +116,8 @@ Requires:       %{name} = %{version}
 This package provides the header file to build external plugins.
 
 %prep
-%autosetup -p0
+%setup -q
+%patch1
 
 sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
     -i src/openvpn/options.c
@@ -138,14 +136,8 @@ export LDFLAGS
 # usrmerge
 export IPROUTE="%{_sbindir}/ip"
 %endif
-libnlversion=$(rpm -q --qf "%%{version}" libnl3-devel)
-if [[ $libnlversion == 3.[0-3].* ]] ; then
-  confopt=--enable-iproute2
-else
-  confopt=--enable-dco
-fi
 %configure \
-	$confopt			\
+	--enable-iproute2		\
 	--enable-x509-alt-username	\
 	--enable-pkcs11			\
 	--enable-systemd		\
@@ -158,7 +150,7 @@ fi
 
 %install
 %make_install
-find %{buildroot} -type f -name "*.la" -print -delete
+find %{buildroot} -type f -name "*.la" -print -exec rm -f {} +
 mkdir -p %{buildroot}/%{_sysconfdir}/openvpn
 mkdir -p %{buildroot}/%{_rundir}/openvpn
 mkdir -p %{buildroot}/%{_datadir}/openvpn
@@ -168,9 +160,7 @@ rm %{buildroot}%{_libdir}/systemd/system/openvpn-server@.service
 rm %{buildroot}%{_libdir}/tmpfiles.d/openvpn.conf
 install -D -m 644 %{name}.service %{buildroot}/%{_unitdir}/%{name}@.service
 install -D -m 644 %{SOURCE9} %{buildroot}/%{_unitdir}/%{name}.target
-%if 0%{?suse_version} < 1600
 install -D -m 755 %{SOURCE11} %{buildroot}%{_sbindir}/rc%{name}
-%endif
 # tmpfiles.d
 mkdir -p %{buildroot}%{_tmpfilesdir}
 install -m 0644 %{SOURCE10} %{buildroot}%{_tmpfilesdir}/%{name}.conf
@@ -180,7 +170,7 @@ install -m 755 %{SOURCE5} sample/sample-scripts/client-netconfig.down
 
 # we install docs via spec into _defaultdocdir/name/management-notes.txt
 rm -rf %{buildroot}%{_datadir}/doc/{OpenVPN,%{name}}
-find sample -name .gitignore -delete
+find sample -name .gitignore -exec rm -f {} +
 
 %pre
 %service_add_pre %{name}.target
@@ -213,9 +203,7 @@ find sample -name .gitignore -delete
 %{_unitdir}/%{name}.target
 %{_tmpfilesdir}/%{name}.conf
 %dir %attr(0750,root,root) %ghost %{_rundir}/openvpn/
-%if 0%{?suse_version} < 1600
 %{_sbindir}/rcopenvpn
-%endif
 %{_sbindir}/openvpn
 
 %files down-root-plugin