- update to 2.6.3:
* For full changelog please refer to:
https://github.com/OpenVPN/openvpn/blob/v2.6.3/Changes.rst
* implement byte counter statistics for DCO Linux (p2mp server
and client)
* implement byte counter statistics for DCO Windows (client only)
* '--dns server <n> address ...' now permits up to 8 v4 or v6
addresses
* fix a few cases of possibly undefined behaviour detected by ASAN
* add more unit tests for Windows cryptoapi interface
* Dynamic TLS Crypt When both peers are OpenVPN 2.6.1+, OpenVPN
will dynamically create a tls-crypt key that is used for
renegotiation. This ensure that only the previously authenticated
peer can do trigger renegotiation and complete renegotiations.
* Keying Material Exporters (RFC 5705) based key generation
* As part of the cipher negotiation OpenVPN will automatically prefer
the RFC5705 based key material generation to the current custom
OpenVPN PRF. This feature requires OpenSSL or mbed TLS 2.18+.
* OpenVPN will now work with OpenSSL in FIPS mode. Note, no effort
has been made to check or implement all the requirements/
recommendation of FIPS 140-2. This just allows OpenVPN to be run on
a system that be configured OpenSSL in FIPS mode.
* mlock will now check if enough memlock-able memory has been reserved,
and if less than 100MB RAM are available, use setrlimit() to upgrade
the limit. See Trac #1390. Not available on OpenSolaris.
* The --peer-fingerprint option has been introduced to give users an
easy to use alternative to the tls-verify for matching the fingerprint
of the peer. The option takes use a number of allowed SHA256
certificate fingerprints.
* When --peer-fingerprint is used, the --ca and --capath option become
OBS-URL: https://build.opensuse.org/request/show/1082779
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=189
- update to 2.5.9:
* Optional ciphers in --data-ciphers Ciphers in --data-ciphers
can now be prefixed with a ? to mark those as optional and only
use them if the SSL library supports them.
* when compiling from a git checkout, put proper branch names into
windows builds
* do not include auth-token in pulled-option digest (interferes
with persist-tun when auth-token is in use, GH #200).
* fix corner case that might lead to leaked file descriptor
* fix parser bug (parse_line()) that can lead to buffer overflows
on malformed command line or server ccd file handling.
Not exploitable.
* pull-filter: ignore leading spaces in option names (work around
server side bug with erroneous extra spaces)
* push: do not add leading spaces to "out of renegotiations" pushed
auth-token fix NULL pointer crash on "openvpn --show-tls" with
mbedtls
OBS-URL: https://build.opensuse.org/request/show/1068619
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=187
- update to 2.5.8:
* allow running a default configuration with TLS libraries without BF-CBC
(even if TLS cipher negotiation would not actually use BF-CBC, the
long-term compatibility "default cipher BF-CBC" would trigger an error
on such TLS libraries)
* ``--auth-nocache'' was not always correctly clearing username+password
after a renegotiation
* ensure that auth-token received from server is cleared if requested
by the management interface ("forget password" or automatically
via ``--management-forget-disconnect'')
* in a setup without username+password, but with auth-token and
auth-token-username pushed by the server, OpenVPN would start asking
for username+password on token expiry. Fix.
* using ``--auth-token`` together with ``--management-client-auth``
(on the server) would lead to TLS keys getting out of sync and client
being disconnected. Fix.
* management interface would sometimes get stuck if client and server
try to write something simultaneously. Fix by allowing a limited
level of recursion in virtual_output_callback()
* fix management interface not returning ERROR:/SUCCESS: response
on "signal SIGxxx" commands when in HOLD state
* tls-crypt-v2: abort connection if client-key is too short
* make man page agree with actual code on replay-window backtrag log message
* remove useless empty line from CR_RESPONSE message
OBS-URL: https://build.opensuse.org/request/show/1036732
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=181
- update to 2.5.7:
* Limited OpenSSL 3.0 support
* print OpenSSL error stack if decoding PKCS12 file fails
* fix omission of cipher-negotiation.rst in tarballs
* fix errno handling on Windows (Windows has different classes of
error codes, GetLastError() and C runtime errno, these should now
be handled correctly)
* fix PATH_MAX build failure in auth-pam.c
* fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
* fix overlong path names, leading to missing pkcs11-helper patch
in tarball
OBS-URL: https://build.opensuse.org/request/show/980821
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=177
* bsc#1197341, CVE-2022-0547: possible authentication bypass in
external authentication plug-in
* Fix "--mtu-disc maybe|yes" on Linux
* Fix $common_name variable passed to scripts when
username-as-common-name is in effect.
* Fix potential memory leaks in add_route() and add_route_ipv6().
* Apply connect-retry backoff only to one side of the connection
in p2p mode.
* repair "--inactive" handling with a 'bytes' parameter larger
than 2 Gbytes.
* new plugin (sample-plugin/defer/multi-auth.c) to help testing
with multiple parallel plugins that succeed/fail in
direct/deferred mode.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=175
- update to 2.5.5:
* SWEET32/64bit cipher deprecation change was postponed to 2.7
* improve "make check" to notice if "openvpn --show-cipher" crashes
* improve argv unit tests
* ensure unit tests work with mbedTLS builds without BF-CBC ciphers
* include "--push-remove" in the output of "openvpn --help"
* fix error in iptables syntax in example firewall.sh script
* fix "resolvconf -p" invocation in example "up" script
* fix "common_name" environment for script calls when
"--username-as-common-name" is in effect (Trac #1434)
* move "push-peer-info" documentation from "server options" to "client"
* correct "foreign_option_{n}" typo in manpage
* README.down-root: fix plugin module name
OBS-URL: https://build.opensuse.org/request/show/940795
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=171
Upstream has meanwhile solved this differently and the two
implementations interfere (boo#1193017).
- Obsoleted SLE patches up to this point:
* openvpn-CVE-2020-15078.patch
* openvpn-CVE-2020-11810.patch
* openvpn-CVE-2018-7544.patch
* openvpn-CVE-2018-9336.patch
(bsc#1085803, CVE-2018-7544)
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=170
- update to 2.5.4:
* fix prompting for password on windows console if stderr redirection
is in use - this breaks 2.5.x on Win11/ARM, and might also break
on Win11/adm64 when released.
* fix setting MAC address on TAP adapters (--lladdr) to use sitnl
(was overlooked, and still used "ifconfig" calls)
* various improvements for man page building (rst2man/rst2html etc)
* minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on
at least one platform strictly checking this)
* fix minor memory leak under certain conditions in add_route() and
add_route_ipv6()
* documentation improvements
* copyright updates where needed
* better error reporting when win32 console access fails
OBS-URL: https://build.opensuse.org/request/show/928265
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=168
* Removal of BF-CBC support in default configuration
*** POSSIBLE INCOMPATIBILITY ***
See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8).
* Connections setup is now much faster
* Support ChaCha20-Poly1305 cipher in the OpenVPN data channel
* Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
* Client-specific tls-crypt keys (--tls-crypt-v2)
* Improved Data channel cipher negotiation
* HMAC based auth-token support for seamless reconnects to
standalone servers or a group of servers
* Asynchronous (deferred) authentication support for auth-pam
plugin
* Asynchronous (deferred) support for client-connect scripts and
plugins
* Support IPv4 configs with /31 netmasks
* 802.1q VLAN support on TAP servers
* Support IPv6-only tunnels
* New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
* Support Virtual Routing and Forwarding (VRF)
* Netlink integration (OpenVPN no longer needs to execute
ifconfig/route or ip commands)
* Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
- bsc#1062157: The fix for bsc#934237 causes problems with the
crypto self-test of newer openvpn versions.
Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch .
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=165
- update to 2.4.11 (bsc#1185279):
* CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
* This bug allows - under very specific circumstances - to trick a server using
delayed authentication (plugin or management) into returning a PUSH_REPLY
before the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup.
* In combination with "--auth-gen-token" or an user-specific token auth
solution it can be possible to get access to a VPN with an
otherwise-invalid account.
* Fix potential NULL ptr crash if compiled with DMALLOC
- drop sysv5 init support, it hasn't build successfully in ages
and is build-disabled in devel project
OBS-URL: https://build.opensuse.org/request/show/898085
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=92
- update to 2.4.11 (bsc#1185279):
* CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
* This bug allows - under very specific circumstances - to trick a server using
delayed authentication (plugin or management) into returning a PUSH_REPLY
before the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup.
* In combination with "--auth-gen-token" or an user-specific token auth
solution it can be possible to get access to a VPN with an
otherwise-invalid account.
* Fix potential NULL ptr crash if compiled with DMALLOC
- drop sysv5 init support, it hasn't build successfully in ages
and is build-disabled in devel project
OBS-URL: https://build.opensuse.org/request/show/896403
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=160
- update to 2.4.10:
- OpenVPN client will now announce the acceptable ciphers to the server
(IV_CIPHER=...), so NCP cipher negotiation works better
- Parse static challenge response in auth-pam plugin
- Accept empty password and/or response in auth-pam plugin
- Log serial number of revoked certificate
- Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
- Fix auth-token not being updated if auth-nocache is set
(this should fix all remaining client-side bugs for the combination
"auth-nocache in client-config" + "auth-token in use on the server")
- Fix stack overflow in OpenSolaris and *BSD NEXTADDR()
- Fix error detection / abort in --inetd corner case (#350)
- Fix TUNSETGROUP compatibility with very old Linux systems (#1152)
- Fix handling of 'route remote_host' for IPv6 transport case
(#1247 and #1332)
- Fix --show-gateway for IPv6 on NetBSD/i386 (#734)
- A number of documentation improvements / clarification fixes.
- Fix line number reporting on config file errors after <inline> segments
- Fix fatal error at switching remotes (#629)
- socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848)
- Switch "ks->authenticated" assertion failure to returning false (#1270)
- refresh 0001-preform-deferred-authentication-in-the-background.patch
openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10
OBS-URL: https://build.opensuse.org/request/show/860796
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
- update to 2.4.9 (CVE-2020-11810, bsc#1169925O):
* Allow unicode search string in --cryptoapicert option (Windows)
* Skip expired certificates in Windows certificate store (Windows) (trac #966)
* OpenSSL: Fix --crl-verify not loading multiple CRLs in one file (trac #623)
* fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
This can be used to disrupt service to a freshly connected client (no session
keys negotiated yet). It can not be used to inject or steal VPN traffic.
CVE-2020-11810).
* fix combination of async push (deferred auth) and NCP (trac #1259)
* Fix OpenSSL 1.1.1 not using auto elliptic curve selection (trac #1228)
* Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
* mbedTLS: Make sure TLS session survives move (trac #880)
* Fix OpenSSL private key passphrase notices
* Fix building with --enable-async-push in FreeBSD (trac #1256)
* Fix broken fragmentation logic when using NCP (trac #1140)
OBS-URL: https://build.opensuse.org/request/show/833769
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=154
- Modernize openvpn.service
* /var/run has been obsoleted since a long time.
* on reload, send HUP signal directly rather than relying on
killproc to look for the main process.
- Explicitly requires sysvinit-tools as some of the tools shipped by
this package are used in various places regardless of whether
openvpn is built for systemd or non systemd systems.
For the context: sysvinit-tools was pulled in by systemd since 2014
but it's no longer the case so better to be safe than sorry.
OBS-URL: https://build.opensuse.org/request/show/829828
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=152
