- update to 2.6.9:
* Remove unused function prototype crypto_adjust_frame_parameters
* Log SSL alerts more prominently
* Document tls-exit option mainly as test option
* Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway
* Fix check_session_buf_not_used using wrong index
* Add missing check for nl_socket_alloc failure
* Add check for nice in cmake config
* Remove compat versionhelpers.h and remove cmake/configure check for it
* Extend the error message when TLS 1.0 PRF fails
* Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
* Check PRF availability on initialisation and add --force-tls-key-material-export
* Make it more explicit and visible when pkg-config is not found
* Clarify that the tls-crypt-v2-verify has a very limited env set
* Implement the --tls-export-cert feature
* Remove conditional text for Apache2 linking exception
* Remove --tls-export-cert
* Remove superfluous x509_write_pem()
* sample-keys: renew for the next 10 years
* GHA: clean up libressl builds with newer libressl
* configure.ac: Remove unused AC_TYPE_SIGNAL macro
* documentation: remove reference to removed option --show-proxy-settings
* unit_tests: remove includes for mock_msg.h
* documentation: improve documentation of --x509-track
* NTLM: add length check to add_security_buffer
* NTLM: increase size of phase 2 response we can handle
* proxy-options.rst: Add proper documentation for --http-proxy-user-pass
* buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0'
* --http-proxy-user-pass: allow to specify in either order with --http-proxy
* README.cmake.md: Document minimum required CMake version for --preset
OBS-URL: https://build.opensuse.org/request/show/1146252
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=201
- update to 2.6.7:
* CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
use a send buffer after it has been free()d in some circumstances,
causing some free()d memory to be sent to the peer. All configurations
using TLS (e.g. not using --secret) are affected by this issue.
* CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
restore --fragment configuration in some circumstances, leading to a
division by zero when --fragment is used. On platforms where division
by zero is fatal, this will cause an OpenVPN crash.
* DCO: warn if DATA_V1 packets are sent by the other side - this a hard
incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4
server, and the only fix is to use --disable-dco.
* Remove OpenSSL Engine method for loading a key. This had to be removed
because the original author did not agree to relicensing the code with
the new linking exception added. This was a somewhat obsolete feature
anyway as it only worked with OpenSSL 1.x, which is end-of-support.
* add warning if p2p NCP client connects to a p2mp server - this is a
combination that used to work without cipher negotiation (pre 2.6 on
both ends), but would fail in non-obvious ways with 2.6 to 2.6.
* add warning to --show-groups that not all supported groups are listed
(this is due the internal enumeration in OpenSSL being a bit weird,
omitting X448 and X25519 curves).
* --dns: remove support for exclude-domains argument (this was a new 2.6
option, with no backend support implemented yet on any platform, and it
turns out that no platform supported it at all - so remove option again)
* warn user if INFO control message too long, do not forward to management
client (safeguard against protocol-violating server implementations)
* DCO-WIN: get and log driver version (for easier debugging).
* print "peer temporary key details" in TLS handshake
* log OpenSSL errors on failure to set certificate, for example if the
OBS-URL: https://build.opensuse.org/request/show/1126537
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=197
- update to 2.6.6:
* configure.ac: fix typ0 in LIBCAPNG_CFALGS
* Avoid unused function warning/error on FreeBSD (and potientially others)
* fix warning with gcc 12.2.0 (compiler bug?)
* Fix CR_RESPONSE mangaement message using wrong key_id
* Print a more user-friendly error when tls-crypt-v2 client auth fails
* Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7
* Revert commit 423ced962d
* Implement using --peer-fingerprint without CA certificates
* show extra info for OpenSSL errors
* dist: add more missing files only used in the MSVC build
* dist: Include all documentation in distribution
* unit_tests: Add missing cert_data.h to source list for unit tests
* test_tls_crypt: Improve mock() usage to be more portable
* Remove old Travis CI related files
* options: Do not hide variables from parent scope
* pkcs11_openssl: Disable unused code
* route: Fix overriding return value of add_route3
OBS-URL: https://build.opensuse.org/request/show/1104114
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=195
- update to 2.6.5:
* apctl (windows): generate driver-specific names (if using tapctl
to create additional tap/wintun/dco devices, and not using
--name) (Github #337)
* interactive service (windows): do not force target desktop for
openvpn.exe - this has no impact for normal use, but enables
running of OpenVPN in a scripted way when no user is logged on
(for example, via task scheduler) (Github OpenVPN/openvpn-gui#626)
* fix use-after-free with EVP_CIPHER_free
* fix building with MSVC from release tarball (missing version.m4.in)
* dco-win: repair use of --dev-node to select specific DCO drivers
(Github #336)
* fix missing malloc() return check in dco_freebsd.c
* windows: correctly handle unicode names for "exit event"
* fix memleak in client-connect example plugin
* fix fortify build problem in keying-material-exporter-demo plugin
* fix memleak in dco_linux.c/dco_get_peer_stats_multi() - this will
leak a small amount of memory every 15s on DCO enabled servers,
leading to noticeable memory waste for long-running processes.
* dco_linux.c: properly close dco version file (fd leak)
OBS-URL: https://build.opensuse.org/request/show/1093055
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=193
- Update to 2.6.4:
* DCO: support kernel-triggered key rotation (avoid IV reuse after
2^32 packets). This is the userland side, accepting a message
from kernel, and initiating a TLS renegotiation. As of release,
* fix pkcs#11 usage with OpenSSL 3.x and PSS signing (Github #323)
* fix compile error on TARGET_ANDROID
* fix typo in help text
* manpage updates (--topology)
* encoding of non-ASCII windows error messages in log + management fixed
- Update openvpn.keyring
OBS-URL: https://build.opensuse.org/request/show/1086749
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=191
- update to 2.6.3:
* For full changelog please refer to:
https://github.com/OpenVPN/openvpn/blob/v2.6.3/Changes.rst
* implement byte counter statistics for DCO Linux (p2mp server
and client)
* implement byte counter statistics for DCO Windows (client only)
* '--dns server <n> address ...' now permits up to 8 v4 or v6
addresses
* fix a few cases of possibly undefined behaviour detected by ASAN
* add more unit tests for Windows cryptoapi interface
* Dynamic TLS Crypt When both peers are OpenVPN 2.6.1+, OpenVPN
will dynamically create a tls-crypt key that is used for
renegotiation. This ensure that only the previously authenticated
peer can do trigger renegotiation and complete renegotiations.
* Keying Material Exporters (RFC 5705) based key generation
* As part of the cipher negotiation OpenVPN will automatically prefer
the RFC5705 based key material generation to the current custom
OpenVPN PRF. This feature requires OpenSSL or mbed TLS 2.18+.
* OpenVPN will now work with OpenSSL in FIPS mode. Note, no effort
has been made to check or implement all the requirements/
recommendation of FIPS 140-2. This just allows OpenVPN to be run on
a system that be configured OpenSSL in FIPS mode.
* mlock will now check if enough memlock-able memory has been reserved,
and if less than 100MB RAM are available, use setrlimit() to upgrade
the limit. See Trac #1390. Not available on OpenSolaris.
* The --peer-fingerprint option has been introduced to give users an
easy to use alternative to the tls-verify for matching the fingerprint
of the peer. The option takes use a number of allowed SHA256
certificate fingerprints.
* When --peer-fingerprint is used, the --ca and --capath option become
OBS-URL: https://build.opensuse.org/request/show/1082779
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=189
- update to 2.5.9:
* Optional ciphers in --data-ciphers Ciphers in --data-ciphers
can now be prefixed with a ? to mark those as optional and only
use them if the SSL library supports them.
* when compiling from a git checkout, put proper branch names into
windows builds
* do not include auth-token in pulled-option digest (interferes
with persist-tun when auth-token is in use, GH #200).
* fix corner case that might lead to leaked file descriptor
* fix parser bug (parse_line()) that can lead to buffer overflows
on malformed command line or server ccd file handling.
Not exploitable.
* pull-filter: ignore leading spaces in option names (work around
server side bug with erroneous extra spaces)
* push: do not add leading spaces to "out of renegotiations" pushed
auth-token fix NULL pointer crash on "openvpn --show-tls" with
mbedtls
OBS-URL: https://build.opensuse.org/request/show/1068619
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=187
- update to 2.5.8:
* allow running a default configuration with TLS libraries without BF-CBC
(even if TLS cipher negotiation would not actually use BF-CBC, the
long-term compatibility "default cipher BF-CBC" would trigger an error
on such TLS libraries)
* ``--auth-nocache'' was not always correctly clearing username+password
after a renegotiation
* ensure that auth-token received from server is cleared if requested
by the management interface ("forget password" or automatically
via ``--management-forget-disconnect'')
* in a setup without username+password, but with auth-token and
auth-token-username pushed by the server, OpenVPN would start asking
for username+password on token expiry. Fix.
* using ``--auth-token`` together with ``--management-client-auth``
(on the server) would lead to TLS keys getting out of sync and client
being disconnected. Fix.
* management interface would sometimes get stuck if client and server
try to write something simultaneously. Fix by allowing a limited
level of recursion in virtual_output_callback()
* fix management interface not returning ERROR:/SUCCESS: response
on "signal SIGxxx" commands when in HOLD state
* tls-crypt-v2: abort connection if client-key is too short
* make man page agree with actual code on replay-window backtrag log message
* remove useless empty line from CR_RESPONSE message
OBS-URL: https://build.opensuse.org/request/show/1036732
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=181
- update to 2.5.7:
* Limited OpenSSL 3.0 support
* print OpenSSL error stack if decoding PKCS12 file fails
* fix omission of cipher-negotiation.rst in tarballs
* fix errno handling on Windows (Windows has different classes of
error codes, GetLastError() and C runtime errno, these should now
be handled correctly)
* fix PATH_MAX build failure in auth-pam.c
* fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
* fix overlong path names, leading to missing pkcs11-helper patch
in tarball
OBS-URL: https://build.opensuse.org/request/show/980821
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=177
* bsc#1197341, CVE-2022-0547: possible authentication bypass in
external authentication plug-in
* Fix "--mtu-disc maybe|yes" on Linux
* Fix $common_name variable passed to scripts when
username-as-common-name is in effect.
* Fix potential memory leaks in add_route() and add_route_ipv6().
* Apply connect-retry backoff only to one side of the connection
in p2p mode.
* repair "--inactive" handling with a 'bytes' parameter larger
than 2 Gbytes.
* new plugin (sample-plugin/defer/multi-auth.c) to help testing
with multiple parallel plugins that succeed/fail in
direct/deferred mode.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=175
- update to 2.5.5:
* SWEET32/64bit cipher deprecation change was postponed to 2.7
* improve "make check" to notice if "openvpn --show-cipher" crashes
* improve argv unit tests
* ensure unit tests work with mbedTLS builds without BF-CBC ciphers
* include "--push-remove" in the output of "openvpn --help"
* fix error in iptables syntax in example firewall.sh script
* fix "resolvconf -p" invocation in example "up" script
* fix "common_name" environment for script calls when
"--username-as-common-name" is in effect (Trac #1434)
* move "push-peer-info" documentation from "server options" to "client"
* correct "foreign_option_{n}" typo in manpage
* README.down-root: fix plugin module name
OBS-URL: https://build.opensuse.org/request/show/940795
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=171
Upstream has meanwhile solved this differently and the two
implementations interfere (boo#1193017).
- Obsoleted SLE patches up to this point:
* openvpn-CVE-2020-15078.patch
* openvpn-CVE-2020-11810.patch
* openvpn-CVE-2018-7544.patch
* openvpn-CVE-2018-9336.patch
(bsc#1085803, CVE-2018-7544)
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=170
- update to 2.5.4:
* fix prompting for password on windows console if stderr redirection
is in use - this breaks 2.5.x on Win11/ARM, and might also break
on Win11/adm64 when released.
* fix setting MAC address on TAP adapters (--lladdr) to use sitnl
(was overlooked, and still used "ifconfig" calls)
* various improvements for man page building (rst2man/rst2html etc)
* minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on
at least one platform strictly checking this)
* fix minor memory leak under certain conditions in add_route() and
add_route_ipv6()
* documentation improvements
* copyright updates where needed
* better error reporting when win32 console access fails
OBS-URL: https://build.opensuse.org/request/show/928265
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=168
* Removal of BF-CBC support in default configuration
*** POSSIBLE INCOMPATIBILITY ***
See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8).
* Connections setup is now much faster
* Support ChaCha20-Poly1305 cipher in the OpenVPN data channel
* Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
* Client-specific tls-crypt keys (--tls-crypt-v2)
* Improved Data channel cipher negotiation
* HMAC based auth-token support for seamless reconnects to
standalone servers or a group of servers
* Asynchronous (deferred) authentication support for auth-pam
plugin
* Asynchronous (deferred) support for client-connect scripts and
plugins
* Support IPv4 configs with /31 netmasks
* 802.1q VLAN support on TAP servers
* Support IPv6-only tunnels
* New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
* Support Virtual Routing and Forwarding (VRF)
* Netlink integration (OpenVPN no longer needs to execute
ifconfig/route or ip commands)
* Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
- bsc#1062157: The fix for bsc#934237 causes problems with the
crypto self-test of newer openvpn versions.
Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch .
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=165
- update to 2.4.11 (bsc#1185279):
* CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
* This bug allows - under very specific circumstances - to trick a server using
delayed authentication (plugin or management) into returning a PUSH_REPLY
before the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup.
* In combination with "--auth-gen-token" or an user-specific token auth
solution it can be possible to get access to a VPN with an
otherwise-invalid account.
* Fix potential NULL ptr crash if compiled with DMALLOC
- drop sysv5 init support, it hasn't build successfully in ages
and is build-disabled in devel project
OBS-URL: https://build.opensuse.org/request/show/898085
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=92
- update to 2.4.11 (bsc#1185279):
* CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
* This bug allows - under very specific circumstances - to trick a server using
delayed authentication (plugin or management) into returning a PUSH_REPLY
before the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup.
* In combination with "--auth-gen-token" or an user-specific token auth
solution it can be possible to get access to a VPN with an
otherwise-invalid account.
* Fix potential NULL ptr crash if compiled with DMALLOC
- drop sysv5 init support, it hasn't build successfully in ages
and is build-disabled in devel project
OBS-URL: https://build.opensuse.org/request/show/896403
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=160
- update to 2.4.10:
- OpenVPN client will now announce the acceptable ciphers to the server
(IV_CIPHER=...), so NCP cipher negotiation works better
- Parse static challenge response in auth-pam plugin
- Accept empty password and/or response in auth-pam plugin
- Log serial number of revoked certificate
- Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
- Fix auth-token not being updated if auth-nocache is set
(this should fix all remaining client-side bugs for the combination
"auth-nocache in client-config" + "auth-token in use on the server")
- Fix stack overflow in OpenSolaris and *BSD NEXTADDR()
- Fix error detection / abort in --inetd corner case (#350)
- Fix TUNSETGROUP compatibility with very old Linux systems (#1152)
- Fix handling of 'route remote_host' for IPv6 transport case
(#1247 and #1332)
- Fix --show-gateway for IPv6 on NetBSD/i386 (#734)
- A number of documentation improvements / clarification fixes.
- Fix line number reporting on config file errors after <inline> segments
- Fix fatal error at switching remotes (#629)
- socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848)
- Switch "ks->authenticated" assertion failure to returning false (#1270)
- refresh 0001-preform-deferred-authentication-in-the-background.patch
openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10
OBS-URL: https://build.opensuse.org/request/show/860796
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
- update to 2.4.9 (CVE-2020-11810, bsc#1169925O):
* Allow unicode search string in --cryptoapicert option (Windows)
* Skip expired certificates in Windows certificate store (Windows) (trac #966)
* OpenSSL: Fix --crl-verify not loading multiple CRLs in one file (trac #623)
* fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
This can be used to disrupt service to a freshly connected client (no session
keys negotiated yet). It can not be used to inject or steal VPN traffic.
CVE-2020-11810).
* fix combination of async push (deferred auth) and NCP (trac #1259)
* Fix OpenSSL 1.1.1 not using auto elliptic curve selection (trac #1228)
* Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
* mbedTLS: Make sure TLS session survives move (trac #880)
* Fix OpenSSL private key passphrase notices
* Fix building with --enable-async-push in FreeBSD (trac #1256)
* Fix broken fragmentation logic when using NCP (trac #1140)
OBS-URL: https://build.opensuse.org/request/show/833769
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=154
- Modernize openvpn.service
* /var/run has been obsoleted since a long time.
* on reload, send HUP signal directly rather than relying on
killproc to look for the main process.
- Explicitly requires sysvinit-tools as some of the tools shipped by
this package are used in various places regardless of whether
openvpn is built for systemd or non systemd systems.
For the context: sysvinit-tools was pulled in by systemd since 2014
but it's no longer the case so better to be safe than sorry.
OBS-URL: https://build.opensuse.org/request/show/829828
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=152
Include SR#758278 also
- Update to version 2.4.8:
* mbedtls: fix segfault by calling mbedtls_cipher_free() in
cipher_ctx_free()
* cleanup: Remove RPM openvpn.spec build approach
* docs: Update INSTALL
* build: Package missing mock_msg.h
* Increase listen() backlog queue to 32
* Force combinationation of --socks-proxy and --proto UDP to use
IPv4.
* Wrong FILETYPE in .rc files
* Do not set pkcs11-helper 'safe fork mode'
* tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex.
* Fix various compiler warnings
* Fix regression, reinstate LibreSSL support.
* man: correct the description of --capath and --crl-verify
regarding CRLs
* Fix typo in NTLM proxy debug message
* Ignore --pull-filter for --mode server
* openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
* Better error message when script fails due to script-security
setting
* Correct the return value of cryptoapi RSA signature callbacks
* Handle PSS padding in cryptoapicert
* cmocka: use relative paths
* Fix documentation of tls-verify script argument
- BuildRequire pkgconfig(libsystemd) instead of systemd-devel:
Allow OBS to shortcut through the -mini flavors.
OBS-URL: https://build.opensuse.org/request/show/764916
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=146
- Drop use of $FIRST_ARG in openvpn.spec
The use of $FIRST_ARG was probably required because of the
%service_* rpm macros were playing tricks with the shell positional
parameters. This is bad practice and error prones so let's assume
that no macros should do that anymore and hence it's safe to assume
that positional parameters remains unchanged after any rpm macro
call.
OBS-URL: https://build.opensuse.org/request/show/678070
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=139
- Update to 2.4.6:
* CVE-2018-9336, bsc#1090839: Fix potential double-free() in
Interactive Service
* Delete the IPv6 route to the "connected" network on tun close
* Management: warn about password only when the option is in use
* Avoid overflow in wakeup time computation
- Remove --askpass again, because it was also asking for a password
when none was needed. As a workaround for keys that need a
password, the "askpass" statement should be added to the config
file (bsc#1078026).
- Use Type=notify in openvpn.service to reflect what openvpn is
actually doing.
- Import the new signing key from upstream.
- Remove obsolete configure switch --enable-password-save .
- Update to 2.4.5
* New features
+ The new option --tls-cert-profile can be used to restrict the
set of allowed crypto algorithms in TLS certificates in mbed
TLS builds. The default profile is 'legacy' for now, which
allows SHA1+, RSA-1024+ and any elliptic curve certificates.
The default will be changed to the 'preferred' profile in the
future, which requires SHA2+, RSA-2048+ and any curve.
+ openvpnserv: Add support for multi-instances (to support
multiple parallel OpenVPN installations, like EduVPN and
regular OpenVPN)
+ Use P_DATA_V2 for server->client packets too (better packet
alignment)
+ improve management interface documentation
OBS-URL: https://build.opensuse.org/request/show/601900
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=81
* CVE-2018-9336, bsc#1090839: Fix potential double-free() in
Interactive Service
* Delete the IPv6 route to the "connected" network on tun close
* Management: warn about password only when the option is in use
* Avoid overflow in wakeup time computation
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=136
when none was needed. As a workaround for keys that need a
password, the "askpass" statement should be added to the config
file (bsc#1078026).
- Use Type=notify in openvpn.service to reflect what openvpn is
actually doing.
- Import the new signing key from upstream.
- Remove obsolete configure switch --enable-password-save .
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=134
- Update to 2.4.5
* New features
+ The new option --tls-cert-profile can be used to restrict the
set of allowed crypto algorithms in TLS certificates in mbed
TLS builds. The default profile is 'legacy' for now, which
allows SHA1+, RSA-1024+ and any elliptic curve certificates.
The default will be changed to the 'preferred' profile in the
future, which requires SHA2+, RSA-2048+ and any curve.
+ openvpnserv: Add support for multi-instances (to support
multiple parallel OpenVPN installations, like EduVPN and
regular OpenVPN)
+ Use P_DATA_V2 for server->client packets too (better packet
alignment)
+ improve management interface documentation
+ rework registry key handling for OpenVPN service, notably
making most registry values optional, falling back to
reasonable defaults
+ accept IPv6 address for pushed "dhcp-option DNS ..." (make
OpenVPN 2 option compatible with OpenVPN 3 iOS and Android
clients)
* Bug fixes
+ Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
+ Fix lots of compiler warnings (format string, type casts, ...)
+ reload HTTP proxy credentials when moving to the next
connection profile
+ Fix build with LibreSSL (multiple times)
+ Remove non-useful warning on pushed tun-ipv6 option.
+ autoconf: Fix engine checks for openssl 1.1
+ lz4: Rebase compat-lz4 against upstream v1.7.5
+ lz4: Fix broken builds when pkg-config is not present but
system library is
+ Fix '--bind ipv6only'
+ Allow learning iroutes with network made up of all 0s
- Includes 2.4.4
* Bug fixes
+ Fix issues when a pushed cipher via the Negotiable Crypto
Parameters (NCP) is rejected by the remote side
+ Ignore --keysize when NCP have resulted in a changed cipher
+ Configurations using --auth-nocache and the management
interface to provide user credentials (like NetworkManager)
on client side with servers implementing authentication
tokens (for example, using --auth-gen-token) will now behave
correctly and not query the user for an, to them, unknown
authentication token on renegotiations of the tunnel.
+ Invalid or corrupt SOCKS port number when changing the proxy
via the management interface.
+ man page should now have proper escaping of hyphen/minus
characters and other minor corrections.
* User-visible Changes
+ Linux servers with systemd which use the openvpn-server@.service
unit file for server configurations will now utilize the
automatic restart feature in systemd. If the OpenVPN server
process dies unexpectedly, systemd will ensure the OpenVPN
configuration will be restarted automatically.
* Deprecated
+ --no-replay (will be removed in 2.5)
+ --keysize (will be removed in 2.6)
* Security
+ CVE-2017-12166: Fix bounds check for configurations using
--key-method 1. Before this fix, attackers could send a
malformed packet to trigger a stack overflow. This is
considered to be a low risk issue, as --key-method 2 has
been the default since 2.0 (released on 2005-04-17). This
option is already deprecated in v2.4 and will be completely
removed in v2.5.
- Rebase openvpn-fips140-2.3.2.patch
- Drop 0002-Fix-bounds-check-in-read_key.patch
* upstreamed in c7e259160b28e94e4ea7f0ef767f8134283af255
- Partial cleanup with spec-cleaner
OBS-URL: https://build.opensuse.org/request/show/586118
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=133
- Update to 2.4.3 (bsc#1045489)
- Ignore auth-nocache for auth-user-pass if auth-token is pushed
- crypto: Enable SHA256 fingerprint checking in --verify-hash
- copyright: Update GPLv2 license texts
- auth-token with auth-nocache fix broke --disable-crypto builds
- OpenSSL: don't use direct access to the internal of X509
- OpenSSL: don't use direct access to the internal of EVP_PKEY
- OpenSSL: don't use direct access to the internal of RSA
- OpenSSL: don't use direct access to the internal of DSA
- OpenSSL: force meth->name as non-const when we free() it
- OpenSSL: don't use direct access to the internal of EVP_MD_CTX
- OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
- OpenSSL: don't use direct access to the internal of HMAC_CTX
- Fix NCP behaviour on TLS reconnect.
- Remove erroneous limitation on max number of args for --plugin
- Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
- Fix potential 1-byte overread in TCP option parsing.
- Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
- Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst)
- refactor my_strupr
- Fix 2 memory leaks in proxy authentication routine
- Fix memory leak in add_option() for option 'connection'
- Ensure option array p[] is always NULL-terminated
- Fix a null-pointer dereference in establish_http_proxy_passthru()
- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
- Fix an unaligned access on OpenBSD/sparc64
- Missing include for socket-flags TCP_NODELAY on OpenBSD
- Make openvpn-plugin.h self-contained again.
- Pass correct buffer size to GetModuleFileNameW()
- Log the negotiated (NCP) cipher
OBS-URL: https://build.opensuse.org/request/show/505857
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=124
- Update tp 2.4.2
- auth-token: Ensure tokens are always wiped on de-auth
- Make --cipher/--auth none more explicit on the risks
- Use SHA256 for the internal digest, instead of MD5
- Deprecate --ns-cert-type
- Deprecate --no-iv
- Support --block-outside-dns on multiple tunnels
- Limit --reneg-bytes to 64MB when using small block ciphers
- Fix --tls-version-max in mbed TLS builds
Details changelogs are avilable in
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
[*0001-preform-deferred-authentication-in-the-background.patch
*openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
*openvpn-fips140-2.3.2.patch]
- pkcs11-helper-devel >= 1.11 is needed for openvpn-2.4.2
- cleanup the spec file
OBS-URL: https://build.opensuse.org/request/show/501452
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=75
- auth-token: Ensure tokens are always wiped on de-auth
- Make --cipher/--auth none more explicit on the risks
- Use SHA256 for the internal digest, instead of MD5
- Deprecate --ns-cert-type
- Deprecate --no-iv
- Support --block-outside-dns on multiple tunnels
- Limit --reneg-bytes to 64MB when using small block ciphers
- Fix --tls-version-max in mbed TLS builds
Details changelogs are avilable in
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
[*0001-preform-deferred-authentication-in-the-background.patch
*openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
*openvpn-fips140-2.3.2.patch]
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=118
- Preform deferred authentication in the background to not
cause main daemon processing delays when the underlying pam mechanism (e.g.
ldap) needs longer to response (bsc#959511).
[+ 0001-preform-deferred-authentication-in-the-background.patch]
- Added fix for possible heap overflow on read accessing getaddrinfo
result (bsc#959714).
[+openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch]
- Added a patch to fix multiple low severity issues (bsc#934237).
[+openvpn-2.3.x-fixed-multiple-low-severity-issues.patch]
OBS-URL: https://build.opensuse.org/request/show/489820
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=115
- silence warning about %{_rundir}/openvpn
- for non systemd case: just package the %{_rundir}/openvpn in
the package
- for systemd case: call systemd-tmpfiles and own the dir as
%ghost in the filelist
- refreshed patches to apply cleanly again
openvpn-2.3-plugin-man.dif
openvpn-fips140-2.3.2.patch
- update to 2.3.14
- update year in copyright message
- Document the --auth-token option
- Repair topology subnet on FreeBSD 11
- Repair topology subnet on OpenBSD
- Drop recursively routed packets
- Support --block-outside-dns on multiple tunnels
- When parsing '--setenv opt xx ..' make sure a third parameter
is present
- Map restart signals from event loop to SIGTERM during
exit-notification wait
- Correctly state the default dhcp server address in man page
- Clean up format_hex_ex()
- enabled pkcs11 support
OBS-URL: https://build.opensuse.org/request/show/451851
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=113
- Update to version 2.3.11
* Fixed port-share bug with DoS potential
* Fix buffer overflow by user supplied data
* Fix undefined signed shift overflow
* Ensure input read using systemd-ask-password is null terminated
* Support reading the challenge-response from console
* hardening: add safe FD_SET() wrapper openvpn_fd_set()
* Restrict default TLS cipher list
- Add BuildRequires on xz for SLE11
OBS-URL: https://build.opensuse.org/request/show/394676
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=105
- Update to version 2.3.10
* Warn user if their certificate has expired
* Fix regression in setups without a client certificate
- Update to version 2.3.9
* Show extra-certs in current parameters.
* Do not set the buffer size by default but rely on the operation system default.
* Remove --enable-password-save option
* Detect config lines that are too long and give a warning/error
* Log serial number of revoked certificate
* Avoid partial authentication state when using --disabled in CCD configs
* Replace unaligned 16bit access to TCP MSS value with bytewise access
* Fix possible heap overflow on read accessing getaddrinfo() result.
* Fix isatty() check for good. (obsoletes revert-daemonize.patch)
* Client-side part for server restart notification
* Fix privilege drop if first connection attempt fails
* Support for username-only auth file.
* Increase control channel packet size for faster handshakes
* hardening: add insurance to exit on a failed ASSERT()
* Fix memory leak in auth-pam plugin
* Fix (potential) memory leak in init_route_list()
* Fix unintialized variable in plugin_vlog()
* Add macro to ensure we exit on fatal errors
* Fix memory leak in add_option() by simplifying get_ipv6_addr
* openssl: properly check return value of RAND_bytes()
* Fix rand_bytes return value checking
* Fix "White space before end tags can break the config parser"
OBS-URL: https://build.opensuse.org/request/show/351949
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=103
- Update to version 2.3.8
* Report missing endtags of inline files as warnings
* Fix commit e473b7c if an inline file happens to have a
line break exactly at buffer limit
* Produce a meaningful error message if --daemon gets in the way of
asking for passwords.
* Document --daemon changes and consequences (--askpass, --auth-nocache)
* Del ipv6 addr on close of linux tun interface
* Fix --askpass not allowing for password input via stdin
* Write pid file immediately after daemonizing
* Fix regression: query password before becoming daemon
* Fix using management interface to get passwords
* Fix overflow check in openvpn_decrypt()
OBS-URL: https://build.opensuse.org/request/show/320680
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=94
- Update to version 2.3.7
* down-root plugin: Replaced system() calls with execve()
* sockets: Remove the limitation of --tcp-nodelay to be server-only
* pkcs11: Load p11-kit-proxy.so module by default
* New approach to handle peer-id related changes to link-mtu
* Fix incorrect use of get_ipv6_addr() for iroute options
* Print helpful error message on --mktun/--rmtun if not available
* Explain effect of --topology subnet on --ifconfig
* Add note about file permissions and --crl-verify to manpage
* Repair --dev null breakage caused by db950be85d37
* Correct note about DNS randomization in openvpn.8
* Disallow usage of --server-poll-timeout in --secret key mode
* Slightly enhance documentation about --cipher
* On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo()
* Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo()
* Fix --redirect-private in --dev tap mode
* Updated manpage for --rport and --lport
* Properly escape dashes on the man-page
* Improve documentation in --script-security section of the man-page
* Really fix '--cipher none' regression
* Set tls-version-max to 1.1 if cryptoapicert is used
* Account for peer-id in frame size calculation
* Disable SSL compression
* Fix frame size calculation for non-CBC modes.
* Allow for CN/username of 64 characters (fixes off-by-one)
* Re-enable TLS version negotiation by default
* Remove size limit for files inlined in config
* Improve --tls-cipher and --show-tls man page description
* Re-read auth-user-pass file on (re)connect if required
* Clarify --capath option in manpage
OBS-URL: https://build.opensuse.org/request/show/313671
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=92
- Fixed to enable systemd support in configure
- Fixed openvpn-tmpfile.conf to use GID root, there is no openvpn group.
- Added openvpn.target file allowing to handle all instances at once.
- Fixed to install the service template correctly as openvpn@.service.
Use "systemctl enable openvpn@foo.service" to enable instance using
/etc/openvpn/foo.conf.
- Disabled systemd variant of restart on update rpm macro, adopted other
macros to use openvpn.target to e.g. stop all instances on uninstall.
OBS-URL: https://build.opensuse.org/request/show/173037
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=46
- Fixed to install the service template correctly as openvpn@.service.
Use "systemctl enable openvpn@foo.service" to enable instance using
/etc/openvpn/foo.conf.
- Fixed openvpn-tmpfile.conf to use GID root, there is no openvpn group.
- Disabled all systemd post install macros trying to use not existing
openvpn.service file.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=57
Verify GPG signature: Perform build-time offline GPG verification.
Please verify that included keyring matches your needs.
For manipulation with the offline keyring, please use gpg-offline tool from openSUSE:Factory, devel-tools-building or Base:System.
See the man page and/or /usr/share/doc/packages/gpg-offline/PACKAGING.HOWTO.
If you need to build your package for older products and don't want to mess spec file with ifs, please follow PACKAGING.HOWTO:
you can link or aggregate gpg-offline from
devel:tools:building or use following trick with "osc meta prjconf":
--- Cut here ----
%if 0%{?suse_version} <= 1220
Substitute: gpg-offline
%endif
Macros:
%gpg_verify(dnf) \
%if 0%{?suse_version} > 1220\
echo "WARNING: Using %%gpg_verify macro from prjconf, not from gpg-offline package."\
gpg-offline --directory="%{-d:%{-d*}}%{!-d:%{_sourcedir}}" --package="%{-n:%{-n*}}%{!-n:%{name}}""%{-f: %{-f*}}" --verify %{**}\
%else\
echo "WARNING: Dummy prjconf macro. gpg-offline is not available, skipping %{**} GPG signature verification!"\
%endif\
%nil
----------------- (forwarded request 143916 from sbrabec)
OBS-URL: https://build.opensuse.org/request/show/144034
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=42
Verify GPG signature: Perform build-time offline GPG verification.
Please verify that included keyring matches your needs.
For manipulation with the offline keyring, please use gpg-offline tool from openSUSE:Factory, devel-tools-building or Base:System.
See the man page and/or /usr/share/doc/packages/gpg-offline/PACKAGING.HOWTO.
If you need to build your package for older products and don't want to mess spec file with ifs, please follow PACKAGING.HOWTO:
you can link or aggregate gpg-offline from
devel:tools:building or use following trick with "osc meta prjconf":
--- Cut here ----
%if 0%{?suse_version} <= 1220
Substitute: gpg-offline
%endif
Macros:
%gpg_verify(dnf) \
%if 0%{?suse_version} > 1220\
echo "WARNING: Using %%gpg_verify macro from prjconf, not from gpg-offline package."\
gpg-offline --directory="%{-d:%{-d*}}%{!-d:%{_sourcedir}}" --package="%{-n:%{-n*}}%{!-n:%{name}}""%{-f: %{-f*}}" --verify %{**}\
%else\
echo "WARNING: Dummy prjconf macro. gpg-offline is not available, skipping %{**} GPG signature verification!"\
%endif\
%nil
-----------------
OBS-URL: https://build.opensuse.org/request/show/143916
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=48
new features. This version fixes build issues and provides
updated easy-rsa for OpenSSL 1.0.0 (fixes Trac ticket #125),
- Adopted spec file, enabled saving password in a file and to
specify an alternative username in x509 cert.
- Removed X-Interactive from init script again, as systemd isn't
able to use it correctly [any more?] (bnc#675406). We will
address it later and probably use /bin/systemd-ask-password.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=25
improvements, such as:
* Fix of a problem with special case route targets
* Try to ensure, that the tun/tap interface gets closed on
non-graceful aborts.
* Several AUTH_FAILED reporting fixes causing the connection
to fail without any error indication.
* Enable exponential backoff in reliability layer retransmits.
* Proxy improvements
Please review the ChangeLog file for a complete and exact list.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=19
