openvpn/openvpn.spec

#
# spec file for package openvpn (Version 2.0.9)
#
# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

# norootforbuild

Name:           openvpn
BuildRequires:  lzo-devel openssl-devel
URL:            http://openvpn.sourceforge.net/
License:        GNU General Public License (GPL), GNU Library General Public License v. 2.0 and 2.1 (LGPL)
Group:          Productivity/Networking/Security
Autoreqprov:    on
%if 0%{?suse_version}
PreReq:         %insserv_prereq %fillup_prereq
%endif
Version:        2.0.9
Release:        1
Summary:        Create VPN over Wireless and Ethernet Networks using a Tun Device
Source:         http://openvpn.net/release/openvpn-%{version}.tar.gz
Source1:        http://openvpn.net/signatures/openvpn-%{version}.tar.gz.asc
Source2:        openvpn.init
Source3:        openvpn.README.SUSE
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
Create VPN over wireless and ethernet networks using a tun device.



Authors:
--------
    James Yonan <jim@yonan.net>

%prep
%setup

%build
autoreconf -fi
export CFLAGS="$RPM_OPT_FLAGS -Wall"
export LDFLAGS=
# build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
%if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930
CFLAGS="$CFLAGS -fPIE"
LDFLAGS="$LDFLAGS -pie"
%endif
./configure --prefix=/usr --enable-pthread \
	--mandir=%_mandir --with-lzo-headers=%_includedir/lzo
make

%install
rm -rf $RPM_BUILD_ROOT
make DESTDIR=$RPM_BUILD_ROOT install
mkdir -p $RPM_BUILD_ROOT/etc/openvpn
mkdir -p $RPM_BUILD_ROOT/var/run/openvpn
install -D -m 755 $RPM_SOURCE_DIR/openvpn.init $RPM_BUILD_ROOT/etc/init.d/openvpn
ln -sv ../../etc/init.d/openvpn $RPM_BUILD_ROOT/usr/sbin/rcopenvpn
cp -p $RPM_SOURCE_DIR/openvpn.README.SUSE README.SUSE
rm -f easy-rsa/build-key-server.orig

%clean
if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi

%post
%{fillup_and_insserv -f}
%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820

%preun
%stop_on_removal openvpn
%endif

%postun
%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820
%restart_on_update openvpn
%endif
%insserv_cleanup

%files
%defattr(-,root,root)
%doc AUTHORS COPYING COPYRIGHT.GPL ChangeLog INSTALL NEWS PORTS README
%doc README.SUSE
%doc contrib
%doc easy-rsa
%doc management
%doc sample-config-files
%doc sample-keys
%doc sample-scripts
%doc suse
/usr/sbin/openvpn
%doc %{_mandir}/man8/openvpn.8.gz
%config(noreplace) /etc/openvpn/
%config /etc/init.d/openvpn
/usr/sbin/rcopenvpn
%dir /var/run/openvpn

%changelog -n openvpn
* Fri Oct 27 2006 - mt@suse.de
- upstream 2.0.9, Windows related fixes only
  * Windows installer updated with OpenSSL 0.9.7l DLLs to fix
  published vulnerabilities.
  * Fixed TAP-Win32 bug that caused BSOD on Windows Vista
  (Henry Nestler).  The TAP-Win32 driver has now been
  upgraded to version 8.4.
* Wed Sep 27 2006 - poeml@suse.de
- upstream 2.0.8
  * Windows installer updated with OpenSSL 0.9.7k DLLs to fix
  RSA Signature Forgery (CVE-2006-4339).
  * No changes to OpenVPN source code between 2.0.7 and 2.0.8.
* Fri Jun 23 2006 - poeml@suse.de
- upstream 2.0.7, with bug fixes:
  * When deleting routes under Linux, use the route metric
  as a differentiator to ensure that the route teardown
  process only deletes the identical route which was originally
  added via the "route" directive (Roy Marples).
  * Fixed bug where --server directive in --dev tap mode
  claimed that it would support subnets of /30 or less
  but actually would only accept /29 or less.
  * Extend byte counters to 64 bits (M. van Cuijk).
  * Better sanity checking of --server and --server-bridge
  IP pool ranges, so as not to hit the assertion at
  pool.c:119 (2.0.5).
  * Fixed bug where --daemon and --management-query-passwords
  used together would cause OpenVPN to block prior to
  daemonization.
  * Fixed client/server race condition which could occur
  when --auth-retry interact is set and the initially
  provided auth-user-pass credentials are incorrect,
  forcing a username/password re-query.
  * Fixed bug where if --daemon and --management-hold are
  used together, --user or --group options would be ignored.
  * fix for CVE-2006-1629 integrated (disallow "setenv" to be pushed
  to clients from the server)
- build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
* Wed Apr 19 2006 - poeml@suse.de
- security fix (CVE-2006-1629): disallow "setenv" to be pushed to
  clients from the server [#165123]
* Wed Jan 25 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
* Thu Nov 03 2005 - poeml@suse.de
- update to 2.0.5, with two security fixes -- see below. [#132003]
  2005.11.02 -- Version 2.0.5
  * Fixed bug in Linux get_default_gateway function
  introduced in 2.0.4, which would cause redirect-gateway
  on Linux clients to fail.
  * Restored easy-rsa/2.0 tree (backported from 2.1 beta
  series) which accidentally disappeared in
  2.0.2 -> 2.0.4 transition.
  2005.11.01 -- Version 2.0.4
  * Security fix -- Affects non-Windows OpenVPN clients of
  version 2.0 or higher which connect to a malicious or
  compromised server.  A format string vulnerability
  in the foreign_option function in options.c could
  potentially allow a malicious or compromised server
  to execute arbitrary code on the client.  Only
  non-Windows clients are affected.  The vulnerability
  only exists if (a) the client's TLS negotiation with
  the server succeeds, (b) the server is malicious or
  has been compromised such that it is configured to
  push a maliciously crafted options string to the client,
  and (c) the client indicates its willingness to accept
  pushed options from the server by having "pull" or
  "client" in its configuration file (Credit: Vade79).
  CVE-2005-3393
  * Security fix -- Potential DoS vulnerability on the
  server in TCP mode.  If the TCP server accept() call
  returns an error status, the resulting exception handler
  may attempt to indirect through a NULL pointer, causing
  a segfault.  Affects all OpenVPN 2.0 versions.
  CVE-2005-3409
  * Fix attempt of assertion at multi.c:1586 (note that
  this precise line number will vary across different
  versions of OpenVPN).
  * Added ".PHONY: plugin" to Makefile.am to work around
  "make dist" issue.
  * Fixed double fork issue that occurs when --management-hold
  is used.
  * Moved TUN/TAP read/write log messages from --verb 8 to 6.
  * Warn when multiple clients having the same common name or
  username usurp each other when --duplicate-cn is not used.
  * Modified Windows and Linux versions of get_default_gateway
  to return the route with the smallest metric
  if multiple 0.0.0.0/0.0.0.0 entries are present.
  2005.09.25 -- Version 2.0.3-rc1
  * openvpn_plugin_abort_v1 function wasn't being properly
  registered on Windows.
  * Fixed a bug where --mode server --proto tcp-server --cipher none
  operation could cause tunnel packet truncation.
* Tue Aug 30 2005 - poeml@suse.de
- update to 2.0.2 [#106258] relevant changes:
  * Fixed bug where "--proto tcp-server --mode p2p --management
  host port" would cause the management port to not respond until
  the OpenVPN peer connects.
  * Modified pkitool script to be /bin/sh compatible (Johnny Lam).
* Tue Aug 23 2005 - poeml@suse.de
- update to 2.0.1 [#106258]
  * Security Fix -- DoS attack against server when run with "verb 0" and
  without "tls-auth".  If a client connection to the server fails
  certificate verification, the OpenSSL error queue is not properly
  flushed, which can result in another unrelated client instance on the
  server seeing the error and responding to it, resulting in disconnection
  of the unrelated client (CAN-2005-2531).
  * Security Fix -- DoS attack against server by authenticated client.
  This bug presents a potential DoS attack vector against the server
  which can only be initiated by a connected and authenticated client.
  If the client sends a packet which fails to decrypt on the server,
  the OpenSSL error queue is not properly flushed, which can result in
  another unrelated client instance on the server seeing the error and
  responding to it, resulting in disconnection of the unrelated client
  (CAN-2005-2532).
  * Security Fix -- DoS attack against server by authenticated client.
  A malicious client in "dev tap" ethernet bridging mode could
  theoretically flood the server with packets appearing to come from
  hundreds of thousands of different MAC addresses, causing the OpenVPN
  process to deplete system virtual memory as it expands its internal
  routing table.  A --max-routes-per-client directive has been added
  (default=256) to limit the maximum number of routes in OpenVPN's
  internal routing table which can be associated with a given client
  (CAN-2005-2533).
  * Security Fix -- DoS attack against server by authenticated client.
  If two or more client machines try to connect to the server at the
  same time via TCP, using the same client certificate, and when
    --duplicate-cn is not enabled on the server, a race condition can
  crash the server with "Assertion failed at mtcp.c:411"
  (CAN-2005-2534).
  * Fixed server bug where under certain circumstances, the client instance
  object deletion function would try to delete iroutes which had never been
  added in the first place, triggering "Assertion failed at mroute.c:349".
  * Added --auth-retry option to prevent auth errors from being fatal
  on the client side, and to permit username/password requeries in case
  of error.  Also controllable via new "auth-retry" management interface
  command.  See man page for more info.
  * Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
  * Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
  would fail to build.
  * Implement "make check" to perform loopback tests (Matthias Andree).
- drop obsolete patch which fixed finding lzo libraries
* Tue Jun 28 2005 - mrueckert@suse.de
- The previous patch didnt work with lzo1 based distros. Fixed.
* Tue Jun 28 2005 - cthiel@suse.de
- fixed build with lzo2 (added lzo2.diff)
* Thu Jun 23 2005 - ro@suse.de
- build with fPIE/pie
* Thu Jun 02 2005 - hvogel@suse.de
- lzo headers are in a subdirectory now
* Tue Apr 19 2005 - cthiel@suse.de
- update to 2.0
* Thu Feb 17 2005 - poeml@suse.de
- update to 2.0_rc14
- add README.SUSE
* Fri Jan 28 2005 - poeml@suse.de
- update to 2.0_rc10
* Wed Dec 29 2004 - poeml@suse.de
- update to 2.0_rc6
* Wed Dec 29 2004 - poeml@suse.de
- update to 2.0_rc1 (closing #45979)
  IMPORTANT: OpenVPN's default port number is now 1194, based on an
  official port number assignment by IANA.  OpenVPN 2.0-beta16 and
  earlier used 5000 as the default port.
  -> see http://openvpn.net/20notes.html
- remove lzo sources, which come in a separate package since 9.2
* Mon Jul 26 2004 - poeml@suse.de
- update to 1.6_rc4
- bzip2 sources
* Sun Jan 11 2004 - adrian@suse.de
- build as user
* Tue Dec 16 2003 - wengel@suse.de
- update to version 1.5.0
* Sun Sep 07 2003 - poeml@suse.de
- add an init script
- use RPM_OPT_FLAGS
- add /var/run/openvpn directory for pid files
* Thu Jul 31 2003 - wengel@suse.de
- update to new version -> 1.4.2
* Tue May 27 2003 - coolo@suse.de
- use BuildRoot
- package a bit more straightforward
* Mon May 19 2003 - wengel@suse.de
- update to version 1.4.1
* Mon Jan 20 2003 - wengel@suse.de
- initial package