commit 37b5e500dd07b9f521a45bf4726fa6b3ddfc01bff60d7fb31cc2a43c7d3ae303 Author: OBS User unknown Date: Mon Jan 15 23:28:38 2007 +0000 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=1 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/openvpn-2.0.9.tar.gz b/openvpn-2.0.9.tar.gz new file mode 100644 index 0000000..5b3b636 --- /dev/null +++ b/openvpn-2.0.9.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:347c551e7c88affc1f4b7a4b715080253c9298dcc512ed29fe8ca5cd26d015d9 +size 669076 diff --git a/openvpn-2.0.9.tar.gz.asc b/openvpn-2.0.9.tar.gz.asc new file mode 100644 index 0000000..4049e70 --- /dev/null +++ b/openvpn-2.0.9.tar.gz.asc 
@@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.2.4 (GNU/Linux) + +iD8DBQBFH7kKHQtJlh+/UfMRAsIdAJ41usSP8OGmeaW+/7osfXhjiRCKIACfSzex +ilPdxBhlGGL833OuyqRUgLY= +=fiJg +-----END PGP SIGNATURE----- diff --git a/openvpn.README.SUSE b/openvpn.README.SUSE new file mode 100644 index 0000000..9b00425 --- /dev/null +++ b/openvpn.README.SUSE @@ -0,0 +1,7 @@ + +Notes about the OpenVPN package + +In a fresh installation, you will find an empty directory /etc/openvpn. +The directory is meant to contain *.conf files -- the openvpn init script +will automatically look for them there, so you can start/stop all tunnels with +"rcopenvpn (start|stop)", as well as start tham at boot time. diff --git a/openvpn.changes b/openvpn.changes new file mode 100644 index 0000000..bc392b1 --- /dev/null +++ b/openvpn.changes 
@@ -0,0 +1,259 @@ +------------------------------------------------------------------- +Fri Oct 27 10:40:59 CEST 2006 - mt@suse.de + +- upstream 2.0.9, Windows related fixes only + * Windows installer updated with OpenSSL 0.9.7l DLLs to fix + published vulnerabilities. + * Fixed TAP-Win32 bug that caused BSOD on Windows Vista + (Henry Nestler). The TAP-Win32 driver has now been + upgraded to version 8.4. + +------------------------------------------------------------------- +Wed Sep 27 14:34:48 CEST 2006 - poeml@suse.de + +- upstream 2.0.8 + * Windows installer updated with OpenSSL 0.9.7k DLLs to fix + RSA Signature Forgery (CVE-2006-4339). + * No changes to OpenVPN source code between 2.0.7 and 2.0.8. + +------------------------------------------------------------------- +Fri Jun 23 11:55:10 CEST 2006 - poeml@suse.de + +- upstream 2.0.7, with bug fixes: +* When deleting routes under Linux, use the route metric + as a differentiator to ensure that the route teardown + process only deletes the identical route which was originally + added via the "route" directive (Roy Marples). +* Fixed bug where --server directive in --dev tap mode + claimed that it would support subnets of /30 or less + but actually would only accept /29 or less. +* Extend byte counters to 64 bits (M. van Cuijk). +* Better sanity checking of --server and --server-bridge + IP pool ranges, so as not to hit the assertion at + pool.c:119 (2.0.5). +* Fixed bug where --daemon and --management-query-passwords + used together would cause OpenVPN to block prior to + daemonization. +* Fixed client/server race condition which could occur + when --auth-retry interact is set and the initially + provided auth-user-pass credentials are incorrect, + forcing a username/password re-query. +* Fixed bug where if --daemon and --management-hold are + used together, --user or --group options would be ignored. 
+* fix for CVE-2006-1629 integrated (disallow "setenv" to be pushed + to clients from the server) +- build with fPIE/pie on SUSE 10.0 or newer, or on any other platform + +------------------------------------------------------------------- +Wed Apr 19 13:10:56 CEST 2006 - poeml@suse.de + +- security fix (CVE-2006-1629): disallow "setenv" to be pushed to + clients from the server [#165123] + +------------------------------------------------------------------- +Wed Jan 25 21:39:08 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Thu Nov 3 15:25:01 CET 2005 - poeml@suse.de + +- update to 2.0.5, with two security fixes -- see below. [#132003] + 2005.11.02 -- Version 2.0.5 + * Fixed bug in Linux get_default_gateway function + introduced in 2.0.4, which would cause redirect-gateway + on Linux clients to fail. + * Restored easy-rsa/2.0 tree (backported from 2.1 beta + series) which accidentally disappeared in + 2.0.2 -> 2.0.4 transition. + 2005.11.01 -- Version 2.0.4 + * Security fix -- Affects non-Windows OpenVPN clients of + version 2.0 or higher which connect to a malicious or + compromised server. A format string vulnerability + in the foreign_option function in options.c could + potentially allow a malicious or compromised server + to execute arbitrary code on the client. Only + non-Windows clients are affected. The vulnerability + only exists if (a) the client's TLS negotiation with + the server succeeds, (b) the server is malicious or + has been compromised such that it is configured to + push a maliciously crafted options string to the client, + and (c) the client indicates its willingness to accept + pushed options from the server by having "pull" or + "client" in its configuration file (Credit: Vade79). + CVE-2005-3393 + * Security fix -- Potential DoS vulnerability on the + server in TCP mode. 
If the TCP server accept() call + returns an error status, the resulting exception handler + may attempt to indirect through a NULL pointer, causing + a segfault. Affects all OpenVPN 2.0 versions. + CVE-2005-3409 + * Fix attempt of assertion at multi.c:1586 (note that + this precise line number will vary across different + versions of OpenVPN). + * Added ".PHONY: plugin" to Makefile.am to work around + "make dist" issue. + * Fixed double fork issue that occurs when --management-hold + is used. + * Moved TUN/TAP read/write log messages from --verb 8 to 6. + * Warn when multiple clients having the same common name or + username usurp each other when --duplicate-cn is not used. + * Modified Windows and Linux versions of get_default_gateway + to return the route with the smallest metric + if multiple 0.0.0.0/0.0.0.0 entries are present. + 2005.09.25 -- Version 2.0.3-rc1 + * openvpn_plugin_abort_v1 function wasn't being properly + registered on Windows. + * Fixed a bug where --mode server --proto tcp-server --cipher none + operation could cause tunnel packet truncation. + +------------------------------------------------------------------- +Tue Aug 30 15:05:08 CEST 2005 - poeml@suse.de + +- update to 2.0.2 [#106258] relevant changes: + * Fixed bug where "--proto tcp-server --mode p2p --management + host port" would cause the management port to not respond until + the OpenVPN peer connects. + * Modified pkitool script to be /bin/sh compatible (Johnny Lam). + +------------------------------------------------------------------- +Tue Aug 23 13:56:27 CEST 2005 - poeml@suse.de + +- update to 2.0.1 [#106258] + * Security Fix -- DoS attack against server when run with "verb 0" and + without "tls-auth". 
If a client connection to the server fails + certificate verification, the OpenSSL error queue is not properly + flushed, which can result in another unrelated client instance on the + server seeing the error and responding to it, resulting in disconnection + of the unrelated client (CAN-2005-2531). + * Security Fix -- DoS attack against server by authenticated client. + This bug presents a potential DoS attack vector against the server + which can only be initiated by a connected and authenticated client. + If the client sends a packet which fails to decrypt on the server, + the OpenSSL error queue is not properly flushed, which can result in + another unrelated client instance on the server seeing the error and + responding to it, resulting in disconnection of the unrelated client + (CAN-2005-2532). + * Security Fix -- DoS attack against server by authenticated client. + A malicious client in "dev tap" ethernet bridging mode could + theoretically flood the server with packets appearing to come from + hundreds of thousands of different MAC addresses, causing the OpenVPN + process to deplete system virtual memory as it expands its internal + routing table. A --max-routes-per-client directive has been added + (default=256) to limit the maximum number of routes in OpenVPN's + internal routing table which can be associated with a given client + (CAN-2005-2533). + * Security Fix -- DoS attack against server by authenticated client. + If two or more client machines try to connect to the server at the + same time via TCP, using the same client certificate, and when + --duplicate-cn is not enabled on the server, a race condition can + crash the server with "Assertion failed at mtcp.c:411" + (CAN-2005-2534). + * Fixed server bug where under certain circumstances, the client instance + object deletion function would try to delete iroutes which had never been + added in the first place, triggering "Assertion failed at mroute.c:349". 
+ * Added --auth-retry option to prevent auth errors from being fatal + on the client side, and to permit username/password requeries in case + of error. Also controllable via new "auth-retry" management interface + command. See man page for more info. + * Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0 + * Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1' + would fail to build. + * Implement "make check" to perform loopback tests (Matthias Andree). +- drop obsolete patch which fixed finding lzo libraries + +------------------------------------------------------------------- +Tue Jun 28 14:27:17 CEST 2005 - mrueckert@suse.de + +- The previous patch didnt work with lzo1 based distros. Fixed. + +------------------------------------------------------------------- +Tue Jun 28 11:25:32 CEST 2005 - cthiel@suse.de + +- fixed build with lzo2 (added lzo2.diff) + +------------------------------------------------------------------- +Thu Jun 23 01:48:38 CEST 2005 - ro@suse.de + +- build with fPIE/pie + +------------------------------------------------------------------- +Thu Jun 2 18:01:18 CEST 2005 - hvogel@suse.de + +- lzo headers are in a subdirectory now + +------------------------------------------------------------------- +Tue Apr 19 10:28:32 CEST 2005 - cthiel@suse.de + +- update to 2.0 + +------------------------------------------------------------------- +Thu Feb 17 21:57:20 CET 2005 - poeml@suse.de + +- update to 2.0_rc14 +- add README.SUSE + +------------------------------------------------------------------- +Fri Jan 28 10:52:55 CET 2005 - poeml@suse.de + +- update to 2.0_rc10 + +------------------------------------------------------------------- +Wed Dec 29 14:10:20 CET 2004 - poeml@suse.de + +- update to 2.0_rc6 + +------------------------------------------------------------------- +Wed Dec 29 10:35:28 CET 2004 - poeml@suse.de + +- update to 2.0_rc1 (closing #45979) + IMPORTANT: OpenVPN's default port number is now 1194, based on an + 
official port number assignment by IANA. OpenVPN 2.0-beta16 and + earlier used 5000 as the default port. + -> see http://openvpn.net/20notes.html +- remove lzo sources, which come in a separate package since 9.2 + +------------------------------------------------------------------- +Mon Jul 26 15:43:00 CEST 2004 - poeml@suse.de + +- update to 1.6_rc4 +- bzip2 sources + +------------------------------------------------------------------- +Sun Jan 11 11:33:35 CET 2004 - adrian@suse.de + +- build as user + +------------------------------------------------------------------- +Tue Dec 16 16:07:29 CET 2003 - wengel@suse.de + +- update to version 1.5.0 + +------------------------------------------------------------------- +Sun Sep 7 18:41:23 CEST 2003 - poeml@suse.de + +- add an init script +- use RPM_OPT_FLAGS +- add /var/run/openvpn directory for pid files + +------------------------------------------------------------------- +Thu Jul 31 14:24:14 CEST 2003 - wengel@suse.de + +- update to new version -> 1.4.2 + +------------------------------------------------------------------- +Tue May 27 10:45:35 CEST 2003 - coolo@suse.de + +- use BuildRoot +- package a bit more straightforward + +------------------------------------------------------------------- +Mon May 19 08:41:42 CEST 2003 - wengel@suse.de + +- update to version 1.4.1 + +------------------------------------------------------------------- +Mon Jan 20 17:05:53 CET 2003 - wengel@suse.de + +- initial package + diff --git a/openvpn.init b/openvpn.init new file mode 100644 index 0000000..7d4b928 --- /dev/null +++ b/openvpn.init 
@@ -0,0 +1,157 @@ +#! /bin/sh +# Copyright (c) 2003 SuSE Linux AG +# +# Author: Peter Poeml +# +# inspired by the init script contributed to the OpenVPN project by +# Douglas Keller +# +# /etc/init.d/openvpn +# and its symbolic link +# /usr/sbin/rcopenvpn +# +### BEGIN INIT INFO +# Provides: openvpn +# Required-Start: $local_fs $remote_fs $network +# X-UnitedLinux-Should-Start: $syslog +# Required-Stop: $local_fs $remote_fs $network +# X-UnitedLinux-Should-Stop: $syslog +# Default-Start: 3 5 +# Default-Stop: 0 1 2 6 +# Short-Description: OpenVPN tunnel +# Description: Start OpenVPN tunnel +### END INIT INFO + + +# test -s /etc/sysconfig/openvpn && \ +# . /etc/sysconfig/openvpn + +DAEMON="OpenVPN" +openvpn=/usr/sbin/openvpn +confdir=/etc/openvpn +piddir=/var/run/openvpn +test -d $piddir || mkdir $piddir + +test -x $openvpn || exit 5 + +# Shell functions sourced from /etc/rc.status: +# rc_check check and set local and overall rc status +# rc_status check and set local and overall rc status +# rc_status -v ditto but be verbose in local rc status +# rc_status -v -r ditto and clear the local rc status +# rc_failed set local and overall rc status to failed +# rc_failed set local and overall rc status to +# rc_reset clear local rc status (overall remains) +# rc_exit exit appropriate to overall rc status +. /etc/rc.status + +# First reset status of this service +rc_reset + +# Return values acc. to LSB for all commands but status: +# 0 - success +# 1 - generic or unspecified error +# 2 - invalid or excess argument(s) +# 3 - unimplemented feature (e.g. "reload") +# 4 - insufficient privilege +# 5 - program is not installed +# 6 - program is not configured +# 7 - program is not running +# +# Note that starting an already running service, stopping +# or restarting a not-running service as well as the restart +# with force-reload (in case signalling is not supported) are +# considered a success. 
+ +shopt -s nullglob +ret=true + +case "$1" in + start) + echo -n "Starting $DAEMON " + + /sbin/modprobe tun &>/dev/null + + for conf in $confdir/*.conf; do + pidfile=$(basename ${conf%%.conf}).pid + $openvpn --daemon \ + --writepid $piddir/$pidfile \ + --config $conf \ + --cd $confdir \ + || ret=false + done + + # Remember status and be verbose + $ret + rc_status -v + ;; + stop) + echo -n "Shutting down $DAEMON " + + ## Stop daemon with killproc(8) and if this fails + ## set echo the echo return value. + + for i in $piddir/*.pid; do + killproc -p $i -TERM $openvpn || ret=false + done + + # Remember status and be verbose + $ret + rc_status -v + ;; + try-restart) + ## Do a restart only if the service was active before. + ## Note: try-restart is now part of LSB (as of 1.9). + ## RH has a similar command named condrestart. + $0 status + if test $? = 0; then + $0 restart + else + rc_reset # Not running is not a failure. + fi + # Remember status and be quiet + rc_status + ;; + restart) + ## Stop the service and regardless of whether it was + ## running or not, start it again. + $0 stop + sleep 3 + $0 start + + # Remember status and be quiet + rc_status + ;; + reload) + for i in $piddir/*.pid; do + killproc -p $i -HUP $openvpn || ret=false + done + rc_status -v + ;; + reopen) + for i in $piddir/*.pid; do + killproc -p $i -USR1 $openvpn || ret=false + done + rc_status -v + ;; + status) + echo -n "Checking for $DAEMON: " + running=false + for i in $piddir/*.pid; do + running=true + killproc -p $i -USR2 $openvpn || { rv=$?; ret=false; } + done + if $running; then + $ret + rc_status -v + echo Status written to /var/log/messages + else + rc_failed 3 + rc_status -v + fi + ;; + *) + echo "Usage: $0 {start|stop|status|try-restart|restart|reload|reopen}" + exit 1 +esac +rc_exit diff --git a/openvpn.spec b/openvpn.spec new file mode 100644 index 0000000..8f98da2 --- /dev/null +++ b/openvpn.spec 
@@ -0,0 +1,285 @@ +# +# spec file for package openvpn (Version 2.0.9) +# +# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. +# This file and all modifications and additions to the pristine +# package are under the same license as the package itself. +# +# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# + +# norootforbuild + +Name: openvpn +BuildRequires: lzo-devel openssl-devel +URL: http://openvpn.sourceforge.net/ +License: GNU General Public License (GPL), GNU Library General Public License v. 2.0 and 2.1 (LGPL) +Group: Productivity/Networking/Security +Autoreqprov: on +%if 0%{?suse_version} +PreReq: %insserv_prereq %fillup_prereq +%endif +Version: 2.0.9 +Release: 1 +Summary: Create VPN over Wireless and Ethernet Networks using a Tun Device +Source: http://openvpn.net/release/openvpn-%{version}.tar.gz +Source1: http://openvpn.net/signatures/openvpn-%{version}.tar.gz.asc +Source2: openvpn.init +Source3: openvpn.README.SUSE +BuildRoot: %{_tmppath}/%{name}-%{version}-build + +%description +Create VPN over wireless and ethernet networks using a tun device. + + + +Authors: +-------- + James Yonan + +%prep +%setup + +%build +autoreconf -fi +export CFLAGS="$RPM_OPT_FLAGS -Wall" +export LDFLAGS= +# build with fPIE/pie on SUSE 10.0 or newer, or on any other platform +%if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930 +CFLAGS="$CFLAGS -fPIE" +LDFLAGS="$LDFLAGS -pie" +%endif +./configure --prefix=/usr --enable-pthread \ + --mandir=%_mandir --with-lzo-headers=%_includedir/lzo +make + +%install +rm -rf $RPM_BUILD_ROOT +make DESTDIR=$RPM_BUILD_ROOT install +mkdir -p $RPM_BUILD_ROOT/etc/openvpn +mkdir -p $RPM_BUILD_ROOT/var/run/openvpn +install -D -m 755 $RPM_SOURCE_DIR/openvpn.init $RPM_BUILD_ROOT/etc/init.d/openvpn +ln -sv ../../etc/init.d/openvpn $RPM_BUILD_ROOT/usr/sbin/rcopenvpn +cp -p $RPM_SOURCE_DIR/openvpn.README.SUSE README.SUSE +rm -f easy-rsa/build-key-server.orig + +%clean +if ! 
test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi + +%post +%{fillup_and_insserv -f} +%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820 + +%preun +%stop_on_removal openvpn +%endif + +%postun +%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820 +%restart_on_update openvpn +%endif +%insserv_cleanup + +%files +%defattr(-,root,root) +%doc AUTHORS COPYING COPYRIGHT.GPL ChangeLog INSTALL NEWS PORTS README +%doc README.SUSE +%doc contrib +%doc easy-rsa +%doc management +%doc sample-config-files +%doc sample-keys +%doc sample-scripts +%doc suse +/usr/sbin/openvpn +%doc %{_mandir}/man8/openvpn.8.gz +%config(noreplace) /etc/openvpn/ +%config /etc/init.d/openvpn +/usr/sbin/rcopenvpn +%dir /var/run/openvpn + +%changelog -n openvpn +* Fri Oct 27 2006 - mt@suse.de +- upstream 2.0.9, Windows related fixes only + * Windows installer updated with OpenSSL 0.9.7l DLLs to fix + published vulnerabilities. + * Fixed TAP-Win32 bug that caused BSOD on Windows Vista + (Henry Nestler). The TAP-Win32 driver has now been + upgraded to version 8.4. +* Wed Sep 27 2006 - poeml@suse.de +- upstream 2.0.8 + * Windows installer updated with OpenSSL 0.9.7k DLLs to fix + RSA Signature Forgery (CVE-2006-4339). + * No changes to OpenVPN source code between 2.0.7 and 2.0.8. +* Fri Jun 23 2006 - poeml@suse.de +- upstream 2.0.7, with bug fixes: + * When deleting routes under Linux, use the route metric + as a differentiator to ensure that the route teardown + process only deletes the identical route which was originally + added via the "route" directive (Roy Marples). + * Fixed bug where --server directive in --dev tap mode + claimed that it would support subnets of /30 or less + but actually would only accept /29 or less. + * Extend byte counters to 64 bits (M. van Cuijk). + * Better sanity checking of --server and --server-bridge + IP pool ranges, so as not to hit the assertion at + pool.c:119 (2.0.5). 
+ * Fixed bug where --daemon and --management-query-passwords + used together would cause OpenVPN to block prior to + daemonization. + * Fixed client/server race condition which could occur + when --auth-retry interact is set and the initially + provided auth-user-pass credentials are incorrect, + forcing a username/password re-query. + * Fixed bug where if --daemon and --management-hold are + used together, --user or --group options would be ignored. + * fix for CVE-2006-1629 integrated (disallow "setenv" to be pushed + to clients from the server) +- build with fPIE/pie on SUSE 10.0 or newer, or on any other platform +* Wed Apr 19 2006 - poeml@suse.de +- security fix (CVE-2006-1629): disallow "setenv" to be pushed to + clients from the server [#165123] +* Wed Jan 25 2006 - mls@suse.de +- converted neededforbuild to BuildRequires +* Thu Nov 03 2005 - poeml@suse.de +- update to 2.0.5, with two security fixes -- see below. [#132003] + 2005.11.02 -- Version 2.0.5 + * Fixed bug in Linux get_default_gateway function + introduced in 2.0.4, which would cause redirect-gateway + on Linux clients to fail. + * Restored easy-rsa/2.0 tree (backported from 2.1 beta + series) which accidentally disappeared in + 2.0.2 -> 2.0.4 transition. + 2005.11.01 -- Version 2.0.4 + * Security fix -- Affects non-Windows OpenVPN clients of + version 2.0 or higher which connect to a malicious or + compromised server. A format string vulnerability + in the foreign_option function in options.c could + potentially allow a malicious or compromised server + to execute arbitrary code on the client. Only + non-Windows clients are affected. 
The vulnerability + only exists if (a) the client's TLS negotiation with + the server succeeds, (b) the server is malicious or + has been compromised such that it is configured to + push a maliciously crafted options string to the client, + and (c) the client indicates its willingness to accept + pushed options from the server by having "pull" or + "client" in its configuration file (Credit: Vade79). + CVE-2005-3393 + * Security fix -- Potential DoS vulnerability on the + server in TCP mode. If the TCP server accept() call + returns an error status, the resulting exception handler + may attempt to indirect through a NULL pointer, causing + a segfault. Affects all OpenVPN 2.0 versions. + CVE-2005-3409 + * Fix attempt of assertion at multi.c:1586 (note that + this precise line number will vary across different + versions of OpenVPN). + * Added ".PHONY: plugin" to Makefile.am to work around + "make dist" issue. + * Fixed double fork issue that occurs when --management-hold + is used. + * Moved TUN/TAP read/write log messages from --verb 8 to 6. + * Warn when multiple clients having the same common name or + username usurp each other when --duplicate-cn is not used. + * Modified Windows and Linux versions of get_default_gateway + to return the route with the smallest metric + if multiple 0.0.0.0/0.0.0.0 entries are present. + 2005.09.25 -- Version 2.0.3-rc1 + * openvpn_plugin_abort_v1 function wasn't being properly + registered on Windows. + * Fixed a bug where --mode server --proto tcp-server --cipher none + operation could cause tunnel packet truncation. +* Tue Aug 30 2005 - poeml@suse.de +- update to 2.0.2 [#106258] relevant changes: + * Fixed bug where "--proto tcp-server --mode p2p --management + host port" would cause the management port to not respond until + the OpenVPN peer connects. + * Modified pkitool script to be /bin/sh compatible (Johnny Lam). 
+* Tue Aug 23 2005 - poeml@suse.de +- update to 2.0.1 [#106258] + * Security Fix -- DoS attack against server when run with "verb 0" and + without "tls-auth". If a client connection to the server fails + certificate verification, the OpenSSL error queue is not properly + flushed, which can result in another unrelated client instance on the + server seeing the error and responding to it, resulting in disconnection + of the unrelated client (CAN-2005-2531). + * Security Fix -- DoS attack against server by authenticated client. + This bug presents a potential DoS attack vector against the server + which can only be initiated by a connected and authenticated client. + If the client sends a packet which fails to decrypt on the server, + the OpenSSL error queue is not properly flushed, which can result in + another unrelated client instance on the server seeing the error and + responding to it, resulting in disconnection of the unrelated client + (CAN-2005-2532). + * Security Fix -- DoS attack against server by authenticated client. + A malicious client in "dev tap" ethernet bridging mode could + theoretically flood the server with packets appearing to come from + hundreds of thousands of different MAC addresses, causing the OpenVPN + process to deplete system virtual memory as it expands its internal + routing table. A --max-routes-per-client directive has been added + (default=256) to limit the maximum number of routes in OpenVPN's + internal routing table which can be associated with a given client + (CAN-2005-2533). + * Security Fix -- DoS attack against server by authenticated client. + If two or more client machines try to connect to the server at the + same time via TCP, using the same client certificate, and when + --duplicate-cn is not enabled on the server, a race condition can + crash the server with "Assertion failed at mtcp.c:411" + (CAN-2005-2534). 
+ * Fixed server bug where under certain circumstances, the client instance + object deletion function would try to delete iroutes which had never been + added in the first place, triggering "Assertion failed at mroute.c:349". + * Added --auth-retry option to prevent auth errors from being fatal + on the client side, and to permit username/password requeries in case + of error. Also controllable via new "auth-retry" management interface + command. See man page for more info. + * Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0 + * Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1' + would fail to build. + * Implement "make check" to perform loopback tests (Matthias Andree). +- drop obsolete patch which fixed finding lzo libraries +* Tue Jun 28 2005 - mrueckert@suse.de +- The previous patch didnt work with lzo1 based distros. Fixed. +* Tue Jun 28 2005 - cthiel@suse.de +- fixed build with lzo2 (added lzo2.diff) +* Thu Jun 23 2005 - ro@suse.de +- build with fPIE/pie +* Thu Jun 02 2005 - hvogel@suse.de +- lzo headers are in a subdirectory now +* Tue Apr 19 2005 - cthiel@suse.de +- update to 2.0 +* Thu Feb 17 2005 - poeml@suse.de +- update to 2.0_rc14 +- add README.SUSE +* Fri Jan 28 2005 - poeml@suse.de +- update to 2.0_rc10 +* Wed Dec 29 2004 - poeml@suse.de +- update to 2.0_rc6 +* Wed Dec 29 2004 - poeml@suse.de +- update to 2.0_rc1 (closing #45979) + IMPORTANT: OpenVPN's default port number is now 1194, based on an + official port number assignment by IANA. OpenVPN 2.0-beta16 and + earlier used 5000 as the default port. 
+ -> see http://openvpn.net/20notes.html +- remove lzo sources, which come in a separate package since 9.2 +* Mon Jul 26 2004 - poeml@suse.de +- update to 1.6_rc4 +- bzip2 sources +* Sun Jan 11 2004 - adrian@suse.de +- build as user +* Tue Dec 16 2003 - wengel@suse.de +- update to version 1.5.0 +* Sun Sep 07 2003 - poeml@suse.de +- add an init script +- use RPM_OPT_FLAGS +- add /var/run/openvpn directory for pid files +* Thu Jul 31 2003 - wengel@suse.de +- update to new version -> 1.4.2 +* Tue May 27 2003 - coolo@suse.de +- use BuildRoot +- package a bit more straightforward +* Mon May 19 2003 - wengel@suse.de +- update to version 1.4.1 +* Mon Jan 20 2003 - wengel@suse.de +- initial package diff --git a/ready b/ready new file mode 100644 index 0000000..473a0f4
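Review bot: In openvpn.README.SUSE, the last added line has a typo: "start tham at boot time" should read "start them at boot time". Since the text promises that the init script picks up every *.conf file in /etc/openvpn, it would also help to say that "rcopenvpn start" launches one openvpn process per file found there, which is what the start branch of openvpn.init does.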
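Review bot: In openvpn.changes, the bullets of the "upstream 2.0.7, with bug fixes:" entry start at column 0 ("* When deleting routes under Linux, ..."), while every other entry indents its upstream bullets beneath the "- " item. The %changelog copy in openvpn.spec already indents the same bullets, so the .changes entry should match it. Separately, the 2.0.1 entry cites its four security fixes as CAN-2005-2531 to CAN-2005-2534 while later entries use the CVE- prefix; using a single prefix throughout makes the file easier to search when auditing which fixes a given build carries.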
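Review bot: In openvpn.init, the reload and reopen branches lose killproc failures: each loop runs "killproc -p $i -HUP $openvpn || ret=false" (or -USR1), but unlike the start and stop branches they never evaluate "$ret" before "rc_status -v", so rc_status only sees the exit status of the loop, which is 0 once "ret=false" has run. Add a "$ret" line before "rc_status -v" in both branches. Two smaller points in the same hunk: the script is declared as "#! /bin/sh" but relies on "shopt -s nullglob" and "&>/dev/null", which are bash features, so either change the interpreter line to bash or drop those constructs; and "$conf", "$piddir/$pidfile" and "$i" are expanded unquoted, so a configuration file name containing whitespace would be split into several arguments to openvpn. The "rv=$?" assignment in the status branch is never read and can go.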
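Review bot: In openvpn.spec, the detached signature is listed as Source1 (openvpn-%{version}.tar.gz.asc) but %prep consists of "%setup" only, so nothing in the build checks the tarball against that signature. Consider shipping the upstream signing key as an additional source and running a "gpg --verify" of Source1 against Source0 in %prep, so that a replaced tarball fails the build instead of being packaged. A second point in the scriptlets: the "%if ... > 820" opened under %post is closed by the "%endif" under %preun, so the %preun section header itself sits inside the conditional; keeping the header outside and wrapping only "%stop_on_removal openvpn", as %postun does with "%restart_on_update openvpn", would be easier to follow. Also note that "%doc sample-keys" installs upstream's sample key material with the documentation; README.SUSE would be a good place to state that those keys are for testing only.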