From 52de9bf7fbd2aa588159e601c5467d42ff0270ade9c9d0dabfa94faa7dca5e67 Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Sat, 3 Oct 2009 01:40:21 +0000 Subject: [PATCH] Accepting request 21597 from network Copy from network/openvpn based on submit request 21597 from user mtomaschewski OBS-URL: https://build.opensuse.org/request/show/21597 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=13 --- openvpn.changes | 5 + openvpn.init | 4 +- openvpn.spec | 236 +----------------------------------------------- 3 files changed, 10 insertions(+), 235 deletions(-) diff --git a/openvpn.changes b/openvpn.changes index e6df306..2f412de 100644 --- a/openvpn.changes +++ b/openvpn.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Oct 2 15:14:51 CEST 2009 - mt@suse.de + +- Added network-remotefs to init script dependencies (bnc#522279). + ------------------------------------------------------------------- Wed Jun 10 10:24:06 CEST 2009 - mt@suse.de diff --git a/openvpn.init b/openvpn.init index aba13fc..2a04034 100644 --- a/openvpn.init +++ b/openvpn.init @@ -15,9 +15,9 @@ ### BEGIN INIT INFO # Provides: openvpn # Required-Start: $local_fs $remote_fs $network -# Should-Start: $syslog $time $named +# Should-Start: $syslog $time $named network-remotefs # Required-Stop: $local_fs $remote_fs $network -# Should-Stop: $syslog $time $named +# Should-Stop: $syslog $time $named network-remotefs # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Short-Description: OpenVPN tunnel diff --git a/openvpn.spec b/openvpn.spec index cd32ab9..7d72c9a 100644 --- a/openvpn.spec +++ b/openvpn.spec 
@@ -28,7 +28,7 @@ AutoReqProv: on PreReq: %insserv_prereq %fillup_prereq %endif Version: 2.1.0.18 -Release: 1 +Release: 2 Summary: Full-featured SSL VPN solution using a TUN/TAP Interface Source: http://openvpn.net/release/openvpn-%{upstream_version}.tar.gz Source1: http://openvpn.net/signatures/openvpn-%{upstream_version}.tar.gz.asc @@ -72,7 +72,7 @@ Authors: James Yonan %package down-root-plugin -License: GPL v2 or later; LGPL v2.1 or later +License: GPL v2 or later ; LGPL v2.1 or later Summary: OpenVPN down-root plugin Group: Productivity/Networking/Security AutoReqProv: on @@ -97,7 +97,7 @@ Authors: James Yonan %package auth-pam-plugin -License: GPL v2 or later; LGPL v2.1 or later +License: GPL v2 or later ; LGPL v2.1 or later Summary: OpenVPN auth-pam plugin Group: Productivity/Networking/Security AutoReqProv: on 
@@ -221,233 +221,3 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi %{plugin_libdir}/openvpn-auth-pam.so %changelog -* Wed Jun 10 2009 mt@suse.de -- Updated to openvpn 2.1 [2.1_rc18] series (fate#305289). -- Enabled pkcs11-helper for openSUSE > 10.3 (bnc#487558). -- Adopted spec file and patches, improved init script. -- Disabled installation of easy-rsa for Windows. -* Tue Feb 17 2009 mt@suse.de -- Improved init script to show config name in action messages - and allow to specify a config name in the second argument. -* Mon Dec 01 2008 mt@suse.de -- Removed restart_on_update rpm install hook that may break the - update process, e.g. when openvpn asks for auth data or the - update process is running over the tunnel (bnc#450390). -* Tue Oct 28 2008 mt@suse.de -- Fixed init script to handle pid files correctly (bnc#435421). -* Thu May 29 2008 mt@suse.de -- Added $time $named to Should-Start in the init script to avoid - time related certificate errors and name resolving problems. -- Added iproute2 to BuildRequires to avoid openvpn rely on PATH. -* Mon May 26 2008 mt@suse.de -- Reverted init script changes adding startproc, since they break - user auth query and multiple tunnels (bnc#394360, bnc#394353). -* Thu May 22 2008 mt@suse.de -- Added -lpam to LDFLAGS of openvpn, because linking the openvpn - auth-pam plugin against pam is not sufficient. Many pam modules - that are loaded by pam during the authentication process are not - linked against pam and contain undefined symbols, causing the - authentication to fail (bnc#334773). -- Replaced patch loading plugins from /usr/%%_lib/openvpn/plugin/lib - with -rpath linker flags (bnc#334773). -- Fixed init script to use startproc to return 0 when started twice. -* Tue Feb 19 2008 mt@suse.de -- Fixed spec file to not set pie flags when building plugins -* Thu Jan 17 2008 mt@suse.de -- Bug #334773: Enabled build of down-root and auth-pam plugins, - sub-packaged as openvpn-auth-pam-plugin/down-root-plugin. 
-- Added patch to load plugins from /usr/%%_lib/openvpn/plugin/lib - first, when the plugin name is specified as basename only. -- Added patch adoptiong plugin path informations in openvpn.8. -- Added patch to build plugins with RPM_OPT_FLAGS. -- Fixed init script to use Should-Start/Stop LSB info tags. -- Bug #343106: Enabled iproute2 support / usage -* Mon Jun 04 2007 mt@suse.de -- fixed easy-rsa installation (no exec in doc directory) -- improved spec to use configure directory variables and - cleaned up macro calls in RPM pre/post scripts. -- fixed openvpn binary check in the init script. -* Fri Oct 27 2006 mt@suse.de -- upstream 2.0.9, Windows related fixes only - * Windows installer updated with OpenSSL 0.9.7l DLLs to fix - published vulnerabilities. - * Fixed TAP-Win32 bug that caused BSOD on Windows Vista - (Henry Nestler). The TAP-Win32 driver has now been - upgraded to version 8.4. -* Wed Sep 27 2006 poeml@suse.de -- upstream 2.0.8 - * Windows installer updated with OpenSSL 0.9.7k DLLs to fix - RSA Signature Forgery (CVE-2006-4339). - * No changes to OpenVPN source code between 2.0.7 and 2.0.8. -* Fri Jun 23 2006 poeml@suse.de -- upstream 2.0.7, with bug fixes: - * When deleting routes under Linux, use the route metric - as a differentiator to ensure that the route teardown - process only deletes the identical route which was originally - added via the "route" directive (Roy Marples). - * Fixed bug where --server directive in --dev tap mode - claimed that it would support subnets of /30 or less - but actually would only accept /29 or less. - * Extend byte counters to 64 bits (M. van Cuijk). - * Better sanity checking of --server and --server-bridge - IP pool ranges, so as not to hit the assertion at - pool.c:119 (2.0.5). - * Fixed bug where --daemon and --management-query-passwords - used together would cause OpenVPN to block prior to - daemonization. 
- * Fixed client/server race condition which could occur - when --auth-retry interact is set and the initially - provided auth-user-pass credentials are incorrect, - forcing a username/password re-query. - * Fixed bug where if --daemon and --management-hold are - used together, --user or --group options would be ignored. - * fix for CVE-2006-1629 integrated (disallow "setenv" to be pushed - to clients from the server) -- build with fPIE/pie on SUSE 10.0 or newer, or on any other platform -* Wed Apr 19 2006 poeml@suse.de -- security fix (CVE-2006-1629): disallow "setenv" to be pushed to - clients from the server [#165123] -* Wed Jan 25 2006 mls@suse.de -- converted neededforbuild to BuildRequires -* Thu Nov 03 2005 poeml@suse.de -- update to 2.0.5, with two security fixes -- see below. [#132003] - 2005.11.02 -- Version 2.0.5 - * Fixed bug in Linux get_default_gateway function - introduced in 2.0.4, which would cause redirect-gateway - on Linux clients to fail. - * Restored easy-rsa/2.0 tree (backported from 2.1 beta - series) which accidentally disappeared in - 2.0.2 -> 2.0.4 transition. - 2005.11.01 -- Version 2.0.4 - * Security fix -- Affects non-Windows OpenVPN clients of - version 2.0 or higher which connect to a malicious or - compromised server. A format string vulnerability - in the foreign_option function in options.c could - potentially allow a malicious or compromised server - to execute arbitrary code on the client. Only - non-Windows clients are affected. The vulnerability - only exists if (a) the client's TLS negotiation with - the server succeeds, (b) the server is malicious or - has been compromised such that it is configured to - push a maliciously crafted options string to the client, - and (c) the client indicates its willingness to accept - pushed options from the server by having "pull" or - "client" in its configuration file (Credit: Vade79). - CVE-2005-3393 - * Security fix -- Potential DoS vulnerability on the - server in TCP mode. 
If the TCP server accept() call - returns an error status, the resulting exception handler - may attempt to indirect through a NULL pointer, causing - a segfault. Affects all OpenVPN 2.0 versions. - CVE-2005-3409 - * Fix attempt of assertion at multi.c:1586 (note that - this precise line number will vary across different - versions of OpenVPN). - * Added ".PHONY: plugin" to Makefile.am to work around - "make dist" issue. - * Fixed double fork issue that occurs when --management-hold - is used. - * Moved TUN/TAP read/write log messages from --verb 8 to 6. - * Warn when multiple clients having the same common name or - username usurp each other when --duplicate-cn is not used. - * Modified Windows and Linux versions of get_default_gateway - to return the route with the smallest metric - if multiple 0.0.0.0/0.0.0.0 entries are present. - 2005.09.25 -- Version 2.0.3-rc1 - * openvpn_plugin_abort_v1 function wasn't being properly - registered on Windows. - * Fixed a bug where --mode server --proto tcp-server --cipher none - operation could cause tunnel packet truncation. -* Tue Aug 30 2005 poeml@suse.de -- update to 2.0.2 [#106258] relevant changes: - * Fixed bug where "--proto tcp-server --mode p2p --management - host port" would cause the management port to not respond until - the OpenVPN peer connects. - * Modified pkitool script to be /bin/sh compatible (Johnny Lam). -* Tue Aug 23 2005 poeml@suse.de -- update to 2.0.1 [#106258] - * Security Fix -- DoS attack against server when run with "verb 0" and - without "tls-auth". If a client connection to the server fails - certificate verification, the OpenSSL error queue is not properly - flushed, which can result in another unrelated client instance on the - server seeing the error and responding to it, resulting in disconnection - of the unrelated client (CAN-2005-2531). - * Security Fix -- DoS attack against server by authenticated client. 
- This bug presents a potential DoS attack vector against the server - which can only be initiated by a connected and authenticated client. - If the client sends a packet which fails to decrypt on the server, - the OpenSSL error queue is not properly flushed, which can result in - another unrelated client instance on the server seeing the error and - responding to it, resulting in disconnection of the unrelated client - (CAN-2005-2532). - * Security Fix -- DoS attack against server by authenticated client. - A malicious client in "dev tap" ethernet bridging mode could - theoretically flood the server with packets appearing to come from - hundreds of thousands of different MAC addresses, causing the OpenVPN - process to deplete system virtual memory as it expands its internal - routing table. A --max-routes-per-client directive has been added - (default=256) to limit the maximum number of routes in OpenVPN's - internal routing table which can be associated with a given client - (CAN-2005-2533). - * Security Fix -- DoS attack against server by authenticated client. - If two or more client machines try to connect to the server at the - same time via TCP, using the same client certificate, and when - --duplicate-cn is not enabled on the server, a race condition can - crash the server with "Assertion failed at mtcp.c:411" - (CAN-2005-2534). - * Fixed server bug where under certain circumstances, the client instance - object deletion function would try to delete iroutes which had never been - added in the first place, triggering "Assertion failed at mroute.c:349". - * Added --auth-retry option to prevent auth errors from being fatal - on the client side, and to permit username/password requeries in case - of error. Also controllable via new "auth-retry" management interface - command. See man page for more info. - * Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0 - * Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1' - would fail to build. 
- * Implement "make check" to perform loopback tests (Matthias Andree). -- drop obsolete patch which fixed finding lzo libraries -* Tue Jun 28 2005 mrueckert@suse.de -- The previous patch didnt work with lzo1 based distros. Fixed. -* Tue Jun 28 2005 cthiel@suse.de -- fixed build with lzo2 (added lzo2.diff) -* Thu Jun 23 2005 ro@suse.de -- build with fPIE/pie -* Thu Jun 02 2005 hvogel@suse.de -- lzo headers are in a subdirectory now -* Tue Apr 19 2005 cthiel@suse.de -- update to 2.0 -* Thu Feb 17 2005 poeml@suse.de -- update to 2.0_rc14 -- add README.SUSE -* Fri Jan 28 2005 poeml@suse.de -- update to 2.0_rc10 -* Wed Dec 29 2004 poeml@suse.de -- update to 2.0_rc6 -* Wed Dec 29 2004 poeml@suse.de -- update to 2.0_rc1 (closing #45979) - IMPORTANT: OpenVPN's default port number is now 1194, based on an - official port number assignment by IANA. OpenVPN 2.0-beta16 and - earlier used 5000 as the default port. - -> see http://openvpn.net/20notes.html -- remove lzo sources, which come in a separate package since 9.2 -* Mon Jul 26 2004 poeml@suse.de -- update to 1.6_rc4 -- bzip2 sources -* Sun Jan 11 2004 adrian@suse.de -- build as user -* Tue Dec 16 2003 wengel@suse.de -- update to version 1.5.0 -* Sun Sep 07 2003 poeml@suse.de -- add an init script -- use RPM_OPT_FLAGS -- add /var/run/openvpn directory for pid files -* Thu Jul 31 2003 wengel@suse.de -- update to new version -> 1.4.2 -* Tue May 27 2003 coolo@suse.de -- use BuildRoot -- package a bit more straightforward -* Mon May 19 2003 wengel@suse.de -- update to version 1.4.1 -* Mon Jan 20 2003 wengel@suse.de -- initial package
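Review bot: In the openvpn.init hunk, network-remotefs is added to Should-Start and Should-Stop with nothing in the script saying why it is needed alongside the $remote_fs facility already listed in Required-Start and Required-Stop. The only rationale is the bnc#522279 reference in openvpn.changes. A one-line comment above the INIT INFO block stating the intended ordering would help, since these tags decide when the tunnel comes up and goes down relative to other services. The changes entry could also name the two tags instead of "init script dependencies", so it is clear the dependency is optional (Should-*) and not required.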
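Review bot: The License lines of the down-root-plugin and auth-pam-plugin subpackages (openvpn.spec hunks at -72,7 and -97,7) change only by a space before the semicolon, giving "GPL v2 or later ; LGPL v2.1 or later". That is unrelated to the init-script fix and is not mentioned in openvpn.changes. The licence terms are the same, so either drop the whitespace change from this submission or state that it is automatic tag normalisation, so that a later reader does not have to compare the two strings to confirm nothing about the licence changed.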
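Review bot: The last openvpn.spec hunk (-221,233 +221,3) empties the %changelog section, and the removed text carries the package's security-fix history (CVE-2006-1629, CVE-2005-3393, CVE-2005-3409, CAN-2005-2531 through CAN-2005-2534), yet neither the commit message nor the new openvpn.changes entry says so. Only the top of openvpn.changes is visible in this diff (the Jun 10 2009 entry), so please confirm that file holds every removed entry, in particular the CVE ones, so the record of which package update fixed which issue is not lost. If the changelog is now kept only in openvpn.changes, say that in the commit message, since 230 of the 235 deleted lines come from this hunk.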