diff --git a/openvpn-2.3.x-fixed-multiple-low-severity-issues.patch b/openvpn-2.3.x-fixed-multiple-low-severity-issues.patch index 5d2a302..04ab6d3 100644 --- a/openvpn-2.3.x-fixed-multiple-low-severity-issues.patch +++ b/openvpn-2.3.x-fixed-multiple-low-severity-issues.patch @@ -1,8 +1,8 @@ diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c -index 09659aa..b35d884 100644 +index ff0f9a7..fb27b36 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c -@@ -119,7 +119,7 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work, +@@ -118,7 +118,7 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work, dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc)); /* Buffer overflow check */ @@ -11,7 +11,7 @@ index 09659aa..b35d884 100644 { msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d", -@@ -238,7 +238,7 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work, +@@ -237,7 +237,7 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work, ASSERT(cipher_ctx_reset(ctx->cipher, iv_buf)); /* Buffer overflow check */ @@ -20,7 +20,7 @@ index 09659aa..b35d884 100644 { msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d cbs=%d", buf->capacity, -@@ -379,7 +379,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work, +@@ -378,7 +378,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work, const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher); uint8_t *tag_ptr = NULL; int tag_size = 0; @@ -29,7 +29,7 @@ index 09659aa..b35d884 100644 struct gc_arena gc; gc_init(&gc); -@@ -456,7 +456,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work, +@@ -455,7 +455,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work, dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 0, &gc)); /* Buffer overflow check (should never fail) */ 
@@ -38,7 +38,7 @@ index 09659aa..b35d884 100644 { CRYPT_ERROR("potential buffer overflow"); } -@@ -602,7 +602,7 @@ openvpn_decrypt_v1(struct buffer *buf, struct buffer work, +@@ -601,7 +601,7 @@ openvpn_decrypt_v1(struct buffer *buf, struct buffer work, } /* Buffer overflow check (should never happen) */ @@ -48,10 +48,10 @@ index 09659aa..b35d884 100644 CRYPT_ERROR("potential buffer overflow"); } diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h -index f8ddbc8..7706b02 100644 +index 60a2812..c191695 100644 --- a/src/openvpn/crypto_openssl.h +++ b/src/openvpn/crypto_openssl.h -@@ -53,6 +53,9 @@ typedef HMAC_CTX hmac_ctx_t; +@@ -52,6 +52,9 @@ typedef HMAC_CTX hmac_ctx_t; /** Maximum length of an IV */ #define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH @@ -62,10 +62,10 @@ index f8ddbc8..7706b02 100644 #define OPENVPN_MODE_CBC EVP_CIPH_CBC_MODE diff --git a/src/openvpn/init.c b/src/openvpn/init.c -index 66126ef..b8d4a8c 100644 +index 0652ef4..9fa3352 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c -@@ -3052,8 +3052,8 @@ init_context_buffers(const struct frame *frame) +@@ -3067,8 +3067,8 @@ init_context_buffers(const struct frame *frame) b->aux_buf = alloc_buf(BUF_SIZE(frame)); #ifdef ENABLE_CRYPTO @@ -77,10 +77,10 @@ index 66126ef..b8d4a8c 100644 #ifdef USE_COMP diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c -index b0ed327..0ad0385 100644 +index 7a737ea..592bd97 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c -@@ -74,6 +74,9 @@ recv_line(socket_descriptor_t sd, +@@ -73,6 +73,9 @@ recv_line(socket_descriptor_t sd, struct buffer la; int lastc = 0; @@ -90,7 +90,7 @@ index b0ed327..0ad0385 100644 CLEAR(la); if (lookahead) { -@@ -312,11 +315,11 @@ get_proxy_authenticate(socket_descriptor_t sd, +@@ -311,11 +314,11 @@ get_proxy_authenticate(socket_descriptor_t sd, struct gc_arena *gc, volatile int *signal_received) { 
@@ -102,8 +102,8 @@ index b0ed327..0ad0385 100644 - if (!recv_line(sd, buf, sizeof(buf), timeout, true, NULL, signal_received)) + if (!recv_line(sd, buf, sizeof(buf) - 1, timeout, true, NULL, signal_received)) { + free(*data); *data = NULL; - return HTTP_AUTH_NONE; @@ -631,9 +634,9 @@ establish_http_proxy_passthru(struct http_proxy_info *p, volatile int *signal_received) { @@ -147,7 +147,7 @@ index b0ed327..0ad0385 100644 { goto error; } -@@ -952,7 +958,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p, +@@ -959,7 +965,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p, } /* receive reply from proxy */ @@ -158,10 +158,10 @@ index b0ed327..0ad0385 100644 goto error; } diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c -index 7d3dd60..334c47e 100644 +index 4e7e3f9..93ea889 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c -@@ -1163,6 +1163,9 @@ socket_listen_accept(socket_descriptor_t sd, +@@ -1162,6 +1162,9 @@ socket_listen_accept(socket_descriptor_t sd, /* struct openvpn_sockaddr *remote = &act->dest; */ struct openvpn_sockaddr remote_verify = act->dest; socket_descriptor_t new_sd = SOCKET_UNDEFINED; @@ -171,7 +171,7 @@ index 7d3dd60..334c47e 100644 CLEAR(*act); socket_do_listen(sd, local, do_listen, true); -@@ -1315,6 +1318,9 @@ openvpn_connect(socket_descriptor_t sd, +@@ -1314,6 +1317,9 @@ openvpn_connect(socket_descriptor_t sd, { int status = 0; @@ -182,10 +182,10 @@ index 7d3dd60..334c47e 100644 protect_fd_nonlocal(sd, remote); #endif diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c -index b50cac3..79632a8 100644 +index 92747ec..f8e02a4 100644 --- a/src/openvpn/socks.c +++ b/src/openvpn/socks.c -@@ -99,13 +99,16 @@ socks_username_password_auth(struct socks_proxy_info *p, +@@ -98,13 +98,16 @@ socks_username_password_auth(struct socks_proxy_info *p, socket_descriptor_t sd, volatile int *signal_received) { 
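Review bot: The get_proxy_authenticate hunk of this rebased patch now carries what looks like upstream's `free(*data); *data = NULL;` in its context right next to the patch's own `sizeof(buf) - 1` change, which is a sign that 2.4.3 reworked the same proxy code this patch fixes (this commit's changelog lists "Fix 2 memory leaks in proxy authentication routine", "Fix a null-pointer dereference in establish_http_proxy_passthru()" and "Prevent two kinds of stack buffer OOB reads"). The outer diff only re-offsets the proxy.c and socks.c hunks, so it is worth confirming each remaining hunk is still needed rather than a partial duplicate of an upstream fix, since a double-applied bound such as `sizeof(buf) - 1` can silently shrink a buffer twice. A one-line header in the patch naming the upstream commits the surviving hunks correspond to would make the next rebase safer. The inner get_proxy_authenticate body continues outside this hunk.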
@@ -204,7 +204,7 @@ index b50cac3..79632a8 100644 creds.defined = 0; if (!get_user_pass(&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT)) { -@@ -194,7 +197,7 @@ socks_handshake(struct socks_proxy_info *p, +@@ -193,7 +196,7 @@ socks_handshake(struct socks_proxy_info *p, socket_descriptor_t sd, volatile int *signal_received) { @@ -213,7 +213,7 @@ index b50cac3..79632a8 100644 int len = 0; const int timeout_sec = 5; ssize_t size; -@@ -206,6 +209,9 @@ socks_handshake(struct socks_proxy_info *p, +@@ -205,6 +208,9 @@ socks_handshake(struct socks_proxy_info *p, method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */ } @@ -223,7 +223,7 @@ index b50cac3..79632a8 100644 size = send(sd, method_sel, sizeof(method_sel), MSG_NOSIGNAL); if (size != sizeof(method_sel)) { -@@ -313,9 +319,12 @@ recv_socks_reply(socket_descriptor_t sd, +@@ -312,9 +318,12 @@ recv_socks_reply(socket_descriptor_t sd, char atyp = '\0'; int alen = 0; int len = 0; @@ -237,7 +237,7 @@ index b50cac3..79632a8 100644 if (addr != NULL) { addr->addr.in4.sin_family = AF_INET; -@@ -396,7 +405,7 @@ recv_socks_reply(socket_descriptor_t sd, +@@ -395,7 +404,7 @@ recv_socks_reply(socket_descriptor_t sd, } /* store char in buffer */ @@ -246,7 +246,7 @@ index b50cac3..79632a8 100644 { buf[len] = c; } -@@ -448,7 +457,7 @@ establish_socks_proxy_passthru(struct socks_proxy_info *p, +@@ -447,7 +456,7 @@ establish_socks_proxy_passthru(struct socks_proxy_info *p, const char *servname, /* openvpn server port */ volatile int *signal_received) { diff --git a/openvpn-2.4.2.tar.xz b/openvpn-2.4.2.tar.xz deleted file mode 100644 index 751844c..0000000 --- a/openvpn-2.4.2.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:df5c4f384b7df6b08a2f6fa8a84b9fd382baf59c2cef1836f82e2a7f62f1bff9 -size 918448 diff --git a/openvpn-2.4.2.tar.xz.asc b/openvpn-2.4.2.tar.xz.asc deleted file mode 100644 index 4a0a2b3..0000000 --- a/openvpn-2.4.2.tar.xz.asc +++ /dev/null 
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQEcBAABAgAGBQJZFE4hAAoJEClYTZ9AhkV454EIAMI6GwqVrxgO+XewvCFWMrXv
-GuVpFx8w4DVoBN6Kc6bLrcP1R4m04SCYrsey88ahDP5113Z4QlGkuVo3GSKSqFtS
-ZvO0r9c37VnSUpIp8yD1F/F/K9np1mvywyF8/1cHDFoIMwEe5TNti3Fvo0TaFO7k
-rLnNdcTILWveqTQBP4Hhma9Hl0MRLOXY9CPcwKBhYZqh8UBjlmbnAyOPXD9hQe/q
-QP96ZCl6sClvPyBTfGw8q0bxsdWjTJQjZnioO61xkR4JyQr7dpOLr2gCwnL1l9U6
-feV9EyjHQxX9lbr+SvfuDOWMZXAAqMfx0Ltz7oopB3DTAtiN9TAWQn5v7kSxwxc=
-=Wkw4
------END PGP SIGNATURE-----
diff --git a/openvpn-2.4.3.tar.xz b/openvpn-2.4.3.tar.xz
new file mode 100644
index 0000000..9b0cb20
--- /dev/null
+++ b/openvpn-2.4.3.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:15e15fc97f189b52aee7c90ec8355aa77469c773125110b4c2f089abecde36fb
+size 938440
diff --git a/openvpn-2.4.3.tar.xz.asc b/openvpn-2.4.3.tar.xz.asc
new file mode 100644
index 0000000..869c53e
--- /dev/null
+++ b/openvpn-2.4.3.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAABAgAGBQJZSkg4AAoJENcq80SMwrA0XBwQAKoiJYeq99LnxrXrxDNVyGTr
+r8hFA7zo5Py3ZLelliKqVldBVeX6kkfrJAD5Immwt35PzffzSfVjUCd8mTUCoTdK
+nOuxVRsIfccb2B9yF25HmKPk7tXYfOg7QCCPK8Za8QJxLV85U9h0amTa5veRC4wm
+xQ4TRSk3yQRRKarOySpAJU7ue59LJ3jVBbuiNU0i6xGTzykrnqrli6pAzvFuTqfi
+DOIO8lwMFxwyDXonlX2faglfWanjVSv8nIwmP7EzefhTUkT9EU+7aoA1Lluh2HR6
+DmqOxh0x2DCR+pv37PHgQ0LhBJ2IVRp5sKskzUqkupV3S5dqj8OVFGly6+4D5aoO
+mTd9ZtVK1GAM/yw7QKO+jguSxRn/usIgBmxFcVcLZESycTCSS2iqtdQfSp/PtcGM
+0pQfNsyOm6vutlYFaUQqeGYIlqnlBEDeJr7zI9TdQoJ12DmeYyWABQ4MswnEWOGa
+LwD1PeKLNLddXiSXI1b4b/9TDmSiYw2MH9wDbMvKep+1IQhoh1Zubtv+DbcXXXCR
+cKWkDcTDzGoE55yHAPiP5VCZJvwTWEUA6z9hW38vVY2wauHMNXTeNcVGeTggq+YJ
+NfVv5Np7UP2BbSOPAspGsVlV5sekHvl1YAXuA5Y6hyixt1+KxZdJfFbqsU+fYm1n
+B1yC9E8sA2QK4kahvDj/
+=GwRO
+-----END PGP SIGNATURE-----
diff --git a/openvpn-fips140-2.3.2.patch b/openvpn-fips140-2.3.2.patch
index 02667b8..7b6d4d5 100644
--- a/openvpn-fips140-2.3.2.patch
+++ b/openvpn-fips140-2.3.2.patch
@@ -1,25 +1,40 @@ +From a33c0d811ad976561e5cb5bfc8431c1a286e796b Mon Sep 17 00:00:00 2001 +From: Nirmoy Das +Date: Fri, 23 Jun 2017 11:00:08 +0200 +Subject: [PATCH] fips-140 + +Signed-off-by: Nirmoy Das +--- + src/openvpn/crypto.c | 2 +- + src/openvpn/crypto_backend.h | 3 ++- + src/openvpn/crypto_openssl.c | 6 +++++- + src/openvpn/ntlm.c | 2 +- + src/openvpn/options.c | 4 ++++ + src/openvpn/ssl.c | 4 ++-- + 6 files changed, 15 insertions(+), 6 deletions(-) + diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c -index 4b54279..09659aa 100644 +index 5f482d0..ff0f9a7 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c -@@ -877,7 +877,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key, +@@ -876,7 +876,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key, if (kt->digest && kt->hmac_length > 0) { - ALLOC_OBJ(ctx->hmac, hmac_ctx_t); + ctx->hmac = hmac_ctx_new(); - hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest); + hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0); msg(D_HANDSHAKE, "%s: Using %d bit message hash '%s' for HMAC authentication", diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h -index 2c79baa..81848c9 100644 +index b7f519b..2911248 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h -@@ -557,10 +557,11 @@ void md_ctx_final(md_ctx_t *ctx, uint8_t *dst); +@@ -604,10 +604,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx); * @param key The key to use for the HMAC * @param key_len The key length to use * @param kt Static message digest parameters -+ * @param prf_use Intended use for PRF in TLS protocol ++ * @param prf_use Intended use for PRF in TLS protocol * */ void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length, @@ -29,10 +44,10 @@ index 2c79baa..81848c9 100644 /* * Free the given HMAC context. diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c -index 881a2d1..deb41c7 100644 +index a55e65c..79f5530 100644 
--- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c -@@ -891,13 +891,17 @@ md_ctx_final(EVP_MD_CTX *ctx, uint8_t *dst) +@@ -926,11 +926,15 @@ hmac_ctx_free(HMAC_CTX *ctx) void hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, @@ -41,31 +56,29 @@ index 881a2d1..deb41c7 100644 { ASSERT(NULL != kt && NULL != ctx); - CLEAR(*ctx); - HMAC_CTX_init(ctx); + /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not -+ * to be used anywhere else */ ++ * * to be used anywhere else */ + if(kt == EVP_md5() && prf_use) + HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); HMAC_Init_ex(ctx, key, key_len, kt, NULL); /* make sure we used a big enough key */ diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c -index 0c43681..c3d5613 100644 +index 0b1163e..93283bc 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c -@@ -89,7 +89,7 @@ gen_hmac_md5(const char *data, int data_len, const char *key, int key_len,char * - hmac_ctx_t hmac_ctx; - CLEAR(hmac_ctx); +@@ -87,7 +87,7 @@ gen_hmac_md5(const char *data, int data_len, const char *key, int key_len,char * + const md_kt_t *md5_kt = md_kt_get("MD5"); + hmac_ctx_t *hmac_ctx = hmac_ctx_new(); -- hmac_ctx_init(&hmac_ctx, key, key_len, md5_kt); -+ hmac_ctx_init(&hmac_ctx, key, key_len, md5_kt, 0); - hmac_ctx_update(&hmac_ctx, (const unsigned char *)data, data_len); - hmac_ctx_final(&hmac_ctx, (unsigned char *)result); - hmac_ctx_cleanup(&hmac_ctx); +- hmac_ctx_init(hmac_ctx, key, key_len, md5_kt); ++ hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0); + hmac_ctx_update(hmac_ctx, (const unsigned char *)data, data_len); + hmac_ctx_final(hmac_ctx, (unsigned char *)result); + hmac_ctx_cleanup(hmac_ctx); diff --git a/src/openvpn/options.c b/src/openvpn/options.c -index 9fef394..6b52dec 100644 +index fef5e90..33b6976 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -850,6 +850,10 @@ init_options(struct options *o, const bool init_gc) 
@@ -80,17 +93,20 @@ index 9fef394..6b52dec 100644 o->ncp_enabled = true; #else diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c -index 51c7b95..2f89df7 100644 +index 15cd94a..21f50f1 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c -@@ -1626,8 +1626,8 @@ tls1_P_hash(const md_kt_t *md_kt, +@@ -1635,8 +1635,8 @@ tls1_P_hash(const md_kt_t *md_kt, chunk = md_kt_size(md_kt); A1_len = md_kt_size(md_kt); -- hmac_ctx_init(&ctx, sec, sec_len, md_kt); -- hmac_ctx_init(&ctx_tmp, sec, sec_len, md_kt); -+ hmac_ctx_init(&ctx, sec, sec_len, md_kt, 1); -+ hmac_ctx_init(&ctx_tmp, sec, sec_len, md_kt, 1); +- hmac_ctx_init(ctx, sec, sec_len, md_kt); +- hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt); ++ hmac_ctx_init(ctx, sec, sec_len, md_kt, 1); ++ hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1); - hmac_ctx_update(&ctx,seed,seed_len); - hmac_ctx_final(&ctx, A1); + hmac_ctx_update(ctx,seed,seed_len); + hmac_ctx_final(ctx, A1); +-- +2.13.1 + diff --git a/openvpn.changes b/openvpn.changes index ed5a43a..2605220 100644 --- a/openvpn.changes +++ b/openvpn.changes 
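Review bot: The refreshed comment line in the crypto_openssl.c part of this patch now reads `+ * * to be used anywhere else */` — the rebase picked up a stray second asterisk that the replaced line `+ * to be used anywhere else */` did not have, so the inner patch should go back to `+ * to be used anywhere else */`. The `@param prf_use` line in crypto_backend.h is rewritten with no visible change; while it is being touched, document the contract the code actually enforces, e.g. `@param prf_use Non-zero only when this HMAC implements the TLS PRF; that is the sole use for which MD5 is permitted under FIPS 140-2`, because `HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)` is applied exactly when `kt == EVP_md5() && prf_use`, and the only callers passing 1 are the two `tls1_P_hash` calls in ssl.c while ntlm.c passes 0. The diffstat lists six files and no mbedTLS backend, so if this package were ever built against mbedTLS its `hmac_ctx_init` would no longer match the changed prototype — a line in the patch header saying the patch is OpenSSL-only would make that explicit. This hunk begins at the `@@ -1,25 +1,40 @@` header two lines above.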
@@ -1,3 +1,53 @@ +------------------------------------------------------------------- +Fri Aug 11 13:43:39 UTC 2017 - sebix+novell.com@sebix.at + +- Do not package empty /usr/lib64/tmpfiles.d + +------------------------------------------------------------------- +Fri Jun 23 11:47:38 CEST 2017 - ndas@suse.de + +- Update to 2.4.3 (bsc#1045489) + - Ignore auth-nocache for auth-user-pass if auth-token is pushed + - crypto: Enable SHA256 fingerprint checking in --verify-hash + - copyright: Update GPLv2 license texts + - auth-token with auth-nocache fix broke --disable-crypto builds + - OpenSSL: don't use direct access to the internal of X509 + - OpenSSL: don't use direct access to the internal of EVP_PKEY + - OpenSSL: don't use direct access to the internal of RSA + - OpenSSL: don't use direct access to the internal of DSA + - OpenSSL: force meth->name as non-const when we free() it + - OpenSSL: don't use direct access to the internal of EVP_MD_CTX + - OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX + - OpenSSL: don't use direct access to the internal of HMAC_CTX + - Fix NCP behaviour on TLS reconnect. + - Remove erroneous limitation on max number of args for --plugin + - Fix edge case with clients failing to set up cipher on empty PUSH_REPLY. + - Fix potential 1-byte overread in TCP option parsing. + - Fix remotely-triggerable ASSERT() on malformed IPv6 packet. + - Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst) + - refactor my_strupr + - Fix 2 memory leaks in proxy authentication routine + - Fix memory leak in add_option() for option 'connection' + - Ensure option array p[] is always NULL-terminated + - Fix a null-pointer dereference in establish_http_proxy_passthru() + - Prevent two kinds of stack buffer OOB reads and a crash for invalid input data + - Fix an unaligned access on OpenBSD/sparc64 + - Missing include for socket-flags TCP_NODELAY on OpenBSD + - Make openvpn-plugin.h self-contained again. 
+ - Pass correct buffer size to GetModuleFileNameW() + - Log the negotiated (NCP) cipher + - Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c) + - Skip tls-crypt unit tests if required crypto mode not supported + - openssl: fix overflow check for long --tls-cipher option + - Add a DSA test key/cert pair to sample-keys + - Fix mbedtls fingerprint calculation + - mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522) + - mbedtls: require C-string compatible types for --x509-username-field + - Fix remote-triggerable memory leaks (CVE-2017-7521) + - Restrict --x509-alt-username extension types + - Fix potential double-free in --x509-alt-username (CVE-2017-7521) + - Fix gateway detection with OpenBSD routing domains + ------------------------------------------------------------------- Wed Jun 14 12:05:14 CEST 2017 - ndas@suse.de @@ -6,7 +56,7 @@ Wed Jun 14 12:05:14 CEST 2017 - ndas@suse.de ------------------------------------------------------------------- Tue Jun 6 14:59:29 CEST 2017 - ndas@suse.de -- Update tp 2.4.2 +- Update to 2.4.2 - auth-token: Ensure tokens are always wiped on de-auth - Make --cipher/--auth none more explicit on the risks - Use SHA256 for the internal digest, instead of MD5 diff --git a/openvpn.keyring b/openvpn.keyring index f3a516c..3fcfd4b 100644 --- a/openvpn.keyring +++ b/openvpn.keyring 
@@ -1,41 +1,109 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1 -mQENBFilZHYBCADGVuvyV9yg2GW7bslnPylaa9cxb3IXmb0qC7hUJueGnz0vLdit -/fPPPfsI3/hgcQYK1Y8cP5p2Pq+CZL0TVQWBEu2naH2unwxtfNm1EJcWDsky9DzW -CZQrcZ/v/coaV4UqMTVzGQaxQOzzeaP5nRgdX95dVKqXqsG8wKoIJmBuILAqkOPi -4EG9NQt2Lbqaiszo3LdsqyeGYK2yc745xBX4UDgIN7XTrXcQDyUOb4dsJynbM+Z9 -8NMQxdA5q0s6BwWSA1xK/gKUCzfF7D1fwWuO2MoedHveB45rOMSFlfVUgr7fa1CR -zCe7lccu0APfgXrTnNWwWMVoQMO8HIyk2iGnABEBAAG0JVNhbXVsaSBTZXBww6Ru -ZW4gPHNhbXVsaUBvcGVudnBuLm5ldD6JATgEEwECACIFAlilZtwCGwMGCwkIBwMC -BhUIAgkKCwQWAgMBAh4BAheAAAoJEClYTZ9AhkV46tEH/Aot7SnpcLHpEkkCX7Jm -ERrWuqIwYJp7fQlbOPAVZG1+iC/3KlhYxHmH1/Dj6rP3LEEfWpCQSHSbBFkzPtZ6 -AGnEfaxovXjso/tgnAAjYnxy9R0+1t0g5T6anXzCAjl3+mOssjzWBICBDZaFW9Rd -R47vCA92Fp9kAy3N+AMOv1HfTabaPo6p8HbaBSUQtgdOrfoBSXaFzaPSp8uwonQW -xRvpG91XtDrEoQio13460025ww+sZe5mIH4c7xhKBEZPswO2xnFszcFp3u12Glbj -eloAn8oxNycEuw11DfsHf2ctlbQCOLlJJxh2MND5SyL0SjCWMqO7v2c8UUUe4igS -xeuIRgQQEQIABgUCWKVo6wAKCRDCnZftGY0ioxDUAJ45kbXxCH3hiUexMvlJzvgN -mZmpyACg0UKbcmHUiFhnhyjtTTmAS5TjB8G0LFNhbXVsaSBTZXBww6RuZW4gPHNh -bXVsaS5zZXBwYW5lbkBnbWFpbC5jb20+iQE4BBMBAgAiBQJYpWR2AhsDBgsJCAcD -AgYVCAIJCgsEFgIDAQIeAQIXgAAKCRApWE2fQIZFeLAeB/9lGhVfON8TR6o6+lbm -GslU2xqV3PQ3hVuAlEttxpP4hCTKU0PwLLb7gtc0UF642qyB7ho2RtU+bg1tiq5z -R93Ka92Aex4yJDI4viEJ04MTX2WLRv6ogGTRrytIqmYGbYHTFXlnMnQD7Tf+O4sv -8tJj5gguB/zT8MXQGqU6zq9CF6b3XXdPSITkC7df/CU425HI4V5HvluC/4GrzFZI -za4Hv/d8G1tXzHXDqoLIBdS44g6GRdXak3PfROKsuk7sG/MmtfbfUPnyBI+yaGQk -jhlj3BRY0b1dg7T5SiZ6NoMXFH9zKEh7KnG8CaoqiNWDSp2sazy8kbZR5HUp2jOt -yXmgiEYEEBECAAYFAlilaOsACgkQwp2X7RmNIqOStQCePGpvkvmpISX4fR+lGAlt -VtWf3XgAmwQTECYXlq3NMdefzLxA5dnxstlEuQENBFilZHYBCADEe46V63aYL+VL -nZbmBz78KA0fOb5qopFQsOp79FdCQevGXa6JtdibaOLhWUiaMNgkGXma0rSzv/yc -kDX310JSSrNvbXtbn29MdmCZhWum3lT0bhHltF2w23ha913AEneUq1TAESZz74zJ -wGtoej7f2H0e3qjOKtwIzItnHRQSHXFRZUh1IRbZAqXQKqRRWiYVLG3pgF1iC9gA -jLcihK9P89G8jUmB8Ko+9Guw6JszKN+l5SVuK+ttrKCRi8hrkOIiazQUL4gu9PZs -aGPxNdwnzKGHGZKT0WglXavZFMWHunb6I9/CrCK3ekyHWAvYF7IY95r4SH+CtKqj 
-QoW8fOeVABEBAAGJAR8EGAECAAkFAlilZHYCGwwACgkQKVhNn0CGRXiO1QgAh3/I -EELh+pTiII5IiolHXEKEmgJ6WUU4RzM26Pfv3yMQKqUKBeEvKc21ZWmMKzPWXOE8 -1np7DVXcp0ayiXrfGheGbXSpFP5WGlquYdYjVegBgRJ+v/r/QR+Oy2kbq0lsWuNz -Eia08fEHr7PM7mct0d1rFVuSS1m+1YOZNN8e/eSox84HvboSq6xk+3IC1NGXXdUQ -qObWceUyU0KmmBFMV86pUgI/YbA2uMxkFK8XGsOqMgTBdBWHTTcSOfmPsu/04zDl -MuQ+GC2WcUHoTtxytA432TzOixF5wfunqTzXeZxAybQPkETmAFgHT0BmUVShwPQ0 -XuwT7RpGDZ6jBfphYQ== -=FKLE +mQINBFicXUkBEAC9j2L+kJxqetXfslRL/UOqZUNpfNGUjpP2yb+j9UYdZbS3dq67 +i0oYINqKRO4fZEg0VLpW611fTUL3qhKADmSlrktY8p26T79I/TYAUuwlijTFKUVw +3RGpMsfuldnk007uhx7Go5Ss6y7fPzwWxhvwuRhNdh8I+vswrsBMp08dQ36sIjnv +5QQ1MekBiIiOnMwQBgUUSG7rsbGtrIlW0mlScO3fOAI2CtT2J4s3uGnktKsGSuoe +s3qmRVrKceLygEJE9nB3vV7JhCfQWR97HCGrORcq6lBzi4dC0l9Mp28npQ/mcEtg +B2oKA4Gs8qyhhhVLC6lBF38z9gfoLVqA+d9dY1l33atTyNfvA6swiA9hjklAzL3P +zUqabmRzKalhVwhNKnua3Zw21OphLUk6vzZPZ6VB/Xddmenu0MCLx8mubKr+H+cj +2YRgn9Np2NR7J6reSWD/WbG12DKa84rTrCw3bpUDR3PvB3IztRfDGlBonDaL1i62 +bav3zvqEia7kQiR6qLd6KMk4dcpE5UAdLii8yGNBF93aU4UPJg4zhTl4hBANp8jf +tCd4LfxB1aurGfqSlwfE3c1wYXOAplzG/CAbvHch0mA1ckKKb9MYvmInYj/cnPxT +ZBhjT5qBq91qiqNbStVquyBwuyEsa3FpeUopTZWxeO6Ik6hz89g3+Mu2awARAQAB +tDZPcGVuVlBOIC0gU2VjdXJpdHkgTWFpbGluZyBMaXN0IDxzZWN1cml0eUBvcGVu +dnBuLm5ldD6JAj8EEwECACkFAlicXUkCGwMFCRLMAwAHCwkIBwMCAQYVCAIJCgsE +FgIDAQIeAQIXgAAKCRAS9fe0LysB56coD/4/z1WaO6S6MW9GJUHnQC0xym6ZW3Ax +c+iRT2M1FnBBEYEZXdPtQg6dkuAozip/V7MsYt/0xo0bR0ViE8SA53R+E3KW5/zW +lebAF9E/QZMobVU3T2fbMDHckRyrSXfjTWnUi4EKrXbC41axwiRJisbFMPAY9aNP +SHhPDvYvKCNvuVYB1cPOZ0pJYzeuGSiv4FGaUYKdNQOZhinVGccev/+ll/g1yW/Y +2qFnQPh/z0LJnTwk4PAxrtt6sc+AUXo0CFAnGVYfw42TFqNb23osO8IFHENSS5Uo +XakMbw+EZYd2gCnUptRUMLLH2mUexVQaFaIdi9j+zqhOfgZ9MRa9OhmC7sq+Poz6 +SxmQz6W//TczylpXixRJsK8rdIYMp717ycShX8mOqSWX53Ehc2q8kSCor1xOhDXt +oBkKYHucX33/+NS6l9XjyW6RMJg1sV4XSvu6Dfw/qnUFj+z00N8lQUiM7KPU6EhN +/h5PeyLKxppkpndlBuHZ9YvpiQNnfPRlfwPi1o59N/rhN6Xet5kbD5e8yPnNXZlc +gwanJBkwFyrgIKq9zoGD08TfVha44sIsq8iy+3QwFp1BgjBNFthl1JYWVHpnM5ni 
+FIx87RaRp5CQJZ4+PfZ4B/oisX4Pr9QkEhGxqIy/34zOGnv/k1TDIPwYVXSx0zsK +Q4GdxmxB0QRTbYkCOwQTAQIAJQIbAwUJEswDAAIeAQIXgAUCWJzLrgQLCQgHBBUK +CQgFFgIDAQAACgkQEvX3tC8rAecE3A/+LCiwUH30gbauYFlk6tWL8GfEKmGqjyYV +IJAmmkdlHXg/oiP96Xjrg6aOHLm/QNIvNIM2Z8u+0i/UxpPcnXp1qxy6YEl2rgbi +b0njCC2L23ziEVQniPBrZCWvp5wQdMy3BG+1cvYV+H84YlW3IZm/P6mqgKNU1U1j +Y4zpIVe6oF+WhM7ijZGQFOYzaFBK3kZw5TNguXiQEdisDZF25zHBcz7aR1WtYsd6 +Zm/Tfeaoaa8SW23GdhueruDpIEsEAcMrwfsYnUPTuIQ/NsiQoQWVKHRMxONuJB53 +o07/1T8C8GPBL3t5xVZZK2Go0XQryUWuW380IrT120B+patIpdySOTzBlDeX75nN +dM2epY8mBmlR6Jx1RTAAY1ImYD1myv2+kYZYczfThpN04G2L2LXbnOJ99UmAxGIv +abPYawYriEYI1r7+WeQXHoHS8SxZex7tSzuVkYYE3mxT0YaPD9FGjbcu/79GYF8O +qouKUcjFTDOzL3yBZIbJSXlxgXD+AjIOjV54F9+xkmT0GAC55QbCPmvgMLhAbl8b ++maKw0MORCTqhzpF5jOVPjhT36ZJXpCNCZ4MA0U1qWY5v/qKKpaP14CXV/rT8VR6 +7MgEBdIMUtRM0uMYQHYvHh2Am3BU/Oee4ns3s7OCVhhMeWQ85UEYKQ894fRwOANG +NlSPHWw+LvKJAhwEEAEIAAYFAlijkAkACgkQV9udq2E7jaFf4w//d+Tx2ti5mWEj +/7ZygilmqwR8w1yUZAZBeMXkSF4NEeGkInt2bLBDDHoEiRpM7pmPUq4uKEJmm145 +cLnfN2RScxefOAxGN2NhAKTHRbN7QIAy7oX7FVvEydOZzFYRYDLdC0fKiSg1BJG4 ++kaan18S2oWLfAQ9gEH8KD8zbF7a9okeM5GSUkIs6WdNjU3YM1bGiXIbPQWqHI1w +/6GpraPbKRCDE/td6FjInpQy7eQl4GW0HPekLdWnrLyZ5KOwTAaDXkIVqse4bwi2 +e/4OWZLZGM3G5aCkMZ5aUehli4fAIRbjqhfh1lxtIZQsnImrHIIEp3cm/4DghoII +aqqmJ2Tngp/uLfVqy2uNFkM1dAhrW1U7TbLa+DmiYH9X5/0ctd75H1ZQoEjKwKGN +qgw/Rq75rxSBvFSLU9fvuH7WG14WXdCwdFroXXDjhd1g+Pc4qvr9W8yJjBjfi/NI +1s50iWhTXoBt7rKWwvYhy/LFAo9leEo+RzU6+ugUaOaPOU7F91HwLTut0Gri9rLe +tujpNn59ZHk4zr+Mcw7UC8X57oW7dW6ZI19G0SWPPhyaU9epcfumlMSqI1r/66Ji +4LJ11Td7Nv2JUTjo/SVGor2IUzABsNjb9s/ffLFvSePjRDJLe2I8l1Qs6bubjGPQ +HZM2VxQw8mA5MjTFDDd+bk4AEU0bhpG5Ag0EWJxdSQEQAKO2FBTqXkiAYeur4Wzq +OakSDPk8qeVGaGzWIkehy5l/JV3npacqgRLafPvOTdUDujd1+pAaRABUrA5L+LlJ +98AZgLzxWywIbTdkLVE+65gdGTchGU95WxqT9HYBzORMdXpc3avWbnX0AJ5DfbBG +j3nPsxwTTeyg8Gut8p5BGUYJg2vvZ2XJjPQrFUqpN71FLXwlq4j6fQwG8rp5/LCX +QwA1KPJoNm6W8HT2V812ZcKXmfV0bK88qI9ukvhM6e/2OmOChfm27gR0+A3iGk6E +x9KhA0HhfWPByI14PsFHC6mSg1nJBjN4F7IY5ddP3bg2EILz6Dx0cydh/FznZHM/ 
+iXHHeQWu1vkUUnDZ2Lp+QUu8YaHjUbFof0gExnU6T/IAxUjRfNBf+1/5O4beo3gD +7deXLwUQ5UqFUjEdiGr97zRteLvE6BcMQXEv59gbWgvXKEt47oA5iSCC6/Kxk1vd +90WrPWSP8FGz8W/vZDYLvHqLAZ0LdM2jVraVx5F1ESjsyXQ89s9BfWaWM2l8WlpG +CnPv/z7sAkzfTIZuqBUB3RkvSNeFOhkydqXxCK1moE13Cdo/YJEAYBoSf28w0Fxm +fiWUVuq71lpMXbUbQZRg+AyHG/bSTii4riZPKws+k38a4oqHNfBcIHokWj9bLh7m +iemW8EAm+iMzlg4Qc6XYuvN7ABEBAAGJAiUEGAECAA8CGwwFAliji0QFCQICv3sA +CgkQEvX3tC8rAefqWg/+Jp2z1PSfQvAcTzrDgGfssQQRDhH8p5KPlbQnjdc54Oz5 +gF2qvJNBVnGEJqMq8HyuyXaGND5PlptV6NTulxgX2U6d7g667ad6aqufO8EAzOj7 +EUxaONVH/jGcRi95g2LTR4CJ9mzS7M1VZ4oUWfx785uhyyyxHuiuFRfMq1zZYOuc +xJ3fI3zIUJMHt6HKzxB14YtwPfyJ5RD/VViaq/Agck9GCaAeDm0dqZnlQf5yx6R4 +xuEpfp+9CK9iuaPGXui5KQsYaIqS2xqFakGKQ02JrrhQgHTP7BRIjzXv4gv94Eiv +N48L5jaoNk1eHKHFD20XMT2honheB/KXCzdYzz4bIlfNossHpcRahcqMOAud57Ag +CmO/X8husUfc38rJUMlrcvsTEMFoWoNXkhKko/hdRdYG0CiAAsRhCpY+b43NUPgG +M549KDyJtHLi8jczBy1FYWd73HK95EgS+suTdWN/JIbzYE2PHNW+4CfT2WPBiUxk +oV0ZuzAecjmsffYZDKZgT3+WVmewxyVQGNyGmeRQ2iNDxfntkgL4DRHJkB/ryDsS +lltRmqwOMbI0unMt1j0CQLllzY3TQvWIiYRcMBESFREgxWrv5kJKZMze0+BNwCMS +iEkwNvm2Jz50EZmOTiNGl5d0SqYgQyw8/i1uxBSs80WA1E60JlI7EqTJHT2Dgs65 +Ag0EWJxd7gEQAK/OTSfxwn91jNGTy2D29/pIPAR9Q2aYV+AZ1V8sprXwg5XeFvHg +Msc47wCHSihu3oNGZR2XF5O+gXE6k4/BZpBgBxdijGtb+P3aYHjr0xUNmMWw1VdJ +ODh6f2t+1r/GLUUF38GUYL6Hjy54sTF8CHTu5afm4DugxU1bDwOfH1QXMOYC7tIn +Q1y9JWoowKItCcRKfG3DvHfgfnB8jfbGOdyUcLMNIuxCXcAt9rPh1QRCbK+OBBom +S9pNwXVi6AtGbkw4LNemhspk1rm+kZOMJALKpz2nOc+VA9Ci+6oHkXaUTJt5rJm9 +llqD49p0Tt/wtIWPyr0ThJXoTwuu1aeSiT22vtDO8LoJrognRuxzbDs05pT68W3i +wBc8P8F8jNJim5Fzu9U0hkqkJv0wHP4Ap/MCDGZ36BMSAE8oQXBsTjHydVye/YL2 +8cg3GRckL4C1E8kY1Bn2hmHA9QQbK3iCNduISBmN8abYX9RDJjqrCkrspRefIkbB +5WUo0f6hW+7+UVhQUCD23GA5qPza6Ue2HjSEW2Y8RPXbcBGk0pgX3ee+yRbp9izN +jn5zb/tSYx5GneMaTwDrbDeB0P0pow9NoH2ONGs+hkXvsKL+pc7crkuFZqRETAfI +NOvQDvUF/eto2vfArNW4hxcosrMB78pUQ8LOgtFxjJBR4EHEC25gwXlJABEBAAGJ +BEQEGAECAA8FAlicXe4CGwIFCQICKQACKQkQEvX3tC8rAefBXSAEGQECAAYFAlic +Xe4ACgkQ1yrzRIzCsDSaeg/+Pr9O9qKYgfmg8nE0M43P5bWO6ootkaf/Uc2LQDuX 
+qiS8WXmzK8S5zIujxnBH9B4z8nrwCvTZ6JZHUygyhdkvnkDXBtO+MTWPugalxmMW +AaGK/V1M2ZXWHdQpwAfK7dqfuAP9Tse1SoQJVsLFjJ7L33lHAygKG24zJhowQCRG +Hc1N491MvbgsEdCCiaIQByVko8itJxLlOa5A7jDJy6I1L5YcoBFY5i5Cm0y/8TRX +kfCLhwtslXeltPDpHBqd7iKHBc2OYZz9clZNgr1oQFnlntCS9HlnuSPVS50xg4Rd +idyyNvR7tm8LKx0Ptm4Aj8q6+2s1zUVY1yZbyd8vLqZ/QwN7pZhAhiGZXr/e+Prc +lL5BalQR2FndYrGY77HAcubWpTkzXC+iGizPSa1nni562rwHdQWXWPt3R5KBmcdJ +KirNfeF2WiHP77gFnyCg7o9XzvWsqni7XTm+HGDq+E/RMFYdeSzYJ0wL/kWavpbS +kdCN4FBQ4HAc3hypsSHG3Vuian4kykJ0i5uDtgdeLxJmtgQ9PpNZScSrMC1lGBdE +36cRCvAR3wwf7nzD1F1voTfe5MMx7k7IVdyfs1Ajnjrrm/hlShFifl8hQ2UIyhNM ++bQ/YeHvL1OjpDTmIvxuelJcPmM9+g+gGrV8DYw+ZPrFDOTfEPgRqPze1608JQp1 +P7FuzA//Zd6iLDL7EmVlx3sJs756SkiUfS1Yj9vTbNRVP/GX+D7rqHQL/vRHQlc4 +rxqpQIf/T1jhanqXB+NCIGwV49xO1ODsDkSZuJqjPUyW8BpqskR/l+OXbCa04oCy +RBriMtWFUUQ0uquagdvte4dEo6gC4l73cz8emUnB6bOKCq/QxvtjoQSa/VsWrs3D +xIowQOCTk9eW9YOkpwhrSSnksumYS0V+VQ5NpgYesR7oH36d7Sh5RNEk97v9T+OQ +cjDtPXBD2fD5e7nwo+UV0px0y+pAzzf6Gwh20D/gnIJobOAgFl5u/l3LGaYZnUvL +4xIaKVNHxjldX8BmHos1+7xC0i5JH0IdNoCHGXF8BmkTz7t9CwuESZeFp6ucsvTt +LfLsJW73E5V1y4yWLE2Baucpj3+WFwQBVM311/X2mGMTF6FO7n5UiBE52dmy78kS +EyfpNwdTJ4NbpiZaeRFusWE9J3zVP+AKXlyANjil/F7xkgbqK32CrD6OLd/AjyoS +QeqBuFk0KIEWnj8FcRnSZCTy0V5iqx/guBvy9gHyGHs39xRH4amybmn/wHX9vULd +KJY9YjVdjtH6OpQw+7Jc9xH4+tInHBB+MErX9Q1TCeg/kANZPAD0aHgUrbawyNHQ +QvVy6MJDfWSsx6t/SAwUHF6rKPiN3nfWTCN8JQccPjw+Ziu+C8E= +=iBcj -----END PGP PUBLIC KEY BLOCK----- diff --git a/openvpn.spec b/openvpn.spec index ecd016d..8f9be63 100644 --- a/openvpn.spec +++ b/openvpn.spec @@ -32,7 +32,7 @@ Url: http://openvpn.net/ %else PreReq: %insserv_prereq %fillup_prereq %endif -Version: 2.4.2 +Version: 2.4.3 Release: 0 Summary: Full-featured SSL VPN solution using a TUN/TAP Interface License: SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1 
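Review bot: The keyring presumably used to verify the source tarball signature is replaced wholesale in this commit — the old block's user-id packet appears to decode to a personal developer key and the new one to "OpenVPN - Security Mailing List <security@openvpn.net>" — yet neither the changelog nor the spec records where the new key came from or its fingerprint. Since the 2.4.3 tarball, its .asc and the trust root all change in the same commit, the signature check only adds assurance if the new key's provenance is pinned somewhere reviewable; I'd add a changelog line such as `- Replace openvpn.keyring with the OpenVPN security list key (fingerprint <FINGERPRINT-FROM-UPSTREAM-KEY-PAGE>)`, with the placeholder filled from the upstream key announcement, and note whether the old key signs the new one. The `@@ -1,41 +1,109 @@` hunk starts on an earlier line.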
@@ -273,7 +273,7 @@ rm -f %{_sysconfdir}/sysconfig/openvpn || :
 %doc %{_mandir}/man8/openvpn.8.gz
 %config(noreplace) %{_sysconfdir}/openvpn/
 %if %{with_systemd}
-%dir %{_libdir}/tmpfiles.d
+%dir %{_tmpfilesdir}
 %{_unitdir}/%{name}@.service
 %{_unitdir}/%{name}.target
 %{_tmpfilesdir}/%{name}.conf
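Review bot: `%dir %{_tmpfilesdir}` still makes this package claim ownership of the tmpfiles.d directory itself, which presumably belongs to whichever systemd package defines `%{_tmpfilesdir}`; the changelog entry only speaks of no longer packaging the empty libdir path, not of owning the real one. Because `%{_tmpfilesdir}/%{name}.conf` is already listed three lines below, the `%dir` line can simply be dropped, i.e. remove `%dir %{_tmpfilesdir}` and keep the three entries beneath it. If some build target has no dependency that owns that directory, a `Requires` on the owning package is the right place to cover it rather than a `%dir` entry here.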