- update to 2.4.11 (bsc#1185279):
* CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
* This bug allows - under very specific circumstances - to trick a server using
delayed authentication (plugin or management) into returning a PUSH_REPLY
before the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup.
* In combination with "--auth-gen-token" or an user-specific token auth
solution it can be possible to get access to a VPN with an
otherwise-invalid account.
* Fix potential NULL ptr crash if compiled with DMALLOC
- drop sysv5 init support, it hasn't build successfully in ages
and is build-disabled in devel project
OBS-URL: https://build.opensuse.org/request/show/898085
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=92
- update to 2.4.11 (bsc#1185279):
* CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
* This bug allows - under very specific circumstances - to trick a server using
delayed authentication (plugin or management) into returning a PUSH_REPLY
before the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup.
* In combination with "--auth-gen-token" or an user-specific token auth
solution it can be possible to get access to a VPN with an
otherwise-invalid account.
* Fix potential NULL ptr crash if compiled with DMALLOC
- drop sysv5 init support, it hasn't build successfully in ages
and is build-disabled in devel project
OBS-URL: https://build.opensuse.org/request/show/896403
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=160
- update to 2.4.10:
- OpenVPN client will now announce the acceptable ciphers to the server
(IV_CIPHER=...), so NCP cipher negotiation works better
- Parse static challenge response in auth-pam plugin
- Accept empty password and/or response in auth-pam plugin
- Log serial number of revoked certificate
- Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
- Fix auth-token not being updated if auth-nocache is set
(this should fix all remaining client-side bugs for the combination
"auth-nocache in client-config" + "auth-token in use on the server")
- Fix stack overflow in OpenSolaris and *BSD NEXTADDR()
- Fix error detection / abort in --inetd corner case (#350)
- Fix TUNSETGROUP compatibility with very old Linux systems (#1152)
- Fix handling of 'route remote_host' for IPv6 transport case
(#1247 and #1332)
- Fix --show-gateway for IPv6 on NetBSD/i386 (#734)
- A number of documentation improvements / clarification fixes.
- Fix line number reporting on config file errors after <inline> segments
- Fix fatal error at switching remotes (#629)
- socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848)
- Switch "ks->authenticated" assertion failure to returning false (#1270)
- refresh 0001-preform-deferred-authentication-in-the-background.patch
openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10
OBS-URL: https://build.opensuse.org/request/show/860796
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
- update to 2.4.9 (CVE-2020-11810, bsc#1169925O):
* Allow unicode search string in --cryptoapicert option (Windows)
* Skip expired certificates in Windows certificate store (Windows) (trac #966)
* OpenSSL: Fix --crl-verify not loading multiple CRLs in one file (trac #623)
* fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
This can be used to disrupt service to a freshly connected client (no session
keys negotiated yet). It can not be used to inject or steal VPN traffic.
CVE-2020-11810).
* fix combination of async push (deferred auth) and NCP (trac #1259)
* Fix OpenSSL 1.1.1 not using auto elliptic curve selection (trac #1228)
* Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
* mbedTLS: Make sure TLS session survives move (trac #880)
* Fix OpenSSL private key passphrase notices
* Fix building with --enable-async-push in FreeBSD (trac #1256)
* Fix broken fragmentation logic when using NCP (trac #1140)
OBS-URL: https://build.opensuse.org/request/show/833769
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=154
- Modernize openvpn.service
* /var/run has been obsoleted since a long time.
* on reload, send HUP signal directly rather than relying on
killproc to look for the main process.
- Explicitly requires sysvinit-tools as some of the tools shipped by
this package are used in various places regardless of whether
openvpn is built for systemd or non systemd systems.
For the context: sysvinit-tools was pulled in by systemd since 2014
but it's no longer the case so better to be safe than sorry.
OBS-URL: https://build.opensuse.org/request/show/829828
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=152
Include SR#758278 also
- Update to version 2.4.8:
* mbedtls: fix segfault by calling mbedtls_cipher_free() in
cipher_ctx_free()
* cleanup: Remove RPM openvpn.spec build approach
* docs: Update INSTALL
* build: Package missing mock_msg.h
* Increase listen() backlog queue to 32
* Force combinationation of --socks-proxy and --proto UDP to use
IPv4.
* Wrong FILETYPE in .rc files
* Do not set pkcs11-helper 'safe fork mode'
* tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex.
* Fix various compiler warnings
* Fix regression, reinstate LibreSSL support.
* man: correct the description of --capath and --crl-verify
regarding CRLs
* Fix typo in NTLM proxy debug message
* Ignore --pull-filter for --mode server
* openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
* Better error message when script fails due to script-security
setting
* Correct the return value of cryptoapi RSA signature callbacks
* Handle PSS padding in cryptoapicert
* cmocka: use relative paths
* Fix documentation of tls-verify script argument
- BuildRequire pkgconfig(libsystemd) instead of systemd-devel:
Allow OBS to shortcut through the -mini flavors.
OBS-URL: https://build.opensuse.org/request/show/764916
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=146
- Drop use of $FIRST_ARG in openvpn.spec
The use of $FIRST_ARG was probably required because of the
%service_* rpm macros were playing tricks with the shell positional
parameters. This is bad practice and error prones so let's assume
that no macros should do that anymore and hence it's safe to assume
that positional parameters remains unchanged after any rpm macro
call.
OBS-URL: https://build.opensuse.org/request/show/678070
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=139
- Update to 2.4.6:
* CVE-2018-9336, bsc#1090839: Fix potential double-free() in
Interactive Service
* Delete the IPv6 route to the "connected" network on tun close
* Management: warn about password only when the option is in use
* Avoid overflow in wakeup time computation
- Remove --askpass again, because it was also asking for a password
when none was needed. As a workaround for keys that need a
password, the "askpass" statement should be added to the config
file (bsc#1078026).
- Use Type=notify in openvpn.service to reflect what openvpn is
actually doing.
- Import the new signing key from upstream.
- Remove obsolete configure switch --enable-password-save .
- Update to 2.4.5
* New features
+ The new option --tls-cert-profile can be used to restrict the
set of allowed crypto algorithms in TLS certificates in mbed
TLS builds. The default profile is 'legacy' for now, which
allows SHA1+, RSA-1024+ and any elliptic curve certificates.
The default will be changed to the 'preferred' profile in the
future, which requires SHA2+, RSA-2048+ and any curve.
+ openvpnserv: Add support for multi-instances (to support
multiple parallel OpenVPN installations, like EduVPN and
regular OpenVPN)
+ Use P_DATA_V2 for server->client packets too (better packet
alignment)
+ improve management interface documentation
OBS-URL: https://build.opensuse.org/request/show/601900
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=81
* CVE-2018-9336, bsc#1090839: Fix potential double-free() in
Interactive Service
* Delete the IPv6 route to the "connected" network on tun close
* Management: warn about password only when the option is in use
* Avoid overflow in wakeup time computation
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=136
when none was needed. As a workaround for keys that need a
password, the "askpass" statement should be added to the config
file (bsc#1078026).
- Use Type=notify in openvpn.service to reflect what openvpn is
actually doing.
- Import the new signing key from upstream.
- Remove obsolete configure switch --enable-password-save .
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=134
- Update to 2.4.5
* New features
+ The new option --tls-cert-profile can be used to restrict the
set of allowed crypto algorithms in TLS certificates in mbed
TLS builds. The default profile is 'legacy' for now, which
allows SHA1+, RSA-1024+ and any elliptic curve certificates.
The default will be changed to the 'preferred' profile in the
future, which requires SHA2+, RSA-2048+ and any curve.
+ openvpnserv: Add support for multi-instances (to support
multiple parallel OpenVPN installations, like EduVPN and
regular OpenVPN)
+ Use P_DATA_V2 for server->client packets too (better packet
alignment)
+ improve management interface documentation
+ rework registry key handling for OpenVPN service, notably
making most registry values optional, falling back to
reasonable defaults
+ accept IPv6 address for pushed "dhcp-option DNS ..." (make
OpenVPN 2 option compatible with OpenVPN 3 iOS and Android
clients)
* Bug fixes
+ Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
+ Fix lots of compiler warnings (format string, type casts, ...)
+ reload HTTP proxy credentials when moving to the next
connection profile
+ Fix build with LibreSSL (multiple times)
+ Remove non-useful warning on pushed tun-ipv6 option.
+ autoconf: Fix engine checks for openssl 1.1
+ lz4: Rebase compat-lz4 against upstream v1.7.5
+ lz4: Fix broken builds when pkg-config is not present but
system library is
+ Fix '--bind ipv6only'
+ Allow learning iroutes with network made up of all 0s
- Includes 2.4.4
* Bug fixes
+ Fix issues when a pushed cipher via the Negotiable Crypto
Parameters (NCP) is rejected by the remote side
+ Ignore --keysize when NCP have resulted in a changed cipher
+ Configurations using --auth-nocache and the management
interface to provide user credentials (like NetworkManager)
on client side with servers implementing authentication
tokens (for example, using --auth-gen-token) will now behave
correctly and not query the user for an, to them, unknown
authentication token on renegotiations of the tunnel.
+ Invalid or corrupt SOCKS port number when changing the proxy
via the management interface.
+ man page should now have proper escaping of hyphen/minus
characters and other minor corrections.
* User-visible Changes
+ Linux servers with systemd which use the openvpn-server@.service
unit file for server configurations will now utilize the
automatic restart feature in systemd. If the OpenVPN server
process dies unexpectedly, systemd will ensure the OpenVPN
configuration will be restarted automatically.
* Deprecated
+ --no-replay (will be removed in 2.5)
+ --keysize (will be removed in 2.6)
* Security
+ CVE-2017-12166: Fix bounds check for configurations using
--key-method 1. Before this fix, attackers could send a
malformed packet to trigger a stack overflow. This is
considered to be a low risk issue, as --key-method 2 has
been the default since 2.0 (released on 2005-04-17). This
option is already deprecated in v2.4 and will be completely
removed in v2.5.
- Rebase openvpn-fips140-2.3.2.patch
- Drop 0002-Fix-bounds-check-in-read_key.patch
* upstreamed in c7e259160b28e94e4ea7f0ef767f8134283af255
- Partial cleanup with spec-cleaner
OBS-URL: https://build.opensuse.org/request/show/586118
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=133
- Update to 2.4.3 (bsc#1045489)
- Ignore auth-nocache for auth-user-pass if auth-token is pushed
- crypto: Enable SHA256 fingerprint checking in --verify-hash
- copyright: Update GPLv2 license texts
- auth-token with auth-nocache fix broke --disable-crypto builds
- OpenSSL: don't use direct access to the internal of X509
- OpenSSL: don't use direct access to the internal of EVP_PKEY
- OpenSSL: don't use direct access to the internal of RSA
- OpenSSL: don't use direct access to the internal of DSA
- OpenSSL: force meth->name as non-const when we free() it
- OpenSSL: don't use direct access to the internal of EVP_MD_CTX
- OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
- OpenSSL: don't use direct access to the internal of HMAC_CTX
- Fix NCP behaviour on TLS reconnect.
- Remove erroneous limitation on max number of args for --plugin
- Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
- Fix potential 1-byte overread in TCP option parsing.
- Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
- Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst)
- refactor my_strupr
- Fix 2 memory leaks in proxy authentication routine
- Fix memory leak in add_option() for option 'connection'
- Ensure option array p[] is always NULL-terminated
- Fix a null-pointer dereference in establish_http_proxy_passthru()
- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
- Fix an unaligned access on OpenBSD/sparc64
- Missing include for socket-flags TCP_NODELAY on OpenBSD
- Make openvpn-plugin.h self-contained again.
- Pass correct buffer size to GetModuleFileNameW()
- Log the negotiated (NCP) cipher
OBS-URL: https://build.opensuse.org/request/show/505857
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=124
- Update tp 2.4.2
- auth-token: Ensure tokens are always wiped on de-auth
- Make --cipher/--auth none more explicit on the risks
- Use SHA256 for the internal digest, instead of MD5
- Deprecate --ns-cert-type
- Deprecate --no-iv
- Support --block-outside-dns on multiple tunnels
- Limit --reneg-bytes to 64MB when using small block ciphers
- Fix --tls-version-max in mbed TLS builds
Details changelogs are avilable in
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
[*0001-preform-deferred-authentication-in-the-background.patch
*openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
*openvpn-fips140-2.3.2.patch]
- pkcs11-helper-devel >= 1.11 is needed for openvpn-2.4.2
- cleanup the spec file
OBS-URL: https://build.opensuse.org/request/show/501452
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=75
- auth-token: Ensure tokens are always wiped on de-auth
- Make --cipher/--auth none more explicit on the risks
- Use SHA256 for the internal digest, instead of MD5
- Deprecate --ns-cert-type
- Deprecate --no-iv
- Support --block-outside-dns on multiple tunnels
- Limit --reneg-bytes to 64MB when using small block ciphers
- Fix --tls-version-max in mbed TLS builds
Details changelogs are avilable in
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
[*0001-preform-deferred-authentication-in-the-background.patch
*openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
*openvpn-fips140-2.3.2.patch]
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=118
- Preform deferred authentication in the background to not
cause main daemon processing delays when the underlying pam mechanism (e.g.
ldap) needs longer to response (bsc#959511).
[+ 0001-preform-deferred-authentication-in-the-background.patch]
- Added fix for possible heap overflow on read accessing getaddrinfo
result (bsc#959714).
[+openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch]
- Added a patch to fix multiple low severity issues (bsc#934237).
[+openvpn-2.3.x-fixed-multiple-low-severity-issues.patch]
OBS-URL: https://build.opensuse.org/request/show/489820
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=115
