- update to 2.5.8:
* allow running a default configuration with TLS libraries without BF-CBC
(even if TLS cipher negotiation would not actually use BF-CBC, the
long-term compatibility "default cipher BF-CBC" would trigger an error
on such TLS libraries)
* ``--auth-nocache'' was not always correctly clearing username+password
after a renegotiation
* ensure that auth-token received from server is cleared if requested
by the management interface ("forget password" or automatically
via ``--management-forget-disconnect'')
* in a setup without username+password, but with auth-token and
auth-token-username pushed by the server, OpenVPN would start asking
for username+password on token expiry. Fix.
* using ``--auth-token`` together with ``--management-client-auth``
(on the server) would lead to TLS keys getting out of sync and client
being disconnected. Fix.
* management interface would sometimes get stuck if client and server
try to write something simultaneously. Fix by allowing a limited
level of recursion in virtual_output_callback()
* fix management interface not returning ERROR:/SUCCESS: response
on "signal SIGxxx" commands when in HOLD state
* tls-crypt-v2: abort connection if client-key is too short
* make man page agree with actual code on replay-window backtrag log message
* remove useless empty line from CR_RESPONSE message
OBS-URL: https://build.opensuse.org/request/show/1036732
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=181
- update to 2.5.7:
* Limited OpenSSL 3.0 support
* print OpenSSL error stack if decoding PKCS12 file fails
* fix omission of cipher-negotiation.rst in tarballs
* fix errno handling on Windows (Windows has different classes of
error codes, GetLastError() and C runtime errno, these should now
be handled correctly)
* fix PATH_MAX build failure in auth-pam.c
* fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
* fix overlong path names, leading to missing pkcs11-helper patch
in tarball
OBS-URL: https://build.opensuse.org/request/show/980821
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=177
* bsc#1197341, CVE-2022-0547: possible authentication bypass in
external authentication plug-in
* Fix "--mtu-disc maybe|yes" on Linux
* Fix $common_name variable passed to scripts when
username-as-common-name is in effect.
* Fix potential memory leaks in add_route() and add_route_ipv6().
* Apply connect-retry backoff only to one side of the connection
in p2p mode.
* repair "--inactive" handling with a 'bytes' parameter larger
than 2 Gbytes.
* new plugin (sample-plugin/defer/multi-auth.c) to help testing
with multiple parallel plugins that succeed/fail in
direct/deferred mode.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=175
- update to 2.5.5:
* SWEET32/64bit cipher deprecation change was postponed to 2.7
* improve "make check" to notice if "openvpn --show-cipher" crashes
* improve argv unit tests
* ensure unit tests work with mbedTLS builds without BF-CBC ciphers
* include "--push-remove" in the output of "openvpn --help"
* fix error in iptables syntax in example firewall.sh script
* fix "resolvconf -p" invocation in example "up" script
* fix "common_name" environment for script calls when
"--username-as-common-name" is in effect (Trac #1434)
* move "push-peer-info" documentation from "server options" to "client"
* correct "foreign_option_{n}" typo in manpage
* README.down-root: fix plugin module name
OBS-URL: https://build.opensuse.org/request/show/940795
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=171
Upstream has meanwhile solved this differently and the two
implementations interfere (boo#1193017).
- Obsoleted SLE patches up to this point:
* openvpn-CVE-2020-15078.patch
* openvpn-CVE-2020-11810.patch
* openvpn-CVE-2018-7544.patch
* openvpn-CVE-2018-9336.patch
(bsc#1085803, CVE-2018-7544)
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=170
- update to 2.5.4:
* fix prompting for password on windows console if stderr redirection
is in use - this breaks 2.5.x on Win11/ARM, and might also break
on Win11/adm64 when released.
* fix setting MAC address on TAP adapters (--lladdr) to use sitnl
(was overlooked, and still used "ifconfig" calls)
* various improvements for man page building (rst2man/rst2html etc)
* minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on
at least one platform strictly checking this)
* fix minor memory leak under certain conditions in add_route() and
add_route_ipv6()
* documentation improvements
* copyright updates where needed
* better error reporting when win32 console access fails
OBS-URL: https://build.opensuse.org/request/show/928265
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=168
* Removal of BF-CBC support in default configuration
*** POSSIBLE INCOMPATIBILITY ***
See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8).
* Connections setup is now much faster
* Support ChaCha20-Poly1305 cipher in the OpenVPN data channel
* Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
* Client-specific tls-crypt keys (--tls-crypt-v2)
* Improved Data channel cipher negotiation
* HMAC based auth-token support for seamless reconnects to
standalone servers or a group of servers
* Asynchronous (deferred) authentication support for auth-pam
plugin
* Asynchronous (deferred) support for client-connect scripts and
plugins
* Support IPv4 configs with /31 netmasks
* 802.1q VLAN support on TAP servers
* Support IPv6-only tunnels
* New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
* Support Virtual Routing and Forwarding (VRF)
* Netlink integration (OpenVPN no longer needs to execute
ifconfig/route or ip commands)
* Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
- bsc#1062157: The fix for bsc#934237 causes problems with the
crypto self-test of newer openvpn versions.
Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch .
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=165
- update to 2.4.11 (bsc#1185279):
* CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
* This bug allows - under very specific circumstances - to trick a server using
delayed authentication (plugin or management) into returning a PUSH_REPLY
before the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup.
* In combination with "--auth-gen-token" or an user-specific token auth
solution it can be possible to get access to a VPN with an
otherwise-invalid account.
* Fix potential NULL ptr crash if compiled with DMALLOC
- drop sysv5 init support, it hasn't build successfully in ages
and is build-disabled in devel project
OBS-URL: https://build.opensuse.org/request/show/898085
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=92
- update to 2.4.11 (bsc#1185279):
* CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
* This bug allows - under very specific circumstances - to trick a server using
delayed authentication (plugin or management) into returning a PUSH_REPLY
before the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup.
* In combination with "--auth-gen-token" or an user-specific token auth
solution it can be possible to get access to a VPN with an
otherwise-invalid account.
* Fix potential NULL ptr crash if compiled with DMALLOC
- drop sysv5 init support, it hasn't build successfully in ages
and is build-disabled in devel project
OBS-URL: https://build.opensuse.org/request/show/896403
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=160
- update to 2.4.10:
- OpenVPN client will now announce the acceptable ciphers to the server
(IV_CIPHER=...), so NCP cipher negotiation works better
- Parse static challenge response in auth-pam plugin
- Accept empty password and/or response in auth-pam plugin
- Log serial number of revoked certificate
- Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
- Fix auth-token not being updated if auth-nocache is set
(this should fix all remaining client-side bugs for the combination
"auth-nocache in client-config" + "auth-token in use on the server")
- Fix stack overflow in OpenSolaris and *BSD NEXTADDR()
- Fix error detection / abort in --inetd corner case (#350)
- Fix TUNSETGROUP compatibility with very old Linux systems (#1152)
- Fix handling of 'route remote_host' for IPv6 transport case
(#1247 and #1332)
- Fix --show-gateway for IPv6 on NetBSD/i386 (#734)
- A number of documentation improvements / clarification fixes.
- Fix line number reporting on config file errors after <inline> segments
- Fix fatal error at switching remotes (#629)
- socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848)
- Switch "ks->authenticated" assertion failure to returning false (#1270)
- refresh 0001-preform-deferred-authentication-in-the-background.patch
openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10
OBS-URL: https://build.opensuse.org/request/show/860796
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
- update to 2.4.9 (CVE-2020-11810, bsc#1169925O):
* Allow unicode search string in --cryptoapicert option (Windows)
* Skip expired certificates in Windows certificate store (Windows) (trac #966)
* OpenSSL: Fix --crl-verify not loading multiple CRLs in one file (trac #623)
* fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
This can be used to disrupt service to a freshly connected client (no session
keys negotiated yet). It can not be used to inject or steal VPN traffic.
CVE-2020-11810).
* fix combination of async push (deferred auth) and NCP (trac #1259)
* Fix OpenSSL 1.1.1 not using auto elliptic curve selection (trac #1228)
* Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
* mbedTLS: Make sure TLS session survives move (trac #880)
* Fix OpenSSL private key passphrase notices
* Fix building with --enable-async-push in FreeBSD (trac #1256)
* Fix broken fragmentation logic when using NCP (trac #1140)
OBS-URL: https://build.opensuse.org/request/show/833769
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=154
- Modernize openvpn.service
* /var/run has been obsoleted since a long time.
* on reload, send HUP signal directly rather than relying on
killproc to look for the main process.
- Explicitly requires sysvinit-tools as some of the tools shipped by
this package are used in various places regardless of whether
openvpn is built for systemd or non systemd systems.
For the context: sysvinit-tools was pulled in by systemd since 2014
but it's no longer the case so better to be safe than sorry.
OBS-URL: https://build.opensuse.org/request/show/829828
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=152
Include SR#758278 also
- Update to version 2.4.8:
* mbedtls: fix segfault by calling mbedtls_cipher_free() in
cipher_ctx_free()
* cleanup: Remove RPM openvpn.spec build approach
* docs: Update INSTALL
* build: Package missing mock_msg.h
* Increase listen() backlog queue to 32
* Force combinationation of --socks-proxy and --proto UDP to use
IPv4.
* Wrong FILETYPE in .rc files
* Do not set pkcs11-helper 'safe fork mode'
* tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex.
* Fix various compiler warnings
* Fix regression, reinstate LibreSSL support.
* man: correct the description of --capath and --crl-verify
regarding CRLs
* Fix typo in NTLM proxy debug message
* Ignore --pull-filter for --mode server
* openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
* Better error message when script fails due to script-security
setting
* Correct the return value of cryptoapi RSA signature callbacks
* Handle PSS padding in cryptoapicert
* cmocka: use relative paths
* Fix documentation of tls-verify script argument
- BuildRequire pkgconfig(libsystemd) instead of systemd-devel:
Allow OBS to shortcut through the -mini flavors.
OBS-URL: https://build.opensuse.org/request/show/764916
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=146
