- Update to 2.4.3 (bsc#1045489)
- Ignore auth-nocache for auth-user-pass if auth-token is pushed
- crypto: Enable SHA256 fingerprint checking in --verify-hash
- copyright: Update GPLv2 license texts
- auth-token with auth-nocache fix broke --disable-crypto builds
- OpenSSL: don't use direct access to the internal of X509
- OpenSSL: don't use direct access to the internal of EVP_PKEY
- OpenSSL: don't use direct access to the internal of RSA
- OpenSSL: don't use direct access to the internal of DSA
- OpenSSL: force meth->name as non-const when we free() it
- OpenSSL: don't use direct access to the internal of EVP_MD_CTX
- OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
- OpenSSL: don't use direct access to the internal of HMAC_CTX
- Fix NCP behaviour on TLS reconnect.
- Remove erroneous limitation on max number of args for --plugin
- Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
- Fix potential 1-byte overread in TCP option parsing.
- Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
- Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst)
- refactor my_strupr
- Fix 2 memory leaks in proxy authentication routine
- Fix memory leak in add_option() for option 'connection'
- Ensure option array p[] is always NULL-terminated
- Fix a null-pointer dereference in establish_http_proxy_passthru()
- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
- Fix an unaligned access on OpenBSD/sparc64
- Missing include for socket-flags TCP_NODELAY on OpenBSD
- Make openvpn-plugin.h self-contained again.
- Pass correct buffer size to GetModuleFileNameW()
- Log the negotiated (NCP) cipher
OBS-URL: https://build.opensuse.org/request/show/505857
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=124
- Update tp 2.4.2
- auth-token: Ensure tokens are always wiped on de-auth
- Make --cipher/--auth none more explicit on the risks
- Use SHA256 for the internal digest, instead of MD5
- Deprecate --ns-cert-type
- Deprecate --no-iv
- Support --block-outside-dns on multiple tunnels
- Limit --reneg-bytes to 64MB when using small block ciphers
- Fix --tls-version-max in mbed TLS builds
Details changelogs are avilable in
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
[*0001-preform-deferred-authentication-in-the-background.patch
*openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
*openvpn-fips140-2.3.2.patch]
- pkcs11-helper-devel >= 1.11 is needed for openvpn-2.4.2
- cleanup the spec file
OBS-URL: https://build.opensuse.org/request/show/501452
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=75
- auth-token: Ensure tokens are always wiped on de-auth
- Make --cipher/--auth none more explicit on the risks
- Use SHA256 for the internal digest, instead of MD5
- Deprecate --ns-cert-type
- Deprecate --no-iv
- Support --block-outside-dns on multiple tunnels
- Limit --reneg-bytes to 64MB when using small block ciphers
- Fix --tls-version-max in mbed TLS builds
Details changelogs are avilable in
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
[*0001-preform-deferred-authentication-in-the-background.patch
*openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
*openvpn-fips140-2.3.2.patch]
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=118
- Preform deferred authentication in the background to not
cause main daemon processing delays when the underlying pam mechanism (e.g.
ldap) needs longer to response (bsc#959511).
[+ 0001-preform-deferred-authentication-in-the-background.patch]
- Added fix for possible heap overflow on read accessing getaddrinfo
result (bsc#959714).
[+openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch]
- Added a patch to fix multiple low severity issues (bsc#934237).
[+openvpn-2.3.x-fixed-multiple-low-severity-issues.patch]
OBS-URL: https://build.opensuse.org/request/show/489820
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=115
- silence warning about %{_rundir}/openvpn
- for non systemd case: just package the %{_rundir}/openvpn in
the package
- for systemd case: call systemd-tmpfiles and own the dir as
%ghost in the filelist
- refreshed patches to apply cleanly again
openvpn-2.3-plugin-man.dif
openvpn-fips140-2.3.2.patch
- update to 2.3.14
- update year in copyright message
- Document the --auth-token option
- Repair topology subnet on FreeBSD 11
- Repair topology subnet on OpenBSD
- Drop recursively routed packets
- Support --block-outside-dns on multiple tunnels
- When parsing '--setenv opt xx ..' make sure a third parameter
is present
- Map restart signals from event loop to SIGTERM during
exit-notification wait
- Correctly state the default dhcp server address in man page
- Clean up format_hex_ex()
- enabled pkcs11 support
OBS-URL: https://build.opensuse.org/request/show/451851
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=113
- Update to version 2.3.11
* Fixed port-share bug with DoS potential
* Fix buffer overflow by user supplied data
* Fix undefined signed shift overflow
* Ensure input read using systemd-ask-password is null terminated
* Support reading the challenge-response from console
* hardening: add safe FD_SET() wrapper openvpn_fd_set()
* Restrict default TLS cipher list
- Add BuildRequires on xz for SLE11
OBS-URL: https://build.opensuse.org/request/show/394676
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=105
- Update to version 2.3.10
* Warn user if their certificate has expired
* Fix regression in setups without a client certificate
- Update to version 2.3.9
* Show extra-certs in current parameters.
* Do not set the buffer size by default but rely on the operation system default.
* Remove --enable-password-save option
* Detect config lines that are too long and give a warning/error
* Log serial number of revoked certificate
* Avoid partial authentication state when using --disabled in CCD configs
* Replace unaligned 16bit access to TCP MSS value with bytewise access
* Fix possible heap overflow on read accessing getaddrinfo() result.
* Fix isatty() check for good. (obsoletes revert-daemonize.patch)
* Client-side part for server restart notification
* Fix privilege drop if first connection attempt fails
* Support for username-only auth file.
* Increase control channel packet size for faster handshakes
* hardening: add insurance to exit on a failed ASSERT()
* Fix memory leak in auth-pam plugin
* Fix (potential) memory leak in init_route_list()
* Fix unintialized variable in plugin_vlog()
* Add macro to ensure we exit on fatal errors
* Fix memory leak in add_option() by simplifying get_ipv6_addr
* openssl: properly check return value of RAND_bytes()
* Fix rand_bytes return value checking
* Fix "White space before end tags can break the config parser"
OBS-URL: https://build.opensuse.org/request/show/351949
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=103
- Update to version 2.3.8
* Report missing endtags of inline files as warnings
* Fix commit e473b7c if an inline file happens to have a
line break exactly at buffer limit
* Produce a meaningful error message if --daemon gets in the way of
asking for passwords.
* Document --daemon changes and consequences (--askpass, --auth-nocache)
* Del ipv6 addr on close of linux tun interface
* Fix --askpass not allowing for password input via stdin
* Write pid file immediately after daemonizing
* Fix regression: query password before becoming daemon
* Fix using management interface to get passwords
* Fix overflow check in openvpn_decrypt()
OBS-URL: https://build.opensuse.org/request/show/320680
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=94
- Update to version 2.3.7
* down-root plugin: Replaced system() calls with execve()
* sockets: Remove the limitation of --tcp-nodelay to be server-only
* pkcs11: Load p11-kit-proxy.so module by default
* New approach to handle peer-id related changes to link-mtu
* Fix incorrect use of get_ipv6_addr() for iroute options
* Print helpful error message on --mktun/--rmtun if not available
* Explain effect of --topology subnet on --ifconfig
* Add note about file permissions and --crl-verify to manpage
* Repair --dev null breakage caused by db950be85d37
* Correct note about DNS randomization in openvpn.8
* Disallow usage of --server-poll-timeout in --secret key mode
* Slightly enhance documentation about --cipher
* On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo()
* Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo()
* Fix --redirect-private in --dev tap mode
* Updated manpage for --rport and --lport
* Properly escape dashes on the man-page
* Improve documentation in --script-security section of the man-page
* Really fix '--cipher none' regression
* Set tls-version-max to 1.1 if cryptoapicert is used
* Account for peer-id in frame size calculation
* Disable SSL compression
* Fix frame size calculation for non-CBC modes.
* Allow for CN/username of 64 characters (fixes off-by-one)
* Re-enable TLS version negotiation by default
* Remove size limit for files inlined in config
* Improve --tls-cipher and --show-tls man page description
* Re-read auth-user-pass file on (re)connect if required
* Clarify --capath option in manpage
OBS-URL: https://build.opensuse.org/request/show/313671
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=92
