forked from pool/openvpn
315 lines
13 KiB
Plaintext
315 lines
13 KiB
Plaintext
-------------------------------------------------------------------
|
|
Tue Oct 28 12:13:45 CET 2008 - mt@suse.de
|
|
|
|
- Fixed init script to handle pid files correctly (bnc#435421).
|
|
|
|
-------------------------------------------------------------------
|
|
Thu May 29 15:16:03 CEST 2008 - mt@suse.de
|
|
|
|
- Added $time $named to Should-Start in the init script to avoid
|
|
time related certificate errors and name resolving problems.
|
|
- Added iproute2 to BuildRequires to avoid openvpn rely on PATH.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon May 26 07:53:38 CEST 2008 - mt@suse.de
|
|
|
|
- Reverted init script changes adding startproc, since they break
|
|
user auth query and multiple tunnels (bnc#394360, bnc#394353).
|
|
|
|
-------------------------------------------------------------------
|
|
Thu May 22 18:21:59 CEST 2008 - mt@suse.de
|
|
|
|
- Added -lpam to LDFLAGS of openvpn, because linking the openvpn
|
|
auth-pam plugin against pam is not sufficient. Many pam modules
|
|
that are loaded by pam during the authentication process are not
|
|
linked against pam and contain undefined symbols, causing the
|
|
authentication to fail (bnc#334773).
|
|
- Replaced patch loading plugins from /usr/%_lib/openvpn/plugin/lib
|
|
with -rpath linker flags (bnc#334773).
|
|
- Fixed init script to use startproc to return 0 when started twice.
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Feb 19 11:32:55 CET 2008 - mt@suse.de
|
|
|
|
- Fixed spec file to not set pie flags when building plugins
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 17 19:44:41 CET 2008 - mt@suse.de
|
|
|
|
- Bug #334773: Enabled build of down-root and auth-pam plugins,
|
|
sub-packaged as openvpn-auth-pam-plugin/down-root-plugin.
|
|
- Added patch to load plugins from /usr/%_lib/openvpn/plugin/lib
|
|
first, when the plugin name is specified as basename only.
|
|
- Added patch adoptiong plugin path informations in openvpn.8.
|
|
- Added patch to build plugins with RPM_OPT_FLAGS.
|
|
- Fixed init script to use Should-Start/Stop LSB info tags.
|
|
- Bug #343106: Enabled iproute2 support / usage
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jun 4 10:14:03 CEST 2007 - mt@suse.de
|
|
|
|
- fixed easy-rsa installation (no exec in doc directory)
|
|
- improved spec to use configure directory variables and
|
|
cleaned up macro calls in RPM pre/post scripts.
|
|
- fixed openvpn binary check in the init script.
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Oct 27 10:40:59 CEST 2006 - mt@suse.de
|
|
|
|
- upstream 2.0.9, Windows related fixes only
|
|
* Windows installer updated with OpenSSL 0.9.7l DLLs to fix
|
|
published vulnerabilities.
|
|
* Fixed TAP-Win32 bug that caused BSOD on Windows Vista
|
|
(Henry Nestler). The TAP-Win32 driver has now been
|
|
upgraded to version 8.4.
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Sep 27 14:34:48 CEST 2006 - poeml@suse.de
|
|
|
|
- upstream 2.0.8
|
|
* Windows installer updated with OpenSSL 0.9.7k DLLs to fix
|
|
RSA Signature Forgery (CVE-2006-4339).
|
|
* No changes to OpenVPN source code between 2.0.7 and 2.0.8.
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jun 23 11:55:10 CEST 2006 - poeml@suse.de
|
|
|
|
- upstream 2.0.7, with bug fixes:
|
|
* When deleting routes under Linux, use the route metric
|
|
as a differentiator to ensure that the route teardown
|
|
process only deletes the identical route which was originally
|
|
added via the "route" directive (Roy Marples).
|
|
* Fixed bug where --server directive in --dev tap mode
|
|
claimed that it would support subnets of /30 or less
|
|
but actually would only accept /29 or less.
|
|
* Extend byte counters to 64 bits (M. van Cuijk).
|
|
* Better sanity checking of --server and --server-bridge
|
|
IP pool ranges, so as not to hit the assertion at
|
|
pool.c:119 (2.0.5).
|
|
* Fixed bug where --daemon and --management-query-passwords
|
|
used together would cause OpenVPN to block prior to
|
|
daemonization.
|
|
* Fixed client/server race condition which could occur
|
|
when --auth-retry interact is set and the initially
|
|
provided auth-user-pass credentials are incorrect,
|
|
forcing a username/password re-query.
|
|
* Fixed bug where if --daemon and --management-hold are
|
|
used together, --user or --group options would be ignored.
|
|
* fix for CVE-2006-1629 integrated (disallow "setenv" to be pushed
|
|
to clients from the server)
|
|
- build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Apr 19 13:10:56 CEST 2006 - poeml@suse.de
|
|
|
|
- security fix (CVE-2006-1629): disallow "setenv" to be pushed to
|
|
clients from the server [#165123]
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 25 21:39:08 CET 2006 - mls@suse.de
|
|
|
|
- converted neededforbuild to BuildRequires
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Nov 3 15:25:01 CET 2005 - poeml@suse.de
|
|
|
|
- update to 2.0.5, with two security fixes -- see below. [#132003]
|
|
2005.11.02 -- Version 2.0.5
|
|
* Fixed bug in Linux get_default_gateway function
|
|
introduced in 2.0.4, which would cause redirect-gateway
|
|
on Linux clients to fail.
|
|
* Restored easy-rsa/2.0 tree (backported from 2.1 beta
|
|
series) which accidentally disappeared in
|
|
2.0.2 -> 2.0.4 transition.
|
|
2005.11.01 -- Version 2.0.4
|
|
* Security fix -- Affects non-Windows OpenVPN clients of
|
|
version 2.0 or higher which connect to a malicious or
|
|
compromised server. A format string vulnerability
|
|
in the foreign_option function in options.c could
|
|
potentially allow a malicious or compromised server
|
|
to execute arbitrary code on the client. Only
|
|
non-Windows clients are affected. The vulnerability
|
|
only exists if (a) the client's TLS negotiation with
|
|
the server succeeds, (b) the server is malicious or
|
|
has been compromised such that it is configured to
|
|
push a maliciously crafted options string to the client,
|
|
and (c) the client indicates its willingness to accept
|
|
pushed options from the server by having "pull" or
|
|
"client" in its configuration file (Credit: Vade79).
|
|
CVE-2005-3393
|
|
* Security fix -- Potential DoS vulnerability on the
|
|
server in TCP mode. If the TCP server accept() call
|
|
returns an error status, the resulting exception handler
|
|
may attempt to indirect through a NULL pointer, causing
|
|
a segfault. Affects all OpenVPN 2.0 versions.
|
|
CVE-2005-3409
|
|
* Fix attempt of assertion at multi.c:1586 (note that
|
|
this precise line number will vary across different
|
|
versions of OpenVPN).
|
|
* Added ".PHONY: plugin" to Makefile.am to work around
|
|
"make dist" issue.
|
|
* Fixed double fork issue that occurs when --management-hold
|
|
is used.
|
|
* Moved TUN/TAP read/write log messages from --verb 8 to 6.
|
|
* Warn when multiple clients having the same common name or
|
|
username usurp each other when --duplicate-cn is not used.
|
|
* Modified Windows and Linux versions of get_default_gateway
|
|
to return the route with the smallest metric
|
|
if multiple 0.0.0.0/0.0.0.0 entries are present.
|
|
2005.09.25 -- Version 2.0.3-rc1
|
|
* openvpn_plugin_abort_v1 function wasn't being properly
|
|
registered on Windows.
|
|
* Fixed a bug where --mode server --proto tcp-server --cipher none
|
|
operation could cause tunnel packet truncation.
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Aug 30 15:05:08 CEST 2005 - poeml@suse.de
|
|
|
|
- update to 2.0.2 [#106258] relevant changes:
|
|
* Fixed bug where "--proto tcp-server --mode p2p --management
|
|
host port" would cause the management port to not respond until
|
|
the OpenVPN peer connects.
|
|
* Modified pkitool script to be /bin/sh compatible (Johnny Lam).
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Aug 23 13:56:27 CEST 2005 - poeml@suse.de
|
|
|
|
- update to 2.0.1 [#106258]
|
|
* Security Fix -- DoS attack against server when run with "verb 0" and
|
|
without "tls-auth". If a client connection to the server fails
|
|
certificate verification, the OpenSSL error queue is not properly
|
|
flushed, which can result in another unrelated client instance on the
|
|
server seeing the error and responding to it, resulting in disconnection
|
|
of the unrelated client (CAN-2005-2531).
|
|
* Security Fix -- DoS attack against server by authenticated client.
|
|
This bug presents a potential DoS attack vector against the server
|
|
which can only be initiated by a connected and authenticated client.
|
|
If the client sends a packet which fails to decrypt on the server,
|
|
the OpenSSL error queue is not properly flushed, which can result in
|
|
another unrelated client instance on the server seeing the error and
|
|
responding to it, resulting in disconnection of the unrelated client
|
|
(CAN-2005-2532).
|
|
* Security Fix -- DoS attack against server by authenticated client.
|
|
A malicious client in "dev tap" ethernet bridging mode could
|
|
theoretically flood the server with packets appearing to come from
|
|
hundreds of thousands of different MAC addresses, causing the OpenVPN
|
|
process to deplete system virtual memory as it expands its internal
|
|
routing table. A --max-routes-per-client directive has been added
|
|
(default=256) to limit the maximum number of routes in OpenVPN's
|
|
internal routing table which can be associated with a given client
|
|
(CAN-2005-2533).
|
|
* Security Fix -- DoS attack against server by authenticated client.
|
|
If two or more client machines try to connect to the server at the
|
|
same time via TCP, using the same client certificate, and when
|
|
--duplicate-cn is not enabled on the server, a race condition can
|
|
crash the server with "Assertion failed at mtcp.c:411"
|
|
(CAN-2005-2534).
|
|
* Fixed server bug where under certain circumstances, the client instance
|
|
object deletion function would try to delete iroutes which had never been
|
|
added in the first place, triggering "Assertion failed at mroute.c:349".
|
|
* Added --auth-retry option to prevent auth errors from being fatal
|
|
on the client side, and to permit username/password requeries in case
|
|
of error. Also controllable via new "auth-retry" management interface
|
|
command. See man page for more info.
|
|
* Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
|
|
* Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
|
|
would fail to build.
|
|
* Implement "make check" to perform loopback tests (Matthias Andree).
|
|
- drop obsolete patch which fixed finding lzo libraries
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jun 28 14:27:17 CEST 2005 - mrueckert@suse.de
|
|
|
|
- The previous patch didnt work with lzo1 based distros. Fixed.
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jun 28 11:25:32 CEST 2005 - cthiel@suse.de
|
|
|
|
- fixed build with lzo2 (added lzo2.diff)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jun 23 01:48:38 CEST 2005 - ro@suse.de
|
|
|
|
- build with fPIE/pie
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jun 2 18:01:18 CEST 2005 - hvogel@suse.de
|
|
|
|
- lzo headers are in a subdirectory now
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Apr 19 10:28:32 CEST 2005 - cthiel@suse.de
|
|
|
|
- update to 2.0
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Feb 17 21:57:20 CET 2005 - poeml@suse.de
|
|
|
|
- update to 2.0_rc14
|
|
- add README.SUSE
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jan 28 10:52:55 CET 2005 - poeml@suse.de
|
|
|
|
- update to 2.0_rc10
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Dec 29 14:10:20 CET 2004 - poeml@suse.de
|
|
|
|
- update to 2.0_rc6
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Dec 29 10:35:28 CET 2004 - poeml@suse.de
|
|
|
|
- update to 2.0_rc1 (closing #45979)
|
|
IMPORTANT: OpenVPN's default port number is now 1194, based on an
|
|
official port number assignment by IANA. OpenVPN 2.0-beta16 and
|
|
earlier used 5000 as the default port.
|
|
-> see http://openvpn.net/20notes.html
|
|
- remove lzo sources, which come in a separate package since 9.2
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jul 26 15:43:00 CEST 2004 - poeml@suse.de
|
|
|
|
- update to 1.6_rc4
|
|
- bzip2 sources
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Jan 11 11:33:35 CET 2004 - adrian@suse.de
|
|
|
|
- build as user
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Dec 16 16:07:29 CET 2003 - wengel@suse.de
|
|
|
|
- update to version 1.5.0
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Sep 7 18:41:23 CEST 2003 - poeml@suse.de
|
|
|
|
- add an init script
|
|
- use RPM_OPT_FLAGS
|
|
- add /var/run/openvpn directory for pid files
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jul 31 14:24:14 CEST 2003 - wengel@suse.de
|
|
|
|
- update to new version -> 1.4.2
|
|
|
|
-------------------------------------------------------------------
|
|
Tue May 27 10:45:35 CEST 2003 - coolo@suse.de
|
|
|
|
- use BuildRoot
|
|
- package a bit more straightforward
|
|
|
|
-------------------------------------------------------------------
|
|
Mon May 19 08:41:42 CEST 2003 - wengel@suse.de
|
|
|
|
- update to version 1.4.1
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jan 20 17:05:53 CET 2003 - wengel@suse.de
|
|
|
|
- initial package
|
|
|