Revisions of openvpn
Björn Voigt (bjoernv)
committed
(revision 60)
- update to 2.6.10: * see https://github.com/OpenVPN/openvpn/blob/v2.6.10/Changes.rst
Björn Voigt (bjoernv)
committed
(revision 59)
Copied dependencies from parent - BuildRequires: openssl-devel - BuildRequires: iproute2 - Requires: iproute2
Björn Voigt (bjoernv)
committed
(revision 58)
- update to 2.6.9: * Remove unused function prototype crypto_adjust_frame_parameters * Log SSL alerts more prominently * Document tls-exit option mainly as test option * Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway * Fix check_session_buf_not_used using wrong index * Add missing check for nl_socket_alloc failure * Add check for nice in cmake config * Remove compat versionhelpers.h and remove cmake/configure check for it * Extend the error message when TLS 1.0 PRF fails * Fix unaligned access in macOS, FreeBSD, Solaris hwaddr * Check PRF availability on initialisation and add --force-tls-key-material-export * Make it more explicit and visible when pkg-config is not found * Clarify that the tls-crypt-v2-verify has a very limited env set * Implement the --tls-export-cert feature * Remove conditional text for Apache2 linking exception * Remove --tls-export-cert * Remove superfluous x509_write_pem() * sample-keys: renew for the next 10 years * GHA: clean up libressl builds with newer libressl * configure.ac: Remove unused AC_TYPE_SIGNAL macro * documentation: remove reference to removed option --show-proxy-settings * unit_tests: remove includes for mock_msg.h * documentation: improve documentation of --x509-track * NTLM: add length check to add_security_buffer * NTLM: increase size of phase 2 response we can handle * proxy-options.rst: Add proper documentation for --http-proxy-user-pass * buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0' * --http-proxy-user-pass: allow to specify in either order with --http-proxy * README.cmake.md: Document minimum required CMake version for --preset
Björn Voigt (bjoernv)
committed
(revision 57)
- update to 2.6.8:
* SIGSEGV crash: Do not check key_state buffers that are in S_UNDEF
state (Github #449) - the new sanity check function introduced in
2.6.7 sometimes tried to use a NULL pointer after an unsuccessful
TLS handshake
Björn Voigt (bjoernv)
committed
(revision 56)
- update to 2.6.7:
* CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
use a send buffer after it has been free()d in some circumstances,
causing some free()d memory to be sent to the peer. All
configurations using TLS (e.g. not using --secret) are affected by
this issue. (found while tracking down CVE-2023-46849 / Github #400,
#417)
* CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
restore --fragment configuration in some circumstances, leading to a
division by zero when --fragment is used. On platforms where
division by zero is fatal, this will cause an OpenVPN
crash. Reported by Niccolo Belli <niccolo.belli@linuxsystems.it> and
WIPocket (Github #400, #417).
* DCO: warn if DATA_V1 packets are sent by the other side - this a
hard incompatibility between a 2.6.x client connecting to a
2.4.0-2.4.4 server, and the only fix is to use --disable-dco.
* Remove OpenSSL Engine method for loading a key. This had to be
removed because the original author did not agree to relicensing the
code with the new linking exception added. This was a somewhat
obsolete feature anyway as it only worked with OpenSSL 1.x, which is
end-of-support.
* add warning if p2p NCP client connects to a p2mp server - this is a
combination that used to work without cipher negotiation (pre 2.6 on
both ends), but would fail in non-obvious ways with 2.6 to 2.6.
* add warning to --show-groups that not all supported groups are
listed (this is due the internal enumeration in OpenSSL being a bit
weird, omitting X448 and X25519 curves).
* --dns: remove support for exclude-domains argument (this was a new
2.6 option, with no backend support implemented yet on any platform,
and it turns out that no platform supported it at all - so remove
option again)
* warn user if INFO control message too long, do not forward to
management client (safeguard against protocol-violating server
implementations)
* DCO-WIN: get and log driver version (for easier debugging).
* print "peer temporary key details" in TLS handshake
* log OpenSSL errors on failure to set certificate, for example if the
algorithms used are in acceptable to OpenSSL (misleading message
would be printed in cryptoapi / pkcs#11 scenarios)
* add CMake build system for MinGW and MSVC builds
* remove old MSVC build system
* improve cmocka unit test building for Windows
Björn Voigt (bjoernv)
committed
(revision 54)
added dependencies libnl3-200 >= 3.4.0 and libnl3-config >= 3.4.0
Björn Voigt (bjoernv)
committed
(revision 51)
New dependency to home:plater, packages libnl3-devel and libnl3-200
Björn Voigt (bjoernv)
committed
(revision 48)
- Update to 2.6.4:
* DCO: support kernel-triggered key rotation (avoid IV reuse after
2^32 packets). This is the userland side, accepting a message
from kernel, and initiating a TLS renegotiation. As of release,
* fix pkcs#11 usage with OpenSSL 3.x and PSS signing (Github #323)
* fix compile error on TARGET_ANDROID
* fix typo in help text
* manpage updates (--topology)
* encoding of non-ASCII windows error messages in log + management fixed
- Update openvpn.keyring
- update to 2.6.3:
* For full changelog please refer to:
https://github.com/OpenVPN/openvpn/blob/v2.6.3/Changes.rst
* implement byte counter statistics for DCO Linux (p2mp server
and client)
* implement byte counter statistics for DCO Windows (client only)
* '--dns server <n> address ...' now permits up to 8 v4 or v6
addresses
* fix a few cases of possibly undefined behaviour detected by ASAN
* add more unit tests for Windows cryptoapi interface
* Dynamic TLS Crypt When both peers are OpenVPN 2.6.1+, OpenVPN
will dynamically create a tls-crypt key that is used for
renegotiation. This ensure that only the previously authenticated
peer can do trigger renegotiation and complete renegotiations.
* Keying Material Exporters (RFC 5705) based key generation
* As part of the cipher negotiation OpenVPN will automatically prefer
the RFC5705 based key material generation to the current custom
OpenVPN PRF. This feature requires OpenSSL or mbed TLS 2.18+.
* OpenVPN will now work with OpenSSL in FIPS mode. Note, no effort
Björn Voigt (bjoernv)
committed
(revision 45)
- update to 2.6.3 * see https://github.com/OpenVPN/openvpn/blob/v2.6.3/Changes.rst - removed patch to fix (now upstream) #301 crash on OpenVPN 2.6.2 Ubuntu 22.04 LTS #303 OpenVPN 2.6.2 crash with DCO module after network connection is back
Björn Voigt (bjoernv)
committed
(revision 44)
- added patch to fix #301 crash on OpenVPN 2.6.2 Ubuntu 22.04 LTS #303 OpenVPN 2.6.2 crash with DCO module after network connection is back
Björn Voigt (bjoernv)
committed
(revision 43)
- update to 2.6.2 * see https://github.com/OpenVPN/openvpn/blob/v2.6.2/Changes.rst - New control packets flow for data channel offloading on Linux: 2.6.2+ changes the way OpenVPN control packets are handled on Linux when DCO is active, fixing the lockups observed with 2.6.0/2.6.1 under high client connect/disconnect activity. This is an INCOMPATIBLE change and therefore an ovpn-dco kernel module older than v0.2.20230323 (commit ID 726fdfe0fa21) will not work anymore and must be upgraded. The kernel module was renamed to "ovpn-dco-v2.ko" in order to highlight this change and ensure that users and userspace software could easily understand which version is loaded. Attempting to use the old ovpn-dco with 2.6.2+ will lead to disabling DCO at runtime.
Björn Voigt (bjoernv)
committed
(revision 42)
- update to 2.6.1 * see https://github.com/OpenVPN/openvpn/blob/v2.6.1/Changes.rst - disabled openvpn-fips140-2.3.2.patch (currently not compatible) - new BuildRequires: libcap-ng-devel, liblz4-devel, libnl3-devel - removed BuildRequires: iproute2
Displaying revisions 1 - 20 of 61
