openSUSE Build Service

Overview Repositories Revisions Requests Users Attributes Meta

Revisions of openvpn

Reinhard Max (rmax) committed almost 3 years ago (revision 166)

Reinhard Max (rmax) committed almost 3 years ago (revision 165)

- Update to 2.5.3:
  * Removal of BF-CBC support in default configuration
    *** POSSIBLE INCOMPATIBILITY ***
    See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8).
  * Connections setup is now much faster
  * Support ChaCha20-Poly1305 cipher in the OpenVPN data channel
  * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
  * Client-specific tls-crypt keys (--tls-crypt-v2)
  * Improved Data channel cipher negotiation
  * HMAC based auth-token support for seamless reconnects to
    standalone servers or a group of servers
  * Asynchronous (deferred) authentication support for auth-pam
    plugin
  * Asynchronous (deferred) support for client-connect scripts and
    plugins
  * Support IPv4 configs with /31 netmasks
  * 802.1q VLAN support on TAP servers
  * Support IPv6-only tunnels
  * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
  * Support Virtual Routing and Forwarding (VRF)
  * Netlink integration (OpenVPN no longer needs to execute
    ifconfig/route or ip commands)
  * Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
- bsc#1062157: The fix for bsc#934237 causes problems with the
  crypto self-test of newer openvpn versions.
  Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch .

buildservice-autocommit accepted request 899936 from

Factory Maintainer (factory-maintainer) almost 3 years ago (revision 164)

baserev update by copy to link target

buildservice-autocommit accepted request 898085 from

Reinhard Max (rmax) almost 3 years ago (revision 163)

baserev update by copy to link target

Reinhard Max (rmax) committed almost 3 years ago (revision 162)

Reinhard Max (rmax) committed almost 3 years ago (revision 161)

Reinhard Max (rmax) accepted request 896403 from

Dirk Mueller (dirkmueller) almost 3 years ago (revision 160)

- update to 2.4.11 (bsc#1185279):
  * CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
  * This bug allows - under very specific circumstances - to trick a server using
    delayed authentication (plugin or management) into returning a PUSH_REPLY
    before the AUTH_FAILED message, which can possibly be used to gather
    information about a VPN setup.
  * In combination with "--auth-gen-token" or an user-specific token auth
    solution it can be possible to get access to a VPN with an
    otherwise-invalid account.
  * Fix potential NULL ptr crash if compiled with DMALLOC
- drop sysv5 init support, it hasn't build successfully in ages
  and is build-disabled in devel project

buildservice-autocommit accepted request 888373 from

Reinhard Max (rmax) about 3 years ago (revision 159)

baserev update by copy to link target

Reinhard Max (rmax) accepted request 888332 from

Christian Boltz (cboltz) about 3 years ago (revision 158)

- update 'rcopenvpn' to work without /etc/rc.status (boo#1185273)

buildservice-autocommit accepted request 861546 from

Reinhard Max (rmax) over 3 years ago (revision 157)

baserev update by copy to link target

Reinhard Max (rmax) accepted request 860796 from

Dirk Mueller (dirkmueller) over 3 years ago (revision 156)

- update to 2.4.10:
 - OpenVPN client will now announce the acceptable ciphers to the server
   (IV_CIPHER=...), so NCP cipher negotiation works better
 - Parse static challenge response in auth-pam plugin
 - Accept empty password and/or response in auth-pam plugin
 - Log serial number of revoked certificate
 - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
 - Fix auth-token not being updated if auth-nocache is set
   (this should fix all remaining client-side bugs for the combination
   "auth-nocache in client-config" + "auth-token in use on the server")
 - Fix stack overflow in OpenSolaris and *BSD NEXTADDR()
 - Fix error detection / abort in --inetd corner case (#350)
 - Fix TUNSETGROUP compatibility with very old Linux systems (#1152)
 - Fix handling of 'route remote_host' for IPv6 transport case
   (#1247 and #1332)
 - Fix --show-gateway for IPv6 on NetBSD/i386 (#734)
 - A number of documentation improvements / clarification fixes.
 - Fix line number reporting on config file errors after <inline> segments
 - Fix fatal error at switching remotes (#629)
 - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848)
 - Switch "ks->authenticated" assertion failure to returning false (#1270)
- refresh 0001-preform-deferred-authentication-in-the-background.patch
   openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10

buildservice-autocommit accepted request 834319 from

Reinhard Max (rmax) over 3 years ago (revision 155)

baserev update by copy to link target

Reinhard Max (rmax) accepted request 833769 from

Dirk Mueller (dirkmueller) over 3 years ago (revision 154)

- update to 2.4.9 (CVE-2020-11810, bsc#1169925O):
  * Allow unicode search string in --cryptoapicert option (Windows)
  * Skip expired certificates in Windows certificate store (Windows) (trac #966)
  * OpenSSL: Fix --crl-verify not loading multiple CRLs in one file (trac #623)
  * fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
  This can be used to disrupt service to a freshly connected client (no session
  keys negotiated yet). It can not be used to inject or steal VPN traffic.
  CVE-2020-11810).
  * fix combination of async push (deferred auth) and NCP (trac #1259)
  * Fix OpenSSL 1.1.1 not using auto elliptic curve selection (trac #1228)
  * Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
  * mbedTLS: Make sure TLS session survives move (trac #880)
  * Fix OpenSSL private key passphrase notices
  * Fix building with --enable-async-push in FreeBSD (trac #1256)
  * Fix broken fragmentation logic when using NCP (trac #1140)

buildservice-autocommit accepted request 830245 from

Reinhard Max (rmax) over 3 years ago (revision 153)

baserev update by copy to link target

Reinhard Max (rmax) accepted request 829828 from

Franck Bui (fbui) over 3 years ago (revision 152)

- Modernize openvpn.service
  * /var/run has been obsoleted since a long time.
  * on reload, send HUP signal directly rather than relying on
    killproc to look for the main process.

- Explicitly requires sysvinit-tools as some of the tools shipped by
  this package are used in various places regardless of whether
  openvpn is built for systemd or non systemd systems.
  For the context: sysvinit-tools was pulled in by systemd since 2014
  but it's no longer the case so better to be safe than sorry.

buildservice-autocommit accepted request 782856 from

Reinhard Max (rmax) about 4 years ago (revision 151)

baserev update by copy to link target

Reinhard Max (rmax) accepted request 781397 from

Fabian Vogt (Vogtinator) about 4 years ago (revision 150)

- Fix inconsistency in openvpn.service:
  * It uses the unescape instance name as config file basename,
    so use that in the description as well

buildservice-autocommit accepted request 768341 from

Reinhard Max (rmax) over 4 years ago (revision 149)

baserev update by copy to link target

Reinhard Max (rmax) accepted request 766820 from

Dominique Leuenberger (dimstar) over 4 years ago (revision 148)

- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
  shortcut through the -mini flavors.
- Use %systemd_ordering instead of systemd_requires: in fact,
  systemd is not a hard requirement for openvpn. But in case a
  system is being installed with systemd, we want systemd to be
  there before  openvpn is being installed.

buildservice-autocommit accepted request 764977 from

Reinhard Max (rmax) over 4 years ago (revision 147)

baserev update by copy to link target

Displaying revisions 41 - 60 of 206

Places

Revisions of openvpn

Places