Revisions of openvpn

Björn Voigt (bjoernv) committed (revision 63)
- update to 2.6.12:
  * For full changelog please refer to:
    https://github.com/OpenVPN/openvpn/blob/v2.6.12/Changes.rst
Björn Voigt (bjoernv) committed (revision 62)
- update to 2.6.11:
  * CVE-2024-4877: Windows: harden interactive service pipe. Security
    scope: a malicious process with "some" elevated privileges
    (SeImpersonatePrivilege) could open the pipe a second time, tricking
    openvpn GUI into providing user credentials (tokens), getting full
    access to the account openvpn-gui.exe runs as. (Zeze with TeamT5)
  * CVE-2024-5594: control channel: refuse control channel messages with
    nonprintable characters in them. Security scope: a malicious openvpn
    peer can send garbage to openvpn log, or cause high CPU
    load. (Reynir Björnsson)
  * CVE-2024-28882: only call schedule_exit() once (on a given
    peer). Security scope: an authenticated client can make the server
    "keep the session" even when the server has been told to disconnect
    this client (Reynir Björnsson)
  * Fix connect timeout when using SOCKS proxies (trac #328, github
    #267)
  * Work around LibreSSL crashing on OpenBSD 7.5 when enumerating
    ciphers (LibreSSL bug, already fixed upstream, but not backported to
    OpenBSD 7.5, see also LibreSSL/OpenBSD#150)
  * Add bracket in fingerprint message and do not warn about missing
    verification (github #516)

- Enable Data-Channel-Offloading (DCO) for better performance (jsc#PED-8305)
  if libnl >= 3.4 is available
Björn Voigt (bjoernv) committed (revision 61)
Removed duplicate changelog entry
Björn Voigt (bjoernv) committed (revision 60)
- update to 2.6.10:
  * see https://github.com/OpenVPN/openvpn/blob/v2.6.10/Changes.rst
Björn Voigt (bjoernv) committed (revision 59)
Copied dependencies from parent
- BuildRequires:  openssl-devel
- BuildRequires:  iproute2
- Requires:       iproute2
Björn Voigt (bjoernv) committed (revision 58)
- update to 2.6.9:
  * Remove unused function prototype crypto_adjust_frame_parameters
  * Log SSL alerts more prominently
  * Document tls-exit option mainly as test option
  * Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway
  * Fix check_session_buf_not_used using wrong index
  * Add missing check for nl_socket_alloc failure
  * Add check for nice in cmake config
  * Remove compat versionhelpers.h and remove cmake/configure check for it
  * Extend the error message when TLS 1.0 PRF fails
  * Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
  * Check PRF availability on initialisation and add --force-tls-key-material-export
  * Make it more explicit and visible when pkg-config is not found
  * Clarify that the tls-crypt-v2-verify has a very limited env set
  * Implement the --tls-export-cert feature
  * Remove conditional text for Apache2 linking exception
  * Remove --tls-export-cert
  * Remove superfluous x509_write_pem()
  * sample-keys: renew for the next 10 years
  * GHA: clean up libressl builds with newer libressl
  * configure.ac: Remove unused AC_TYPE_SIGNAL macro
  * documentation: remove reference to removed option --show-proxy-settings
  * unit_tests: remove includes for mock_msg.h
  * documentation: improve documentation of --x509-track
  * NTLM: add length check to add_security_buffer
  * NTLM: increase size of phase 2 response we can handle
  * proxy-options.rst: Add proper documentation for --http-proxy-user-pass
  * buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0'
  * --http-proxy-user-pass: allow to specify in either order with --http-proxy
  * README.cmake.md: Document minimum required CMake version for --preset
Björn Voigt (bjoernv) committed (revision 57)
- update to 2.6.8:
  * SIGSEGV crash: Do not check key_state buffers that are in S_UNDEF
    state (Github #449) - the new sanity check function introduced in
    2.6.7 sometimes tried to use a NULL pointer after an unsuccessful
    TLS handshake
Björn Voigt (bjoernv) committed (revision 56)
- update to 2.6.7:
  * CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
    use a send buffer after it has been free()d in some circumstances,
    causing some free()d memory to be sent to the peer. All
    configurations using TLS (e.g. not using --secret) are affected by
    this issue. (found while tracking down CVE-2023-46849 / Github #400,
    #417)
  * CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
    restore --fragment configuration in some circumstances, leading to a
    division by zero when --fragment is used. On platforms where
    division by zero is fatal, this will cause an OpenVPN
    crash. Reported by Niccolo Belli <niccolo.belli@linuxsystems.it> and
    WIPocket (Github #400, #417).
  * DCO: warn if DATA_V1 packets are sent by the other side - this is a
    hard incompatibility between a 2.6.x client connecting to a
    2.4.0-2.4.4 server, and the only fix is to use --disable-dco.
  * Remove OpenSSL Engine method for loading a key. This had to be
    removed because the original author did not agree to relicensing the
    code with the new linking exception added. This was a somewhat
    obsolete feature anyway as it only worked with OpenSSL 1.x, which is
    end-of-support.
  * add warning if p2p NCP client connects to a p2mp server - this is a
    combination that used to work without cipher negotiation (pre 2.6 on
    both ends), but would fail in non-obvious ways with 2.6 to 2.6.
  * add warning to --show-groups that not all supported groups are
    listed (this is due to the internal enumeration in OpenSSL being a bit
    weird, omitting X448 and X25519 curves).
  * --dns: remove support for exclude-domains argument (this was a new
    2.6 option, with no backend support implemented yet on any platform,
    and it turns out that no platform supported it at all - so remove
    option again)
  * warn user if INFO control message too long, do not forward to
    management client (safeguard against protocol-violating server
    implementations)
  * DCO-WIN: get and log driver version (for easier debugging).
  * print "peer temporary key details" in TLS handshake
  * log OpenSSL errors on failure to set certificate, for example if the
    algorithms used are not acceptable to OpenSSL (misleading message
    would be printed in cryptoapi / pkcs#11 scenarios)
  * add CMake build system for MinGW and MSVC builds
  * remove old MSVC build system
  * improve cmocka unit test building for Windows
Björn Voigt (bjoernv) committed (revision 55)
added link to home:plater libnl3-devel
Björn Voigt (bjoernv) committed (revision 54)
added dependencies libnl3-200 >= 3.4.0 and libnl3-config >= 3.4.0
Björn Voigt (bjoernv) committed (revision 53)
Moved _aggregate to a new package
Björn Voigt (bjoernv) committed (revision 52)
updated _aggregate file
Björn Voigt (bjoernv) committed (revision 51)
New dependency to home:plater, packages libnl3-devel and libnl3-200
Björn Voigt (bjoernv) committed (revision 50)
Added BuildRequires version (libnl3-devel >= 3.4.0)
Björn Voigt (bjoernv) committed (revision 49)
Removed old openvpn-2.6.3 sources
Björn Voigt (bjoernv) committed (revision 48)
- Update to 2.6.4:
  * DCO: support kernel-triggered key rotation (avoid IV reuse after 
    2^32 packets). This is the userland side, accepting a message
    from kernel, and initiating a TLS renegotiation. As of release,
  * fix pkcs#11 usage with OpenSSL 3.x and PSS signing (Github #323)
  * fix compile error on TARGET_ANDROID
  * fix typo in help text
  * manpage updates (--topology)
  * encoding of non-ASCII Windows error messages in log + management fixed
- Update openvpn.keyring

- update to 2.6.3:
  * For full changelog please refer to:
    https://github.com/OpenVPN/openvpn/blob/v2.6.3/Changes.rst
  * implement byte counter statistics for DCO Linux (p2mp server
    and client)
  * implement byte counter statistics for DCO Windows (client only)
  * '--dns server <n> address ...' now permits up to 8 v4 or v6
    addresses
  * fix a few cases of possibly undefined behaviour detected by ASAN
  * add more unit tests for Windows cryptoapi interface
  * Dynamic TLS Crypt: When both peers are OpenVPN 2.6.1+, OpenVPN
    will dynamically create a tls-crypt key that is used for
    renegotiation. This ensures that only the previously authenticated
    peer can trigger renegotiation and complete renegotiations.
  * Keying Material Exporters (RFC 5705) based key generation
  * As part of the cipher negotiation OpenVPN will automatically prefer
    the RFC5705 based key material generation to the current custom
    OpenVPN PRF. This feature requires OpenSSL or mbed TLS 2.18+.
  * OpenVPN will now work with OpenSSL in FIPS mode. Note, no effort
Björn Voigt (bjoernv) committed (revision 47)
- added compile option --enable-async-push
Björn Voigt (bjoernv) committed (revision 46)
- OpenSSL 3 dependency also for Leap 15.4
Björn Voigt (bjoernv) committed (revision 45)
- update to 2.6.3
  * see https://github.com/OpenVPN/openvpn/blob/v2.6.3/Changes.rst
- removed patch to fix (now upstream)
  #301 crash on OpenVPN 2.6.2 Ubuntu 22.04 LTS
  #303 OpenVPN 2.6.2 crash with DCO module after network connection is back
Björn Voigt (bjoernv) committed (revision 44)
- added patch to fix
  #301 crash on OpenVPN 2.6.2 Ubuntu 22.04 LTS
  #303 OpenVPN 2.6.2 crash with DCO module after network connection is back
Displaying revisions 1 - 20 of 63