Revisions of openvpn
buildservice-autocommit accepted request 1036732 from Dirk Mueller (dirkmueller) (revision 15)
baserev update by copy to link target
Dirk Mueller (dirkmueller) committed (revision 14)
- update to 2.5.8:
  * allow running a default configuration with TLS libraries without BF-CBC (even if TLS cipher negotiation would not actually use BF-CBC, the long-term compatibility "default cipher BF-CBC" would trigger an error on such TLS libraries)
  * ``--auth-nocache`` was not always correctly clearing username+password after a renegotiation
  * ensure that auth-token received from server is cleared if requested by the management interface ("forget password" or automatically via ``--management-forget-disconnect``)
  * in a setup without username+password, but with auth-token and auth-token-username pushed by the server, OpenVPN would start asking for username+password on token expiry. Fix.
  * using ``--auth-token`` together with ``--management-client-auth`` (on the server) would lead to TLS keys getting out of sync and client being disconnected. Fix.
  * management interface would sometimes get stuck if client and server try to write something simultaneously. Fix by allowing a limited level of recursion in virtual_output_callback()
  * fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
  * tls-crypt-v2: abort connection if client-key is too short
  * make man page agree with actual code on replay-window backtrack log message
  * remove useless empty line from CR_RESPONSE message
buildservice-autocommit accepted request 1003012 from Dirk Mueller (dirkmueller) (revision 13)
baserev update by copy to link target
Dirk Mueller (dirkmueller) committed (revision 12)
- build with enable-iproute2 again to have root-less mode working (bsc#1202792)
buildservice-autocommit accepted request 980821 from Dirk Mueller (dirkmueller) (revision 11)
baserev update by copy to link target
Dirk Mueller (dirkmueller) committed (revision 10)
- update to 2.5.7:
  * Limited OpenSSL 3.0 support
  * print OpenSSL error stack if decoding PKCS12 file fails
  * fix omission of cipher-negotiation.rst in tarballs
  * fix errno handling on Windows (Windows has different classes of error codes, GetLastError() and C runtime errno, these should now be handled correctly)
  * fix PATH_MAX build failure in auth-pam.c
  * fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
  * fix overlong path names, leading to missing pkcs11-helper patch in tarball
buildservice-autocommit accepted request 940795 from Dirk Mueller (dirkmueller) (revision 9)
baserev update by copy to link target
Dirk Mueller (dirkmueller) committed (revision 8)
- update to 2.5.5:
  * SWEET32/64bit cipher deprecation change was postponed to 2.7
  * improve "make check" to notice if "openvpn --show-cipher" crashes
  * improve argv unit tests
  * ensure unit tests work with mbedTLS builds without BF-CBC ciphers
  * include "--push-remove" in the output of "openvpn --help"
  * fix error in iptables syntax in example firewall.sh script
  * fix "resolvconf -p" invocation in example "up" script
  * fix "common_name" environment for script calls when "--username-as-common-name" is in effect (Trac #1434)
  * move "push-peer-info" documentation from "server options" to "client"
  * correct "foreign_option_{n}" typo in manpage
  * README.down-root: fix plugin module name
buildservice-autocommit accepted request 928265 from Dirk Mueller (dirkmueller) (revision 7)
baserev update by copy to link target
Dirk Mueller (dirkmueller) committed (revision 6)
  * fix prompting for password on windows console if stderr redirection is in use - this breaks 2.5.x on Win11/ARM, and might also break on Win11/amd64 when released.
  * fix setting MAC address on TAP adapters (--lladdr) to use sitnl (was overlooked, and still used "ifconfig" calls)
  * various improvements for man page building (rst2man/rst2html etc)
  * minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on at least one platform strictly checking this)
  * fix minor memory leak under certain conditions in add_route() and add_route_ipv6()
  * documentation improvements
  * copyright updates where needed
  * better error reporting when win32 console access fails
Dirk Mueller (dirkmueller) committed (revision 5)
- update to 2.5.4:
  * Connections setup is now much faster
  * ChaCha20-Poly1305 cipher in the OpenVPN data channel
  * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
  * Client-specific tls-crypt keys (--tls-crypt-v2)
  * Improved Data channel cipher negotiation
  * Removal of BF-CBC support in default configuration
  * HMAC based auth-token support for seamless reconnects to standalone servers or a group of servers.
  * Asynchronous (deferred) authentication support for auth-pam plugin
  * Asynchronous (deferred) support for client-connect scripts and plugins
  * Support IPv4 configs with /31 netmasks now
  * 802.1q VLAN support on TAP servers
  * IPv6-only tunnels
  * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
  * VRF support
  * Netlink integration
buildservice-autocommit accepted request 896403 from Dirk Mueller (dirkmueller) (revision 4)
baserev update by copy to link target
Dirk Mueller (dirkmueller) committed (revision 3)
- drop sysv5 init support, it hasn't built successfully in ages and is build-disabled in devel project
Dirk Mueller (dirkmueller) committed (revision 2)
- update to 2.4.11 (bsc#1185279):
  * CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
  * This bug allows - under very specific circumstances - to trick a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup.
  * In combination with "--auth-gen-token" or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account.
  * Fix potential NULL ptr crash if compiled with DMALLOC
Dirk Mueller (dirkmueller) committed (revision 1)
Displaying all 15 revisions