Revisions of openvpn

Reinhard Max (rmax) committed (revision 169)
- Disable 0001-preform-deferred-authentication-in-the-background.patch
  for testing, because the PAM module now has upstream support for
  deferred authentication.
Reinhard Max (rmax) accepted request 928265 from Dirk Mueller (dirkmueller) (revision 168)
- update to 2.5.4:
  * fix prompting for password on windows console if stderr redirection
    is in use - this breaks 2.5.x on Win11/ARM, and might also break
    on Win11/amd64 when released.
  * fix setting MAC address on TAP adapters (--lladdr) to use sitnl
    (was overlooked, and still used "ifconfig" calls)
  * various improvements for man page building (rst2man/rst2html etc)
  * minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on
    at least one platform strictly checking this)
  * fix minor memory leak under certain conditions in add_route() and
    add_route_ipv6()
  * documentation improvements
  * copyright updates where needed
  * better error reporting when win32 console access fails
Reinhard Max (rmax) committed (revision 167)
Reinhard Max (rmax) committed (revision 166)
Reinhard Max (rmax) committed (revision 165)
- Update to 2.5.3:
  * Removal of BF-CBC support in default configuration
    *** POSSIBLE INCOMPATIBILITY ***
    See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8).
  * Connection setup is now much faster
  * Support ChaCha20-Poly1305 cipher in the OpenVPN data channel
  * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
  * Client-specific tls-crypt keys (--tls-crypt-v2)
  * Improved Data channel cipher negotiation
  * HMAC based auth-token support for seamless reconnects to
    standalone servers or a group of servers
  * Asynchronous (deferred) authentication support for auth-pam
    plugin
  * Asynchronous (deferred) support for client-connect scripts and
    plugins
  * Support IPv4 configs with /31 netmasks
  * 802.1q VLAN support on TAP servers
  * Support IPv6-only tunnels
  * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
  * Support Virtual Routing and Forwarding (VRF)
  * Netlink integration (OpenVPN no longer needs to execute
    ifconfig/route or ip commands)
  * Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
- bsc#1062157: The fix for bsc#934237 causes problems with the
  crypto self-test of newer openvpn versions.
  Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch .
buildservice-autocommit accepted request 899936 from Factory Maintainer (factory-maintainer) (revision 164)
baserev update by copy to link target
buildservice-autocommit accepted request 898085 from Reinhard Max (rmax) (revision 163)
baserev update by copy to link target
Reinhard Max (rmax) committed (revision 162)
Reinhard Max (rmax) committed (revision 161)
Reinhard Max (rmax) accepted request 896403 from Dirk Mueller (dirkmueller) (revision 160)
- update to 2.4.11 (bsc#1185279):
  * CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
  * This bug allows - under very specific circumstances - to trick a server using
    delayed authentication (plugin or management) into returning a PUSH_REPLY
    before the AUTH_FAILED message, which can possibly be used to gather
    information about a VPN setup.
  * In combination with "--auth-gen-token" or a user-specific token auth
    solution it can be possible to get access to a VPN with an
    otherwise-invalid account.
  * Fix potential NULL ptr crash if compiled with DMALLOC
- drop sysv5 init support, it hasn't built successfully in ages
  and is build-disabled in devel project
buildservice-autocommit accepted request 888373 from Reinhard Max (rmax) (revision 159)
baserev update by copy to link target
Reinhard Max (rmax) accepted request 888332 from Christian Boltz (cboltz) (revision 158)
- update 'rcopenvpn' to work without /etc/rc.status (boo#1185273)
buildservice-autocommit accepted request 861546 from Reinhard Max (rmax) (revision 157)
baserev update by copy to link target
Reinhard Max (rmax) accepted request 860796 from Dirk Mueller (dirkmueller) (revision 156)
- update to 2.4.10:
 - OpenVPN client will now announce the acceptable ciphers to the server
   (IV_CIPHER=...), so NCP cipher negotiation works better
 - Parse static challenge response in auth-pam plugin
 - Accept empty password and/or response in auth-pam plugin
 - Log serial number of revoked certificate
 - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
 - Fix auth-token not being updated if auth-nocache is set
   (this should fix all remaining client-side bugs for the combination
   "auth-nocache in client-config" + "auth-token in use on the server")
 - Fix stack overflow in OpenSolaris and *BSD NEXTADDR()
 - Fix error detection / abort in --inetd corner case (#350)
 - Fix TUNSETGROUP compatibility with very old Linux systems (#1152)
 - Fix handling of 'route remote_host' for IPv6 transport case
   (#1247 and #1332)
 - Fix --show-gateway for IPv6 on NetBSD/i386 (#734)
 - A number of documentation improvements / clarification fixes.
 - Fix line number reporting on config file errors after <inline> segments
 - Fix fatal error at switching remotes (#629)
 - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848)
 - Switch "ks->authenticated" assertion failure to returning false (#1270)
- refresh 0001-preform-deferred-authentication-in-the-background.patch
   openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10
buildservice-autocommit accepted request 834319 from Reinhard Max (rmax) (revision 155)
baserev update by copy to link target
Reinhard Max (rmax) accepted request 833769 from Dirk Mueller (dirkmueller) (revision 154)
- update to 2.4.9 (CVE-2020-11810, bsc#1169925O):
  * Allow unicode search string in --cryptoapicert option (Windows)
  * Skip expired certificates in Windows certificate store (Windows) (trac #966)
  * OpenSSL: Fix --crl-verify not loading multiple CRLs in one file (trac #623)
  * fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
    This can be used to disrupt service to a freshly connected client (no session
    keys negotiated yet). It can not be used to inject or steal VPN traffic.
    (CVE-2020-11810).
  * fix combination of async push (deferred auth) and NCP (trac #1259)
  * Fix OpenSSL 1.1.1 not using auto elliptic curve selection (trac #1228)
  * Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
  * mbedTLS: Make sure TLS session survives move (trac #880)
  * Fix OpenSSL private key passphrase notices
  * Fix building with --enable-async-push in FreeBSD (trac #1256)
  * Fix broken fragmentation logic when using NCP (trac #1140)
buildservice-autocommit accepted request 830245 from Reinhard Max (rmax) (revision 153)
baserev update by copy to link target
Reinhard Max (rmax) accepted request 829828 from Franck Bui (fbui) (revision 152)
- Modernize openvpn.service
  * /var/run has been obsolete for a long time.
  * on reload, send HUP signal directly rather than relying on
    killproc to look for the main process.

- Explicitly requires sysvinit-tools as some of the tools shipped by
  this package are used in various places regardless of whether
  openvpn is built for systemd or non systemd systems.
  For the context: sysvinit-tools was pulled in by systemd since 2014
  but it's no longer the case so better to be safe than sorry.
buildservice-autocommit accepted request 782856 from Reinhard Max (rmax) (revision 151)
baserev update by copy to link target
Reinhard Max (rmax) accepted request 781397 from Fabian Vogt (Vogtinator) (revision 150)
- Fix inconsistency in openvpn.service:
  * It uses the unescaped instance name as config file basename,
    so use that in the description as well
Displaying revisions 41 - 60 of 209