Changelog for
openvpn-auth-pam-plugin-2.4.5-186.1.x86_64.rpm :
Sat Mar 3 13:00:00 2018 bjoernvAATTarcor.de
- Update to 2.4.5
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
Thu Feb 15 13:00:00 2018 bjoernvAATTarcor.de
- Removed --askpass from ExecStart again, because this breaks
setups
- see https://bugzilla.opensuse.org/show_bug.cgi?id=985798#c5
Tue Feb 13 13:00:00 2018 maxAATTsuse.com
- Add --askpass to ExecStart, so that the user name and password
are correctly being queried from the user.
(bsc#1078026, boo#985798, boo#1031748)
- Use %service_add/del macros throughout (bsc#1038406).
Thu Nov 23 13:00:00 2017 rbrownAATTsuse.com
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
Tue Oct 10 14:00:00 2017 ndasAATTsuse.de
- Do bound check in read_key before using values(CVE-2017-12166 bsc#1060877).
[+ 0002-Fix-bounds-check-in-read_key.patch]
Fri Oct 6 14:00:00 2017 bjoernvAATTarcor.de
- reverted parts of the patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
because it breaks the crypto self-test
- see bug bsc#1062157
Thu Sep 28 14:00:00 2017 bjoernvAATTarcor.de
- Update to 2.4.4
https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst
Fri Aug 11 14:00:00 2017 sebix+novell.comAATTsebix.at
- Do not package empty /usr/lib64/tmpfiles.d
Mon Jul 3 14:00:00 2017 bjoernvAATTarcor.de
- work-around for OpenVPN bug #538
(attention: the work-around may break setups, where OpenVPN
needs a password during boot)
Fri Jun 23 14:00:00 2017 ndasAATTsuse.de
- Update to 2.4.3 (bsc#1045489)
- Ignore auth-nocache for auth-user-pass if auth-token is pushed
- crypto: Enable SHA256 fingerprint checking in --verify-hash
- copyright: Update GPLv2 license texts
- auth-token with auth-nocache fix broke --disable-crypto builds
- OpenSSL: don\'t use direct access to the internal of X509
- OpenSSL: don\'t use direct access to the internal of EVP_PKEY
- OpenSSL: don\'t use direct access to the internal of RSA
- OpenSSL: don\'t use direct access to the internal of DSA
- OpenSSL: force meth->name as non-const when we free() it
- OpenSSL: don\'t use direct access to the internal of EVP_MD_CTX
- OpenSSL: don\'t use direct access to the internal of EVP_CIPHER_CTX
- OpenSSL: don\'t use direct access to the internal of HMAC_CTX
- Fix NCP behaviour on TLS reconnect.
- Remove erroneous limitation on max number of args for --plugin
- Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
- Fix potential 1-byte overread in TCP option parsing.
- Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
- Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst)
- refactor my_strupr
- Fix 2 memory leaks in proxy authentication routine
- Fix memory leak in add_option() for option \'connection\'
- Ensure option array p[] is always NULL-terminated
- Fix a null-pointer dereference in establish_http_proxy_passthru()
- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
- Fix an unaligned access on OpenBSD/sparc64
- Missing include for socket-flags TCP_NODELAY on OpenBSD
- Make openvpn-plugin.h self-contained again.
- Pass correct buffer size to GetModuleFileNameW()
- Log the negotiated (NCP) cipher
- Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
- Skip tls-crypt unit tests if required crypto mode not supported
- openssl: fix overflow check for long --tls-cipher option
- Add a DSA test key/cert pair to sample-keys
- Fix mbedtls fingerprint calculation
- mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
- mbedtls: require C-string compatible types for --x509-username-field
- Fix remote-triggerable memory leaks (CVE-2017-7521)
- Restrict --x509-alt-username extension types
- Fix potential double-free in --x509-alt-username (CVE-2017-7521)
- Fix gateway detection with OpenBSD routing domains
Wed Jun 14 14:00:00 2017 ndasAATTsuse.de
- use %{_tmpfilesdir} for tmpfiles.d/openvpn.conf (bsc#1044223)
Tue Jun 6 14:00:00 2017 ndasAATTsuse.de
- Update to 2.4.2
- auth-token: Ensure tokens are always wiped on de-auth
- Make --cipher/--auth none more explicit on the risks
- Use SHA256 for the internal digest, instead of MD5
- Deprecate --ns-cert-type
- Deprecate --no-iv
- Support --block-outside-dns on multiple tunnels
- Limit --reneg-bytes to 64MB when using small block ciphers
- Fix --tls-version-max in mbed TLS builds
Details changelogs are avilable in
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
[
*0001-preform-deferred-authentication-in-the-background.patch
* openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
* openvpn-fips140-2.3.2.patch]
- pkcs11-helper-devel >= 1.11 is needed for openvpn-2.4.2
- cleanup the spec file
Fri Apr 21 14:00:00 2017 ndasAATTsuse.de
- Preform deferred authentication in the background to not
cause main daemon processing delays when the underlying pam mechanism (e.g.
ldap) needs longer to response (bsc#959511).
[+ 0001-preform-deferred-authentication-in-the-background.patch]
- Added fix for possible heap overflow on read accessing getaddrinfo
result (bsc#959714).
[+openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch]
- Added a patch to fix multiple low severity issues (bsc#934237).
[+openvpn-2.3.x-fixed-multiple-low-severity-issues.patch]
Sun Jan 22 13:00:00 2017 mrueckertAATTsuse.de
- silence warning about %{_rundir}/openvpn
- for non systemd case: just package the %{_rundir}/openvpn in
the package
- for systemd case: call systemd-tmpfiles and own the dir as
%ghost in the filelist
Sun Jan 22 13:00:00 2017 mrueckertAATTsuse.de
- refreshed patches to apply cleanly again
openvpn-2.3-plugin-man.dif
openvpn-fips140-2.3.2.patch
Sun Jan 22 13:00:00 2017 mrueckertAATTsuse.de
- update to 2.3.14
- update year in copyright message
- Document the --auth-token option
- Repair topology subnet on FreeBSD 11
- Repair topology subnet on OpenBSD
- Drop recursively routed packets
- Support --block-outside-dns on multiple tunnels
- When parsing \'--setenv opt xx ..\' make sure a third parameter
is present
- Map restart signals from event loop to SIGTERM during
exit-notification wait
- Correctly state the default dhcp server address in man page
- Clean up format_hex_ex()
- enabled pkcs11 support
Sat Dec 3 13:00:00 2016 michaelAATTstroeder.com
- update to 2.3.13
- removed obsolete patch files openvpn-2.3.0-man-dot.diff and
openvpn-fips140-AES-cipher-in-config-template.patch
2016.11.02 -- Version 2.3.13
Arne Schwabe (2):
* Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
* Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
David Sommerseth (4):
* t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
* t_client.sh: Add support for Kerberos/ksu
* t_client.sh: Improve detection if the OpenVPN process did start during tests
* t_client.sh: Add prepare/cleanup possibilties for each test case
Gert Doering (5):
* Do not abort t_client run if OpenVPN instance does not start.
* Fix t_client runs on OpenSolaris
* make t_client robust against sudoers misconfiguration
* add POSTINIT_CMD_suf to t_client.sh and sample config
* Fix --multihome for IPv6 on 64bit BSD systems.
Ilya Shipitsin (1):
* skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
Lev Stipakov (2):
* Exclude peer-id from pulled options digest
* Fix compilation in pedantic mode
Samuli Seppänen (1):
* Automatically cache expected IPs for t_client.sh on the first run
Steffan Karger (6):
* Fix unittests for out-of-source builds
* Make gnu89 support explicit
* cleanup: remove code duplication in msg_test()
* Update cipher-related man page text
* Limit --reneg-bytes to 64MB when using small block ciphers
* Add a revoked cert to the sample keys
2016.08.23 -- Version 2.3.12
Arne Schwabe (2):
* Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
* Move ASSERT so external-key with OpenSSL works again
David Sommerseth (3):
* Only build and run cmocka unit tests if its submodule is initialized
* Another fix related to unit test framework
* Remove NOP function and callers
Dorian Harmans (1):
* Add CHACHA20-POLY1305 ciphersuite IANA name translations.
Ivo Manca (1):
* Plug memory leak in mbedTLS backend
Jeffrey Cutter (1):
* Update contrib/pull-resolv-conf/client.up for no DOMAIN
Jens Neuhalfen (2):
* Add unit testing support via cmocka
* Add a test for auth-pam searchandreplace
Josh Cepek (1):
* Push an IPv6 CIDR mask used by the server, not the pool\'s size
Leon Klingele (1):
* Add link to bug tracker
Samuli Seppänen (2):
* Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
* Clarify the fact that build instructions in README are for release tarballs
Selva Nair (4):
* Make error non-fatal while deleting address using netsh
* Make block-outside-dns work with persist-tun
* Ignore SIGUSR1/SIGHUP during exit notification
* Promptly close the netcmd_semaphore handle after use
Steffan Karger (4):
* Fix polarssl / mbedtls builds
* Don\'t limit max incoming message size based on c2->frame
* Fix \'--cipher none --cipher\' crash
* Discourage using 64-bit block ciphers
Mon Nov 28 13:00:00 2016 matwey.kornilovAATTgmail.com
- Require iproute2 explicitly. openvpn uses /bin/ip from iproute2,
so it should be installed
Thu Sep 8 14:00:00 2016 astiegerAATTsuse.com
- Add an example for a FIPS 140-2 approved cipher configuration to
the sample configuration files. Fixes bsc#988522
adding openvpn-fips140-AES-cipher-in-config-template.patch
- remove gpg-offline signature verification, now a source service
Tue May 10 14:00:00 2016 idonmezAATTsuse.com
- Update to version 2.3.11
* Fixed port-share bug with DoS potential
* Fix buffer overflow by user supplied data
* Fix undefined signed shift overflow
* Ensure input read using systemd-ask-password is null terminated
* Support reading the challenge-response from console
* hardening: add safe FD_SET() wrapper openvpn_fd_set()
* Restrict default TLS cipher list
- Add BuildRequires on xz for SLE11
Mon Jan 4 13:00:00 2016 idonmezAATTsuse.com
- Update to version 2.3.10
* Warn user if their certificate has expired
* Fix regression in setups without a client certificate
Wed Dec 16 13:00:00 2015 idonmezAATTsuse.com
- Update to version 2.3.9
* Show extra-certs in current parameters.
* Do not set the buffer size by default but rely on the operation system default.
* Remove --enable-password-save option
* Detect config lines that are too long and give a warning/error
* Log serial number of revoked certificate
* Avoid partial authentication state when using --disabled in CCD configs
* Replace unaligned 16bit access to TCP MSS value with bytewise access
* Fix possible heap overflow on read accessing getaddrinfo() result.
* Fix isatty() check for good. (obsoletes revert-daemonize.patch)
* Client-side part for server restart notification
* Fix privilege drop if first connection attempt fails
* Support for username-only auth file.
* Increase control channel packet size for faster handshakes
* hardening: add insurance to exit on a failed ASSERT()
* Fix memory leak in auth-pam plugin
* Fix (potential) memory leak in init_route_list()
* Fix unintialized variable in plugin_vlog()
* Add macro to ensure we exit on fatal errors
* Fix memory leak in add_option() by simplifying get_ipv6_addr
* openssl: properly check return value of RAND_bytes()
* Fix rand_bytes return value checking
* Fix \"White space before end tags can break the config parser\"
Thu Dec 3 13:00:00 2015 mtAATTsuse.com
- Adjust /var/run to _rundir macro value in openvpnAATT.service too.
Thu Aug 20 14:00:00 2015 mtAATTsuse.com
- Removed obsolete --with-lzo-headers option, readded LFS_CFLAGS.
- Moved openvpn-plugin.h into a devel package, removed .gitignore
Thu Aug 13 14:00:00 2015 idonmezAATTsuse.com
- Add revert-daemonize.patch, looks like under systemd the stdin
and stdout are not TTYs by default. This reverts to previous
behaviour fixing bsc#941569
Wed Aug 5 14:00:00 2015 idonmezAATTsuse.com
- Update to version 2.3.8
* Report missing endtags of inline files as warnings
* Fix commit e473b7c if an inline file happens to have a
line break exactly at buffer limit
* Produce a meaningful error message if --daemon gets in the way of
asking for passwords.
* Document --daemon changes and consequences (--askpass, --auth-nocache)
* Del ipv6 addr on close of linux tun interface
* Fix --askpass not allowing for password input via stdin
* Write pid file immediately after daemonizing
* Fix regression: query password before becoming daemon
* Fix using management interface to get passwords
* Fix overflow check in openvpn_decrypt()
Tue Jun 9 14:00:00 2015 idonmezAATTsuse.com
- Update to version 2.3.7
* down-root plugin: Replaced system() calls with execve()
* sockets: Remove the limitation of --tcp-nodelay to be server-only
* pkcs11: Load p11-kit-proxy.so module by default
* New approach to handle peer-id related changes to link-mtu
* Fix incorrect use of get_ipv6_addr() for iroute options
* Print helpful error message on --mktun/--rmtun if not available
* Explain effect of --topology subnet on --ifconfig
* Add note about file permissions and --crl-verify to manpage
* Repair --dev null breakage caused by db950be85d37
* Correct note about DNS randomization in openvpn.8
* Disallow usage of --server-poll-timeout in --secret key mode
* Slightly enhance documentation about --cipher
* On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo()
* Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo()
* Fix --redirect-private in --dev tap mode
* Updated manpage for --rport and --lport
* Properly escape dashes on the man-page
* Improve documentation in --script-security section of the man-page
* Really fix \'--cipher none\' regression
* Set tls-version-max to 1.1 if cryptoapicert is used
* Account for peer-id in frame size calculation
* Disable SSL compression
* Fix frame size calculation for non-CBC modes.
* Allow for CN/username of 64 characters (fixes off-by-one)
* Re-enable TLS version negotiation by default
* Remove size limit for files inlined in config
* Improve --tls-cipher and --show-tls man page description
* Re-read auth-user-pass file on (re)connect if required
* Clarify --capath option in manpage
* Call daemon() before initializing crypto library
Mon Mar 2 13:00:00 2015 mtAATTsuse.de
- Fixed to use correct sha digest data length and in fips mode,
use aes instead of the disallowed blowfish crypto (boo#914166).
- Fixed to provide actual plugin/doc dirs in openvpn(8) man page.
Mon Dec 1 13:00:00 2014 mtAATTsuse.de
- Update to version 2.3.6 fixing a denial-of-service vulnerability
where an authenticated client could stop the server by triggering
a server-side ASSERT (bnc#907764,CVE-2014-8104).
See ChangeLog file for a complete list of changes.
Thu Oct 30 13:00:00 2014 idonmezAATTsuse.com
- Update to version 2.3.5
* See included changelog
- Depend on systemd-devel for the daemon check functionality
Mon Aug 25 14:00:00 2014 idonmezAATTsuse.com
- Update to version 2.3.4
* Add support for client-cert-not-required for PolarSSL.
* Introduce safety check for http proxy options.
Mon May 26 14:00:00 2014 crrodriguezAATTopensuse.org
- Build with large file support in 32 bit systems.
Sun May 11 14:00:00 2014 cooloAATTsuse.com
- use %_rundir for %ghost directory - leaving /var/run everywhere
else
Tue Jan 14 13:00:00 2014 mtAATTsuse.de
- Updated README.SUSE, documented also the rcopenvpn compatibility
wrapper script (bnc#848070).
Thu Jan 9 13:00:00 2014 meissnerAATTsuse.com
- openvpn-fips140-2.3.2.patch: Allow usage of SHA1 instead of MD5 in
some internal checking routines. This allows operation in FIPS 140-2
mode.
Tue Dec 17 13:00:00 2013 mtAATTsuse.de
- Readded rcopenvpn helper script under systemd (bnc#848070)
Thu Oct 31 13:00:00 2013 mtAATTsuse.de
- Fixed invalid mode in exec bit removal call from doc files
Tue Aug 27 14:00:00 2013 lmuelleAATTsuse.com
- Add a section about how to control all or a named configuration with the
help of systemctl to the README.SUSE file.
Mon Jun 3 14:00:00 2013 mrdocsAATTopensuse.org
- Update to 2.3.2
+Fixes since 2.3.0
- Remove dead code path and putenv functionality
- Remove unused function xor
- Move static prototype definition from header into c file
- Remove unused function no_tap_ifconfig
- fix build with automake 1.13(.1)
- Fix corner case in NTLM authentication (trac #172)
- Update README.IPv6 to match what is in 2.3.0
- Repair \"tcp server queue overflow\" brokenness, more
fallout.
- Permit pool size of /64.../112 for ifconfig-ipv6-pool
- Add MIN() compatibility macro
- Fix directly connected routes for \"topology subnet\" on Solaris.
- close more file descriptors on exec
- Ignore UTF-8 byte order mark
- reintroduce --no-name-remapping option
- make --tls-remote compatible with pre 2.3 configs
- add new option for X.509 name verification
- add man page patch for missing options
- Fix parameter listing in non-debug builds at verb 4
- (updated) [PATCH] Warn when using verb levels >=7 without debug
- Enable TCP_NODELAY configuration on FreeBSD.
- Updated README
- Cleaned up and updated INSTALL
- PolarSSL-1.2 support
- Improve PolarSSL key_state_read_{cipher, plain}text messages
- Improve verify_callback messages
- Config compatibility patch. Added translate_cipher_name.
- Switch to IANA names for TLS ciphers.
- Fixed autoconf script to properly detect missing pkcs11 with polarssl.
- Use constant time memcmp when comparing HMACs in openvpn_decrypt.
Mon May 6 14:00:00 2013 mtAATTsuse.de
- Try to migrate openvpn.service autostart to openvpnAATT.service
instance enablement.
Tue Apr 23 14:00:00 2013 mtAATTsuse.de
- Fixed to enable systemd support in configure
- Fixed openvpn-tmpfile.conf to use GID root, there is no openvpn group.
- Added openvpn.target file allowing to handle all instances at once.
- Fixed to install the service template correctly as openvpnAATT.service.
Use \"systemctl enable openvpnAATTfoo.service\" to enable instance using
/etc/openvpn/foo.conf.
- Disabled systemd variant of restart on update rpm macro, adopted other
macros to use openvpn.target to e.g. stop all instances on uninstall.
Tue Mar 26 13:00:00 2013 ajAATTsuse.com
- Remove _unitdir definition, it is provided by systemd.
- Install service file without x permissions
Mon Mar 25 13:00:00 2013 p.drouandAATTgmail.com
Update to version 2.3.0:
* Full IPv6 support
* SSL layer modularised, enabling easier implementation for other SSL libraries
* PolarSSL support as a drop-in replacement for OpenSSL
* New plug-in API providing direct certificate access, improved logging API
and easier to extend in the future
* Added \'dev_type\' environment variable to scripts and plug-ins - which is
set to \'TUN\' or \'TAP\'
* New feature: --management-external-key - to provide access to the encryption
keys via the management interface
* New feature: --x509-track option, more fine grained access to X.509 fields
in scripts and plug-ins
* New feature: --client-nat support
* New feature: --mark which can mark encrypted packets from the tunnel, suitable
for more advanced routing and firewalling
* New feature: --management-query-proxy - manage proxy settings via the management
interface (supercedes --http-proxy-fallback)
* New feature: --stale-routes-check, which cleans up the internal routing table
* New feature: --x509-username-field, where other X.509v3 fields can be used for
the authentication instead of Common Name
* Improved client-kill management interface command
* Improved UTF-8 support - and added --compat-names to provide backwards compatibility
with older scripts/plug-ins
* Improved auth-pam with COMMONNAME support, passing the certificate\'s common
name in the PAM conversation
* More options can now be used inside blocks
* Completely new build system, enabling easier cross-compilation and Windows builds
* Much of the code has been better documented
* Many documentation updates
* Plenty of bug fixes and other code clean-ups
- Add systemd native support for OpenSUSE > 12.1
- Adapt patchs to upstream release:
* openvpn-2.1-plugin-man.dif > openvpn-2.3-plugin-man.dif
* openvpn-2.1.0-man-dot.diff > openvpn-2.3.0-man-dot.diff
- Remove obsolete patchs; fixed or merged on upstream release:
* 0001-Use-SSL_MODE_RELEASE_BUFFERS-if-available.patch
* openvpn-2.1-plugin-build.dif
* openvpn-2.1-systemd-passwd.patch
- Rebase specfile to upstream changes:
* easy-rsa is not provided anymore with main package
* remove %clean section
* autoreconf -fi is no needed
- Update openvpn.keyring file for upstream release asc key
Mon Jan 28 13:00:00 2013 mtAATTsuse.com
- Join openvpn.service systemd cgroup in start when needed, e.g.
when starting with further parameters. (bnc#781106)
Thu Nov 29 13:00:00 2012 sbrabecAATTsuse.cz
- Verify GPG signature.
Fri Sep 21 14:00:00 2012 cooloAATTsuse.com
- fix ciaran\'s previous license entry. the license has a SUSE prefix
Thu Sep 20 14:00:00 2012 mtAATTsuse.com
- Fixed openvpn init script to not map reopen to reload so the
reopen code is without any effect (bnc#781106).
- Added requested OPENVPN_AUTOSTART variable allowing to provide
an optional list of config names started by default (bnc#692440).
Wed Aug 22 14:00:00 2012 cfarrellAATTsuse.com
- license update: GPL-2.0-with-openssl-exception and LGPL-2.1
openssl has an openssl exception (also, it is GPL-2.0 only)
Thu Mar 29 14:00:00 2012 mtAATTsuse.com
- Fixed SLES build readding Group tags to sub-packages in spec,
not require libselinux-devel on SLE-10 and datadir/doc cleanup.
Wed Feb 15 13:00:00 2012 mtAATTsuse.com
- Updated to openvpn-2.2.2:
- Warn once, that IPv6 in tun mode is not supported in OpenVPN 2.2
- Pkcs11 support built into the Windows version
- Fixed a bug in the Windows TAP-driver
Thu Dec 8 13:00:00 2011 ajAATTsuse.de
- Fix source URLs.
Fri Dec 2 13:00:00 2011 cooloAATTsuse.com
- add automake as buildrequire to avoid implicit dependency
Mon Aug 29 14:00:00 2011 mtAATTsuse.com
- Marked /var/run/openvpn as ghost (bnc#710270), man page and
other rpmlint warning fixes
Tue Aug 23 14:00:00 2011 crrodriguezAATTopensuse.org
- BuildRequires libselinux-devel
- Use SSL_MODE_RELEASE_BUFFERS to keep memory usage low, sent
upstream as https://community.openvpn.net/openvpn/ticket/157
Mon Aug 22 14:00:00 2011 fcrozatAATTnovell.com
- Add openvpn-2.1-systemd-passwd.patch / modify openvpn.init to
support systemd password query (bnc#675406)
Mon Jul 11 14:00:00 2011 mtAATTsuse.de
- Updated to openvpn-2.2.1, a new version series providing several
new features. This version fixes build issues and provides
updated easy-rsa for OpenSSL 1.0.0 (fixes Trac ticket #125),
- Adopted spec file, enabled saving password in a file and to
specify an alternative username in x509 cert.
- Removed X-Interactive from init script again, as systemd isn\'t
able to use it correctly [any more?] (bnc#675406). We will
address it later and probably use /bin/systemd-ask-password.
Tue Mar 15 13:00:00 2011 crrodriguezAATTopensuse.org
- KVPNC is unable to parse openvpn version [bnc#679153]
Thu Feb 17 13:00:00 2011 mtAATTsuse.de
- Added X-Interactive: true LSB tag to the init script.
Tue Nov 16 13:00:00 2010 mtAATTsuse.de
- Updated to openvpn 2.1.4, providing several bug fixes and
improvements, such as:
* Fix of a problem with special case route targets
* Try to ensure, that the tun/tap interface gets closed on
non-graceful aborts.
* Several AUTH_FAILED reporting fixes causing the connection
to fail without any error indication.
* Enable exponential backoff in reliability layer retransmits.
* Proxy improvements
Please review the ChangeLog file for a complete and exact list.
Wed Sep 8 14:00:00 2010 cristian.rodriguezAATTopensuse.org
- Do not include build date in binaries
Tue Jun 15 14:00:00 2010 mtAATTsuse.de
- Improved netconfig based client up and down sample scripts.
Fri Jun 11 14:00:00 2010 anschneiderAATTexsuse.de
- Added netconfig based client up and down scripts to samples.
Thu Mar 11 13:00:00 2010 mtAATTsuse.de
- Updated to openvpn 2.1.1; linux related changes since 2.1_rc20:
* Fixed a couple issues in sample plugins auth-pam.c and
down-root.c.
(1) Fail gracefully rather than segfault if calloc returns NULL.
(2) The openvpn_plugin_abort_v1 function can potentially be
called with handle == NULL. Add code to detect this case,
and if so, avoid dereferencing pointers derived from handle
(Thanks to David Sommerseth for finding this bug).
* Documented \"multihome\" option in the man page.
* Added a hard failure when peer provides a certificate chain
with depth > 16. Previously, a warning was issued.
* Added additional session renegotiation hardening. OpenVPN has
always required that mid-session renegotiations build up a new
SSL/TLS session from scratch. While the client certificate
common name is already locked against changes in mid-session
TLS renegotiations, we now extend this locking to the
auth-user-pass username as well as all certificate content in
the full client certificate chain.
- Improved openvpn init script adding messages giving a hint about
pid write failure and to look into the log messages (bnc#559041).
- Added -fno-strict-aliasing to compile flags in the spec file.
Thu Dec 17 13:00:00 2009 mtAATTsuse.de
- Updated to openvpn 2.1 2.1_rc20, fixing problems in route and
option handling provided by the from server (bnc#552440).
For complete list of changes, see ChangeLog file, here just
the IMO most important:
* Fixed a bug introduced in 2.1_rc17 (svn r4436) where using
the redirect-gateway option by itself, without any extra
parameters, would cause the option to be ignored.
* Optimized PUSH_REQUEST handshake sequence to shave several
seconds off of a typical client connection initiation.
* The maximum number of \"route\" directives (specified in the
config file or pulled from a server) can now be configured
via the new \"max-routes\" directive.
* Eliminated the limitation on the number of options that can
be pushed to clients, including routes. Previously, all
pushed options needed to fit within a 1024 byte options
string.
* Added --server-poll-timeout option : when polling possible
remote servers to connect to in a round-robin fashion,
spend no more than n seconds waiting for a response before
trying the next server.
* Added the ability for the server to provide a custom reason
string when an AUTH_FAILED message is returned to the client.
This string can be set by the server-side managment interface
and read by the client-side management interface.
* client-kill management interface command, when issued on server,
will now send a RESTART message to client. This feature is
intended to make UDP clients respond the same as TCP clients
in the case where the server issues a RESTART message in order
to force the client to reconnect and pull a new options/route
list.
Fri Oct 2 14:00:00 2009 mtAATTsuse.de
- Added network-remotefs to init script dependencies (bnc#522279).
Wed Jun 10 14:00:00 2009 mtAATTsuse.de
- Updated to openvpn 2.1 [2.1_rc18] series (fate#305289).
- Enabled pkcs11-helper for openSUSE > 10.3 (bnc#487558).
- Adopted spec file and patches, improved init script.
- Disabled installation of easy-rsa for Windows.