SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for openvpn-down-root-plugin-2.3.8-14.1.x86_64.rpm :
Tue Oct 10 14:00:00 2017 ndasAATTsuse.de
- Do bound check in read_key before using values(CVE-2017-12166 bsc#1060877).
[+ 0012-Fix-bounds-check-in-read_key.patch]

Tue Jun 20 14:00:00 2017 psimonsAATTsuse.com
- 0001-Fix-remote-triggerable-memory-leaks-CVE-2017-7521.patch:
Several OpenSSL-specific certificate-parsing code paths did not
always clear all allocated memory. Since a client can cause a few
bytes of memory to be leaked for each connection attempt, a
client can cause a server to run out of memory and thereby kill
the server. That makes this a (quite inefficient) DoS attack.
[bsc#1044947, CVE-2017-7521]
- 0002-Restrict-x509-alt-username-extension-types.patch: The code
never supported all --x509-alt-username extension types. Make
this explicit by only allowing subjectAltName and issuerAltName
(for which the current code does work). Using unsupported
extension fields would most likely cause OpenVPN to crash as soon
as a client connects. This does not have a real-world security
impact, as such a configuration would not be possible to use in
practice. [bsc#1044947]
- 0003-Fix-potential-double-free-in-x509-alt-username-CVE-2.patch:
We didn\'t check the return value of ASN1_STRING_to_UTF8() in
extract_x509_extension(). Ignoring such a failure could result in
buf being free\'d twice. An error in ASN1_STRING_to_UTF8() can be
caused remotely if the peer can make the local process run out of
memory. [bsc#1044947, CVE-2017-7521]
- 0004-Prevent-two-kinds-of-stack-buffer-OOB-reads-and-a-cr.patch:
If clients use a HTTP proxy with NTLM authentication, a
man-in-the-middle attacker between the client and the proxy can
cause the client to crash or disclose at most 96 bytes of stack
memory. The disclosed stack memory is likely to contain the proxy
password. If the proxy password is not reused, this is unlikely
to compromise the security of the OpenVPN tunnel itself. Clients
who do not use the --http-proxy option with ntlm2 authentication
are not affected. [bsc#1044947, CVE-2017-7520]
- 0005-Fix-remotely-triggerable-ASSERT-on-malformed-IPv6-pa.patch:
Correct sanity checks on IPv6 packet length in mss_fixup_ipv6(),
and change the ASSERT() check in mss_fixup_dowork() into a simple
\"return\" (= the TCP header will simply not be inspected further).
This can be used to remotely shutdown an openvpn server or
client, if IPv6 and --mssfix are enabled and the IPv6 networks
used inside the VPN are known. [bsc#1044947, CVE-2017-7508]

Fri May 19 14:00:00 2017 ndasAATTsuse.de
- Show which ciphers should no longer be used in openvpn --show-ciphers
bsc#995374(CVE-2016-6329)
[+0006-Discourage-using-64-bit-block-ciphers.patch]
- Apply fixes for bsc#1038713, bsc#1038709, CVE-2017-7478, bsc#1038711, CVE-2017-7479
[+ 0003-cleanup-merge-packet_id_alloc_outgoing-into-packet_i.patch,
+ 0004-Drop-packets-instead-of-assert-out-if-packet-id-roll.patch,
+ 0005-Don-t-assert-out-on-receiving-too-large-control-pack.patch]

Fri Apr 21 14:00:00 2017 ndasAATTsuse.de
- Use FIPS approved cipher for our sample configuration file(bsc#988522).
[+0002-openvpn-fips140-AES-cipher-in-config-template.patch]

Thu Apr 20 14:00:00 2017 ndasAATTsuse.de
- Preform deferred authentication in the background to not
cause main daemon processing delays when the underlying pam mechanism (e.g.
ldap) needs longer to response (bsc#959511).
[+ 0001-preform-deferred-authentication-in-the-background.patch]

Wed Feb 10 13:00:00 2016 ndasAATTsuse.de
- Added fix for possible heap overflow on read accessing getaddrinfo
result (bsc#959714).
[+openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch]
- Added a patch to fix multiple low severity issues (bsc#934237).
[+openvpn-2.3.x-fixed-multiple-low-severity-issues.patch]

Thu Aug 20 14:00:00 2015 mtAATTsuse.com
- Update to most recent openvpn package in version 2.3.8 (fate#319011)
which obsoletes our security fix backports and provides many fixes.
[- 0007-Drop-too-short-control-channel-packets.CVE-2014-8104.patch,
- openvpn-use-newertls.patch, + revert-daemonize.patch]
- Moved openvpn-plugin.h into a devel package, removed .gitignore

Thu Aug 13 14:00:00 2015 idonmezAATTsuse.com
- Add revert-daemonize.patch, looks like under systemd the stdin
and stdout are not TTYs by default. This reverts to previous
behaviour fixing bsc#941569

Wed Aug 5 14:00:00 2015 idonmezAATTsuse.com
- Update to version 2.3.8

* Report missing endtags of inline files as warnings

* Fix commit e473b7c if an inline file happens to have a
line break exactly at buffer limit

* Produce a meaningful error message if --daemon gets in the way of
asking for passwords.

* Document --daemon changes and consequences (--askpass, --auth-nocache)

* Del ipv6 addr on close of linux tun interface

* Fix --askpass not allowing for password input via stdin

* Write pid file immediately after daemonizing

* Fix regression: query password before becoming daemon

* Fix using management interface to get passwords

* Fix overflow check in openvpn_decrypt()
- Update to version 2.3.7

* down-root plugin: Replaced system() calls with execve()

* sockets: Remove the limitation of --tcp-nodelay to be server-only

* pkcs11: Load p11-kit-proxy.so module by default

* New approach to handle peer-id related changes to link-mtu

* Fix incorrect use of get_ipv6_addr() for iroute options

* Print helpful error message on --mktun/--rmtun if not available

* Explain effect of --topology subnet on --ifconfig

* Add note about file permissions and --crl-verify to manpage

* Repair --dev null breakage caused by db950be85d37

* Correct note about DNS randomization in openvpn.8

* Disallow usage of --server-poll-timeout in --secret key mode

* Slightly enhance documentation about --cipher

* On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo()

* Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo()

* Fix --redirect-private in --dev tap mode

* Updated manpage for --rport and --lport

* Properly escape dashes on the man-page

* Improve documentation in --script-security section of the man-page

* Really fix \'--cipher none\' regression

* Set tls-version-max to 1.1 if cryptoapicert is used

* Account for peer-id in frame size calculation

* Disable SSL compression

* Fix frame size calculation for non-CBC modes.

* Allow for CN/username of 64 characters (fixes off-by-one)

* Re-enable TLS version negotiation by default

* Remove size limit for files inlined in config

* Improve --tls-cipher and --show-tls man page description

* Re-read auth-user-pass file on (re)connect if required

* Clarify --capath option in manpage

* Call daemon() before initializing crypto library

Thu Jul 2 14:00:00 2015 mtAATTsuse.de
- Fixed to use correct sha digest data length and in fips mode,
use aes instead of the disallowed blowfish crypto (boo#914166).
- Fixed to mention actual plugin/doc dirs in openvpn(8) man page.
- Fixed to build with large file support on 32 bit systems.
- Fixed to use _rundir instead _localstatedir/run when defined
- Depend on systemd-devel for the daemon check functionality,
removed obsolete --with-lzo-headers configure option.
- Applied backport patch to permit TLS 1.1/1.2 version negotiation
instead to stick at TLS 1.0 (bsc#928802)

Mon Dec 1 13:00:00 2014 mtAATTsuse.de
- Applied upstream patch fixing a denial-of-service vulnerability
where an authenticated client could stop the server by triggering
a server-side ASSERT (bnc#907764,CVE-2014-8104),
[+ 0007-Drop-too-short-control-channel-packets.CVE-2014-8104.patch]

Tue Jan 14 13:00:00 2014 mtAATTsuse.de
- Updated README.SUSE, documented also the rcopenvpn compatibility
wrapper script (bnc#848070).

Thu Jan 9 13:00:00 2014 meissnerAATTsuse.com
- openvpn-fips140-2.3.2.patch: Allow usage of SHA1 instead of MD5 in
some internal checking routines. This allows operation in FIPS 140-2
mode.

Tue Dec 17 13:00:00 2013 mtAATTsuse.de
- Readded rcopenvpn helper script under systemd (bnc#848070)

Thu Oct 31 13:00:00 2013 mtAATTsuse.de
- Fixed invalid mode in exec bit removal call from doc files

Tue Aug 27 14:00:00 2013 lmuelleAATTsuse.com
- Add a section about how to control all or a named configuration with the
help of systemctl to the README.SUSE file.

Tue Jun 4 14:00:00 2013 mrdocsAATTopensuse.org
- Update to 2.3.2
+Fixes since 2.3.0
- Remove dead code path and putenv functionality
- Remove unused function xor
- Move static prototype definition from header into c file
- Remove unused function no_tap_ifconfig
- fix build with automake 1.13(.1)
- Fix corner case in NTLM authentication (trac #172)
- Update README.IPv6 to match what is in 2.3.0
- Repair \"tcp server queue overflow\" brokenness, more fallout.
- Permit pool size of /64.../112 for ifconfig-ipv6-pool
- Add MIN() compatibility macro
- Fix directly connected routes for \"topology subnet\" on Solaris.
- close more file descriptors on exec
- Ignore UTF-8 byte order mark
- reintroduce --no-name-remapping option
- make --tls-remote compatible with pre 2.3 configs
- add new option for X.509 name verification
- add man page patch for missing options
- Fix parameter listing in non-debug builds at verb 4
- (updated) [PATCH] Warn when using verb levels >=7 without debug
- Enable TCP_NODELAY configuration on FreeBSD.
- Updated README
- Cleaned up and updated INSTALL
- PolarSSL-1.2 support
- Improve PolarSSL key_state_read_{cipher, plain}text messages
- Improve verify_callback messages
- Config compatibility patch. Added translate_cipher_name.
- Switch to IANA names for TLS ciphers.
- Fixed autoconf script to properly detect missing pkcs11 with polarssl.
- Use constant time memcmp when comparing HMACs in openvpn_decrypt.

Mon May 6 14:00:00 2013 mtAATTsuse.de
- Try to migrate openvpn.service autostart to openvpnAATT.service
instance enablement.

Tue Apr 23 14:00:00 2013 mtAATTsuse.de
- Fixed to enable systemd support in configure
- Fixed openvpn-tmpfile.conf to use GID root, there is no openvpn group.
- Added openvpn.target file allowing to handle all instances at once.
- Fixed to install the service template correctly as openvpnAATT.service.
Use \"systemctl enable openvpnAATTfoo.service\" to enable instance using
/etc/openvpn/foo.conf.
- Disabled systemd variant of restart on update rpm macro, adopted other
macros to use openvpn.target to e.g. stop all instances on uninstall.

Tue Mar 26 13:00:00 2013 ajAATTsuse.com
- Remove _unitdir definition, it is provided by systemd.
- Install service file without x permissions

Mon Mar 25 13:00:00 2013 p.drouandAATTgmail.com
Update to version 2.3.0:

* Full IPv6 support

* SSL layer modularised, enabling easier implementation for other SSL libraries

* PolarSSL support as a drop-in replacement for OpenSSL

* New plug-in API providing direct certificate access, improved logging API
and easier to extend in the future

* Added \'dev_type\' environment variable to scripts and plug-ins - which is
set to \'TUN\' or \'TAP\'

* New feature: --management-external-key - to provide access to the encryption
keys via the management interface

* New feature: --x509-track option, more fine grained access to X.509 fields
in scripts and plug-ins

* New feature: --client-nat support

* New feature: --mark which can mark encrypted packets from the tunnel, suitable
for more advanced routing and firewalling

* New feature: --management-query-proxy - manage proxy settings via the management
interface (supercedes --http-proxy-fallback)

* New feature: --stale-routes-check, which cleans up the internal routing table

* New feature: --x509-username-field, where other X.509v3 fields can be used for
the authentication instead of Common Name

* Improved client-kill management interface command

* Improved UTF-8 support - and added --compat-names to provide backwards compatibility
with older scripts/plug-ins

* Improved auth-pam with COMMONNAME support, passing the certificate\'s common
name in the PAM conversation

* More options can now be used inside blocks

* Completely new build system, enabling easier cross-compilation and Windows builds

* Much of the code has been better documented

* Many documentation updates

* Plenty of bug fixes and other code clean-ups
- Add systemd native support for OpenSUSE > 12.1
- Adapt patchs to upstream release:

* openvpn-2.1-plugin-man.dif > openvpn-2.3-plugin-man.dif

* openvpn-2.1.0-man-dot.diff > openvpn-2.3.0-man-dot.diff
- Remove obsolete patchs; fixed or merged on upstream release:

* 0001-Use-SSL_MODE_RELEASE_BUFFERS-if-available.patch

* openvpn-2.1-plugin-build.dif

* openvpn-2.1-systemd-passwd.patch
- Rebase specfile to upstream changes:

* easy-rsa is not provided anymore with main package

* remove %clean section

* autoreconf -fi is no needed
- Update openvpn.keyring file for upstream release asc key

Mon Jan 28 13:00:00 2013 mtAATTsuse.com
- Join openvpn.service systemd cgroup in start when needed, e.g.
when starting with further parameters. (bnc#781106)

Thu Nov 29 13:00:00 2012 sbrabecAATTsuse.cz
- Verify GPG signature.

Fri Sep 21 14:00:00 2012 cooloAATTsuse.com
- fix ciaran\'s previous license entry. the license has a SUSE prefix

Thu Sep 20 14:00:00 2012 mtAATTsuse.com
- Fixed openvpn init script to not map reopen to reload so the
reopen code is without any effect (bnc#781106).
- Added requested OPENVPN_AUTOSTART variable allowing to provide
an optional list of config names started by default (bnc#692440).

Wed Aug 22 14:00:00 2012 cfarrellAATTsuse.com
- license update: GPL-2.0-with-openssl-exception and LGPL-2.1
openssl has an openssl exception (also, it is GPL-2.0 only)

Thu Mar 29 14:00:00 2012 mtAATTsuse.com
- Fixed SLES build readding Group tags to sub-packages in spec,
not require libselinux-devel on SLE-10 and datadir/doc cleanup.

Wed Feb 15 13:00:00 2012 mtAATTsuse.com
- Updated to openvpn-2.2.2:
- Warn once, that IPv6 in tun mode is not supported in OpenVPN 2.2
- Pkcs11 support built into the Windows version
- Fixed a bug in the Windows TAP-driver

Thu Dec 8 13:00:00 2011 ajAATTsuse.de
- Fix source URLs.

Fri Dec 2 13:00:00 2011 cooloAATTsuse.com
- add automake as buildrequire to avoid implicit dependency

Mon Aug 29 14:00:00 2011 mtAATTsuse.com
- Marked /var/run/openvpn as ghost (bnc#710270), man page and
other rpmlint warning fixes

Tue Aug 23 14:00:00 2011 crrodriguezAATTopensuse.org
- BuildRequires libselinux-devel
- Use SSL_MODE_RELEASE_BUFFERS to keep memory usage low, sent
upstream as https://community.openvpn.net/openvpn/ticket/157

Mon Aug 22 14:00:00 2011 fcrozatAATTnovell.com
- Add openvpn-2.1-systemd-passwd.patch / modify openvpn.init to
support systemd password query (bnc#675406)

Mon Jul 11 14:00:00 2011 mtAATTsuse.de
- Updated to openvpn-2.2.1, a new version series providing several
new features. This version fixes build issues and provides
updated easy-rsa for OpenSSL 1.0.0 (fixes Trac ticket #125),
- Adopted spec file, enabled saving password in a file and to
specify an alternative username in x509 cert.
- Removed X-Interactive from init script again, as systemd isn\'t
able to use it correctly [any more?] (bnc#675406). We will
address it later and probably use /bin/systemd-ask-password.

Tue Mar 15 13:00:00 2011 crrodriguezAATTopensuse.org
- KVPNC is unable to parse openvpn version [bnc#679153]

Thu Feb 17 13:00:00 2011 mtAATTsuse.de
- Added X-Interactive: true LSB tag to the init script.

Tue Nov 16 13:00:00 2010 mtAATTsuse.de
- Updated to openvpn 2.1.4, providing several bug fixes and
improvements, such as:

* Fix of a problem with special case route targets

* Try to ensure, that the tun/tap interface gets closed on
non-graceful aborts.

* Several AUTH_FAILED reporting fixes causing the connection
to fail without any error indication.

* Enable exponential backoff in reliability layer retransmits.

* Proxy improvements
Please review the ChangeLog file for a complete and exact list.

Wed Sep 8 14:00:00 2010 cristian.rodriguezAATTopensuse.org
- Do not include build date in binaries

Tue Jun 15 14:00:00 2010 mtAATTsuse.de
- Improved netconfig based client up and down sample scripts.

Fri Jun 11 14:00:00 2010 anschneiderAATTexsuse.de
- Added netconfig based client up and down scripts to samples.

Thu Mar 11 13:00:00 2010 mtAATTsuse.de
- Updated to openvpn 2.1.1; linux related changes since 2.1_rc20:

* Fixed a couple issues in sample plugins auth-pam.c and
down-root.c.
(1) Fail gracefully rather than segfault if calloc returns NULL.
(2) The openvpn_plugin_abort_v1 function can potentially be
called with handle == NULL. Add code to detect this case,
and if so, avoid dereferencing pointers derived from handle
(Thanks to David Sommerseth for finding this bug).

* Documented \"multihome\" option in the man page.

* Added a hard failure when peer provides a certificate chain
with depth > 16. Previously, a warning was issued.

* Added additional session renegotiation hardening. OpenVPN has
always required that mid-session renegotiations build up a new
SSL/TLS session from scratch. While the client certificate
common name is already locked against changes in mid-session
TLS renegotiations, we now extend this locking to the
auth-user-pass username as well as all certificate content in
the full client certificate chain.
- Improved openvpn init script adding messages giving a hint about
pid write failure and to look into the log messages (bnc#559041).
- Added -fno-strict-aliasing to compile flags in the spec file.

Fri Dec 18 13:00:00 2009 mtAATTsuse.de
- Updated to openvpn 2.1 2.1_rc20, fixing problems in route and
option handling provided by the from server (bnc#552440).
For complete list of changes, see ChangeLog file, here just
the IMO most important:

* Fixed a bug introduced in 2.1_rc17 (svn r4436) where using
the redirect-gateway option by itself, without any extra
parameters, would cause the option to be ignored.

* Optimized PUSH_REQUEST handshake sequence to shave several
seconds off of a typical client connection initiation.

* The maximum number of \"route\" directives (specified in the
config file or pulled from a server) can now be configured
via the new \"max-routes\" directive.

* Eliminated the limitation on the number of options that can
be pushed to clients, including routes. Previously, all
pushed options needed to fit within a 1024 byte options
string.

* Added --server-poll-timeout option : when polling possible
remote servers to connect to in a round-robin fashion,
spend no more than n seconds waiting for a response before
trying the next server.

* Added the ability for the server to provide a custom reason
string when an AUTH_FAILED message is returned to the client.
This string can be set by the server-side managment interface
and read by the client-side management interface.

* client-kill management interface command, when issued on server,
will now send a RESTART message to client. This feature is
intended to make UDP clients respond the same as TCP clients
in the case where the server issues a RESTART message in order
to force the client to reconnect and pull a new options/route
list.

Fri Oct 2 14:00:00 2009 mtAATTsuse.de
- Added network-remotefs to init script dependencies (bnc#522279).

Wed Jun 10 14:00:00 2009 mtAATTsuse.de
- Updated to openvpn 2.1 [2.1_rc18] series (fate#305289).
- Enabled pkcs11-helper for openSUSE > 10.3 (bnc#487558).
- Adopted spec file and patches, improved init script.
- Disabled installation of easy-rsa for Windows.


  
ICM