Changelog for openvpn-down-root-plugin-2.4.3-lp152.6.3.1.x86_64.rpm:
* Sat May 01 2021 Reinhard Max
- bsc#1185279, CVE-2020-15078, openvpn-CVE-2020-15078.patch:
  Authentication bypass with deferred authentication.
- bsc#1169925, CVE-2020-11810, openvpn-CVE-2020-11810.patch:
  Race condition between allocating the peer-id and initializing the
  data channel key.
- bsc#1085803, CVE-2018-7544, openvpn-CVE-2018-7544.patch:
  A cross-protocol scripting issue was discovered in the management
  interface.
* Wed May 09 2018 max@suse.com
- CVE-2018-9336, bsc#1090839: Fix potential double-free() in Interactive
  Service (openvpn-CVE-2018-9336.patch).
* Thu Nov 23 2017 rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new %_fillupdir
  macro (boo#1069468)
* Tue Oct 10 2017 ndas@suse.de
- Do a bounds check in read_key before using the values
  (CVE-2017-12166 bsc#1060877).
  [+ 0002-Fix-bounds-check-in-read_key.patch]
* Fri Aug 11 2017 sebix+novell.com@sebix.at
- Do not package empty /usr/lib64/tmpfiles.d
* Fri Jun 23 2017 ndas@suse.de
- Update to 2.4.3 (bsc#1045489)
  * Ignore auth-nocache for auth-user-pass if auth-token is pushed
  * crypto: Enable SHA256 fingerprint checking in --verify-hash
  * copyright: Update GPLv2 license texts
  * auth-token with auth-nocache fix broke --disable-crypto builds
  * OpenSSL: don't use direct access to the internal of X509
  * OpenSSL: don't use direct access to the internal of EVP_PKEY
  * OpenSSL: don't use direct access to the internal of RSA
  * OpenSSL: don't use direct access to the internal of DSA
  * OpenSSL: force meth->name as non-const when we free() it
  * OpenSSL: don't use direct access to the internal of EVP_MD_CTX
  * OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
  * OpenSSL: don't use direct access to the internal of HMAC_CTX
  * Fix NCP behaviour on TLS reconnect.
  * Remove erroneous limitation on max number of args for --plugin
  * Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
  * Fix potential 1-byte overread in TCP option parsing.
  * Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
  * Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst)
  * refactor my_strupr
  * Fix 2 memory leaks in proxy authentication routine
  * Fix memory leak in add_option() for option 'connection'
  * Ensure option array p[] is always NULL-terminated
  * Fix a null-pointer dereference in establish_http_proxy_passthru()
  * Prevent two kinds of stack buffer OOB reads and a crash for invalid
    input data
  * Fix an unaligned access on OpenBSD/sparc64
  * Missing include for socket-flags TCP_NODELAY on OpenBSD
  * Make openvpn-plugin.h self-contained again.
  * Pass correct buffer size to GetModuleFileNameW()
  * Log the negotiated (NCP) cipher
  * Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
  * Skip tls-crypt unit tests if required crypto mode not supported
  * openssl: fix overflow check for long --tls-cipher option
  * Add a DSA test key/cert pair to sample-keys
  * Fix mbedtls fingerprint calculation
  * mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
  * mbedtls: require C-string compatible types for --x509-username-field
  * Fix remote-triggerable memory leaks (CVE-2017-7521)
  * Restrict --x509-alt-username extension types
  * Fix potential double-free in --x509-alt-username (CVE-2017-7521)
  * Fix gateway detection with OpenBSD routing domains
* Wed Jun 14 2017 ndas@suse.de
- use %{_tmpfilesdir} for tmpfiles.d/openvpn.conf (bsc#1044223)
* Tue Jun 06 2017 ndas@suse.de
- Update to 2.4.2
  * auth-token: Ensure tokens are always wiped on de-auth
  * Make --cipher/--auth none more explicit on the risks
  * Use SHA256 for the internal digest, instead of MD5
  * Deprecate --ns-cert-type
  * Deprecate --no-iv
  * Support --block-outside-dns on multiple tunnels
  * Limit --reneg-bytes to 64MB when using small block ciphers
  * Fix --tls-version-max in mbed TLS builds
  Detailed changelogs are available at
  https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
  [* 0001-preform-deferred-authentication-in-the-background.patch
   * openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
   * openvpn-fips140-2.3.2.patch]
- pkcs11-helper-devel >= 1.11 is needed for openvpn-2.4.2
- cleanup the spec file
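The 2.4.2 entry above deprecates --ns-cert-type and --no-iv, makes the risk of --cipher/--auth none explicit and caps --reneg-bytes at 64MB for small-block ciphers; the 2.3.13 entry further down discourages 64-bit block ciphers for the same reason. The following lint is an added example, not code from OpenVPN or from the openSUSE package: it flags exactly those settings in a client or server config file. The set of cipher names treated as 64-bit block ciphers, the byte value used for the 64MB cap and the two sample configs are this example's own assumptions.

```python
"""Flag weak or deprecated OpenVPN 2.3/2.4 config settings.

Added example for this changelog; not part of OpenVPN or the openSUSE package.
"""
import re
from dataclasses import dataclass

# OpenSSL names of ciphers with a 64-bit block ("small block ciphers").
# Assumption of this example: the set is the author's own choice.
SMALL_BLOCK_CIPHERS = {
    "BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC",
    "CAST5-CBC", "IDEA-CBC", "RC2-CBC", "RC2-40-CBC", "RC2-64-CBC",
}
# 2.3.13/2.4.2 limit --reneg-bytes to 64MB for such ciphers; the exact
# byte value used here is an assumption of this example.
RENEG_BYTES_CAP = 64 * 1024 * 1024


@dataclass(frozen=True)
class Finding:
    line: int      # 0 means "option missing entirely"
    option: str
    message: str


def parse_config(text):
    """Yield (line_no, option, args) for each directive.

    Skips blank lines, '#'/';' comments and the bodies of inline
    <tag>...</tag> blocks (certificates, keys, tls-auth material)."""
    inline = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline is not None:
            if line == "</%s>" % inline:
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([A-Za-z0-9_-]+)>", line)
        if m:
            inline = m.group(1)
            continue
        parts = line.split()
        # config files accept options with or without the leading "--"
        yield n, parts[0].lstrip("-"), parts[1:]


def lint(text):
    """Return Findings sorted by line; missing-option findings sort last."""
    findings = []
    cipher, reneg, reneg_line = None, None, None
    for n, opt, args in parse_config(text):
        if opt == "cipher" and args:
            cipher = args[0].upper()          # last occurrence wins
            if cipher == "NONE":
                findings.append(Finding(n, opt, "data channel is not encrypted"))
            elif cipher in SMALL_BLOCK_CIPHERS:
                findings.append(Finding(n, opt, "%s has a 64-bit block; use AES-256-GCM" % cipher))
        elif opt == "auth" and args and args[0].upper() == "NONE":
            findings.append(Finding(n, opt, "packets are not authenticated"))
        elif opt == "reneg-bytes" and args and args[0].isdigit():
            reneg, reneg_line = int(args[0]), n
        elif opt == "ns-cert-type":
            findings.append(Finding(n, opt, "deprecated in 2.4; use remote-cert-tls"))
        elif opt == "no-iv":
            findings.append(Finding(n, opt, "deprecated in 2.4; do not disable IVs"))
    # Policy of this lint: with a 64-bit block cipher, a missing cap, a
    # disabled cap (0) or one above the 64MB limit is all reported.
    if cipher in SMALL_BLOCK_CIPHERS and (reneg is None or reneg == 0 or reneg > RENEG_BYTES_CAP):
        findings.append(Finding(reneg_line or 0, "reneg-bytes",
                                "set reneg-bytes <= %d with a 64-bit block cipher" % RENEG_BYTES_CAP))
    return sorted(findings, key=lambda f: f.line or float("inf"))


# Constructed sample configs (not from any real deployment).
WEAK_CONF = """\
# constructed sample config, not from any real deployment
client
dev tun
remote vpn.example.test 1194
ns-cert-type server
cipher BF-CBC
auth SHA1
reneg-bytes 1000000000
<ca>
placeholder-pem-body
</ca>
"""

HARDENED_CONF = """\
client
dev tun
remote vpn.example.test 1194
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s: %d finding(s)" % (name, len(lint(conf))))
        for f in lint(conf):
            print("  line %d %s: %s" % (f.line, f.option, f.message))
```

Running the module prints three findings for the weak sample (ns-cert-type, the BF-CBC cipher and the oversized reneg-bytes) and none for the hardened one. Note that on 2.4 peers with NCP enabled the static `cipher` line may be superseded by a negotiated cipher, so the lint reports what the file says, not what the tunnel ends up using.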
* Fri Apr 21 2017 ndas@suse.de
- Perform deferred authentication in the background so that it does not
  delay main daemon processing when the underlying PAM mechanism
  (e.g. LDAP) takes longer to respond (bsc#959511).
  [+ 0001-preform-deferred-authentication-in-the-background.patch]
- Added fix for possible heap overflow on read accessing getaddrinfo
  result (bsc#959714).
  [+ openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch]
- Added a patch to fix multiple low severity issues (bsc#934237).
  [+ openvpn-2.3.x-fixed-multiple-low-severity-issues.patch]
* Sun Jan 22 2017 mrueckert@suse.de
- silence warning about %{_rundir}/openvpn
  * for the non-systemd case: just package %{_rundir}/openvpn in the package
  * for the systemd case: call systemd-tmpfiles and own the dir as %ghost
    in the file list
* Sun Jan 22 2017 mrueckert@suse.de
- refreshed patches to apply cleanly again:
  openvpn-2.3-plugin-man.dif
  openvpn-fips140-2.3.2.patch
* Sun Jan 22 2017 mrueckert@suse.de
- update to 2.3.14
  * update year in copyright message
  * Document the --auth-token option
  * Repair topology subnet on FreeBSD 11
  * Repair topology subnet on OpenBSD
  * Drop recursively routed packets
  * Support --block-outside-dns on multiple tunnels
  * When parsing '--setenv opt xx ..' make sure a third parameter is present
  * Map restart signals from event loop to SIGTERM during exit-notification wait
  * Correctly state the default dhcp server address in man page
  * Clean up format_hex_ex()
- enabled pkcs11 support
* Sat Dec 03 2016 michael@stroeder.com
- update to 2.3.13
- removed obsolete patch files openvpn-2.3.0-man-dot.diff and
  openvpn-fips140-AES-cipher-in-config-template.patch

  2016.11.02 -- Version 2.3.13

  Arne Schwabe (2):
    * Use AES ciphers in our sample configuration files and add a few
      modern 2.4 examples
    * Incorporate the Debian typo fixes where appropriate and make
      show_opt default message clearer

  David Sommerseth (4):
    * t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
    * t_client.sh: Add support for Kerberos/ksu
    * t_client.sh: Improve detection if the OpenVPN process did start during tests
    * t_client.sh: Add prepare/cleanup possibilities for each test case

  Gert Doering (5):
    * Do not abort t_client run if OpenVPN instance does not start.
    * Fix t_client runs on OpenSolaris
    * make t_client robust against sudoers misconfiguration
    * add POSTINIT_CMD_suf to t_client.sh and sample config
    * Fix --multihome for IPv6 on 64bit BSD systems.

  Ilya Shipitsin (1):
    * skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto

  Lev Stipakov (2):
    * Exclude peer-id from pulled options digest
    * Fix compilation in pedantic mode

  Samuli Seppänen (1):
    * Automatically cache expected IPs for t_client.sh on the first run

  Steffan Karger (6):
    * Fix unittests for out-of-source builds
    * Make gnu89 support explicit
    * cleanup: remove code duplication in msg_test()
    * Update cipher-related man page text
    * Limit --reneg-bytes to 64MB when using small block ciphers
    * Add a revoked cert to the sample keys

  2016.08.23 -- Version 2.3.12

  Arne Schwabe (2):
    * Complete push-peer-info documentation and allow IV_PLAT_VER for
      other platforms than Windows if the client UI supplies it.
    * Move ASSERT so external-key with OpenSSL works again

  David Sommerseth (3):
    * Only build and run cmocka unit tests if its submodule is initialized
    * Another fix related to unit test framework
    * Remove NOP function and callers

  Dorian Harmans (1):
    * Add CHACHA20-POLY1305 ciphersuite IANA name translations.

  Ivo Manca (1):
    * Plug memory leak in mbedTLS backend

  Jeffrey Cutter (1):
    * Update contrib/pull-resolv-conf/client.up for no DOMAIN

  Jens Neuhalfen (2):
    * Add unit testing support via cmocka
    * Add a test for auth-pam searchandreplace

  Josh Cepek (1):
    * Push an IPv6 CIDR mask used by the server, not the pool's size

  Leon Klingele (1):
    * Add link to bug tracker

  Samuli Seppänen (2):
    * Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
    * Clarify the fact that build instructions in README are for release tarballs

  Selva Nair (4):
    * Make error non-fatal while deleting address using netsh
    * Make block-outside-dns work with persist-tun
    * Ignore SIGUSR1/SIGHUP during exit notification
    * Promptly close the netcmd_semaphore handle after use

  Steffan Karger (4):
    * Fix polarssl / mbedtls builds
    * Don't limit max incoming message size based on c2->frame
    * Fix '--cipher none --cipher' crash
    * Discourage using 64-bit block ciphers
* Mon Nov 28 2016 matwey.kornilov@gmail.com
- Require iproute2 explicitly. openvpn uses /bin/ip from iproute2, so it
  should be installed
* Thu Sep 08 2016 astieger@suse.com
- Add an example for a FIPS 140-2 approved cipher configuration to the
  sample configuration files. Fixes bsc#988522, adding
  openvpn-fips140-AES-cipher-in-config-template.patch
- remove gpg-offline signature verification, now a source service
* Tue May 10 2016 idonmez@suse.com
- Update to version 2.3.11
  * Fixed port-share bug with DoS potential
  * Fix buffer overflow by user supplied data
  * Fix undefined signed shift overflow
  * Ensure input read using systemd-ask-password is null terminated
  * Support reading the challenge-response from console
  * hardening: add safe FD_SET() wrapper openvpn_fd_set()
  * Restrict default TLS cipher list
- Add BuildRequires on xz for SLE11
* Mon Jan 04 2016 idonmez@suse.com
- Update to version 2.3.10
  * Warn user if their certificate has expired
  * Fix regression in setups without a client certificate
* Wed Dec 16 2015 idonmez@suse.com
- Update to version 2.3.9
  * Show extra-certs in current parameters.
  * Do not set the buffer size by default but rely on the operating
    system default.
  * Remove --enable-password-save option
  * Detect config lines that are too long and give a warning/error
  * Log serial number of revoked certificate
  * Avoid partial authentication state when using --disabled in CCD configs
  * Replace unaligned 16bit access to TCP MSS value with bytewise access
  * Fix possible heap overflow on read accessing getaddrinfo() result.
  * Fix isatty() check for good. (obsoletes revert-daemonize.patch)
  * Client-side part for server restart notification
  * Fix privilege drop if first connection attempt fails
  * Support for username-only auth file.
  * Increase control channel packet size for faster handshakes
  * hardening: add insurance to exit on a failed ASSERT()
  * Fix memory leak in auth-pam plugin
  * Fix (potential) memory leak in init_route_list()
  * Fix uninitialized variable in plugin_vlog()
  * Add macro to ensure we exit on fatal errors
  * Fix memory leak in add_option() by simplifying get_ipv6_addr
  * openssl: properly check return value of RAND_bytes()
  * Fix rand_bytes return value checking
  * Fix "White space before end tags can break the config parser"
* Thu Dec 03 2015 mt@suse.com
- Adjust /var/run to _rundir macro value in openvpn@.service too.
* Thu Aug 20 2015 mt@suse.com
- Removed obsolete --with-lzo-headers option, readded LFS_CFLAGS.
- Moved openvpn-plugin.h into a devel package, removed .gitignore
* Thu Aug 13 2015 idonmez@suse.com
- Add revert-daemonize.patch: under systemd, stdin and stdout are not
  TTYs by default. This reverts to the previous behaviour, fixing
  bsc#941569
* Wed Aug 05 2015 idonmez@suse.com
- Update to version 2.3.8
  * Report missing endtags of inline files as warnings
  * Fix commit e473b7c if an inline file happens to have a line break
    exactly at buffer limit
  * Produce a meaningful error message if --daemon gets in the way of
    asking for passwords.
  * Document --daemon changes and consequences (--askpass, --auth-nocache)
  * Del ipv6 addr on close of linux tun interface
  * Fix --askpass not allowing for password input via stdin
  * Write pid file immediately after daemonizing
  * Fix regression: query password before becoming daemon
  * Fix using management interface to get passwords
  * Fix overflow check in openvpn_decrypt()
* Tue Jun 09 2015 idonmez@suse.com
- Update to version 2.3.7
  * down-root plugin: Replaced system() calls with execve()
  * sockets: Remove the limitation of --tcp-nodelay to be server-only
  * pkcs11: Load p11-kit-proxy.so module by default
  * New approach to handle peer-id related changes to link-mtu
  * Fix incorrect use of get_ipv6_addr() for iroute options
  * Print helpful error message on --mktun/--rmtun if not available
  * Explain effect of --topology subnet on --ifconfig
  * Add note about file permissions and --crl-verify to manpage
  * Repair --dev null breakage caused by db950be85d37
  * Correct note about DNS randomization in openvpn.8
  * Disallow usage of --server-poll-timeout in --secret key mode
  * Slightly enhance documentation about --cipher
  * On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo()
  * Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo()
  * Fix --redirect-private in --dev tap mode
  * Updated manpage for --rport and --lport
  * Properly escape dashes on the man-page
  * Improve documentation in --script-security section of the man-page
  * Really fix '--cipher none' regression
  * Set tls-version-max to 1.1 if cryptoapicert is used
  * Account for peer-id in frame size calculation
  * Disable SSL compression
  * Fix frame size calculation for non-CBC modes.
  * Allow for CN/username of 64 characters (fixes off-by-one)
  * Re-enable TLS version negotiation by default
  * Remove size limit for files inlined in config
  * Improve --tls-cipher and --show-tls man page description
  * Re-read auth-user-pass file on (re)connect if required
  * Clarify --capath option in manpage
  * Call daemon() before initializing crypto library
* Mon Mar 02 2015 mt@suse.de
- Fixed to use the correct SHA digest data length and, in FIPS mode, to
  use AES instead of the disallowed Blowfish cipher (boo#914166).
- Fixed to provide the actual plugin/doc dirs in the openvpn(8) man page.
* Mon Dec 01 2014 mt@suse.de
- Update to version 2.3.6, fixing a denial-of-service vulnerability where
  an authenticated client could stop the server by triggering a
  server-side ASSERT (bnc#907764, CVE-2014-8104).
  See ChangeLog file for a complete list of changes.
* Thu Oct 30 2014 idonmez@suse.com
- Update to version 2.3.5
  * See included changelog
- Depend on systemd-devel for the daemon check functionality