Changelog for openvpn-down-root-plugin-2.5.9-1.2.x86_64.rpm:
* Thu Mar 02 2023 Mohd Saquib - update to 2.5.9:
* Optional ciphers in --data-ciphers: ciphers in --data-ciphers can now be prefixed with a ? to mark them as optional, so they are only used if the SSL library supports them.
* when compiling from a git checkout, put proper branch names into windows builds
* do not include auth-token in pulled-option digest (interferes with persist-tun when auth-token is in use, GH #200).
* fix corner case that might lead to leaked file descriptor
* fix parser bug (parse_line()) that can lead to buffer overflows on malformed command line or server ccd file handling. Not exploitable.
* pull-filter: ignore leading spaces in option names (work around server side bug with erroneous extra spaces)
* push: do not add leading spaces to "out of renegotiations" pushed auth-token
* fix NULL pointer crash on "openvpn --show-tls" with mbedtls
* Mon Feb 13 2023 Thorsten Kukuk - Remove migration from openvpn.service to openvpn@.service and depending requires; this is from pre-SLE12 times and not supported anymore.
* Mon Jan 09 2023 Reinhard Max - bsc#1123557: --suppress-timestamps isn't needed by default.
* Fri Nov 18 2022 Dirk Müller - update to 2.5.8:
* allow running a default configuration with TLS libraries without BF-CBC (even if TLS cipher negotiation would not actually use BF-CBC, the long-term compatibility "default cipher BF-CBC" would trigger an error on such TLS libraries)
* "--auth-nocache" was not always correctly clearing username+password after a renegotiation
* ensure that auth-token received from server is cleared if requested by the management interface ("forget password" or automatically via "--management-forget-disconnect")
* in a setup without username+password, but with auth-token and auth-token-username pushed by the server, OpenVPN would start asking for username+password on token expiry. Fix.
* using "--auth-token" together with "--management-client-auth" (on the server) would lead to TLS keys getting out of sync and client being disconnected. Fix.
* management interface would sometimes get stuck if client and server try to write something simultaneously. Fix by allowing a limited level of recursion in virtual_output_callback()
* fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
* tls-crypt-v2: abort connection if client-key is too short
* make man page agree with actual code on replay-window backtrack log message
* remove useless empty line from CR_RESPONSE message
* Mon Sep 12 2022 Dirk Müller - build with enable-iproute2 again to have root-less mode working (bsc#1202792)
* Sun Jun 05 2022 Dirk Müller - update to 2.5.7:
* Limited OpenSSL 3.0 support
* print OpenSSL error stack if decoding PKCS12 file fails
* fix omission of cipher-negotiation.rst in tarballs
* fix errno handling on Windows (Windows has different classes of error codes, GetLastError() and C runtime errno, these should now be handled correctly)
* fix PATH_MAX build failure in auth-pam.c
* fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
* fix overlong path names, leading to missing pkcs11-helper patch in tarball
* Wed Mar 23 2022 Reinhard Max - update to 2.5.6:
* bsc#1197341, CVE-2022-0547: possible authentication bypass in external authentication plug-in
* Fix "--mtu-disc maybe|yes" on Linux
* Fix $common_name variable passed to scripts when username-as-common-name is in effect.
* Fix potential memory leaks in add_route() and add_route_ipv6().
* Apply connect-retry backoff only to one side of the connection in p2p mode.
* repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes.
* new plugin (sample-plugin/defer/multi-auth.c) to help testing with multiple parallel plugins that succeed/fail in direct/deferred mode.
* Thu Feb 10 2022 Reinhard Max - Fix license tag in spec file.
* Wed Dec 15 2021 Dirk Müller - update to 2.5.5:
* SWEET32/64bit cipher deprecation change was postponed to 2.7
* improve "make check" to notice if "openvpn --show-cipher" crashes
* improve argv unit tests
* ensure unit tests work with mbedTLS builds without BF-CBC ciphers
* include "--push-remove" in the output of "openvpn --help"
* fix error in iptables syntax in example firewall.sh script
* fix "resolvconf -p" invocation in example "up" script
* fix "common_name" environment for script calls when "--username-as-common-name" is in effect (Trac #1434)
* move "push-peer-info" documentation from "server options" to "client"
* correct \"foreign_option_{n}\" typo in manpage
* README.down-root: fix plugin module name
* Wed Dec 08 2021 Reinhard Max - Drop 0001-preform-deferred-authentication-in-the-background.patch. Upstream has meanwhile solved this differently and the two implementations interfere (boo#1193017). Obsoleted SLE patches up to this point:
* openvpn-CVE-2020-15078.patch
* openvpn-CVE-2020-11810.patch
* openvpn-CVE-2018-7544.patch
* openvpn-CVE-2018-9336.patch
* Sat Dec 04 2021 Jan Engelhardt - Avoid bashisms and use POSIX sh syntax.
* Use more efficient find commands.
* Trim marketing filler words from description.
* Sat Oct 16 2021 Dirk Müller - update to 2.5.4:
* fix prompting for password on windows console if stderr redirection is in use - this breaks 2.5.x on Win11/ARM, and might also break on Win11/amd64 when released.
* fix setting MAC address on TAP adapters (--lladdr) to use sitnl (was overlooked, and still used "ifconfig" calls)
* various improvements for man page building (rst2man/rst2html etc)
* minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on at least one platform strictly checking this)
* fix minor memory leak under certain conditions in add_route() and add_route_ipv6()
* documentation improvements
* copyright updates where needed
* better error reporting when win32 console access fails
* Thu Aug 05 2021 Reinhard Max - Update to 2.5.3:
* Removal of BF-CBC support in default configuration. POSSIBLE INCOMPATIBILITY: see section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8).
* Connection setup is now much faster
* Support ChaCha20-Poly1305 cipher in the OpenVPN data channel
* Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
* Client-specific tls-crypt keys (--tls-crypt-v2)
* Improved Data channel cipher negotiation
* HMAC based auth-token support for seamless reconnects to standalone servers or a group of servers
* Asynchronous (deferred) authentication support for auth-pam plugin
* Asynchronous (deferred) support for client-connect scripts and plugins
* Support IPv4 configs with /31 netmasks
* 802.1q VLAN support on TAP servers
* Support IPv6-only tunnels
* New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
* Support Virtual Routing and Forwarding (VRF)
* Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip commands)
* Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
* bsc#1062157: The fix for bsc#934237 causes problems with the crypto self-test of newer openvpn versions. Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch.
* Mon May 31 2021 Dirk Müller - update to 2.4.11 (bsc#1185279):
* CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
* This bug allows, under very specific circumstances, tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup.
* In combination with "--auth-gen-token" or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account.
* Fix potential NULL ptr crash if compiled with DMALLOC
* drop sysv init support, it hasn't built successfully in ages and is build-disabled in devel project
* Sun Apr 25 2021 Christian Boltz - update 'rcopenvpn' to work without /etc/rc.status (boo#1185273)
* Wed Jan 06 2021 Dirk Müller - update to 2.4.10:
* OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better
* Parse static challenge response in auth-pam plugin
* Accept empty password and/or response in auth-pam plugin
* Log serial number of revoked certificate
* Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
* Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server")
* Fix stack overflow in OpenSolaris and *BSD NEXTADDR()
* Fix error detection / abort in --inetd corner case (#350)
* Fix TUNSETGROUP compatibility with very old Linux systems (#1152)
* Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332)
* Fix --show-gateway for IPv6 on NetBSD/i386 (#734)
* A number of documentation improvements / clarification fixes.
* Fix line number reporting on config file errors after segments
* Fix fatal error at switching remotes (#629)
* socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848)
* Switch "ks->authenticated" assertion failure to returning false (#1270)
* refresh 0001-preform-deferred-authentication-in-the-background.patch and openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10
* Fri Sep 11 2020 Dirk Mueller - update to 2.4.9 (CVE-2020-11810, bsc#1169925O):
* Allow unicode search string in --cryptoapicert option (Windows)
* Skip expired certificates in Windows certificate store (Windows) (trac #966)
* OpenSSL: Fix --crl-verify not loading multiple CRLs in one file (trac #623)
* fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float"). This can be used to disrupt service to a freshly connected client (no session keys negotiated yet). It can not be used to inject or steal VPN traffic. (CVE-2020-11810)
* fix combination of async push (deferred auth) and NCP (trac #1259)
* Fix OpenSSL 1.1.1 not using auto elliptic curve selection (trac #1228)
* Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
* mbedTLS: Make sure TLS session survives move (trac #880)
* Fix OpenSSL private key passphrase notices
* Fix building with --enable-async-push in FreeBSD (trac #1256)
* Fix broken fragmentation logic when using NCP (trac #1140)
* Wed Aug 26 2020 Franck Bui - Modernize openvpn.service
* /var/run has been obsoleted for a long time.
* on reload, send HUP signal directly rather than relying on killproc to look for the main process.
* Wed Aug 26 2020 Franck Bui - Explicitly require sysvinit-tools, as some of the tools shipped by this package are used in various places regardless of whether openvpn is built for systemd or non-systemd systems. For the context: sysvinit-tools was pulled in by systemd since 2014 but it's no longer the case, so better to be safe than sorry.
* Wed Mar 04 2020 Fabian Vogt - Fix inconsistency in openvpn.service:
* It uses the unescaped instance name as config file basename, so use that in the description as well
* Fri Jan 24 2020 Dominique Leuenberger - BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to shortcut through the -mini flavors.
* Use %systemd_ordering instead of systemd_requires: in fact, systemd is not a hard requirement for openvpn. But in case a system is being installed with systemd, we want systemd to be there before openvpn is being installed.
* Tue Jan 07 2020 Bjørn Lie - Update to version 2.4.8:
* mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free()
* cleanup: Remove RPM openvpn.spec build approach
* docs: Update INSTALL
* build: Package missing mock_msg.h
* Increase listen() backlog queue to 32
* Force combination of --socks-proxy and --proto UDP to use IPv4.
* Wrong FILETYPE in .rc files
* Do not set pkcs11-helper 'safe fork mode'
* tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex.
* Fix various compiler warnings
* Fix regression, reinstate LibreSSL support.
* man: correct the description of --capath and --crl-verify regarding CRLs
* Fix typo in NTLM proxy debug message
* Ignore --pull-filter for --mode server
* openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
* Better error message when script fails due to script-security setting
* Correct the return value of cryptoapi RSA signature callbacks
* Handle PSS padding in cryptoapicert
* cmocka: use relative paths
* Fix documentation of tls-verify script argument