SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for openvpn-2.5.5-204.1.x86_64.rpm :

* Wed Dec 15 2021 Dirk Müller - update to 2.5.5:
* SWEET32/64bit cipher deprecation change was postponed to 2.7
* improve \"make check\" to notice if \"openvpn --show-cipher\" crashes
* improve argv unit tests
* ensure unit tests work with mbedTLS builds without BF-CBC ciphers
* include \"--push-remove\" in the output of \"openvpn --help\"
* fix error in iptables syntax in example firewall.sh script
* fix \"resolvconf -p\" invocation in example \"up\" script
* fix \"common_name\" environment for script calls when \"--username-as-common-name\" is in effect (Trac #1434)
* move \"push-peer-info\" documentation from \"server options\" to \"client\"
* correct \"foreign_option_{n}\" typo in manpage
* README.down-root: fix plugin module name
* Wed Dec 08 2021 Reinhard Max - Drop 0001-preform-deferred-authentication-in-the-background.patch Upstream has meanwhile solved this differently and the two implementations interfere (boo#1193017).- Obsoleted SLE patches up to this point:
* openvpn-CVE-2020-15078.patch
* openvpn-CVE-2020-11810.patch
* openvpn-CVE-2018-7544.patch
* openvpn-CVE-2018-9336.patch
* Sat Dec 04 2021 Jan Engelhardt - Avoid bashisms and use POSIX sh syntax.- Use more efficient find commands.- Trim marketing filler words from description.
* Sat Oct 16 2021 Dirk Müller - update to 2.5.4:
* fix prompting for password on windows console if stderr redirection is in use - this breaks 2.5.x on Win11/ARM, and might also break on Win11/adm64 when released.
* fix setting MAC address on TAP adapters (--lladdr) to use sitnl (was overlooked, and still used \"ifconfig\" calls)
* various improvements for man page building (rst2man/rst2html etc)
* minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on at least one platform strictly checking this)
* fix minor memory leak under certain conditions in add_route() and add_route_ipv6()
* documentation improvements
* copyright updates where needed
* better error reporting when win32 console access fails
* Thu Aug 05 2021 Reinhard Max - Update to 2.5.3:
* Removal of BF-CBC support in default configuration
*
*
* POSSIBLE INCOMPATIBILITY
*
*
* See section \"DATA CHANNEL CIPHER NEGOTIATION\" in openvpn(8).
* Connections setup is now much faster
* Support ChaCha20-Poly1305 cipher in the OpenVPN data channel
* Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
* Client-specific tls-crypt keys (--tls-crypt-v2)
* Improved Data channel cipher negotiation
* HMAC based auth-token support for seamless reconnects to standalone servers or a group of servers
* Asynchronous (deferred) authentication support for auth-pam plugin
* Asynchronous (deferred) support for client-connect scripts and plugins
* Support IPv4 configs with /31 netmasks
* 802.1q VLAN support on TAP servers
* Support IPv6-only tunnels
* New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
* Support Virtual Routing and Forwarding (VRF)
* Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip commands)
* Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch- bsc#1062157: The fix for bsc#934237 causes problems with the crypto self-test of newer openvpn versions. Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch .
* Mon May 31 2021 Dirk Müller - update to 2.4.11 (bsc#1185279):
* CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
* This bug allows - under very specific circumstances - to trick a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup.
* In combination with \"--auth-gen-token\" or an user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account.
* Fix potential NULL ptr crash if compiled with DMALLOC- drop sysv init support, it hasn\'t build successfully in ages and is build-disabled in devel project
* Sun Apr 25 2021 Christian Boltz - update \'rcopenvpn\' to work without /etc/rc.status (boo#1185273)
* Wed Jan 06 2021 Dirk Müller - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination \"auth-nocache in client-config\" + \"auth-token in use on the server\") - Fix stack overflow in OpenSolaris and
*BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of \'route remote_host\' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch \"ks->authenticated\" assertion failure to returning false (#1270)- refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10
* Fri Sep 11 2020 Dirk Mueller - update to 2.4.9 (CVE-2020-11810, bsc#1169925O):
* Allow unicode search string in --cryptoapicert option (Windows)
* Skip expired certificates in Windows certificate store (Windows) (trac #966)
* OpenSSL: Fix --crl-verify not loading multiple CRLs in one file (trac #623)
* fix condition where a client\'s session could \"float\" to a new IP address that is not authorized (\"fix illegal client float\"). This can be used to disrupt service to a freshly connected client (no session keys negotiated yet). It can not be used to inject or steal VPN traffic. CVE-2020-11810).
* fix combination of async push (deferred auth) and NCP (trac #1259)
* Fix OpenSSL 1.1.1 not using auto elliptic curve selection (trac #1228)
* Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
* mbedTLS: Make sure TLS session survives move (trac #880)
* Fix OpenSSL private key passphrase notices
* Fix building with --enable-async-push in FreeBSD (trac #1256)
* Fix broken fragmentation logic when using NCP (trac #1140)
* Wed Aug 26 2020 Franck Bui - Modernize openvpn.service
* /var/run has been obsoleted since a long time.
* on reload, send HUP signal directly rather than relying on killproc to look for the main process.
* Wed Aug 26 2020 Franck Bui - Explicitly requires sysvinit-tools as some of the tools shipped by this package are used in various places regardless of whether openvpn is built for systemd or non systemd systems. For the context: sysvinit-tools was pulled in by systemd since 2014 but it\'s no longer the case so better to be safe than sorry.
* Wed Mar 04 2020 Fabian Vogt - Fix inconsistency in openvpn.service:
* It uses the unescape instance name as config file basename, so use that in the description as well
* Fri Jan 24 2020 Dominique Leuenberger - BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to shortcut through the -mini flavors.- Use %systemd_ordering instead of systemd_requires: in fact, systemd is not a hard requirement for openvpn. But in case a system is being installed with systemd, we want systemd to be there before openvpn is being installed.
* Tue Jan 07 2020 Bjørn Lie - Update to version 2.4.8:
* mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free()
* cleanup: Remove RPM openvpn.spec build approach
* docs: Update INSTALL
* build: Package missing mock_msg.h
* Increase listen() backlog queue to 32
* Force combinationation of --socks-proxy and --proto UDP to use IPv4.
* Wrong FILETYPE in .rc files
* Do not set pkcs11-helper \'safe fork mode\'
* tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex.
* Fix various compiler warnings
* Fix regression, reinstate LibreSSL support.
* man: correct the description of --capath and --crl-verify regarding CRLs
* Fix typo in NTLM proxy debug message
* Ignore --pull-filter for --mode server
* openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
* Better error message when script fails due to script-security setting
* Correct the return value of cryptoapi RSA signature callbacks
* Handle PSS padding in cryptoapicert
* cmocka: use relative paths
* Fix documentation of tls-verify script argument
* Thu Dec 19 2019 Dominique Leuenberger - BuildRequire pkgconfig(libsystemd) instead of systemd-devel: Allow OBS to shortcut through the -mini flavors.
* Wed Sep 18 2019 Michal Hrusecky - Add p11kit build time dependency for pkcs providers autodetection
* Mon Jul 29 2019 Reinhard Max - Clarify in the service file that the reload action doesn\'t work when dropping root privileges (boo#1142830).
* Tue Jun 25 2019 Michael Ströder - Updated openvpn.keyring with public key downloaded from https://swupdate.openvpn.net/community/keys/security-key-2019.asc
* Thu Feb 21 2019 Franck Bui - Drop use of $FIRST_ARG in openvpn.spec The use of $FIRST_ARG was probably required because of the %service_
* rpm macros were playing tricks with the shell positional parameters. This is bad practice and error prones so let\'s assume that no macros should do that anymore and hence it\'s safe to assume that positional parameters remains unchanged after any rpm macro call.
* Wed Feb 20 2019 Michael Ströder - Update to 2.4.7: Adam Ciarcin?ski (1):
* Fix subnet topology on NetBSD (2.4). Antonio Quartulli (3):
* add support for %lu in argv_printf and prevent ASSERT
* buffer_list: add functions documentation
* ifconfig-ipv6(-push): allow using hostnames Arne Schwabe (7):
* Properly free tuntap struct on android when emulating persist-tun
* Add OpenSSL compat definition for RSA_meth_set_sign
* Add support for tls-ciphersuites for TLS 1.3
* Add better support for showing TLS 1.3 ciphersuites in --show-tls
* Use right function to set TLS1.3 restrictions in show-tls
* Add message explaining early TLS client hello failure
* Fallback to password authentication when auth-token fails Christian Ehrhardt (1):
* systemd: extend CapabilityBoundingSet for auth_pam David Sommerseth (1):
* plugin: Export base64 encode and decode functions Gert Doering (3):
* Add %d, %u and %lu tests to test_argv unit tests.
* Fix combination of --dev tap and --topology subnet across multiple platforms.
* Add \'printing of port number\' to mroute_addr_print_ex() for v4-mapped v6. Gert van Dijk (1):
* Minor reliability layer documentation fixes James Bekkema (1):
* Resolves small IV_GUI_VER typo in the documentation. Jonathan K. Bullard (1):
* Clarify and expand management interface documentation Lev Stipakov (5):
* Refactor NCP-negotiable options handling
* init.c: refine functions names and description
* interactive.c: fix usage of potentially uninitialized variable
* options.c: fix broken unary minus usage
* Remove extra token after #endif Richard van den Berg via Openvpn-devel (1):
* Fix error message when using RHEL init script Samy Mahmoudi (1):
* man: correct a --redirection-gateway option flag Selva Nair (7):
* Replace M_DEBUG with D_LOW as the former is too verbose
* Correct the declaration of handle in \'struct openvpn_plugin_args_open_return\'
* Bump version of openvpn plugin argument structs to 5
* Move get system directory to a separate function
* Enable dhcp on tap adapter using interactive service
* Pass the hash without the DigestInfo header to NCryptSignHash()
* White-list pull-filter and script-security in interactive service Simon Rozman (2):
* Add Interactive Service developer documentation
* Detect TAP interfaces with root-enumerated hardware ID Steffan Karger (7):
* man: add security considerations to --compress section
* mbedtls: print warning if random personalisation fails
* Fix memory leak after sighup
* travis: add OpenSSL 1.1 Windows build
* Fix --disable-crypto build
* Don\'t print OCC warnings about \'key-method\', \'keydir\' and \'tls-auth\'
* buffer_list_aggregate_separator(): simplify code
* Fri Apr 27 2018 maxAATTsuse.com- Update to 2.4.6:
* CVE-2018-9336, bsc#1090839: Fix potential double-free() in Interactive Service
* Delete the IPv6 route to the \"connected\" network on tun close
* Management: warn about password only when the option is in use
* Avoid overflow in wakeup time computation
* Tue Apr 10 2018 maxAATTsuse.com- Remove --askpass again, because it was also asking for a password when none was needed. As a workaround for keys that need a password, the \"askpass\" statement should be added to the config file (bsc#1078026).- Use Type=notify in openvpn.service to reflect what openvpn is actually doing.- Import the new signing key from upstream.- Remove obsolete configure switch --enable-password-save .
* Tue Mar 13 2018 avindraAATTopensuse.org- Update to 2.4.5
* New features + The new option --tls-cert-profile can be used to restrict the set of allowed crypto algorithms in TLS certificates in mbed TLS builds. The default profile is \'legacy\' for now, which allows SHA1+, RSA-1024+ and any elliptic curve certificates. The default will be changed to the \'preferred\' profile in the future, which requires SHA2+, RSA-2048+ and any curve. + openvpnserv: Add support for multi-instances (to support multiple parallel OpenVPN installations, like EduVPN and regular OpenVPN) + Use P_DATA_V2 for server->client packets too (better packet alignment) + improve management interface documentation (bsc#1085803, CVE-2018-7544) + rework registry key handling for OpenVPN service, notably making most registry values optional, falling back to reasonable defaults + accept IPv6 address for pushed \"dhcp-option DNS ...\" (make OpenVPN 2 option compatible with OpenVPN 3 iOS and Android clients)
* Bug fixes + Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+ + Fix lots of compiler warnings (format string, type casts, ...) + reload HTTP proxy credentials when moving to the next connection profile + Fix build with LibreSSL (multiple times) + Remove non-useful warning on pushed tun-ipv6 option. + autoconf: Fix engine checks for openssl 1.1 + lz4: Rebase compat-lz4 against upstream v1.7.5 + lz4: Fix broken builds when pkg-config is not present but system library is + Fix \'--bind ipv6only\' + Allow learning iroutes with network made up of all 0s- Includes 2.4.4
* Bug fixes + Fix issues when a pushed cipher via the Negotiable Crypto Parameters (NCP) is rejected by the remote side + Ignore --keysize when NCP have resulted in a changed cipher + Configurations using --auth-nocache and the management interface to provide user credentials (like NetworkManager) on client side with servers implementing authentication tokens (for example, using --auth-gen-token) will now behave correctly and not query the user for an, to them, unknown authentication token on renegotiations of the tunnel. + Invalid or corrupt SOCKS port number when changing the proxy via the management interface. + man page should now have proper escaping of hyphen/minus characters and other minor corrections.
* User-visible Changes + Linux servers with systemd which use the openvpn-serverAATT.service unit file for server configurations will now utilize the automatic restart feature in systemd. If the OpenVPN server process dies unexpectedly, systemd will ensure the OpenVPN configuration will be restarted automatically.
* Deprecated + --no-replay (will be removed in 2.5) + --keysize (will be removed in 2.6)
* Security + CVE-2017-12166: Fix bounds check for configurations using - -key-method 1. Before this fix, attackers could send a malformed packet to trigger a stack overflow. This is considered to be a low risk issue, as --key-method 2 has been the default since 2.0 (released on 2005-04-17). This option is already deprecated in v2.4 and will be completely removed in v2.5.- Rebase openvpn-fips140-2.3.2.patch- Drop 0002-Fix-bounds-check-in-read_key.patch
* upstreamed in c7e259160b28e94e4ea7f0ef767f8134283af255- Partial cleanup with spec-cleaner
* Tue Feb 13 2018 maxAATTsuse.com- Add --askpass to ExecStart, so that the user name and password are correctly being queried from the user. (bsc#1078026, boo#985798, boo#1031748)- Use %service_add/del macros throughout (bsc#1038406).
  
ICM