|
|
|
|
Changelog for libopenconnect5-9.12-lp155.1.2.x86_64.rpm :
* Sat May 20 2023 Andrea Manzini - Update to release 9.12: * Explicitly reject overly long tun device names. * Increase maximum input size from stdin (#579). * Ignore 0.0.0.0 as NBNS address (!446, vpnc-scripts#58). * Fix stray (null) in URL path after Pulse authentication (4023bd95). * Fix config XML parsing mistake that left GlobalProtect ESP non-working in v9.10 (!475). * Fix case sensitivity in GPST header matching (!474). * Mon May 08 2023 Andrea Manzini - Update to release 9.10: * Fix external browser authentication with KDE plasma-nm < 5.26. * Always redirect stdout to stderr when spawning external browser. * Increase default queue length to 32 packets. * Fix receiving multiple packets in one TLS frame, and single packets split across multiple TLS frames, for Array. * Handle idiosyncratic variation in search domain separators for all protocols * Support region selection field for Pulse authentication * Support modified configuration packet from Pulse 9.1R16 servers * Allow hidden form fields to be populated or converted to text fields on the command line * Support yet another strange way of encoding challenge-based 2FA for GlobalProtect * Add --sni option (and corresponding C and Java API functions) to allow domain-fronting connections in censored/filtered network environments * Parrot a GlobalProtect server\'s software version, if present, as the client version (!333) * Fix NULL pointer dereference that has left Android builds broken since v8.20 (!389). * Fix Fortinet authentication bug where repeated SVPNCOOKIE causes segfaults (#514, !418). * Support F5 VPNs which encode authentication forms only in JSON, not in HTML. * Support simultaneous IPv6 and Legacy IP (\"dual-stack\") for Fortinet . * Support \"FTM-push\" token mode for Fortinet VPNs . * Send IPv6-compatible version string in Pulse IF/T session establishment * Add --no-external-auth option to not advertise external-browser authentication * Many small improvements in server response parsing, and better logging messages and documentation. * Thu Dec 15 2022 Andrea Manzini - Update to release 9.01: * Add support for AnyConnect \"Session Token Re-use Anchor Protocol\" (STRAP) * Add support for AnyConnect \"external browser\" SSO mode * Bugfix RSA SecurID token decryption and PIN entry forms, broken in v8.20 * Support Cisco\'s multiple-certificate authentication * Revert GlobalProtect default route handling change from v8.20 * Suppo split-exclude routes for Fortinet * Add webview callback and SAML/SSO support for AnyConnect, GlobalProtect * Mon Apr 18 2022 Jan Engelhardt - Update to release 8.20: * Support non-AEAD ciphersuites in DTLSv1.2 with AnyConnect. * Emulated a newer version of GlobalProtect official clients, 5.1.5-8; was 4.0.2-19 * Support Juniper login forms containing both password and 2FA token * Explicitly disable 3DES and RC4, unless enabled with - -allow-insecure-crypto * Allow protocols to delay tunnel setup and shutdown (!117) * Support for GlobalProtect IPv6 * SIGUSR1now causes OpenConnect to log detailed connection information and statistics * Allow --servercert to be specified multiple times in order to accept server certificates matching more than one possible fingerprint * Demangle default routes sent as split routes by GlobalProtect * Support more Juniper login forms, including some SSO forms * Restore compatibility with newer Cisco servers, by no longer sending them the X-AnyConnect-Platform header * Add support for PPP-based protocols, currently over TLS only. * Add support for two PPP-based protocols, F5 with - -protocol=f5 and Fortinet with --protocol=fortinet. * Add support for Array Networks SSL VPN. * Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases for swtpm and hardware TPM. * Tue Nov 23 2021 Robert Munteanu - Import the latest version of the vpnc-script, revision 1d35a8527e5422967514dd1d47350ff2ede55903 (boo#1140772) * This brings a lot of improvements for non-trivial network setups, IPv6 etc * Fri Jan 08 2021 olafAATTaepfle.de- Build with --without-gnutls-version-check * Fri May 15 2020 Martin Hauke - Update to version 8.10: * Install bash completion script to ${datadir}/bash-completion/completions/openconnect. * Improve compatibility of csd-post.sh trojan. * Fix potential buffer overflow with GnuTLS describing local certs (CVE-2020-12823). * Fri May 01 2020 Martin Hauke - Fix CVE-2020-12105 (boo#1170452)- Introduce subpackage for bash-completion- Update to 8.09: * Add bash completion support. * Give more helpful error in case of Pulse servers asking for TNCC. * Sanitize non-canonical Legacy IP network addresses. * Fix OpenSSL validation for trusted but invalid certificates (CVE-2020-12105). * Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py as well. (!91) * Disable Nagle\'s algorithm for TLS sockets, to improve interactivity when tunnel runs over TCP rather than UDP. * GlobalProtect: more resilient handling of periodic HIP check and login arguments, and predictable naming of challenge forms. * Work around PKCS#11 tokens which forget to set CKF_LOGIN_REQUIRED.- Update to 8.0.8: * Fix check of pin-sha256: public key hashes to be case sensitive * Don\'t give non-functioning stderr to CSD trojan scripts. * Fix crash with uninitialised OIDC token.- Update to 8.0.7: * Don\'t abort Pulse connection when server-provided certificate MD5 doesn\'t match. * Fix off-by-one in check for bad GnuTLS versions, and add build and run time checks. * Don\'t abort connection if CSD wrapper script returns non-zero (for now). * Make --passtos work for protocols that use ESP, in addition to DTLS. * Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py as well. * Wed Jan 08 2020 Tomáš Chvátal - Remove tncc-wrapper.py script as it is python2 only bsc#1157446 * Mon Nov 04 2019 Tomáš Chvátal - No need to ship hipreport-android.sh as it is intented for android systems only * Tue Oct 29 2019 Tomáš Chvátal - Update to 8.0.5: * Minor fixes to build on specific platforms * Tue Oct 29 2019 Tomáš Chvátal - Use python3 to generate the web data as now it is supported by upstream * Sun May 19 2019 Martin Hauke - Update to 8.0.3: * Fix Cisco DTLSv1.2 support for AES256-GCM-SHA384. * Fix recognition of OTP password fields.- Verify source signature * Wed Jan 23 2019 liedkeAATTrz.uni-mannheim.de- Update to 8.02: * Fix GNU/Hurd build. * Discover vpnc-script in default packaged location on FreeBSD/OpenBSD. * Support split-exclude routes for GlobalProtect. * Fix GnuTLS builds without libtasn1. * Fix DTLS support with OpenSSL 1.1.1+. * Add Cisco-compatible DTLSv1.2 support. * Invoke script with reason=attempt-reconnect before doing so. * Fri Jan 11 2019 Tomáš Chvátal - Update to 8.01: * Clear form submissions (which may include passwords) before freeing (CVE-2018-20319). * Allow form responses to be provided on command line. * Add support for SSL keys stored in TPM2. * Fix ESP rekey when replay protection is disabled. * Drop support for GnuTLS older than 3.2.10. * Fix --passwd-on-stdin for Windows to not forcibly open console. * Fix portability of shell scripts in test suite. * Add Google Authenticator TOTP support for Juniper. * Add RFC7469 key PIN support for cert hashes. * Add protocol method to securely log out the Juniper session. * Relax requirements for Juniper hostname packet response to support old gateways. * Add API functions to query the supported protocols. * Verify ESP sequence numbers and warn even if replay protection is disabled. * Add support for PAN GlobalProtect VPN protocol (--protocol=gp). * Reorganize listing of command-line options, and include information on supported protocols. * SIGTERM cleans up the session similarly to SIGINT. * Fix memset_s() arguments. * Fix OpenBSD build.- Explicitely enable all the features as needed to stop build if something is missing- Run tests- Folow the library packaging guidelines * Thu Jul 19 2018 sckangAATTsuse.com- Modified spec file: only add this BuildRequires on Leap/SLE 15+ (fate#325553). > BuildRequires: pkgconfig(libpskc) * Thu Jun 07 2018 bjorn.lieAATTgmail.com- Drop pkgconfig(gconf-2.0) and pkgconfig(gtk+-2.0) BuildRequires: Not needed, nor used. * Tue Apr 03 2018 fcrozatAATTsuse.com- Add BuildRequires pkgconfig(libpcsclite/libpskc) to enable liboath (TOTP/HOTP) and yubikey support. * Fri Dec 08 2017 dimstarAATTopensuse.org- Add explicit python2-base and python2-xml BuildRequires: the buildsystem checks for python2 and disables building the documentation if not found. Buildinf the documentation in plus depends on the xml modules. So far we relied on other packages pulling in python2 for us. * Mon Sep 25 2017 sckangAATTsuse.com- Drop vpnc dependency by including vpnc-script from vpnc package (fate#323497). * Fri Dec 16 2016 iAATTmarguerite.su- update to version 7.08 (bsc#1056389) * Add SHA256 support for server cert hashes. * Enable DHE ciphers for Cisco DTLS. * Increase initial oNCP configuration buffer size. * Improve support for point-to-point routing on Windows. * Check for non-resumed DTLS sessions which may indicate a MiTM attack. * Fix compatibility with Pulse Secure 8.2R5. * Support DTLS automatic negotiation. * Support --key-password for GnuTLS PKCS#11 PIN. * Support automatic DTLS MTU detection with OpenSSL. * Update OpenSSL to allow TLSv1.2, improve compatibility options. * Remove --no-cert-check option. It was being (mis)used. * Fix OpenSSL support for PKCS#11 EC keys without public key. * Fix polling/retry on \"tun\" socket when buffers full. * Fix AnyConnect server-side MTU setting. * Fix ESP replay detection. * Add certificate torture test suite. * Support PKCS#11 PIN via pin-value= and --key-password for OpenSSL. * Fix integer overflow issues with ESP packet replay detection. * Add --pass-tos option as in OpenVPN. * Support role selection form in Juniper VPN. * Support DER-format certificates, add certificate format torture tests. * For OpenSSL >= 1.0.2, fix certificate validation when only an intermediate CA is specified with the --cafile option. * Support Juniper \"Pre Sign-in Message\".- dropped juniper-fix-for-upstream-sources.patch, upstreamed * Tue Oct 04 2016 fativiAATTgmail.com- Upgraded to 7.07, included fix for Juniper vpn * Tue Oct 04 2016 fativiAATTgmail.com- Update to version 7.0.7 * More fixes for OpenSSL 1.1 build. * Support Juniper \"Post Sign-in Message\". * Add --protocol option. * Fix ChaCha20-Poly1305 cipher suite to reflect final standard. * Add ability to disable IPv6 support via library API. * Set groups appropriately when using setuid(). * Automatic DTLS MTU detection. * Support SSL client certificate authentication with Juniper servers. * Revamp SSL certificate validation for OpenSSL and stop supporting OpenSSL older than 0.9.8. * Fix handling of multiple DNS search domains with Network Connect. * Fix handling of large configuration packets for Network Connect. * Enable SNI when built with OpenSSL (1.0.1g or later). * Add --resolve and --local-hostname options to command line.- juniper-fix-for-upstream-sources.patch included to fix upgraded Juniper servers * Submitted to upstream, not yet included in release * Tue Mar 17 2015 idonmezAATTsuse.com- Update to version 7.0.6 * Fix openconnect.pc breakage after liboath removal. * Refactor Juniper Network Connect receive loop. * Fix some memory leaks. * Add Bosnian translation. * Wed Mar 11 2015 idonmezAATTsuse.com- Update to version 7.0.5 * Fix alignment issue which broke LZS compression on ARM etc. * Support HTTP authentication to servers, not just proxies. * Add SHA256/SHA512 support for OATH. * Remove liboath dependency. * Support DTLS v1.2 and AES-GCM with OpenSSL 1.0.2. * Add OpenSSL 1.0.2 to known-broken releases (RT#3703, RT#3711). * Fix build with OpenSSL HEAD (OpenSSL 1.1.x). * Preliminary support for Juniper SSL VPN. * Mon Jan 26 2015 idonmezAATTsuse.com- Update to Version 7.04 * Change default behaviour to enable only stateless compression. * Add --compression argument and openconnect_set_compression_mode(). * Add support for LZS compression * Add support for LZ4 compression- Add liblz4-devel dependency for LZ4 compression support. * Wed Jan 14 2015 idonmezAATTsuse.com- Update to Version 7.03 * Clean up handling of incoming packets. * Fix issue with two-stage (i.e. NetworkManager) connection to servers with trick DNS (rh#1179681). * Stop using static variables for received packets. * Fri Dec 19 2014 rsalevskyAATTsuse.com- Update to Version 7.02 * Add PKCS#11 support for OpenSSL. * Fix handling of select options in openconnect_set_option_value(). * Wed Dec 10 2014 rsalevskyAATTsuse.com- Update to Version 7.01 * Try harder to find a PKCS#11 key to match a given certificate. * Handle \'Connection: close\' from proxies correctly. * Warn when MTU is set too low (<1280) to permit IPv6 connectivity. * Add support for X-CSTP-DynDNS, to trigger DNS lookup on each reconnec * Thu Dec 04 2014 rsalevskyAATTsuse.com- Update to Version 7.00 * Add support for GnuTLS 3.4 system: keys including Windows certificate store. * Add support for HOTP/TOTP keys from Yubikey NEO devices. * Add ---no-system-trust option to disable default certificate authorities. * Improve libiconv and libintl detection. * Stop calling setenv() from library functions. * Support utun driver on OS X. * Change library API so string ownership is never transferred. * Support new NDIS6 TAP-Windows driver shipped with OpenVPN 2.3.4. * Support using PSKC (RFC6030) token files for HOTP/TOTP tokens. * Support for updating HOTP token storage when token is used. * Support for reading OTP token data from a file. * Add full character set handling for legacy non-UTF8 systems (including Windows). * Fix legacy (i.e. not XML POST) submission of non-ASCII form entries (even in UTF-8 locales). * Avoid retrying without XML POST, when we failed to even reach the server. * Fix off-by-one in parameter substitution in error messages. * Improve reporting when GSSAPI auth requested but not compiled in. * Fix parsing of split include routes on Windows. * Fix crash on invocation with --token-mode but no --token-secret.
|
|
|