Changelog for openvpn-down-root-plugin-debuginfo-2.3.8-7.1.x86_64.rpm :

* Wed Feb 10 2016 ndasAATTsuse.de
- Added fix for possible heap overflow on read accessing getaddrinfo result (bsc#959714). [+openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch]
- Added a patch to fix multiple low severity issues (bsc#934237). [+openvpn-2.3.x-fixed-multiple-low-severity-issues.patch]
* Thu Aug 20 2015 mtAATTsuse.com
- Update to most recent openvpn package in version 2.3.8 (fate#319011) which obsoletes our security fix backports and provides many fixes. [- 0007-Drop-too-short-control-channel-packets.CVE-2014-8104.patch, - openvpn-use-newertls.patch, + revert-daemonize.patch]
- Moved openvpn-plugin.h into a devel package, removed .gitignore
* Thu Aug 13 2015 idonmezAATTsuse.com
- Add revert-daemonize.patch, looks like under systemd the stdin and stdout are not TTYs by default. This reverts to previous behaviour fixing bsc#941569
* Wed Aug 05 2015 idonmezAATTsuse.com
- Update to version 2.3.8
* Report missing endtags of inline files as warnings
* Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit
* Produce a meaningful error message if --daemon gets in the way of asking for passwords.
* Document --daemon changes and consequences (--askpass, --auth-nocache)
* Del ipv6 addr on close of linux tun interface
* Fix --askpass not allowing for password input via stdin
* Write pid file immediately after daemonizing
* Fix regression: query password before becoming daemon
* Fix using management interface to get passwords
* Fix overflow check in openvpn_decrypt()
- Update to version 2.3.7
* down-root plugin: Replaced system() calls with execve()
* sockets: Remove the limitation of --tcp-nodelay to be server-only
* pkcs11: Load p11-kit-proxy.so module by default
* New approach to handle peer-id related changes to link-mtu
* Fix incorrect use of get_ipv6_addr() for iroute options
* Print helpful error message on --mktun/--rmtun if not available
* Explain effect of --topology subnet on --ifconfig
* Add note about file permissions and --crl-verify to manpage
* Repair --dev null breakage caused by db950be85d37
* Correct note about DNS randomization in openvpn.8
* Disallow usage of --server-poll-timeout in --secret key mode
* Slightly enhance documentation about --cipher
* On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo()
* Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo()
* Fix --redirect-private in --dev tap mode
* Updated manpage for --rport and --lport
* Properly escape dashes on the man-page
* Improve documentation in --script-security section of the man-page
* Really fix '--cipher none' regression
* Set tls-version-max to 1.1 if cryptoapicert is used
* Account for peer-id in frame size calculation
* Disable SSL compression
* Fix frame size calculation for non-CBC modes.
* Allow for CN/username of 64 characters (fixes off-by-one)
* Re-enable TLS version negotiation by default
* Remove size limit for files inlined in config
* Improve --tls-cipher and --show-tls man page description
* Re-read auth-user-pass file on (re)connect if required
* Clarify --capath option in manpage
* Call daemon() before initializing crypto library
* Thu Jul 02 2015 mtAATTsuse.de
- Fixed to use correct sha digest data length and in fips mode, use aes instead of the disallowed blowfish crypto (boo#914166).
- Fixed to mention actual plugin/doc dirs in openvpn(8) man page.
- Fixed to build with large file support on 32 bit systems.
- Fixed to use _rundir instead _localstatedir/run when defined
- Depend on systemd-devel for the daemon check functionality, removed obsolete --with-lzo-headers configure option.
- Applied backport patch to permit TLS 1.1/1.2 version negotiation instead to stick at TLS 1.0 (bsc#928802)
* Mon Dec 01 2014 mtAATTsuse.de
- Applied upstream patch fixing a denial-of-service vulnerability where an authenticated client could stop the server by triggering a server-side ASSERT (bnc#907764, CVE-2014-8104), [+ 0007-Drop-too-short-control-channel-packets.CVE-2014-8104.patch]
* Tue Jan 14 2014 mtAATTsuse.de
- Updated README.SUSE, documented also the rcopenvpn compatibility wrapper script (bnc#848070).
* Thu Jan 09 2014 meissnerAATTsuse.com
- openvpn-fips140-2.3.2.patch: Allow usage of SHA1 instead of MD5 in some internal checking routines. This allows operation in FIPS 140-2 mode.
* Tue Dec 17 2013 mtAATTsuse.de
- Readded rcopenvpn helper script under systemd (bnc#848070)
* Thu Oct 31 2013 mtAATTsuse.de
- Fixed invalid mode in exec bit removal call from doc files
* Tue Aug 27 2013 lmuelleAATTsuse.com
- Add a section about how to control all or a named configuration with the help of systemctl to the README.SUSE file.
* Mon Jun 03 2013 mrdocsAATTopensuse.org
- Update to 2.3.2
+ Fixes since 2.3.0
- Remove dead code path and putenv functionality
- Remove unused function xor
- Move static prototype definition from header into c file
- Remove unused function no_tap_ifconfig
- fix build with automake 1.13(.1)
- Fix corner case in NTLM authentication (trac #172)
- Update README.IPv6 to match what is in 2.3.0
- Repair "tcp server queue overflow" brokenness, more fallout.
- Permit pool size of /64.../112 for ifconfig-ipv6-pool
- Add MIN() compatibility macro
- Fix directly connected routes for "topology subnet" on Solaris.
- close more file descriptors on exec
- Ignore UTF-8 byte order mark
- reintroduce --no-name-remapping option
- make --tls-remote compatible with pre 2.3 configs
- add new option for X.509 name verification
- add man page patch for missing options
- Fix parameter listing in non-debug builds at verb 4
- (updated) [PATCH] Warn when using verb levels >=7 without debug
- Enable TCP_NODELAY configuration on FreeBSD.
- Updated README
- Cleaned up and updated INSTALL
- PolarSSL-1.2 support
- Improve PolarSSL key_state_read_{cipher, plain}text messages
- Improve verify_callback messages
- Config compatibility patch. Added translate_cipher_name.
- Switch to IANA names for TLS ciphers.
- Fixed autoconf script to properly detect missing pkcs11 with polarssl.
- Use constant time memcmp when comparing HMACs in openvpn_decrypt.
* Mon May 06 2013 mtAATTsuse.de
- Try to migrate openvpn.service autostart to openvpn@.service instance enablement.
* Tue Apr 23 2013 mtAATTsuse.de
- Fixed to enable systemd support in configure
- Fixed openvpn-tmpfile.conf to use GID root, there is no openvpn group.
- Added openvpn.target file allowing to handle all instances at once.
- Fixed to install the service template correctly as openvpn@.service. Use "systemctl enable openvpn@foo.service" to enable instance using /etc/openvpn/foo.conf.
- Disabled systemd variant of restart on update rpm macro, adopted other macros to use openvpn.target to e.g. stop all instances on uninstall.
* Tue Mar 26 2013 ajAATTsuse.com
- Remove _unitdir definition, it is provided by systemd.
- Install service file without x permissions
* Mon Mar 25 2013 p.drouandAATTgmail.com
- Update to version 2.3.0:
* Full IPv6 support
* SSL layer modularised, enabling easier implementation for other SSL libraries
* PolarSSL support as a drop-in replacement for OpenSSL
* New plug-in API providing direct certificate access, improved logging API and easier to extend in the future
* Added 'dev_type' environment variable to scripts and plug-ins - which is set to 'TUN' or 'TAP'
* New feature: --management-external-key - to provide access to the encryption keys via the management interface
* New feature: --x509-track option, more fine grained access to X.509 fields in scripts and plug-ins
* New feature: --client-nat support
* New feature: --mark which can mark encrypted packets from the tunnel, suitable for more advanced routing and firewalling
* New feature: --management-query-proxy - manage proxy settings via the management interface (supersedes --http-proxy-fallback)
* New feature: --stale-routes-check, which cleans up the internal routing table
* New feature: --x509-username-field, where other X.509v3 fields can be used for the authentication instead of Common Name
* Improved client-kill management interface command
* Improved UTF-8 support - and added --compat-names to provide backwards compatibility with older scripts/plug-ins
* Improved auth-pam with COMMONNAME support, passing the certificate's common name in the PAM conversation
* More options can now be used inside blocks
* Completely new build system, enabling easier cross-compilation and Windows builds
* Much of the code has been better documented
* Many documentation updates
* Plenty of bug fixes and other code clean-ups
- Add systemd native support for OpenSUSE > 12.1
- Adapt patches to upstream release:
* openvpn-2.1-plugin-man.dif > openvpn-2.3-plugin-man.dif
* openvpn-2.1.0-man-dot.diff > openvpn-2.3.0-man-dot.diff
- Remove obsolete patches; fixed or merged on upstream release:
* 0001-Use-SSL_MODE_RELEASE_BUFFERS-if-available.patch
* openvpn-2.1-plugin-build.dif
* openvpn-2.1-systemd-passwd.patch
- Rebase specfile to upstream changes:
* easy-rsa is not provided anymore with main package
* remove %clean section
* autoreconf -fi is not needed
- Update openvpn.keyring file for upstream release asc key
* Mon Jan 28 2013 mtAATTsuse.com
- Join openvpn.service systemd cgroup in start when needed, e.g. when starting with further parameters. (bnc#781106)
* Thu Nov 29 2012 sbrabecAATTsuse.cz
- Verify GPG signature.
* Fri Sep 21 2012 cooloAATTsuse.com
- fix ciaran's previous license entry. the license has a SUSE prefix
* Thu Sep 20 2012 mtAATTsuse.com
- Fixed openvpn init script to not map reopen to reload so the reopen code is without any effect (bnc#781106).
- Added requested OPENVPN_AUTOSTART variable allowing to provide an optional list of config names started by default (bnc#692440).
* Wed Aug 22 2012 cfarrellAATTsuse.com
- license update: GPL-2.0-with-openssl-exception and LGPL-2.1 openssl has an openssl exception (also, it is GPL-2.0 only)
* Thu Mar 29 2012 mtAATTsuse.com
- Fixed SLES build readding Group tags to sub-packages in spec, not require libselinux-devel on SLE-10 and datadir/doc cleanup.
* Wed Feb 15 2012 mtAATTsuse.com
- Updated to openvpn-2.2.2:
  - Warn once, that IPv6 in tun mode is not supported in OpenVPN 2.2
  - Pkcs11 support built into the Windows version
  - Fixed a bug in the Windows TAP-driver
* Thu Dec 08 2011 ajAATTsuse.de
- Fix source URLs.
* Fri Dec 02 2011 cooloAATTsuse.com
- add automake as buildrequire to avoid implicit dependency
* Mon Aug 29 2011 mtAATTsuse.com
- Marked /var/run/openvpn as ghost (bnc#710270), man page and other rpmlint warning fixes
* Tue Aug 23 2011 crrodriguezAATTopensuse.org
- BuildRequires libselinux-devel
- Use SSL_MODE_RELEASE_BUFFERS to keep memory usage low, sent upstream as https://community.openvpn.net/openvpn/ticket/157
* Mon Aug 22 2011 fcrozatAATTnovell.com
- Add openvpn-2.1-systemd-passwd.patch / modify openvpn.init to support systemd password query (bnc#675406)
* Mon Jul 11 2011 mtAATTsuse.de
- Updated to openvpn-2.2.1, a new version series providing several new features. This version fixes build issues and provides updated easy-rsa for OpenSSL 1.0.0 (fixes Trac ticket #125),
- Adopted spec file, enabled saving password in a file and to specify an alternative username in x509 cert.
- Removed X-Interactive from init script again, as systemd isn't able to use it correctly [any more?] (bnc#675406). We will address it later and probably use /bin/systemd-ask-password.
* Tue Mar 15 2011 crrodriguezAATTopensuse.org
- KVPNC is unable to parse openvpn version [bnc#679153]
* Thu Feb 17 2011 mtAATTsuse.de
- Added X-Interactive: true LSB tag to the init script.
* Tue Nov 16 2010 mtAATTsuse.de
- Updated to openvpn 2.1.4, providing several bug fixes and improvements, such as:
* Fix of a problem with special case route targets
* Try to ensure, that the tun/tap interface gets closed on non-graceful aborts.
* Several AUTH_FAILED reporting fixes causing the connection to fail without any error indication.
* Enable exponential backoff in reliability layer retransmits.
* Proxy improvements
Please review the ChangeLog file for a complete and exact list.
* Wed Sep 08 2010 cristian.rodriguezAATTopensuse.org
- Do not include build date in binaries
* Tue Jun 15 2010 mtAATTsuse.de
- Improved netconfig based client up and down sample scripts.
* Fri Jun 11 2010 anschneiderAATTexsuse.de
- Added netconfig based client up and down scripts to samples.
* Thu Mar 11 2010 mtAATTsuse.de
- Updated to openvpn 2.1.1; linux related changes since 2.1_rc20:
* Fixed a couple issues in sample plugins auth-pam.c and down-root.c. (1) Fail gracefully rather than segfault if calloc returns NULL. (2) The openvpn_plugin_abort_v1 function can potentially be called with handle == NULL. Add code to detect this case, and if so, avoid dereferencing pointers derived from handle (Thanks to David Sommerseth for finding this bug).
* Documented "multihome" option in the man page.
* Added a hard failure when peer provides a certificate chain with depth > 16. Previously, a warning was issued.
* Added additional session renegotiation hardening. OpenVPN has always required that mid-session renegotiations build up a new SSL/TLS session from scratch. While the client certificate common name is already locked against changes in mid-session TLS renegotiations, we now extend this locking to the auth-user-pass username as well as all certificate content in the full client certificate chain.
- Improved openvpn init script adding messages giving a hint about pid write failure and to look into the log messages (bnc#559041).
- Added -fno-strict-aliasing to compile flags in the spec file.
* Thu Dec 17 2009 mtAATTsuse.de
- Updated to openvpn 2.1 2.1_rc20, fixing problems in route and option handling provided by the from server (bnc#552440). For complete list of changes, see ChangeLog file, here just the IMO most important:
* Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the redirect-gateway option by itself, without any extra parameters, would cause the option to be ignored.
* Optimized PUSH_REQUEST handshake sequence to shave several seconds off of a typical client connection initiation.
* The maximum number of "route" directives (specified in the config file or pulled from a server) can now be configured via the new "max-routes" directive.
* Eliminated the limitation on the number of options that can be pushed to clients, including routes. Previously, all pushed options needed to fit within a 1024 byte options string.
* Added --server-poll-timeout option : when polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server.
* Added the ability for the server to provide a custom reason string when an AUTH_FAILED message is returned to the client. This string can be set by the server-side management interface and read by the client-side management interface.
* client-kill management interface command, when issued on server, will now send a RESTART message to client. This feature is intended to make UDP clients respond the same as TCP clients in the case where the server issues a RESTART message in order to force the client to reconnect and pull a new options/route list.
* Fri Oct 02 2009 mtAATTsuse.de
- Added network-remotefs to init script dependencies (bnc#522279).
* Wed Jun 10 2009 mtAATTsuse.de
- Updated to openvpn 2.1 [2.1_rc18] series (fate#305289).
- Enabled pkcs11-helper for openSUSE > 10.3 (bnc#487558).
- Adopted spec file and patches, improved init script.
- Disabled installation of easy-rsa for Windows.
 