Search
j0ke.net Open Build Service
>
Projects
>
server:network
>
openvpn
> openvpn.changes
Sign Up
|
Log In
Username
Password
Cancel
Overview
Repositories
Revisions
Requests
Users
Advanced
Attributes
Meta
File openvpn.changes of Package openvpn (Revision 6)
Currently displaying revision
6
,
show latest
------------------------------------------------------------------- Wed Jan 27 18:31:02 UTC 2016 - cs@linux-administrator.com - Update to release 2.3.10 ------------------------------------------------------------------- Tue Dec 2 08:34:28 UTC 2014 - cs@linux-administrator.com - Update to security release 2.3.6 ------------------------------------------------------------------- Fri Oct 18 13:04:30 UTC 2013 - cs@linux-administrator.com - Update to release 2.3.2 ------------------------------------------------------------------- Wed Jan 9 22:15:13 UTC 2013 - cs@linux-administrator.com - Update to release 2.3.0 with full IPv6 implementation ------------------------------------------------------------------- Sat Jul 3 19:41:54 UTC 2010 - cs@linux-administrator.com - added Gert Doerings IPv6 patch. ------------------------------------------------------------------- Tue Jun 15 09:31:56 UTC 2010 - mt@suse.de - Improved netconfig based client up and down sample scripts. ------------------------------------------------------------------- Fri Jun 11 17:07:11 CEST 2010 - anschneider@exsuse.de - Added netconfig based client up and down scripts to samples. ------------------------------------------------------------------- Thu Mar 11 08:51:39 UTC 2010 - mt@suse.de - Updated to openvpn 2.1.1; linux related changes since 2.1_rc20: * Fixed a couple issues in sample plugins auth-pam.c and down-root.c. (1) Fail gracefully rather than segfault if calloc returns NULL. (2) The openvpn_plugin_abort_v1 function can potentially be called with handle == NULL. Add code to detect this case, and if so, avoid dereferencing pointers derived from handle (Thanks to David Sommerseth for finding this bug). * Documented "multihome" option in the man page. * Added a hard failure when peer provides a certificate chain with depth > 16. Previously, a warning was issued. * Added additional session renegotiation hardening. OpenVPN has always required that mid-session renegotiations build up a new SSL/TLS session from scratch. While the client certificate common name is already locked against changes in mid-session TLS renegotiations, we now extend this locking to the auth-user-pass username as well as all certificate content in the full client certificate chain. - Improved openvpn init script adding messages giving a hint about pid write failure and to look into the log messages (bnc#559041). - Added -fno-strict-aliasing to compile flags in the spec file. ------------------------------------------------------------------- Fri Dec 17 23:00:46 CET 2009 - mt@suse.de - Updated to openvpn 2.1 2.1_rc20, fixing problems in route and option handling provided by the from server (bnc#552440). For complete list of changes, see ChangeLog file, here just the IMO most important: * Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the redirect-gateway option by itself, without any extra parameters, would cause the option to be ignored. * Optimized PUSH_REQUEST handshake sequence to shave several seconds off of a typical client connection initiation. * The maximum number of "route" directives (specified in the config file or pulled from a server) can now be configured via the new "max-routes" directive. * Eliminated the limitation on the number of options that can be pushed to clients, including routes. Previously, all pushed options needed to fit within a 1024 byte options string. * Added --server-poll-timeout option : when polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. * Added the ability for the server to provide a custom reason string when an AUTH_FAILED message is returned to the client. This string can be set by the server-side managment interface and read by the client-side management interface. * client-kill management interface command, when issued on server, will now send a RESTART message to client. This feature is intended to make UDP clients respond the same as TCP clients in the case where the server issues a RESTART message in order to force the client to reconnect and pull a new options/route list. ------------------------------------------------------------------- Fri Oct 2 15:14:51 CEST 2009 - mt@suse.de - Added network-remotefs to init script dependencies (bnc#522279). ------------------------------------------------------------------- Wed Jun 10 10:24:06 CEST 2009 - mt@suse.de - Updated to openvpn 2.1 [2.1_rc18] series (fate#305289). - Enabled pkcs11-helper for openSUSE > 10.3 (bnc#487558). - Adopted spec file and patches, improved init script. - Disabled installation of easy-rsa for Windows. ------------------------------------------------------------------- Tue Feb 17 18:22:23 CET 2009 - mt@suse.de - Improved init script to show config name in action messages and allow to specify a config name in the second argument. ------------------------------------------------------------------- Mon Dec 1 10:58:12 CET 2008 - mt@suse.de - Removed restart_on_update rpm install hook that may break the update process, e.g. when openvpn asks for auth data or the update process is running over the tunnel (bnc#450390). ------------------------------------------------------------------- Tue Oct 28 12:13:45 CET 2008 - mt@suse.de - Fixed init script to handle pid files correctly (bnc#435421). ------------------------------------------------------------------- Thu May 29 15:16:03 CEST 2008 - mt@suse.de - Added $time $named to Should-Start in the init script to avoid time related certificate errors and name resolving problems. - Added iproute2 to BuildRequires to avoid openvpn rely on PATH. ------------------------------------------------------------------- Mon May 26 07:53:38 CEST 2008 - mt@suse.de - Reverted init script changes adding startproc, since they break user auth query and multiple tunnels (bnc#394360, bnc#394353). ------------------------------------------------------------------- Thu May 22 18:21:59 CEST 2008 - mt@suse.de - Added -lpam to LDFLAGS of openvpn, because linking the openvpn auth-pam plugin against pam is not sufficient. Many pam modules that are loaded by pam during the authentication process are not linked against pam and contain undefined symbols, causing the authentication to fail (bnc#334773). - Replaced patch loading plugins from /usr/%_lib/openvpn/plugin/lib with -rpath linker flags (bnc#334773). - Fixed init script to use startproc to return 0 when started twice. ------------------------------------------------------------------- Tue Feb 19 11:32:55 CET 2008 - mt@suse.de - Fixed spec file to not set pie flags when building plugins ------------------------------------------------------------------- Thu Jan 17 19:44:41 CET 2008 - mt@suse.de - Bug #334773: Enabled build of down-root and auth-pam plugins, sub-packaged as openvpn-auth-pam-plugin/down-root-plugin. - Added patch to load plugins from /usr/%_lib/openvpn/plugin/lib first, when the plugin name is specified as basename only. - Added patch adoptiong plugin path informations in openvpn.8. - Added patch to build plugins with RPM_OPT_FLAGS. - Fixed init script to use Should-Start/Stop LSB info tags. - Bug #343106: Enabled iproute2 support / usage ------------------------------------------------------------------- Mon Jun 4 10:14:03 CEST 2007 - mt@suse.de - fixed easy-rsa installation (no exec in doc directory) - improved spec to use configure directory variables and cleaned up macro calls in RPM pre/post scripts. - fixed openvpn binary check in the init script. ------------------------------------------------------------------- Fri Oct 27 10:40:59 CEST 2006 - mt@suse.de - upstream 2.0.9, Windows related fixes only * Windows installer updated with OpenSSL 0.9.7l DLLs to fix published vulnerabilities. * Fixed TAP-Win32 bug that caused BSOD on Windows Vista (Henry Nestler). The TAP-Win32 driver has now been upgraded to version 8.4. ------------------------------------------------------------------- Wed Sep 27 14:34:48 CEST 2006 - poeml@suse.de - upstream 2.0.8 * Windows installer updated with OpenSSL 0.9.7k DLLs to fix RSA Signature Forgery (CVE-2006-4339). * No changes to OpenVPN source code between 2.0.7 and 2.0.8. ------------------------------------------------------------------- Fri Jun 23 11:55:10 CEST 2006 - poeml@suse.de - upstream 2.0.7, with bug fixes: * When deleting routes under Linux, use the route metric as a differentiator to ensure that the route teardown process only deletes the identical route which was originally added via the "route" directive (Roy Marples). * Fixed bug where --server directive in --dev tap mode claimed that it would support subnets of /30 or less but actually would only accept /29 or less. * Extend byte counters to 64 bits (M. van Cuijk). * Better sanity checking of --server and --server-bridge IP pool ranges, so as not to hit the assertion at pool.c:119 (2.0.5). * Fixed bug where --daemon and --management-query-passwords used together would cause OpenVPN to block prior to daemonization. * Fixed client/server race condition which could occur when --auth-retry interact is set and the initially provided auth-user-pass credentials are incorrect, forcing a username/password re-query. * Fixed bug where if --daemon and --management-hold are used together, --user or --group options would be ignored. * fix for CVE-2006-1629 integrated (disallow "setenv" to be pushed to clients from the server) - build with fPIE/pie on SUSE 10.0 or newer, or on any other platform ------------------------------------------------------------------- Wed Apr 19 13:10:56 CEST 2006 - poeml@suse.de - security fix (CVE-2006-1629): disallow "setenv" to be pushed to clients from the server [#165123] ------------------------------------------------------------------- Wed Jan 25 21:39:08 CET 2006 - mls@suse.de - converted neededforbuild to BuildRequires ------------------------------------------------------------------- Thu Nov 3 15:25:01 CET 2005 - poeml@suse.de - update to 2.0.5, with two security fixes -- see below. [#132003] 2005.11.02 -- Version 2.0.5 * Fixed bug in Linux get_default_gateway function introduced in 2.0.4, which would cause redirect-gateway on Linux clients to fail. * Restored easy-rsa/2.0 tree (backported from 2.1 beta series) which accidentally disappeared in 2.0.2 -> 2.0.4 transition. 2005.11.01 -- Version 2.0.4 * Security fix -- Affects non-Windows OpenVPN clients of version 2.0 or higher which connect to a malicious or compromised server. A format string vulnerability in the foreign_option function in options.c could potentially allow a malicious or compromised server to execute arbitrary code on the client. Only non-Windows clients are affected. The vulnerability only exists if (a) the client's TLS negotiation with the server succeeds, (b) the server is malicious or has been compromised such that it is configured to push a maliciously crafted options string to the client, and (c) the client indicates its willingness to accept pushed options from the server by having "pull" or "client" in its configuration file (Credit: Vade79). CVE-2005-3393 * Security fix -- Potential DoS vulnerability on the server in TCP mode. If the TCP server accept() call returns an error status, the resulting exception handler may attempt to indirect through a NULL pointer, causing a segfault. Affects all OpenVPN 2.0 versions. CVE-2005-3409 * Fix attempt of assertion at multi.c:1586 (note that this precise line number will vary across different versions of OpenVPN). * Added ".PHONY: plugin" to Makefile.am to work around "make dist" issue. * Fixed double fork issue that occurs when --management-hold is used. * Moved TUN/TAP read/write log messages from --verb 8 to 6. * Warn when multiple clients having the same common name or username usurp each other when --duplicate-cn is not used. * Modified Windows and Linux versions of get_default_gateway to return the route with the smallest metric if multiple 0.0.0.0/0.0.0.0 entries are present. 2005.09.25 -- Version 2.0.3-rc1 * openvpn_plugin_abort_v1 function wasn't being properly registered on Windows. * Fixed a bug where --mode server --proto tcp-server --cipher none operation could cause tunnel packet truncation. ------------------------------------------------------------------- Tue Aug 30 15:05:08 CEST 2005 - poeml@suse.de - update to 2.0.2 [#106258] relevant changes: * Fixed bug where "--proto tcp-server --mode p2p --management host port" would cause the management port to not respond until the OpenVPN peer connects. * Modified pkitool script to be /bin/sh compatible (Johnny Lam). ------------------------------------------------------------------- Tue Aug 23 13:56:27 CEST 2005 - poeml@suse.de - update to 2.0.1 [#106258] * Security Fix -- DoS attack against server when run with "verb 0" and without "tls-auth". If a client connection to the server fails certificate verification, the OpenSSL error queue is not properly flushed, which can result in another unrelated client instance on the server seeing the error and responding to it, resulting in disconnection of the unrelated client (CAN-2005-2531). * Security Fix -- DoS attack against server by authenticated client. This bug presents a potential DoS attack vector against the server which can only be initiated by a connected and authenticated client. If the client sends a packet which fails to decrypt on the server, the OpenSSL error queue is not properly flushed, which can result in another unrelated client instance on the server seeing the error and responding to it, resulting in disconnection of the unrelated client (CAN-2005-2532). * Security Fix -- DoS attack against server by authenticated client. A malicious client in "dev tap" ethernet bridging mode could theoretically flood the server with packets appearing to come from hundreds of thousands of different MAC addresses, causing the OpenVPN process to deplete system virtual memory as it expands its internal routing table. A --max-routes-per-client directive has been added (default=256) to limit the maximum number of routes in OpenVPN's internal routing table which can be associated with a given client (CAN-2005-2533). * Security Fix -- DoS attack against server by authenticated client. If two or more client machines try to connect to the server at the same time via TCP, using the same client certificate, and when --duplicate-cn is not enabled on the server, a race condition can crash the server with "Assertion failed at mtcp.c:411" (CAN-2005-2534). * Fixed server bug where under certain circumstances, the client instance object deletion function would try to delete iroutes which had never been added in the first place, triggering "Assertion failed at mroute.c:349". * Added --auth-retry option to prevent auth errors from being fatal on the client side, and to permit username/password requeries in case of error. Also controllable via new "auth-retry" management interface command. See man page for more info. * Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0 * Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1' would fail to build. * Implement "make check" to perform loopback tests (Matthias Andree). - drop obsolete patch which fixed finding lzo libraries ------------------------------------------------------------------- Tue Jun 28 14:27:17 CEST 2005 - mrueckert@suse.de - The previous patch didnt work with lzo1 based distros. Fixed. ------------------------------------------------------------------- Tue Jun 28 11:25:32 CEST 2005 - cthiel@suse.de - fixed build with lzo2 (added lzo2.diff) ------------------------------------------------------------------- Thu Jun 23 01:48:38 CEST 2005 - ro@suse.de - build with fPIE/pie ------------------------------------------------------------------- Thu Jun 2 18:01:18 CEST 2005 - hvogel@suse.de - lzo headers are in a subdirectory now ------------------------------------------------------------------- Tue Apr 19 10:28:32 CEST 2005 - cthiel@suse.de - update to 2.0 ------------------------------------------------------------------- Thu Feb 17 21:57:20 CET 2005 - poeml@suse.de - update to 2.0_rc14 - add README.SUSE ------------------------------------------------------------------- Fri Jan 28 10:52:55 CET 2005 - poeml@suse.de - update to 2.0_rc10 ------------------------------------------------------------------- Wed Dec 29 14:10:20 CET 2004 - poeml@suse.de - update to 2.0_rc6 ------------------------------------------------------------------- Wed Dec 29 10:35:28 CET 2004 - poeml@suse.de - update to 2.0_rc1 (closing #45979) IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. -> see http://openvpn.net/20notes.html - remove lzo sources, which come in a separate package since 9.2 ------------------------------------------------------------------- Mon Jul 26 15:43:00 CEST 2004 - poeml@suse.de - update to 1.6_rc4 - bzip2 sources ------------------------------------------------------------------- Sun Jan 11 11:33:35 CET 2004 - adrian@suse.de - build as user ------------------------------------------------------------------- Tue Dec 16 16:07:29 CET 2003 - wengel@suse.de - update to version 1.5.0 ------------------------------------------------------------------- Sun Sep 7 18:41:23 CEST 2003 - poeml@suse.de - add an init script - use RPM_OPT_FLAGS - add /var/run/openvpn directory for pid files ------------------------------------------------------------------- Thu Jul 31 14:24:14 CEST 2003 - wengel@suse.de - update to new version -> 1.4.2 ------------------------------------------------------------------- Tue May 27 10:45:35 CEST 2003 - coolo@suse.de - use BuildRoot - package a bit more straightforward ------------------------------------------------------------------- Mon May 19 08:41:42 CEST 2003 - wengel@suse.de - update to version 1.4.1 ------------------------------------------------------------------- Mon Jan 20 17:05:53 CET 2003 - wengel@suse.de - initial package