Hello community,

here is the log from the commit of package ocserv for openSUSE:Factory checked in at 2026-03-14 22:22:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ocserv (Old)
 and /work/SRC/openSUSE:Factory/.ocserv.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ocserv" Sat Mar 14 22:22:54 2026 rev:27 rq:1338864 version:1.4.1 Changes: -------- --- /work/SRC/openSUSE:Factory/ocserv/ocserv.changes 2024-12-08 11:38:45.505679513 +0100 +++ /work/SRC/openSUSE:Factory/.ocserv.new.8177/ocserv.changes 2026-03-14 22:24:21.934027989 +0100 
@@ -1,0 +2,41 @@ +Sat Mar 14 12:07:45 UTC 2026 - Richard Rahl <[email protected]> + +- Update to version 1.4.1: + * [SECURITY] Fixed authentication bypass (medium severity) when combined + password with certificate authentication with cert-user-oid set to + SAN(rfc822name): a client presenting a valid CA-signed certificate without the + expected RFC822 SAN field could authenticate using password credentials alone, + bypassing the intended certificate-to-username binding. Requires the attacker + to possess both a valid CA-signed certificate and valid user credentials + * Fixed a bug where session timeout could be bypassed by reconnecting + * occtl: show user command now includes a Session started at: field, + indicating when the VPN session was established + * occtl: Fix column misalignment in ban command outputs + * occtl: Fix show ip bans may produce invalid JSON + * Handle dotted client hostnames (e.g., .local) by stripping the domain suffix + * Renamed min-reauth-time configuration option to ban-time to better reflect + its purpose + * Fixed ocserv-worker process title + * Fixed ignored udp-port in vhost +- Update to version 1.4.0: + * Fixed issues with PAM authentication when combined with pam_sssd + * Enhanced the seccomp filters to address issue in testing + * Fixed unexpected URL errors for Cisco AnyConnect clients + * Fixed the ping-leases option, which was broken since version 1.1.1 + * Fixed maximum MTU tracking in server statistics + * Fixed iroute option processing to handle multiple routes + * Fixed session accounting for roaming users + * occtl: fix invalid JSON output in occtl -j show iroutes + * occtl: fix regression with trailing commas in occtl -j show sessions + * occtl: fix missing column headers in show ip bans output + * occtl: show ip bans no longer shows expired bans + * Fixed DTLS not working with systemd socket activation + * Fixed a bug in the ban timer logic that could prevent IP addresses + from being banned or cause premature unbans + 
* Session statistics are now reported at consistent intervals + for RADIUS compatibility + * Single form to enter username and password +- revert my own require rubygem(ronn-ng), oversaw that ronn binary is + enough + +------------------------------------------------------------------- Old: ---- ocserv-1.3.0.tar.xz ocserv-1.3.0.tar.xz.sig New: ---- ocserv-1.4.1.tar.xz ocserv-1.4.1.tar.xz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ocserv.spec ++++++ --- /var/tmp/diff_new_pack.t5DCDQ/_old 2026-03-14 22:24:22.506051686 +0100 +++ /var/tmp/diff_new_pack.t5DCDQ/_new 2026-03-14 22:24:22.510051851 +0100 @@ -1,7 +1,7 @@ # # spec file for package ocserv # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,14 +16,11 @@ # -#!BuildIgnore: pkgconfig(libevent) - Name: ocserv -Version: 1.3.0 +Version: 1.4.1 Release: 0 Summary: OpenConnect VPN Server License: GPL-2.0-only -Group: Productivity/Networking/Security URL: https://ocserv.gitlab.io/www/ Source: https://www.infradead.org/%{name}/download/%{name}-%{version}.tar.xz Source1: https://www.infradead.org/%{name}/download/%{name}-%{version}.tar.xz.sig @@ -40,6 +37,7 @@ Patch2: %{name}.config.patch #PATCH-FIX-OPENSUSE [email protected] leap doesn't have LZ4_compress_default Patch3: %{name}-LZ4_compress_default.patch +BuildRequires: /usr/bin/ronn BuildRequires: autogen BuildRequires: firewall-macros BuildRequires: firewalld 
@@ -63,15 +61,10 @@ BuildRequires: pkgconfig(pam) BuildRequires: pkgconfig(readline) BuildRequires: pkgconfig(talloc) -BuildRequires: rubygem(ronn-ng) # /usr/bin/certtool for generating certificates Requires: gnutls >= 3.1.10 %{?systemd_requires} -%if 0%{?suse_version} < 1600 -ExclusiveArch: do_not_build -%endif - %description OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be a secure, small, fast and configurable VPN server. It implements ++++++ ocserv-1.3.0.tar.xz -> ocserv-1.4.1.tar.xz ++++++ ++++ 58748 lines of diff (skipped)
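Review bot: The [SECURITY] bullet in the ocserv.changes hunk (@@ -1,0 +2,41 @@) describes the authentication bypass for setups with cert-user-oid set to SAN(rfc822name) but carries no CVE or bug-tracker reference, so the fix cannot be tracked from the changelog alone. If an identifier has been assigned, add it to that bullet.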
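Review bot: Patch2 (%{name}.config.patch), shown as unchanged context in the ocserv.spec hunk @@ -40,6 +37,7 @@, is carried across a release that renames min-reauth-time to ban-time, and "Other differences" lists only ocserv.spec and the tarball. Please check that the patched configuration does not still set the old option name, and state in the .changes entry what administrators with an existing configuration need to adjust on upgrade.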
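Review bot: Dropping the "%if 0%{?suse_version} < 1600" / "ExclusiveArch: do_not_build" guard in the last ocserv.spec hunk (@@ -63,15 +61,10 @@) re-enables builds on targets that were excluded before, yet the .changes entry only mentions the ronn dependency. Please document the removal in the changelog and confirm the package builds on those targets, given that the comment on Patch3 says Leap lacks LZ4_compress_default.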
