Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package ocserv for openSUSE:Factory checked 
in at 2021-06-09 21:51:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ocserv (Old)
 and      /work/SRC/openSUSE:Factory/.ocserv.new.32437 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ocserv"

Wed Jun  9 21:51:54 2021 rev:16 rq:894668 version:1.1.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/ocserv/ocserv.changes    2020-08-29 
20:42:31.085469367 +0200
+++ /work/SRC/openSUSE:Factory/.ocserv.new.32437/ocserv.changes 2021-06-09 
21:52:09.314459036 +0200
@@ -1,0 +2,40 @@
+Mon Dec  7 15:32:12 UTC 2020 - Martin Hauke <mar...@gmx.de>
+
+- Update to version 1.1.2
+  * Allow setup of new DTLS session concurrent with old session.
+  * Fixed an infinite loop on sec-mod crash when server-drain-ms
+    is set.
+  * Don't apply BanIP checks to clients on the same subnet.
+  * Don't attempt TLS if the client closes the connection with
+    zero data sent.
+  * Increased the maximum configuration line; this allows banner
+    messages longer than 200 characters.
+  * Removed the listen-clear-file config option. This option was
+    incompatible with several clients, and thus is unusable for a
+    generic server.
+
+-------------------------------------------------------------------
+Mon Sep 21 15:27:14 UTC 2020 - Martin Hauke <mar...@gmx.de>
+
+- Update to version 1.1.1:
+  * Improved rate-limit-ms and made it dependent on secmod backlog.
+    This makes the server more resilient (and prevents connection
+    failures) on multiple concurrent connections
+  - Added namespace support for listen address by introducing the
+    listen-netns option.
+  - Disable TLS1.3 when cisco client compatibility is enabled. New
+    anyconnect clients seem to supporting TLS1.3 but are unable to
+     handle a client with an RSA key.
+  - Enable a race free user disconnection via occtl.
+  - Added the config option of a pre-login-banner.
+  - Ocserv siwtched to using multiple ocserv-sm processes to
+    improve scale, with the number of ocserv-sm process dependent
+    on maximum clients and number of CPUs. Configuration option
+    sec-mod-scale can be used to override the heuristics.
+  - Fixed issue with group selection on radius servers sending
+    multiple group class attribute.
+- Update patch:
+  * ocserv-enable-systemd.patch
+  * ocserv.config.patch
+
+-------------------------------------------------------------------

Old:
----
  ocserv-1.1.0.tar.xz
  ocserv-1.1.0.tar.xz.sig

New:
----
  ocserv-1.1.2.tar.xz
  ocserv-1.1.2.tar.xz.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ocserv.spec ++++++
--- /var/tmp/diff_new_pack.R4R4AB/_old  2021-06-09 21:52:10.050460348 +0200
+++ /var/tmp/diff_new_pack.R4R4AB/_new  2021-06-09 21:52:10.054460355 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           ocserv
-Version:        1.1.0
+Version:        1.1.2
 Release:        0
 Summary:        OpenConnect VPN Server
 License:        GPL-2.0-only
@@ -144,7 +144,7 @@
 
 %files
 %defattr(-,root,root)
-%doc AUTHORS NEWS README.md TODO
+%doc AUTHORS NEWS README.md
 %license COPYING LICENSE
 %config %{_sysconfdir}/ocserv
 %config(noreplace) %{_sysconfdir}/sysctl.d/60-ocserv.conf


++++++ ocserv-1.1.0.tar.xz -> ocserv-1.1.2.tar.xz ++++++
++++ 20596 lines of diff (skipped)

++++++ ocserv-enable-systemd.patch ++++++
--- /var/tmp/diff_new_pack.R4R4AB/_old  2021-06-09 21:52:10.442461047 +0200
+++ /var/tmp/diff_new_pack.R4R4AB/_new  2021-06-09 21:52:10.442461047 +0200
@@ -1,8 +1,8 @@
-Index: ocserv-0.10.5/configure.ac
-===================================================================
---- ocserv-0.10.5.orig/configure.ac
-+++ ocserv-0.10.5/configure.ac
-@@ -297,11 +297,7 @@ AC_ARG_ENABLE(systemd,
+diff --git a/configure.ac b/configure.ac
+index 2e4a0e8..81ac3bd 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -423,11 +423,7 @@ AC_ARG_ENABLE(systemd,
  
  if [ test "$systemd_enabled" = "yes" ];then
  AC_LIB_HAVE_LINKFLAGS(systemd,, [#include <systemd/sd-daemon.h>], 
[sd_listen_fds(0);])
@@ -13,4 +13,4 @@
 - fi
  fi
  
- AC_ARG_ENABLE(anyconnect-compat,
+ AC_ARG_ENABLE(namespaces,

++++++ ocserv.config.patch ++++++
--- /var/tmp/diff_new_pack.R4R4AB/_old  2021-06-09 21:52:10.450461062 +0200
+++ /var/tmp/diff_new_pack.R4R4AB/_new  2021-06-09 21:52:10.450461062 +0200
@@ -1,7 +1,7 @@
-Index: ocserv-0.12.0/doc/sample.config
-===================================================================
---- ocserv-0.12.0.orig/doc/sample.config
-+++ ocserv-0.12.0/doc/sample.config
+diff --git a/doc/sample.config b/doc/sample.config
+index 6a677c9..1cd1d96 100644
+--- a/doc/sample.config
++++ b/doc/sample.config
 @@ -48,7 +48,7 @@
  #auth = "pam"
  #auth = "pam[gid-min=1000]"
@@ -11,8 +11,8 @@
  #auth = "certificate"
  #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
  
-@@ -83,8 +83,8 @@ auth = "plain[passwd=./sample.passwd]"
- #listen-host-is-dyndns = true
+@@ -90,8 +90,8 @@ auth = "plain[passwd=./sample.passwd]"
+ # listen-netns = "foo"
  
  # TCP and UDP port number
 -tcp-port = 443
@@ -20,9 +20,9 @@
 +tcp-port = 9000
 +udp-port = 9001
  
- # Accept connections using a socket file. It accepts HTTP
- # connections (i.e., without SSL/TLS unlike its TCP counterpart),
-@@ -132,8 +132,8 @@ socket-file = /var/run/ocserv-socket
+ # The user the worker processes will be run as. This should be a dedicated
+ # unprivileged user (e.g., 'ocserv') and no other services should run as this
+@@ -126,8 +126,8 @@ socket-file = /var/run/ocserv-socket
  
  #server-cert = /etc/ocserv/server-cert.pem
  #server-key = /etc/ocserv/server-key.pem
@@ -33,7 +33,7 @@
  
  # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
  # versions of GnuTLS for supporting DHE ciphersuites.
-@@ -160,7 +160,7 @@ server-key = ../tests/certs/server-key.pem
+@@ -154,7 +154,7 @@ server-key = ../tests/certs/server-key.pem
  # client certificates (public keys) if certificate authentication
  # is set.
  #ca-cert = /etc/ocserv/ca.pem
@@ -42,25 +42,25 @@
  
  
  ### All configuration options below this line are reloaded on a SIGHUP.
-@@ -180,7 +180,7 @@ ca-cert = ../tests/certs/ca.pem
+@@ -174,7 +174,7 @@ ca-cert = ../tests/certs/ca.pem
  # the isolation was tested at. If you get random failures on worker 
processes, try
  # disabling that option and report the failures you, along with system and 
debugging
  # information at: https://gitlab.com/ocserv/ocserv/issues
 -isolate-workers = true
 +isolate-workers = false
  
- # A banner to be displayed on clients
+ # A banner to be displayed on clients after connection
  #banner = "Welcome"
-@@ -243,7 +243,7 @@ mobile-dpd = 1800
+@@ -242,7 +242,7 @@ mobile-dpd = 1800
  switch-to-tcp-timeout = 25
  
  # MTU discovery (DPD must be enabled)
 -try-mtu-discovery = false
 +try-mtu-discovery = true
  
- # If you have a certificate from a CA that provides an OCSP
- # service you may provide a fresh OCSP status response within
-@@ -407,8 +407,8 @@ rekey-method = ssl
+ # To enable load-balancer connection draining, set server-drain-ms to a value
+ # higher than your load-balancer health probe interval.
+@@ -412,8 +412,8 @@ rekey-method = ssl
  # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 
  # output from the tun device, and the duration of the session in seconds.
  
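Review bot: The refreshed ocserv.config.patch still flips `isolate-workers = true` to `isolate-workers = false` in doc/sample.config, and neither the patch nor the new changelog entries say why. The surrounding sample.config comment presents disabling the option as a troubleshooting step for random worker failures. If this file is what the package installs under `%{_sysconfdir}/ocserv`, every default install runs without worker isolation (seccomp-based in ocserv, as far as I know). Since the patch is being rebased onto 1.1.2 anyway, it would be worth re-testing with isolation enabled and dropping that pair of lines. If it has to stay, add a line above it such as `# openSUSE: worker isolation disabled, see <bug reference>` so administrators know it is a packaging choice they can revert.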
@@ -69,9 +69,9 @@
 +#connect-script = /usr/bin/ocserv-script
 +#disconnect-script = /usr/bin/ocserv-script
  
- # UTMP
- # Register the connected clients to utmp. This will allow viewing
-@@ -478,7 +478,8 @@ ipv4-netmask = 255.255.255.0
+ # This script is to be called when the client's advertised hostname becomes
+ # available. It will contain REASON with "host-update" value and the
+@@ -491,7 +491,8 @@ ipv4-netmask = 255.255.255.0
  # The advertized DNS server. Use multiple lines for
  # multiple servers.
  # dns = fc00::4be0
@@ -81,7 +81,7 @@
  
  # The NBNS server (if any)
  #nbns = 192.168.1.3
-@@ -517,8 +518,8 @@ ping-leases = false
+@@ -530,8 +531,8 @@ ping-leases = false
  # comment out all routes from the server, or use the special keyword
  # 'default'.
  
@@ -92,7 +92,7 @@
  #route = fef4:db8:1000:1001::/64
  #route = default
  
-@@ -682,18 +683,18 @@ dtls-legacy = true
+@@ -698,18 +699,18 @@ dtls-legacy = true
  # An example virtual host with different authentication methods serviced
  # by this server.
  
@@ -119,11 +119,10 @@
  
 -cert-user-oid = 0.9.2342.19200300.100.1.1
 +#cert-user-oid = 0.9.2342.19200300.100.1.1
- 
-Index: ocserv-0.12.0/doc/systemd/socket-activated/ocserv.socket
-===================================================================
---- ocserv-0.12.0.orig/doc/systemd/socket-activated/ocserv.socket
-+++ ocserv-0.12.0/doc/systemd/socket-activated/ocserv.socket
+diff --git a/doc/systemd/socket-activated/ocserv.socket 
b/doc/systemd/socket-activated/ocserv.socket
+index 9444f19..a0ac362 100644
+--- a/doc/systemd/socket-activated/ocserv.socket
++++ b/doc/systemd/socket-activated/ocserv.socket
 @@ -2,8 +2,8 @@
  Description=OpenConnect SSL VPN server Socket
  
