Hello community,

here is the log from the commit of package openvpn for openSUSE:Factory checked 
in at 2021-08-16 10:09:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openvpn (Old)
 and      /work/SRC/openSUSE:Factory/.openvpn.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openvpn"

Mon Aug 16 10:09:00 2021 rev:94 rq:911848 version:2.5.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes  2021-06-15 
16:37:24.177700340 +0200
+++ /work/SRC/openSUSE:Factory/.openvpn.new.1899/openvpn.changes        
2021-08-16 10:13:54.402931761 +0200
@@ -1,0 +2,33 @@
+Thu Aug  5 14:07:14 UTC 2021 - Reinhard Max <m...@suse.com>
+
+- Update to 2.5.3:
+
+  * Removal of BF-CBC support in default configuration
+    *** POSSIBLE INCOMPATIBILITY ***
+    See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8).
+
+  * Connections setup is now much faster
+  * Support ChaCha20-Poly1305 cipher in the OpenVPN data channel
+  * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
+  * Client-specific tls-crypt keys (--tls-crypt-v2)
+  * Improved Data channel cipher negotiation
+  * HMAC based auth-token support for seamless reconnects to
+    standalone servers or a group of servers
+  * Asynchronous (deferred) authentication support for auth-pam
+    plugin
+  * Asynchronous (deferred) support for client-connect scripts and
+    plugins
+  * Support IPv4 configs with /31 netmasks
+  * 802.1q VLAN support on TAP servers
+  * Support IPv6-only tunnels
+  * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
+  * Support Virtual Routing and Forwarding (VRF)
+  * Netlink integration (OpenVPN no longer needs to execute
+    ifconfig/route or ip commands)
+  * Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
+
+- bsc#1062157: The fix for bsc#934237 causes problems with the
+  crypto self-test of newer openvpn versions.
+  Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch .
+
+-------------------------------------------------------------------

Old:
----
  openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
  openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
  openvpn-2.4.11.tar.xz
  openvpn-2.4.11.tar.xz.asc

New:
----
  openvpn-2.5.3.tar.xz
  openvpn-2.5.3.tar.xz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openvpn.spec ++++++
--- /var/tmp/diff_new_pack.XVSEKh/_old  2021-08-16 10:13:54.946931065 +0200
+++ /var/tmp/diff_new_pack.XVSEKh/_new  2021-08-16 10:13:54.950931061 +0200
@@ -24,7 +24,7 @@
 %define _rundir %{_localstatedir}/run
 %endif
 Name:           openvpn
-Version:        2.4.11
+Version:        2.5.3
 Release:        0
 Summary:        Full-featured SSL VPN solution using a TUN/TAP Interface
 License:        LGPL-2.1-only AND SUSE-GPL-2.0-with-openssl-exception
@@ -42,8 +42,6 @@
 Source11:       rc%{name}
 Patch1:         %{name}-2.3-plugin-man.dif
 Patch6:         %{name}-fips140-2.3.2.patch
-Patch7:         openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
-Patch8:         openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
 Patch9:         0001-preform-deferred-authentication-in-the-background.patch
 BuildRequires:  iproute2
 BuildRequires:  libselinux-devel
@@ -127,10 +125,8 @@
 %prep
 %setup -q
 %patch1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
+%patch6
+%patch9
 
 sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
     -i src/openvpn/options.c
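Review bot: Dropping `%patch8` (openvpn-2.3.x-fixed-multiple-low-severity-issues.patch) removes the downstream fix for bsc#934237, and neither the spec nor the changelog entry records whether 2.5.3 carries those fixes upstream; the entry only says the patch breaks the crypto self-test of newer versions. A one-line comment next to the remaining `Patch` declarations, such as `# bsc#934237: 2.3.x low-severity fixes patch dropped with 2.5.3 (broke crypto self-test); TODO confirm the issues are fixed upstream`, would keep that reasoning in the spec rather than only in the changelog. The `-p1` removal on `%patch6` and `%patch9` matches the rewritten `.orig`-style headers in both patch files elsewhere in this commit, so that part looks consistent.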

++++++ 0001-preform-deferred-authentication-in-the-background.patch ++++++
--- /var/tmp/diff_new_pack.XVSEKh/_old  2021-08-16 10:13:54.982931020 +0200
+++ /var/tmp/diff_new_pack.XVSEKh/_new  2021-08-16 10:13:54.982931020 +0200
@@ -1,7 +1,5 @@
-Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c
-===================================================================
---- openvpn-2.4.10.orig/src/plugins/auth-pam/auth-pam.c
-+++ openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c
+--- src/plugins/auth-pam/auth-pam.c.orig
++++ src/plugins/auth-pam/auth-pam.c
 @@ -43,6 +43,7 @@
  #include <stdlib.h>
  #include <sys/types.h>
@@ -18,7 +16,7 @@
  
  /* Response codes for background -> foreground communication */
  #define RESPONSE_INIT_SUCCEEDED   10
-@@ -115,6 +117,7 @@ struct user_pass {
+@@ -120,6 +122,7 @@ struct user_pass {
      char password[128];
      char common_name[128];
      char response[128];
@@ -26,8 +24,8 @@
  
      const struct name_value_list *name_value_list;
  };
-@@ -776,6 +779,21 @@ pam_auth(const char *service, const stru
-     return ret;
+@@ -884,6 +887,21 @@ do_deferred_pam_auth(int fd, const char
+     exit(0);
  }
  
 +static int handle_auth_control_file(char *auth_control_file, int status)
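Review bot: The rebased hunk now anchors the downstream `handle_auth_control_file` helper directly after upstream's `do_deferred_pam_auth`, and this release's changelog lists deferred authentication for auth-pam as an upstream 2.5 feature, so the patch appears to layer a second deferred-auth implementation on top of the one upstream ships. The patch header (the first hunk of this file replaces the `Index:` lines with bare `.orig` headers) carries no description of what the patch adds or why it is still needed on 2.5.3; a short header paragraph stating whether it fills a gap that upstream's `do_deferred_pam_auth` leaves, or is kept only for compatibility with an existing auth-control-file workflow, would let the next rebase decide whether it can be dropped. Only context lines are visible here, so this is an inference from the anchors rather than from the patch body.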
@@ -48,7 +46,7 @@
  /*
   * Background process -- runs with privilege.
   */
-@@ -878,6 +896,42 @@ pam_server(int fd, const char *service,
+@@ -1002,6 +1020,42 @@ pam_server(int fd, const char *service,
                  plugin_secure_memzero(up.password, sizeof(up.password));
                  break;
  
@@ -91,7 +89,7 @@
              case COMMAND_EXIT:
                  goto done;
  
-@@ -905,3 +959,56 @@ done:
+@@ -1029,3 +1083,56 @@ done:
  
      return;
  }
@@ -148,10 +146,8 @@
 +                      return OPENVPN_PLUGIN_FUNC_ERROR;
 +      }
 +}
-Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.exports
-===================================================================
---- openvpn-2.4.10.orig/src/plugins/auth-pam/auth-pam.exports
-+++ openvpn-2.4.10/src/plugins/auth-pam/auth-pam.exports
+--- src/plugins/auth-pam/auth-pam.exports.orig
++++ src/plugins/auth-pam/auth-pam.exports
 @@ -1,4 +1,5 @@
  openvpn_plugin_open_v3
  openvpn_plugin_func_v1

++++++ openvpn-2.3-plugin-man.dif ++++++
--- /var/tmp/diff_new_pack.XVSEKh/_old  2021-08-16 10:13:55.022930969 +0200
+++ /var/tmp/diff_new_pack.XVSEKh/_new  2021-08-16 10:13:55.026930964 +0200
@@ -1,22 +1,15 @@
-Index: doc/openvpn.8
-===================================================================
 --- doc/openvpn.8.orig
 +++ doc/openvpn.8
-@@ -2690,12 +2690,11 @@ plug-in modules, see the README file in
- .B plugin
- folder of the OpenVPN source distribution.
- 
+@@ -6059,9 +6059,9 @@ For more information and examples on how
+ modules, see the README file in the \fBplugin\fP folder of the OpenVPN
+ source distribution.
+ .sp
 -If you are using an RPM install of OpenVPN, see
--/usr/share/openvpn/plugin.  The documentation is
--in
--.B doc
--and the actual plugin modules are in
--.B lib.
-+If you are using an RPM install of OpenVPN, the actual
-+plugin modules are in
-+.B @PLUGIN_LIBDIR@
-+and the documentation is in
-+.B @PLUGIN_DOCDIR@/README.<plugin-name>.
- 
- Multiple plugin modules can be cascaded, and modules can be
- used in tandem with scripts.  The modules will be called by
+-\fB/usr/share/openvpn/plugin\fP\&. The documentation is in \fBdoc\fP and
+-the actual plugin modules are in \fBlib\fP\&.
++If you are using an RPM install of OpenVPN, the actual plugin modules
++are in \fB@PLUGIN_LIBDIR@\fP\& and the documentation is in
++\fB@PLUGIN_DOCDIR@/README.<plugin-name>\fP\&.
+ .sp
+ Multiple plugin modules can be cascaded, and modules can be used in
+ tandem with scripts. The modules will be called by OpenVPN in the order

++++++ openvpn-2.4.11.tar.xz -> openvpn-2.5.3.tar.xz ++++++
++++ 96410 lines of diff (skipped)

++++++ openvpn-fips140-2.3.2.patch ++++++
--- /var/tmp/diff_new_pack.XVSEKh/_old  2021-08-16 10:13:55.546930299 +0200
+++ /var/tmp/diff_new_pack.XVSEKh/_new  2021-08-16 10:13:55.546930299 +0200
@@ -13,11 +13,9 @@
  src/openvpn/ssl.c            | 4 ++--
  6 files changed, 15 insertions(+), 6 deletions(-)
 
-diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
-index 5f482d0..ff0f9a7 100644
---- a/src/openvpn/crypto.c
-+++ b/src/openvpn/crypto.c
-@@ -876,7 +876,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key,
+--- src/openvpn/crypto.c.orig
++++ src/openvpn/crypto.c
+@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const
      if (kt->digest && kt->hmac_length > 0)
      {
          ctx->hmac = hmac_ctx_new();
@@ -26,11 +24,9 @@
  
          msg(D_HANDSHAKE,
              "%s: Using %d bit message hash '%s' for HMAC authentication",
-diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
-index b7f519b..2911248 100644
---- a/src/openvpn/crypto_backend.h
-+++ b/src/openvpn/crypto_backend.h
-@@ -604,10 +604,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx);
+--- src/openvpn/crypto_backend.h.orig
++++ src/openvpn/crypto_backend.h
+@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx);
   * @param key           The key to use for the HMAC
   * @param key_len       The key length to use
   * @param kt            Static message digest parameters
@@ -43,11 +39,9 @@
  
  /*
   * Free the given HMAC context.
-diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
-index a55e65c..79f5530 100644
---- a/src/openvpn/crypto_openssl.c
-+++ b/src/openvpn/crypto_openssl.c
-@@ -926,11 +926,15 @@
+--- src/openvpn/crypto_openssl.c.orig
++++ src/openvpn/crypto_openssl.c
+@@ -1008,11 +1008,15 @@ hmac_ctx_free(HMAC_CTX *ctx)
  
  void
  hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
@@ -64,11 +58,9 @@
      HMAC_Init_ex(ctx, key, key_len, kt, NULL);
  
      /* make sure we used a big enough key */
-diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
-index 0b1163e..93283bc 100644
---- a/src/openvpn/ntlm.c
-+++ b/src/openvpn/ntlm.c
-@@ -88,7 +88,7 @@
+--- src/openvpn/ntlm.c.orig
++++ src/openvpn/ntlm.c
+@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da
      const md_kt_t *md5_kt = md_kt_get("MD5");
      hmac_ctx_t *hmac_ctx = hmac_ctx_new();
  
@@ -77,28 +69,50 @@
      hmac_ctx_update(hmac_ctx, data, data_len);
      hmac_ctx_final(hmac_ctx, result);
      hmac_ctx_cleanup(hmac_ctx);
-diff --git a/src/openvpn/options.c b/src/openvpn/options.c
-index fef5e90..33b6976 100644
---- a/src/openvpn/options.c
-+++ b/src/openvpn/options.c
-@@ -850,6 +850,10 @@ init_options(struct options *o, const bool init_gc)
- #endif
- #ifdef ENABLE_CRYPTO
-     o->ciphername = "BF-CBC";
+--- src/openvpn/options.c.orig
++++ src/openvpn/options.c
+@@ -850,6 +850,10 @@ init_options(struct options *o, const bo
+     o->tcp_queue_limit = 64;
+     o->max_clients = 1024;
+     o->max_routes_per_client = 256;
 +#ifdef OPENSSL_FIPS
 +      if(FIPS_mode())
 +              o->ciphername = "AES-256-CBC";
 +#endif
- #ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */
-     o->ncp_enabled = true;
- #else
-diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
-index 15cd94a..21f50f1 100644
---- a/src/openvpn/ssl.c
-+++ b/src/openvpn/ssl.c
-@@ -1635,8 +1635,8 @@ tls1_P_hash(const md_kt_t *md_kt,
-     chunk = md_kt_size(md_kt);
-     A1_len = md_kt_size(md_kt);
+     o->stale_routes_check_interval = 0;
+     o->ifconfig_pool_persist_refresh_freq = 600;
+ #if P2MP
+@@ -3087,6 +3091,12 @@ options_postprocess_cipher(struct option
+         if (!o->ciphername)
+         {
+             o->ciphername = "BF-CBC";
++#ifdef OPENSSL_FIPS
++          if (FIPS_mode())
++          {
++             o->ciphername = "AES-256-CBC";
++          }
++#endif
+         }
+         return;
+     }
+@@ -3109,6 +3119,12 @@ options_postprocess_cipher(struct option
+         /* We still need to set the ciphername to BF-CBC since various other
+          * parts of OpenVPN assert that the ciphername is set */
+         o->ciphername = "BF-CBC";
++#ifdef OPENSSL_FIPS
++      if (FIPS_mode())
++      {
++         o->ciphername = "AES-256-CBC";
++      }
++#endif
+     }
+     else if (!o->enable_ncp_fallback
+              && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
+--- src/openvpn/ssl.c.orig
++++ src/openvpn/ssl.c
+@@ -1661,8 +1661,8 @@ tls1_P_hash(const md_kt_t *md_kt,
+     int chunk = md_kt_size(md_kt);
+     unsigned int A1_len = md_kt_size(md_kt);
  
 -    hmac_ctx_init(ctx, sec, sec_len, md_kt);
 -    hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
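Review bot: Under `OPENSSL_FIPS` with `FIPS_mode()` true, the new `init_options` block already sets `o->ciphername = "AES-256-CBC"`, so unless something resets it between the two, both `if (!o->ciphername)` branches in `options_postprocess_cipher` are skipped and the two FIPS blocks the patch adds there never execute. One location is enough: keeping the two `options_postprocess_cipher` blocks and dropping the `init_options` one would leave `ciphername` NULL until postprocessing, which is what the new context lines show 2.5 doing (the old patch layout relied on `init_options` presetting `BF-CBC`, and that assignment is gone from the new context). As written, the preset value instead reaches the `else if (!o->enable_ncp_fallback && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))` check at the end of the hunk; what that branch does lies outside the hunk, but it presumably treats the FIPS default as an explicitly configured `--cipher` missing from `--data-ciphers`, which is worth confirming before merging. A small style point: the `init_options` block uses `if(FIPS_mode())` with tab indentation while the two later blocks use `if (FIPS_mode())` with spaces; the file's own style is spaces. `init_options` begins and `options_postprocess_cipher` ends outside the hunk.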
@@ -107,6 +121,3 @@
  
      hmac_ctx_update(ctx,seed,seed_len);
      hmac_ctx_final(ctx, A1);
--- 
-2.13.1
-
