Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2023-11-15 21:07:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openvpn (Old)
 and      /work/SRC/openSUSE:Factory/.openvpn.new.17445 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openvpn" Wed Nov 15 21:07:03 2023 rev:111 rq:1126538 version:2.6.7 Changes: -------- --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2023-08-18 19:28:01.679280269 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new.17445/openvpn.changes 2023-11-15 21:07:38.762168600 +0100 
@@ -1,0 +2,39 @@ +Wed Nov 15 07:41:26 UTC 2023 - Mohd Saquib <mohd.saq...@suse.com> + +- update to 2.6.7: + * CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly + use a send buffer after it has been free()d in some circumstances, + causing some free()d memory to be sent to the peer. All configurations + using TLS (e.g. not using --secret) are affected by this issue. + * CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly + restore --fragment configuration in some circumstances, leading to a + division by zero when --fragment is used. On platforms where division + by zero is fatal, this will cause an OpenVPN crash. + * DCO: warn if DATA_V1 packets are sent by the other side - this a hard + incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 + server, and the only fix is to use --disable-dco. + * Remove OpenSSL Engine method for loading a key. This had to be removed + because the original author did not agree to relicensing the code with + the new linking exception added. This was a somewhat obsolete feature + anyway as it only worked with OpenSSL 1.x, which is end-of-support. + * add warning if p2p NCP client connects to a p2mp server - this is a + combination that used to work without cipher negotiation (pre 2.6 on + both ends), but would fail in non-obvious ways with 2.6 to 2.6. + * add warning to --show-groups that not all supported groups are listed + (this is due the internal enumeration in OpenSSL being a bit weird, + omitting X448 and X25519 curves). + * --dns: remove support for exclude-domains argument (this was a new 2.6 + option, with no backend support implemented yet on any platform, and it + turns out that no platform supported it at all - so remove option again) + * warn user if INFO control message too long, do not forward to management + client (safeguard against protocol-violating server implementations) + * DCO-WIN: get and log driver version (for easier debugging). 
+ * print "peer temporary key details" in TLS handshake + * log OpenSSL errors on failure to set certificate, for example if the + algorithms used are in acceptable to OpenSSL (misleading message would be + printed in cryptoapi / pkcs11 scenarios) + * add CMake build system for MinGW and MSVC builds + * remove old MSVC build system + * improve cmocka unit test building for Windows + +------------------------------------------------------------------- Old: ---- openvpn-2.6.6.tar.gz openvpn-2.6.6.tar.gz.asc New: ---- openvpn-2.6.7.tar.gz openvpn-2.6.7.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openvpn.spec ++++++ --- /var/tmp/diff_new_pack.YlQDb7/_old 2023-11-15 21:07:39.518196494 +0100 +++ /var/tmp/diff_new_pack.YlQDb7/_new 2023-11-15 21:07:39.518196494 +0100 @@ -20,7 +20,7 @@ %define _rundir %{_localstatedir}/run %endif Name: openvpn -Version: 2.6.6 +Version: 2.6.7 Release: 0 Summary: Full-featured SSL VPN solution using a TUN/TAP Interface License: GPL-2.0-only WITH openvpn-openssl-exception ++++++ openvpn-2.6.6.tar.gz -> openvpn-2.6.7.tar.gz ++++++ ++++ 15509 lines of diff (skipped)
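Review bot: The two CVE entries at the top of the new openvpn.changes entry (CVE-2023-46850 and CVE-2023-46849) carry no bug tracker reference; if bug reports exist for them, add the matching bsc# id next to each CVE id so the security fixes can be traced from the changelog. The same entry also has three wording slips worth fixing while it is open: "this a hard incompatibility" should read "this is a hard incompatibility", "this is due the internal enumeration" should read "due to the internal enumeration", and "are in acceptable to OpenSSL" should read "are unacceptable to OpenSSL".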
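Review bot: The Version line is the only change in the openvpn.spec hunk, yet the changelog for this update lists removed features (the OpenSSL Engine method for loading a key and the exclude-domains argument of --dns) and build-system changes. The rest of the spec is not shown here, so confirm that no configure option, patch or packaged file elsewhere in it still depends on anything 2.6.7 drops. Because the upstream tarball diff is skipped, also confirm that openvpn-2.6.7.tar.gz is checked against the new openvpn-2.6.7.tar.gz.asc before the bump is accepted.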