commit ocserv for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ocserv for openSUSE:Factory checked in at 2024-12-08 11:37:52 Comparing /work/SRC/openSUSE:Factory/ocserv (Old) and /work/SRC/openSUSE:Factory/.ocserv.new.21547 (New) Package is "ocserv" Sun Dec 8 11:37:52 2024 rev:26 rq:1228988 version:1.3.0 Changes: --- /work/SRC/openSUSE:Factory/ocserv/ocserv.changes2024-08-25 12:10:56.373383597 +0200 +++ /work/SRC/openSUSE:Factory/.ocserv.new.21547/ocserv.changes 2024-12-08 11:38:45.505679513 +0100 @@ -1,0 +2,7 @@ +Sat Nov 30 00:19:36 UTC 2024 - Richard Rahl + +- use https for downloading sources (over ftp) +- actually verify tarballs +- use as many pkgconfig and rubygem names + +--- Old: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg New: ocserv.keyring Other differences: -- ++ ocserv.spec ++ --- /var/tmp/diff_new_pack.ZUMazy/_old 2024-12-08 11:38:47.565765095 +0100 +++ /var/tmp/diff_new_pack.ZUMazy/_new 2024-12-08 11:38:47.581765760 +0100 @@ -16,6 +16,8 @@ # +#!BuildIgnore: pkgconfig(libevent) + Name: ocserv Version:1.3.0 Release:0 
@@ -23,16 +25,15 @@ License:GPL-2.0-only Group: Productivity/Networking/Security URL:https://ocserv.gitlab.io/www/ -#Git-Clone: https://gitlab.com/openconnect/ocserv.git -Source: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz -Source1: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig +Source: https://www.infradead.org/%{name}/download/%{name}-%{version}.tar.xz +Source1: https://www.infradead.org/%{name}/download/%{name}-%{version}.tar.xz.sig Source2:ca.tmpl Source3:server.tmpl Source4:user.tmpl Source5:ocserv-forwarding.sh Source6:ocserv.firewalld.xml Source99: README.SUSE -Source100: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +Source100: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x1f42418905d8206aa754ccdc29ee58b996865171#/%{name}.keyring #PATCH-FIX-UPSTREAM marguer...@opensuse.org $LIBSYSTEMD_DAEMON env is not set on openSUSE Patch1: %{name}-enable-systemd.patch #PATCH-FIX-UPSTREAM marguer...@opensuse.org tweak configuration 
@@ -40,33 +41,37 @@ #PATCH-FIX-OPENSUSE marguer...@opensuse.org leap doesn't have LZ4_compress_default Patch3: %{name}-LZ4_compress_default.patch BuildRequires: autogen -BuildRequires: dbus-1-devel BuildRequires: firewall-macros +BuildRequires: firewalld BuildRequires: freeradius-client-devel BuildRequires: gperf BuildRequires: gpg2 BuildRequires: ipcalc -BuildRequires: libev-devel -#!BuildIgnore: libevent-devel -BuildRequires: /usr/bin/ronn -BuildRequires: libgnutls-devel >= 3.1.10 -BuildRequires: liblz4-devel -BuildRequires: libmaxminddb-devel -BuildRequires: libnl3-devel -BuildRequires: libprotobuf-c-devel -BuildRequires: libseccomp-devel -BuildRequires: libtalloc-devel BuildRequires: libtool -BuildRequires: pam-devel BuildRequires: pkgconfig BuildRequires: protobuf-c -BuildRequires: readline-devel +BuildRequires: pkgconfig(dbus-1) +BuildRequires: pkgconfig(gnutls) >= 3.1.10 +BuildRequires: pkgconfig(libev) +BuildRequires: pkgconfig(liblz4) +BuildRequires: pkgconfig(libmaxminddb) +BuildRequires: pkgconfig(libnl-3.0) BuildRequires: pkgconfig(liboath) +BuildRequires: pkgconfig(libprotobuf-c) +BuildRequires: pkgconfig(libseccomp) BuildRequires: pkgconfig(libsystemd) +BuildRequires: pkgconfig(pam) +BuildRequires: pkgconfig(readline) +BuildRequires: pkgconfig(talloc) +BuildRequires: rubygem(ronn-ng) # /usr/bin/certtool for generating certificates Requires: gnutls >= 3.1.10 %{?systemd_requires} +%if 0%{?suse_version} < 1600 +ExclusiveArch: do_not_build +%endif + %description OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be a secure, small, fast and configurable VPN server. It implements 
@@ -97,62 +102,59 @@ --disable-rpath \ --enable-local-libopts \ --enable-libopts-install -make V=1 %{?_smp_mflags} +%make_build %install -make %{?_smp_mflags} DESTDIR=%{buildroot} install +%make_install DESTDIR=%{buildroot} -install -Dm 0755 %{SOURCE5} %{buildroot}%{_sbindir}/ocserv-forwarding -install -D -m 644 %{SOURCE6} %{buildroot}%{_prefix}/lib/firewalld/services/ocserv.xml +install -Dm 0755 %{SOURCE5} %{buildroot}%{_sbindir}/%{name}-forwarding +install -D -m 644 %{SOURCE6} %{buildroot}%{_prefix}/lib/firewalld/services/%{name}.xml -install -d %{buildroot}%{_sysconfdir}/ocserv/certificates -install -m 0644 %{SOURCE2} %{buildroot}%{_sy
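Review bot: Nothing in the visible spec hunks checks Source1 against the new Source100 keyring, although the changelog says "actually verify tarballs" and the gpg --import / gpg --verify step was already removed from %prep in rev 23. Say in the changelog or in a spec comment what performs the verification, and confirm that the committed ocserv.keyring contains only the key with fingerprint 1F42418905D8206AA754CCDC29EE58B996865171, since a keyserver response is not authenticated by itself.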
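Review bot: The "ExclusiveArch: do_not_build" block for suse_version < 1600, added at the end of the BuildRequires hunk, is not mentioned in the changelog, and the third changelog bullet ("use as many pkgconfig and rubygem names") reads as a cut-off sentence. Record that builds for older distributions are switched off and finish the bullet. In %install, "%make_install DESTDIR=%{buildroot}" can be plain %make_install, because the macro already sets DESTDIR.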
commit ocserv for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ocserv for openSUSE:Factory checked in at 2024-06-04 12:51:13 Comparing /work/SRC/openSUSE:Factory/ocserv (Old) and /work/SRC/openSUSE:Factory/.ocserv.new.24587 (New) Package is "ocserv" Tue Jun 4 12:51:13 2024 rev:24 rq:1178350 version:1.3.0 Changes: --- /work/SRC/openSUSE:Factory/ocserv/ocserv.changes2024-03-01 23:40:06.667234832 +0100 +++ /work/SRC/openSUSE:Factory/.ocserv.new.24587/ocserv.changes 2024-06-04 12:51:42.349077842 +0200 
@@ -1,0 +2,31 @@ +Wed May 15 12:58:13 UTC 2024 - ÐндÑей ÐÑвÑинов + +- Update to version 1.3.0 + * Switch to https://github.com/nodejs/llhttp from http-parser. +http-parser was a liability as an unmaintained project (#598) + * Bump the number of groups per account from 128 to 512 (#219) + * Allow connecting users to select an authgroup by appending the +group name to the URL, as in https://vpn.example.com/groupname; +this introduces the select-group-by-url config option (#597). + * Informational messages due to configuration loading are not printed +during worker initialization. +- Update to version 1.2.4 + * Get connection speed limits (traffic shaping) from RADIUS (#554) + * Fix logging to stderr: add missing newline. + * Fixed compatibility with AnyConnect clients on Linux (#544) + * Detect the new AnyConnect-compatible identifier of OpenConnect clients + * occtl: Print bit rates as kb/s. +- Update to version 1.2.3 + * Treat unknown clients as capable of IPv6 routes and DNS servers + * Introduced new ocserv options --log-stderr and --syslog that redirect +logging to stderr or syslog explicitly. The stderr option allows for better +integration with logging on containers or under systemd. The default remains +syslog. + * Warn when more than 2 DNS server IPv6 addresses are sent by Radius. + * Improved server shutdown (#563) + * Modified Camouflage functionality to allow AnyConnect clients (#544) + * ocserv-fw: Move under libexec. + * ocserv-fw: Fixed clean_all_rules logic on multiple similar devices (!384) + * occtl: added machine-readable raw_connected_at field for user stats + +--- Old: ocserv-1.2.2.tar.xz ocserv-1.2.2.tar.xz.sig New: ocserv-1.3.0.tar.xz ocserv-1.3.0.tar.xz.sig Other differences: -- ++ ocserv.spec ++ --- /var/tmp/diff_new_pack.ujcBAP/_old 2024-06-04 12:51:43.005101647 +0200 +++ /var/tmp/diff_new_pack.ujcBAP/_new 2024-06-04 12:51:43.009101793 +0200 
@@ -17,7 +17,7 @@ Name: ocserv -Version:1.2.2 +Version:1.3.0 Release:0 Summary:OpenConnect VPN Server License:GPL-2.0-only @@ -45,6 +45,7 @@ BuildRequires: freeradius-client-devel BuildRequires: gperf BuildRequires: gpg2 +BuildRequires: ipcalc BuildRequires: libev-devel #!BuildIgnore: libevent-devel BuildRequires: libgnutls-devel >= 3.1.10 @@ -145,7 +146,7 @@ %{_bindir}/occtl %{_bindir}/ocpasswd %{_bindir}/ocserv-script -%{_bindir}/ocserv-fw +%{_libexecdir}/ocserv-fw %{_sbindir}/ocserv %{_sbindir}/ocserv-forwarding %{_sbindir}/ocserv-worker ++ ocserv-1.2.2.tar.xz -> ocserv-1.3.0.tar.xz ++ 30272 lines of diff (skipped)
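Review bot: The "BuildRequires: ipcalc" line added in the second spec hunk has no matching changelog line; the entry lists only upstream changes for 1.2.3 through 1.3.0. Add a packaging bullet that says what needs ipcalc at build time, so the dependency can be dropped again when that reason goes away.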
commit ocserv for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ocserv for openSUSE:Factory checked in at 2024-03-01 23:40:05 Comparing /work/SRC/openSUSE:Factory/ocserv (Old) and /work/SRC/openSUSE:Factory/.ocserv.new.1770 (New) Package is "ocserv" Fri Mar 1 23:40:05 2024 rev:23 rq:1154177 version:1.2.2 Changes: --- /work/SRC/openSUSE:Factory/ocserv/ocserv.changes2023-09-29 21:15:31.053956387 +0200 +++ /work/SRC/openSUSE:Factory/.ocserv.new.1770/ocserv.changes 2024-03-01 23:40:06.667234832 +0100 @@ -1,0 +2,6 @@ +Mon Feb 26 12:40:44 UTC 2024 - Dominique Leuenberger + +- Use %autosetup macro. Allows to eliminate the usage of deprecated + PatchN. + +--- Other differences: -- ++ ocserv.spec ++ --- /var/tmp/diff_new_pack.OqTecA/_old 2024-03-01 23:40:07.271256673 +0100 +++ /var/tmp/diff_new_pack.OqTecA/_new 2024-03-01 23:40:07.271256673 +0100 @@ -87,14 +87,10 @@ A management interface allows for viewing and querying logged-in users. %prep -gpg --import %{SOURCE100} && gpg --verify %{SOURCE1} -%setup -q -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -autoreconf -fiv +%autosetup -p1 %build +autoreconf -fiv %configure --enable-systemd \ --enable-seccomp \ --disable-rpath \
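Review bot: The %prep hunk deletes "gpg --import %{SOURCE100} && gpg --verify %{SOURCE1}" together with the %setup and %patchN lines, so after this change nothing in the visible spec checks the tarball against its .sig, while the changelog mentions only the %autosetup switch. Keep the verification line ahead of "%autosetup -p1", or state in the changelog what now performs the signature check.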
commit ocserv for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ocserv for openSUSE:Factory checked in at 2023-09-29 21:14:04 Comparing /work/SRC/openSUSE:Factory/ocserv (Old) and /work/SRC/openSUSE:Factory/.ocserv.new.28202 (New) Package is "ocserv" Fri Sep 29 21:14:04 2023 rev:22 rq:1114117 version:1.2.2 Changes: --- /work/SRC/openSUSE:Factory/ocserv/ocserv.changes2023-09-02 22:08:32.553170775 +0200 +++ /work/SRC/openSUSE:Factory/.ocserv.new.28202/ocserv.changes 2023-09-29 21:15:31.053956387 +0200 @@ -1,0 +2,9 @@ +Mon Sep 25 08:41:26 UTC 2023 - Martin Hauke + +- Update to version 1.2.2 + * Fix session and accounting data tracking of ocserv. This + reverts fix for #444 (#541) + * No longer account ICMP and IGMP data for idle session detection +- Update URL + +--- Old: ocserv-1.2.1.tar.xz ocserv-1.2.1.tar.xz.sig New: ocserv-1.2.2.tar.xz ocserv-1.2.2.tar.xz.sig Other differences: -- ++ ocserv.spec ++ --- /var/tmp/diff_new_pack.oQ6dMl/_old 2023-09-29 21:15:32.850021189 +0200 +++ /var/tmp/diff_new_pack.oQ6dMl/_new 2023-09-29 21:15:32.850021189 +0200 @@ -17,12 +17,13 @@ Name: ocserv -Version:1.2.1 +Version:1.2.2 Release:0 Summary:OpenConnect VPN Server License:GPL-2.0-only Group: Productivity/Networking/Security -URL:http://www.infradead.org/ocserv +URL:https://ocserv.gitlab.io/www/ +#Git-Clone: https://gitlab.com/openconnect/ocserv.git Source: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz Source1: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig Source2:ca.tmpl 
@@ -40,15 +41,14 @@ Patch3: %{name}-LZ4_compress_default.patch BuildRequires: autogen BuildRequires: dbus-1-devel -%if 0%{suse_version} >= 1500 BuildRequires: firewall-macros -%endif BuildRequires: freeradius-client-devel BuildRequires: gperf BuildRequires: gpg2 BuildRequires: libev-devel #!BuildIgnore: libevent-devel BuildRequires: libgnutls-devel >= 3.1.10 +BuildRequires: liblz4-devel BuildRequires: libmaxminddb-devel BuildRequires: libnl3-devel BuildRequires: libprotobuf-c-devel @@ -64,11 +64,7 @@ BuildRequires: rubygem(ronn) # /usr/bin/certtool for generating certificates Requires: gnutls >= 3.1.10 -BuildRoot: %{_tmppath}/%{name}-%{version}-build %{?systemd_requires} -%if 0%{?suse_version} > 1310 -BuildRequires: liblz4-devel -%endif %description OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to @@ -110,9 +106,7 @@ make %{?_smp_mflags} DESTDIR=%{buildroot} install install -Dm 0755 %{SOURCE5} %{buildroot}%{_sbindir}/ocserv-forwarding -%if 0%{suse_version} >= 1500 install -D -m 644 %{SOURCE6} %{buildroot}%{_prefix}/lib/firewalld/services/ocserv.xml -%endif install -d %{buildroot}%{_sysconfdir}/ocserv/certificates install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/ocserv/certificates @@ -136,9 +130,7 @@ %post %service_add_post ocserv.service ocserv.socket -%if 0%{suse_version} >= 1500 %firewalld_reload -%endif %preun %service_del_preun ocserv.service ocserv.socket 
@@ -151,11 +143,9 @@ %doc AUTHORS NEWS README.md %license COPYING %config %{_sysconfdir}/ocserv -%if 0%{suse_version} >= 1500 %dir %{_prefix}/lib/firewalld %dir %{_prefix}/lib/firewalld/services %{_prefix}/lib/firewalld/services/ocserv.xml -%endif %{_bindir}/occtl %{_bindir}/ocpasswd %{_bindir}/ocserv-script ++ ocserv-1.2.1.tar.xz -> ocserv-1.2.2.tar.xz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/AUTHORS new/ocserv-1.2.2/AUTHORS --- old/ocserv-1.2.1/AUTHORS2023-08-22 15:11:05.0 +0200 +++ new/ocserv-1.2.2/AUTHORS2023-09-21 21:14:26.0 +0200 @@ -16,11 +16,11 @@ William Dauchy Alexey Dotsenko Daniel Lenski +Dimitri Papadopoulos <3234522+DimitriPapadopoulos at users.noreply.github.com> Frank Huang Joerg Mayer Björn Ketelaars David Woodhouse -Dimitri Papadopoulos <3234522+DimitriPapadopoulos at users.noreply.github.com> Faidon Liambotis John Thiltges Leendert van Doorn diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/ChangeLog new/ocserv-1.2.2/ChangeLog --- old/ocserv-1.2.1/ChangeLog 2023-08-22 15:11:06.0 +0200 +++ new/ocserv-1.2.2/ChangeLog 2023-09-21 21:14:27.0 +0200 @@ -1,3 +1,181 @@ +commit f616475643783995c4208ae205e288019eec18e5 +Author: Nikos Mavrogiannopoulos +Date: Thu Sep 21 21:14:05 2023 +0200 + +released 1.2.2 + +Signed-off-by: Nikos Mavr
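Review bot: In the first spec hunk the URL moves to https, but Source and Source1 stay on ftp://ftp.infradead.org, so the tarball and its signature are still fetched over a channel with no integrity protection and everything rests on the signature check against Source100. If upstream serves the same files over https, switch both Source lines in this commit as well.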
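Review bot: The hunks that drop the "%if 0%{suse_version} >= 1500" guards around firewall-macros, the firewalld service file and %firewalld_reload, along with the "> 1310" guard on liblz4-devel and the BuildRoot tag, are not covered by the changelog, which lists only the version update and the URL change. Add a bullet stating that support for the older distributions is dropped, so the loss of those build targets is on record.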
commit ocserv for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ocserv for openSUSE:Factory checked in at 2023-09-02 22:07:48 Comparing /work/SRC/openSUSE:Factory/ocserv (Old) and /work/SRC/openSUSE:Factory/.ocserv.new.1766 (New) Package is "ocserv" Sat Sep 2 22:07:48 2023 rev:21 rq:1108560 version:1.2.1 Changes: --- /work/SRC/openSUSE:Factory/ocserv/ocserv.changes2023-03-07 16:51:23.057916405 +0100 +++ /work/SRC/openSUSE:Factory/.ocserv.new.1766/ocserv.changes 2023-09-02 22:08:32.553170775 +0200 
@@ -1,0 +2,33 @@ +Tue Aug 29 12:37:56 UTC 2023 - Martin Hauke + +- Update to version 1.2.1 + * Accept the Clavister OneConnect VPN Android client. + * No longer require to set device name per vhost. + * Account the correct number of points when proxyproto is in use + * nuttcp tests were replaced with iperf3 that is available +in more environments + * occtl: fix duplicate key in `occtl --json show users` output +- Update to version 1.2.0 + * Add support for Cisco Enterprise phones to authenticate via +the /svc endpoint and the 'cisco-svc-client-compat' config +option. + * Enhanced radius group support to enable radius servers send +multiple group class attributes +See doc/README-radius.md for more information. + * Enhanced the seccomp filters to open files related to FIPS +compliance on SuSe. + * Added "Camouflage" functionality that makes ocserv look like a +web server to unauthorized parties. + * Avoid login failure when the end point of server URI +contains a query string. + * Make sure we print proper JSON with `occtl --debug --json` + * Eliminated the need for using the gnulib portability library. +- Update to version 1.1.7 + * Emit a LOG_ERR error message with plain authentication fails + * The bundled inih was updated to r56. + * The bundled protobuf-c was updated to 1.4.1. + * Enhanced the seccomp filters for ARMv7 compatibility and musl +libc + * HTTP headers always capitalised as in RFC 9110 + +--- Old: ocserv-1.1.6.tar.xz ocserv-1.1.6.tar.xz.sig New: ocserv-1.2.1.tar.xz ocserv-1.2.1.tar.xz.sig Other differences: -- ++ ocserv.spec ++ --- /var/tmp/diff_new_pack.cpwnpW/_old 2023-09-02 22:08:35.641281123 +0200 +++ /var/tmp/diff_new_pack.cpwnpW/_new 2023-09-02 22:08:35.693282981 +0200 @@ -17,7 +17,7 @@ Name: ocserv -Version:1.1.6 +Version:1.2.1 Release:0 Summary:OpenConnect VPN Server License:GPL-2.0-only 
@@ -149,7 +149,7 @@ %files %defattr(-,root,root) %doc AUTHORS NEWS README.md -%license COPYING LICENSE +%license COPYING %config %{_sysconfdir}/ocserv %if 0%{suse_version} >= 1500 %dir %{_prefix}/lib/firewalld ++ ocserv-1.1.6.tar.xz -> ocserv-1.2.1.tar.xz ++ 83353 lines of diff (skipped) ++ ocserv.config.patch ++ --- /var/tmp/diff_new_pack.cpwnpW/_old 2023-09-02 22:08:36.737320288 +0200 +++ /var/tmp/diff_new_pack.cpwnpW/_new 2023-09-02 22:08:36.741320431 +0200 @@ -1,5 +1,5 @@ diff --git a/doc/sample.config b/doc/sample.config -index 0e33484f..60ab3e93 100644 +index 4c8c8c6..7a4697f 100644 --- a/doc/sample.config +++ b/doc/sample.config @@ -48,7 +48,7 @@ @@ -22,18 +22,19 @@ # The user the worker processes will be run as. This should be a dedicated # unprivileged user (e.g., 'ocserv') and no other services should run as this -@@ -126,8 +126,8 @@ socket-file = /var/run/ocserv-socket +@@ -126,9 +126,8 @@ socket-file = /var/run/ocserv-socket #server-cert = /etc/ocserv/server-cert.pem #server-key = /etc/ocserv/server-key.pem -server-cert = ../tests/certs/server-cert.pem -server-key = ../tests/certs/server-key.pem +- +server-cert = /etc/ocserv/certificates/server-cert.pem +server-key = /etc/ocserv/certificates/server-key.pem - # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0 # versions of GnuTLS for supporting DHE ciphersuites. -@@ -154,7 +154,7 @@ server-key = ../tests/certs/server-key.pem + # Can be generated using: +@@ -154,7 +153,7 @@ server-key = ../tests/certs/server-key.pem # client certificates (public keys) if certificate authentication # is set. #ca-cert = /etc/ocserv/ca.pem 
@@ -42,16 +43,7 @@ # The number of sub-processes to use for the security module (authentication) # processes. Typically this should not be set as the number of processes -@@ -180,7 +180,7 @@ ca-cert = ../tests/certs/ca.pem - # the isolation was tested at. If you get random failures on worker processes, try - # disabling that option and report the failures you, along with system and debugging - # information at: https://gitlab.com/ocserv/ocserv/issues --
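Review bot: The %files hunk changes "%license COPYING LICENSE" to "%license COPYING" without a word in the changelog about why LICENSE is no longer shipped. If the file disappeared upstream with the gnulib removal listed under 1.2.0, say so in a packaging bullet; if it still exists in the 1.2.1 tarball, keep it in %license.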
commit ocserv for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ocserv for openSUSE:Factory checked in at 2023-03-07 16:50:57 Comparing /work/SRC/openSUSE:Factory/ocserv (Old) and /work/SRC/openSUSE:Factory/.ocserv.new.31432 (New) Package is "ocserv" Tue Mar 7 16:50:57 2023 rev:20 rq:1069915 version:1.1.6 Changes: --- /work/SRC/openSUSE:Factory/ocserv/ocserv.changes2022-08-15 20:00:24.377425835 +0200 +++ /work/SRC/openSUSE:Factory/.ocserv.new.31432/ocserv.changes 2023-03-07 16:51:23.057916405 +0100 @@ -1,0 +2,9 @@ +Wed Jan 18 13:17:42 UTC 2023 - Matthias Gerstner + +- add ocserv-forwarding.sh: replace the sysctl drop-in file which was wrongly + installed into /etc by a more tailored mechanism. Enabling IP routing + globally and permanently, just because the package is installed is quite + invasive. This new script will be invoked before and after the ocserv + service to switch on and off forwarding, if necessary (bsc#1174722). + +--- Old: ocserv.sysctl New: ocserv-forwarding.sh Other differences: -- ++ ocserv.spec ++ --- /var/tmp/diff_new_pack.PBmhf8/_old 2023-03-07 16:51:23.785920243 +0100 +++ /var/tmp/diff_new_pack.PBmhf8/_new 2023-03-07 16:51:23.793920285 +0100 @@ -1,7 +1,7 @@ # # spec file for package ocserv # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -28,7 +28,7 @@ Source2:ca.tmpl Source3:server.tmpl Source4:user.tmpl -Source5:ocserv.sysctl +Source5:ocserv-forwarding.sh Source6:ocserv.firewalld.xml Source99: README.SUSE Source100: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg 
@@ -109,7 +109,7 @@ %install make %{?_smp_mflags} DESTDIR=%{buildroot} install -install -Dm 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/sysctl.d/60-ocserv.conf +install -Dm 0755 %{SOURCE5} %{buildroot}%{_sbindir}/ocserv-forwarding %if 0%{suse_version} >= 1500 install -D -m 644 %{SOURCE6} %{buildroot}%{_prefix}/lib/firewalld/services/ocserv.xml %endif @@ -128,6 +128,9 @@ install -m 0644 doc/systemd/socket-activated/ocserv.socket %{buildroot}%{_unitdir} install -m 0644 doc/systemd/socket-activated/ocserv.service %{buildroot}%{_unitdir} +sed -i '/^\[Service\].*/a ExecStopPost=%{_sbindir}/ocserv-forwarding --disable' %{buildroot}%{_unitdir}/ocserv.service +sed -i '/^\[Service\].*/a ExecStartPre=%{_sbindir}/ocserv-forwarding --enable' %{buildroot}%{_unitdir}/ocserv.service + %pre %service_add_pre ocserv.service ocserv.socket @@ -148,7 +151,6 @@ %doc AUTHORS NEWS README.md %license COPYING LICENSE %config %{_sysconfdir}/ocserv -%config(noreplace) %{_sysconfdir}/sysctl.d/60-ocserv.conf %if 0%{suse_version} >= 1500 %dir %{_prefix}/lib/firewalld %dir %{_prefix}/lib/firewalld/services 
@@ -159,6 +161,7 @@ %{_bindir}/ocserv-script %{_bindir}/ocserv-fw %{_sbindir}/ocserv +%{_sbindir}/ocserv-forwarding %{_sbindir}/ocserv-worker %{_unitdir}/ocserv.service %{_unitdir}/ocserv.socket ++ ocserv-forwarding.sh ++ #!/bin/bash set -o errexit # This script enables IP forwarding only for the time of ocserv running # # The script should be run as a pre and post script via the systemd service # unit. # # It only touches a sysctl if it doesn't have the required value and is able # to restore it back to the original value by keeping track of changed # settings in a state file. STATEDIR="/run/ocserv" STATEFILE="$STATEDIR/changed_sysctls" # the sysctls that need to be at '1' for ocserv to work properly CONTROLS=("net.ipv4.ip_forward" "net.ipv6.conf.default.forwarding" "net.ipv6.conf.all.forwarding") errecho() { echo $* 1>&2 } usage() { errecho "Usage: $0 [--enable|--disable]" errecho errecho "--enable: enable IP forwarding kernel settings, if necessary" errecho "--disable: restore IP forwarding kernel settings that have previously been changed via --enable" errecho errecho "This script temporarily enables IP forwarding while ocserv is running" exit 1 } # make sure we don't create anything world readable for other users umask 077 if [ $# -ne 1 ]; then usage fi SYSCTL=`which sysctl` if [ -z "$SYSCTL" ]; then errecho "Couldn't find 'sysctl'. You need to be root to run this script." exit 1 fi operation="$1" if [ "$operation" = "-h" -o "$operation" = "--help" ]; then usage elif [ "$operation" = "--enable" ]; then changed=() for control in ${CONTROLS[@]}; do
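Review bot: Nothing fails the build if the two "sed -i" lines added to %install stop matching "[Service]" in the upstream ocserv.service: sed exits 0 and the unit ships without ExecStartPre/ExecStopPost, which, now that the sysctl drop-in is gone, leaves ocserv running with forwarding off. Follow the sed calls with a grep for ocserv-forwarding in the installed unit that aborts the build on a miss, or carry the two directives in a packaged drop-in file instead of editing the upstream unit.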
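Review bot: In ocserv-forwarding.sh the "Couldn't find 'sysctl'" branch is unreachable: with "set -o errexit" active, a failing which inside the SYSCTL= assignment ends the script before the -z test runs, so ExecStartPre fails without the script's own message. Use SYSCTL=$(command -v sysctl || true) for the lookup, and quote the expansions while there ("$@" in errecho, "${CONTROLS[@]}" in the for loop).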
commit ocserv for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ocserv for openSUSE:Factory checked in at 2022-08-15 19:58:10 Comparing /work/SRC/openSUSE:Factory/ocserv (Old) and /work/SRC/openSUSE:Factory/.ocserv.new.1521 (New) Package is "ocserv" Mon Aug 15 19:58:10 2022 rev:19 rq:995042 version:1.1.6 Changes: --- /work/SRC/openSUSE:Factory/ocserv/ocserv.changes2022-07-06 15:42:31.078563057 +0200 +++ /work/SRC/openSUSE:Factory/.ocserv.new.1521/ocserv.changes 2022-08-15 20:00:24.377425835 +0200 @@ -1,0 +2,20 @@ +Sun Aug 14 14:11:34 UTC 2022 - Michael Du + +- Update to version 1.1.6 + * Fixed compatibility with clients on Windows ARM64. + * Added futex() to the accepted list of seccomp. +It is required by Fedora 36???s libc. + * Work around change of returned error code in GnuTLS 3.7.3 +for gnutls_privkey_import_x509_raw(). + +- Changes in version 1.1.5 + * Fixed manpage output. + +- Changes in version 1.1.4 + * Added newfstatat() and epoll_pwait() to the accepted list of +seccomp calls. This improves compatibility with certain libcs +and aarch64. + * Do not allow assigning the same IPv6 as tun device address and +to the client. This allows using /127 as prefix (#430). + +--- Old: ocserv-1.1.3.tar.xz ocserv-1.1.3.tar.xz.sig New: ocserv-1.1.6.tar.xz ocserv-1.1.6.tar.xz.sig Other differences: -- ++ ocserv.spec ++ --- /var/tmp/diff_new_pack.cjUJOH/_old 2022-08-15 20:00:25.025427642 +0200 +++ /var/tmp/diff_new_pack.cjUJOH/_new 2022-08-15 20:00:25.029427654 +0200 @@ -17,7 +17,7 @@ Name: ocserv -Version:1.1.3 +Version:1.1.6 Release:0 Summary:OpenConnect VPN Server License:GPL-2.0-only ++ ocserv-1.1.3.tar.xz -> ocserv-1.1.6.tar.xz ++ 8779 lines of diff (skipped) ++ ocserv.config.patch ++ --- /var/tmp/diff_new_pack.cjUJOH/_old 2022-08-15 20:00:25.505428981 +0200 +++ /var/tmp/diff_new_pack.cjUJOH/_new 2022-08-15 20:00:25.509428992 +0200 @@ -1,5 +1,5 @@ 
diff --git a/doc/sample.config b/doc/sample.config -index 6a677c9..1cd1d96 100644 +index 0e33484f..60ab3e93 100644 --- a/doc/sample.config +++ b/doc/sample.config @@ -48,7 +48,7 @@ @@ -40,9 +40,9 @@ -ca-cert = ../tests/certs/ca.pem +ca-cert = /etc/ocserv/certificates/ca-cert.pem - - ### All configuration options below this line are reloaded on a SIGHUP. -@@ -174,7 +174,7 @@ ca-cert = ../tests/certs/ca.pem + # The number of sub-processes to use for the security module (authentication) + # processes. Typically this should not be set as the number of processes +@@ -180,7 +180,7 @@ ca-cert = ../tests/certs/ca.pem # the isolation was tested at. If you get random failures on worker processes, try # disabling that option and report the failures you, along with system and debugging # information at: https://gitlab.com/ocserv/ocserv/issues @@ -51,7 +51,7 @@ # A banner to be displayed on clients after connection #banner = "Welcome" -@@ -242,7 +242,7 @@ mobile-dpd = 1800 +@@ -249,7 +249,7 @@ mobile-dpd = 1800 switch-to-tcp-timeout = 25 # MTU discovery (DPD must be enabled) @@ -60,7 +60,7 @@ # To enable load-balancer connection draining, set server-drain-ms to a value # higher than your load-balancer health probe interval. -@@ -412,8 +412,8 @@ rekey-method = ssl +@@ -415,8 +415,8 @@ rekey-method = ssl # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes # output from the tun device, and the duration of the session in seconds. @@ -71,8 +71,8 @@ # This script is to be called when the client's advertised hostname becomes # available. It will contain REASON with "host-update" value and the -@@ -491,7 +491,8 @@ ipv4-netmask = 255.255.255.0 - # The advertized DNS server. Use multiple lines for +@@ -506,7 +506,8 @@ ipv4-netmask = 255.255.255.0 + # The advertised DNS server. Use multiple lines for # multiple servers. # dns = fc00::4be0 -dns = 192.168.1.2 
@@ -81,7 +81,7 @@ # The NBNS server (if any) #nbns = 192.168.1.3 -@@ -530,8 +531,8 @@ ping-leases = false +@@ -545,8 +546,8 @@ ping-leases = false # comment out all routes from the server, or use the special keyword # 'default'. @@ -92,7 +92,7 @@ #route = fef4:db8:1000:1001::/64 #route = default -@@ -698,18 +699,18 @@ dtls-legacy = true +@@ -719,18 +720,18 @@ client-bypass-protocol = false # An example virtual host with different authentication methods serviced # by this server. @@ -120,7 +120,7 @@ -cert-user-oid = 0.9.2342.19200300.100.1.1 +#cert-user-oid = 0.9.2342.19200300.100.1.1 diff --git a/doc/systemd/socket-activated/
commit ocserv for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ocserv for openSUSE:Factory checked in at 2022-07-06 15:42:16 Comparing /work/SRC/openSUSE:Factory/ocserv (Old) and /work/SRC/openSUSE:Factory/.ocserv.new.1548 (New) Package is "ocserv" Wed Jul 6 15:42:16 2022 rev:18 rq:986990 version:1.1.3 Changes: --- /work/SRC/openSUSE:Factory/ocserv/ocserv.changes2021-06-23 17:38:14.996472957 +0200 +++ /work/SRC/openSUSE:Factory/.ocserv.new.1548/ocserv.changes 2022-07-06 15:42:31.078563057 +0200 @@ -1,0 +2,6 @@ +Mon Jun 20 07:49:38 UTC 2022 - Dominique Leuenberger + +- explicitly buildignore libevent-devel, which is pulled in by + ubound. We use libev here and can get away with this. + +--- Other differences: -- ++ ocserv.spec ++ --- /var/tmp/diff_new_pack.qge7BX/_old 2022-07-06 15:42:31.682563947 +0200 +++ /var/tmp/diff_new_pack.qge7BX/_new 2022-07-06 15:42:31.686563953 +0200 @@ -1,7 +1,7 @@ # # spec file for package ocserv # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -47,6 +47,7 @@ BuildRequires: gperf BuildRequires: gpg2 BuildRequires: libev-devel +#!BuildIgnore: libevent-devel BuildRequires: libgnutls-devel >= 3.1.10 BuildRequires: libmaxminddb-devel BuildRequires: libnl3-devel
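Review bot: The "#!BuildIgnore: libevent-devel" line added in the BuildRequires hunk carries no comment in the spec; the reason exists only in the changelog, where "ubound" looks like a typo for unbound. Add a one-line spec comment naming the package that pulls libevent-devel in, so the directive is not removed or copied blindly later.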
commit ocserv for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ocserv for openSUSE:Factory checked in at 2021-06-23 17:38:12 Comparing /work/SRC/openSUSE:Factory/ocserv (Old) and /work/SRC/openSUSE:Factory/.ocserv.new.2625 (New) Package is "ocserv" Wed Jun 23 17:38:12 2021 rev:17 rq:901365 version:1.1.3 Changes: --- /work/SRC/openSUSE:Factory/ocserv/ocserv.changes2021-06-09 21:52:09.314459036 +0200 +++ /work/SRC/openSUSE:Factory/.ocserv.new.2625/ocserv.changes 2021-06-23 17:38:14.996472957 +0200 @@ -1,0 +2,12 @@ +Sat Jun 5 10:37:15 UTC 2021 - Martin Hauke + +- Update to version 1.1.3 + * No longer close stdin and stdout on worker processes as they +are already closed in main process. + * Advertise X-CSTP-Session-Timeout. + * No longer recommend building with system's libpcl but rather +the bundled as it is not a very common shared library. + * Corrected busyloop on failed DTLS handshakes. + * Emit OWASP best practice headers for HTTP. + +--- Old: ocserv-1.1.2.tar.xz ocserv-1.1.2.tar.xz.sig New: ocserv-1.1.3.tar.xz ocserv-1.1.3.tar.xz.sig Other differences: -- ++ ocserv.spec ++ --- /var/tmp/diff_new_pack.IjGtuY/_old 2021-06-23 17:38:15.696473920 +0200 +++ /var/tmp/diff_new_pack.IjGtuY/_new 2021-06-23 17:38:15.696473920 +0200 @@ -1,7 +1,7 @@ # # spec file for package ocserv # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: ocserv -Version:1.1.2 +Version:1.1.3 Release:0 Summary:OpenConnect VPN Server License:GPL-2.0-only ++ ocserv-1.1.2.tar.xz -> ocserv-1.1.3.tar.xz ++ 9023 lines of diff (skipped)
commit ocserv for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ocserv for openSUSE:Factory checked in at 2021-06-09 21:51:54 Comparing /work/SRC/openSUSE:Factory/ocserv (Old) and /work/SRC/openSUSE:Factory/.ocserv.new.32437 (New) Package is "ocserv" Wed Jun 9 21:51:54 2021 rev:16 rq:894668 version:1.1.2 Changes: --- /work/SRC/openSUSE:Factory/ocserv/ocserv.changes2020-08-29 20:42:31.085469367 +0200 +++ /work/SRC/openSUSE:Factory/.ocserv.new.32437/ocserv.changes 2021-06-09 21:52:09.314459036 +0200 
@@ -1,0 +2,40 @@ +Mon Dec 7 15:32:12 UTC 2020 - Martin Hauke + +- Update to version 1.1.2 + * Allow setup of new DTLS session concurrent with old session. + * Fixed an infinite loop on sec-mod crash when server-drain-ms +is set. + * Don't apply BanIP checks to clients on the same subnet. + * Don't attempt TLS if the client closes the connection with +zero data sent. + * Increased the maximum configuration line; this allows banner +messages longer than 200 characters. + * Removed the listen-clear-file config option. This option was +incompatible with several clients, and thus is unusable for a +generic server. + +--- +Mon Sep 21 15:27:14 UTC 2020 - Martin Hauke + +- Update to version 1.1.1: + * Improved rate-limit-ms and made it dependent on secmod backlog. +This makes the server more resilient (and prevents connection +failures) on multiple concurrent connections + - Added namespace support for listen address by introducing the +listen-netns option. + - Disable TLS1.3 when cisco client compatibility is enabled. New +anyconnect clients seem to supporting TLS1.3 but are unable to + handle a client with an RSA key. + - Enable a race free user disconnection via occtl. + - Added the config option of a pre-login-banner. + - Ocserv siwtched to using multiple ocserv-sm processes to +improve scale, with the number of ocserv-sm process dependent +on maximum clients and number of CPUs. Configuration option +sec-mod-scale can be used to override the heuristics. + - Fixed issue with group selection on radius servers sending +multiple group class attribute. +- Update patch: + * ocserv-enable-systemd.patch + * ocserv.config.patch + +--- Old: ocserv-1.1.0.tar.xz ocserv-1.1.0.tar.xz.sig New: ocserv-1.1.2.tar.xz ocserv-1.1.2.tar.xz.sig Other differences: -- ++ ocserv.spec ++ --- /var/tmp/diff_new_pack.R4R4AB/_old 2021-06-09 21:52:10.050460348 +0200 +++ /var/tmp/diff_new_pack.R4R4AB/_new 2021-06-09 21:52:10.054460355 +0200 
@@ -17,7 +17,7 @@ Name: ocserv -Version:1.1.0 +Version:1.1.2 Release:0 Summary:OpenConnect VPN Server License:GPL-2.0-only @@ -144,7 +144,7 @@ %files %defattr(-,root,root) -%doc AUTHORS NEWS README.md TODO +%doc AUTHORS NEWS README.md %license COPYING LICENSE %config %{_sysconfdir}/ocserv %config(noreplace) %{_sysconfdir}/sysctl.d/60-ocserv.conf ++ ocserv-1.1.0.tar.xz -> ocserv-1.1.2.tar.xz ++ 20596 lines of diff (skipped) ++ ocserv-enable-systemd.patch ++ --- /var/tmp/diff_new_pack.R4R4AB/_old 2021-06-09 21:52:10.442461047 +0200 +++ /var/tmp/diff_new_pack.R4R4AB/_new 2021-06-09 21:52:10.442461047 +0200 @@ -1,8 +1,8 @@ -Index: ocserv-0.10.5/configure.ac -=== ocserv-0.10.5.orig/configure.ac -+++ ocserv-0.10.5/configure.ac -@@ -297,11 +297,7 @@ AC_ARG_ENABLE(systemd, +diff --git a/configure.ac b/configure.ac +index 2e4a0e8..81ac3bd 100644 +--- a/configure.ac b/configure.ac +@@ -423,11 +423,7 @@ AC_ARG_ENABLE(systemd, if [ test "$systemd_enabled" = "yes" ];then AC_LIB_HAVE_LINKFLAGS(systemd,, [#include ], [sd_listen_fds(0);]) @@ -13,4 +13,4 @@ - fi fi - AC_ARG_ENABLE(anyconnect-compat, + AC_ARG_ENABLE(namespaces, ++ ocserv.config.patch ++ --- /var/tmp/diff_new_pack.R4R4AB/_old 2021-06-09 21:52:10.450461062 +0200 +++ /var/tmp/diff_new_pack.R4R4AB/_new 2021-06-09 21:52:10.450461062 +0200 @@ -1,7 +1,7 @@ -Index: ocserv-0.12.0/doc/sample.config -=== ocserv-0.12.0.orig/doc/sample.config -+++ ocserv-0.12.0/doc/sample.config +diff --git a/doc/sample.config b/doc/sample.config +index 6a677c9..1cd1d96 100644 +--- a/doc/sample.config b/doc/sample.config @@ -48,7 +48,7 @@ #auth = "pam" #auth = "pam[gid-min=1000]" @@ -11,8 +11,8 @@ #auth = "certificate" #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" -@@ -83
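Review bot: The 1.1.1 changelog entry switches from "*" to "-" bullets after its first item, which makes the upstream changes look like top-level packaging changes, and it contains typos ("siwtched", "seem to supporting"). Use "*" for all upstream items and fix the wording; the "%doc" hunk's removal of TODO also deserves its own packaging bullet.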