commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2020-09-23 18:37:47 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new.4249 (New) Package is "openvpn" Wed Sep 23 18:37:47 2020 rev:89 rq:834319 version:2.4.9 Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2020-09-03 01:13:17.376451479 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new.4249/openvpn.changes 2020-09-23 18:38:27.605215278 +0200 @@ -1,0 +2,19 @@ +Fri Sep 11 11:52:54 UTC 2020 - Dirk Mueller + +- update to 2.4.9 (CVE-2020-11810, bsc#1169925O): + * Allow unicode search string in --cryptoapicert option (Windows) + * Skip expired certificates in Windows certificate store (Windows) (trac #966) + * OpenSSL: Fix --crl-verify not loading multiple CRLs in one file (trac #623) + * fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float"). + This can be used to disrupt service to a freshly connected client (no session + keys negotiated yet). It can not be used to inject or steal VPN traffic. + CVE-2020-11810). + * fix combination of async push (deferred auth) and NCP (trac #1259) + * Fix OpenSSL 1.1.1 not using auto elliptic curve selection (trac #1228) + * Fix OpenSSL error stack handling of tls_ctx_add_extra_certs + * mbedTLS: Make sure TLS session survives move (trac #880) + * Fix OpenSSL private key passphrase notices + * Fix building with --enable-async-push in FreeBSD (trac #1256) + * Fix broken fragmentation logic when using NCP (trac #1140) + +--- Old: openvpn-2.4.8.tar.xz openvpn-2.4.8.tar.xz.asc New: openvpn-2.4.9.tar.xz openvpn-2.4.9.tar.xz.asc Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.PFTb7F/_old 2020-09-23 18:38:32.077219174 +0200 +++ /var/tmp/diff_new_pack.PFTb7F/_new 2020-09-23 18:38:32.077219174 +0200 
@@ -29,7 +29,7 @@ %define _rundir %{_localstatedir}/run %endif Name: openvpn -Version:2.4.8 +Version:2.4.9 Release:0 Summary:Full-featured SSL VPN solution using a TUN/TAP Interface License:SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.1-only ++ openvpn-2.4.8.tar.xz -> openvpn-2.4.9.tar.xz ++ 4805 lines of diff (skipped) retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openvpn-2.4.8/ChangeLog new/openvpn-2.4.9/ChangeLog --- old/openvpn-2.4.8/ChangeLog 2019-10-30 13:37:55.0 +0100 +++ new/openvpn-2.4.9/ChangeLog 2020-04-16 15:26:45.0 +0200 
@@ -1,6 +1,43 @@ OpenVPN Change Log Copyright (C) 2002-2018 OpenVPN Inc +2020.04.16 -- Version 2.4.9 +Antonio Quartulli (1): + socks: use the right function when printing struct openvpn_sockaddr + +Arne Schwabe (3): + Fetch OpenSSL versions via source/old links + Fix OpenSSL error stack handling of tls_ctx_add_extra_certs + Fix OpenSSL 1.1.1 not using auto elliptic curve selection + +Lev Stipakov (4): + Fix broken fragmentation logic when using NCP + Fix building with --enable-async-push in FreeBSD + Fix broken async push with NCP is used + Fix illegal client float (CVE-2020-11810) + +Maxim Plotnikov (1): + OpenSSL: Fix --crl-verify not loading multiple CRLs in one file + +Santtu Lakkala (1): + Fix OpenSSL private key passphrase notices + +Selva Nair (7): + Swap the order of checks for validating interactive service user + Move querying username/password from management interface to a function + When auth-user-pass file has no password query the management interface (if available). + Fix possibly uninitialized return value in GetOpenvpnSettings() + Fix possible access of uninitialized pipe handles + Skip expired certificates in Windows certificate store + Allow unicode search string in --cryptoapicert option + +Tom van Leeuwen (1): + mbedTLS: Make sure TLS session survives move + +WGH (1): + docs: Add reference to X509_LOOKUP_hash_dir(3) + + 2019.10.30 -- Version 2.4.8 Antonio Quartulli (1): mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude
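Review bot: in the openvpn.changes hunk the bug reference on the "update to 2.4.9" line reads bsc#1169925O, with a letter O after the number, so it will not resolve as written; check it against the tracker and drop the stray character. The "fix illegal client float" bullet in the same hunk ends in "CVE-2020-11810)." with a closing parenthesis that has no opener. The CVE is already named on the first line of the entry, so that fragment can be removed or written as "(CVE-2020-11810)".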
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2020-09-03 01:12:56 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new.3399 (New) Package is "openvpn" Thu Sep 3 01:12:56 2020 rev:88 rq:830245 version:2.4.8 Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2020-03-11 18:45:18.495375851 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new.3399/openvpn.changes 2020-09-03 01:13:17.376451479 +0200 @@ -1,0 +2,18 @@ +Wed Aug 26 17:12:44 UTC 2020 - Franck Bui + +- Modernize openvpn.service + * /var/run has been obsoleted since a long time. + * on reload, send HUP signal directly rather than relying on +killproc to look for the main process. + +--- +Wed Aug 26 17:00:43 UTC 2020 - Franck Bui + +- Explicitly requires sysvinit-tools as some of the tools shipped by + this package are used in various places regardless of whether + openvpn is built for systemd or non systemd systems. + + For the context: sysvinit-tools was pulled in by systemd since 2014 + but it's no longer the case so better to be safe than sorry. + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.A3YPjT/_old 2020-09-03 01:13:19.864452394 +0200 +++ /var/tmp/diff_new_pack.A3YPjT/_new 2020-09-03 01:13:19.868452395 +0200 @@ -62,6 +62,7 @@ BuildRequires: xz Requires: iproute2 Requires: pkcs11-helper >= 1.11 +Requires: sysvinit-tools %if %{with_systemd} BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(systemd) ++ openvpn.service ++ --- /var/tmp/diff_new_pack.A3YPjT/_old 2020-09-03 01:13:19.984452438 +0200 +++ /var/tmp/diff_new_pack.A3YPjT/_new 2020-09-03 01:13:19.984452438 +0200 
@@ -6,10 +6,10 @@ [Service] Type=notify PrivateTmp=true -PIDFile=/var/run/openvpn/%i.pid -ExecStart=/usr/sbin/openvpn --daemon openvpn@%i --suppress-timestamps --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf +PIDFile=/run/openvpn/%i.pid +ExecStart=/usr/sbin/openvpn --daemon openvpn@%i --suppress-timestamps --writepid /run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf # boo#1142830: "reload" does not work if openvpn drops root privileges after startup. -ExecReload=/sbin/killproc -p /var/run/openvpn/%i.pid -HUP /usr/sbin/openvpn +ExecReload=/usr/bin/kill -HUP $MAINPID [Install] WantedBy=multi-user.target openvpn.target
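Review bot: in the openvpn.spec hunk, Requires: sysvinit-tools is added unconditionally, but the changes entry only says its tools are "used in various places", and the openvpn.service hunk in this same request removes the killproc call. Naming the remaining callers (which script uses which tool) in the entry or in a spec comment would make it possible to drop the dependency once they are gone.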
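Review bot: in the openvpn.service hunk, ExecReload now signals $MAINPID and no longer reads the pid file, yet PIDFile=/run/openvpn/%i.pid and the --writepid argument on ExecStart are carried over alongside Type=notify. Is the pid file still needed? If something outside the unit reads it, a comment saying so would help; otherwise both settings can be dropped in this cleanup. The retained boo#1142830 comment should also be rechecked against the new reload command so it still describes the actual limitation.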
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2020-03-11 18:43:09 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new.3160 (New) Package is "openvpn" Wed Mar 11 18:43:09 2020 rev:87 rq:782856 version:2.4.8 Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2020-02-03 11:11:44.653797196 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new.3160/openvpn.changes 2020-03-11 18:45:18.495375851 +0100 @@ -1,0 +2,7 @@ +Wed Mar 4 07:30:38 UTC 2020 - Fabian Vogt + +- Fix inconsistency in openvpn.service: + * It uses the unescape instance name as config file basename, +so use that in the description as well + +--- Other differences: -- ++ openvpn.service ++ --- /var/tmp/diff_new_pack.HlIMFS/_old 2020-03-11 18:45:22.527378324 +0100 +++ /var/tmp/diff_new_pack.HlIMFS/_new 2020-03-11 18:45:22.551378339 +0100 @@ -1,5 +1,5 @@ [Unit] -Description=OpenVPN tunneling daemon instance using /etc/openvpn/%I.conf +Description=OpenVPN tunneling daemon instance using /etc/openvpn/%i.conf After=network.target PartOf=openvpn.target
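Review bot: the openvpn.changes text says the unit uses the "unescape instance name", but the openvpn.service hunk switches Description= from %I to %i, and in systemd unit files %I is the unescaped instance name while %i is the instance name as given, with escaping left in place. The change itself matches a config file addressed as %i.conf; the entry should say "escaped" (or "not unescaped") so that the log agrees with what the specifier does.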
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2020-02-03 11:11:28 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new.26092 (New) Package is "openvpn" Mon Feb 3 11:11:28 2020 rev:86 rq:768341 version:2.4.8 Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2020-01-19 20:54:02.747943351 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new.26092/openvpn.changes 2020-02-03 11:11:44.653797196 +0100 @@ -1,0 +2,10 @@ +Fri Jan 24 11:22:01 UTC 2020 - Dominique Leuenberger + +- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to + shortcut through the -mini flavors. +- Use %systemd_ordering instead of systemd_requires: in fact, + systemd is not a hard requirement for openvpn. But in case a + system is being installed with systemd, we want systemd to be + there before openvpn is being installed. + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.pDGwhg/_old 2020-02-03 11:11:45.873797813 +0100 +++ /var/tmp/diff_new_pack.pDGwhg/_new 2020-02-03 11:11:45.877797815 +0100 @@ -63,17 +63,13 @@ Requires: iproute2 Requires: pkcs11-helper >= 1.11 %if %{with_systemd} -%{?systemd_requires} +BuildRequires: pkgconfig(libsystemd) +BuildRequires: pkgconfig(systemd) +%systemd_ordering %else PreReq: %fillup_prereq PreReq: %insserv_prereq %endif -%if %{with_systemd} -BuildRequires: systemd -%endif -%if %{with_systemd} -BuildRequires: pkgconfig(libsystemd) -%endif %description OpenVPN is a full-featured SSL VPN solution which can accommodate a wide
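Review bot: in the openvpn.spec hunk the removed line used the conditional form %{?systemd_requires}, which expands to nothing when the macro is undefined, while the added %systemd_ordering is unconditional. If the package is still built for a target whose macro set lacks systemd_ordering, the literal text ends up in the preamble and the build fails; %{?systemd_ordering} keeps the previous tolerance. The two new BuildRequires lines also sit inside the Requires block; moving them up to the other BuildRequires keeps the preamble grouped.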
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2020-01-19 20:53:28 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new.26092 (New) Package is "openvpn" Sun Jan 19 20:53:28 2020 rev:85 rq:764977 version:2.4.8 Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2019-10-25 18:40:14.703790049 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new.26092/openvpn.changes 2020-01-19 20:54:02.747943351 +0100 
@@ -1,0 +2,35 @@ +Tue Jan 7 21:28:42 UTC 2020 - Bjørn Lie + +- Update to version 2.4.8: + * mbedtls: fix segfault by calling mbedtls_cipher_free() in +cipher_ctx_free() + * cleanup: Remove RPM openvpn.spec build approach + * docs: Update INSTALL + * build: Package missing mock_msg.h + * Increase listen() backlog queue to 32 + * Force combinationation of --socks-proxy and --proto UDP to use +IPv4. + * Wrong FILETYPE in .rc files + * Do not set pkcs11-helper 'safe fork mode' + * tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex. + * Fix various compiler warnings + * Fix regression, reinstate LibreSSL support. + * man: correct the description of --capath and --crl-verify +regarding CRLs + * Fix typo in NTLM proxy debug message + * Ignore --pull-filter for --mode server + * openssl: Fix compilation without deprecated OpenSSL 1.1 APIs + * Better error message when script fails due to script-security +setting + * Correct the return value of cryptoapi RSA signature callbacks + * Handle PSS padding in cryptoapicert + * cmocka: use relative paths + * Fix documentation of tls-verify script argument + +--- +Thu Dec 19 15:30:15 UTC 2019 - Dominique Leuenberger + +- BuildRequire pkgconfig(libsystemd) instead of systemd-devel: + Allow OBS to shortcut through the -mini flavors. + +--- Old: openvpn-2.4.7.tar.xz openvpn-2.4.7.tar.xz.asc New: openvpn-2.4.8.tar.xz openvpn-2.4.8.tar.xz.asc Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.LWbDIu/_old 2020-01-19 20:54:03.603943801 +0100 +++ /var/tmp/diff_new_pack.LWbDIu/_new 2020-01-19 20:54:03.607943804 +0100 @@ -1,7 +1,7 @@ # # spec file for package openvpn # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -29,12 +29,12 @@ %define _rundir %{_localstatedir}/run %endif Name: openvpn -Version:2.4.7 +Version:2.4.8 Release:0 Summary:Full-featured SSL VPN solution using a TUN/TAP Interface License:SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.1-only Group: Productivity/Networking/Security -Url:http://openvpn.net/ +URL:http://openvpn.net/ Source: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.xz Source1: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.xz.asc Source2:%{name}.init @@ -72,7 +72,7 @@ BuildRequires: systemd %endif %if %{with_systemd} -BuildRequires: systemd-devel +BuildRequires: pkgconfig(libsystemd) %endif %description ++ openvpn-2.4.7.tar.xz -> openvpn-2.4.8.tar.xz ++ 4119 lines of diff (skipped)
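Review bot: the openvpn.changes hunk carries "Force combinationation of --socks-proxy and --proto UDP to use IPv4"; the doubled syllable should read "combination", even if the wording was copied from the upstream list.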
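Review bot: in the openvpn.spec hunk at line 29 the tag is renamed from Url: to URL: but the value stays http://openvpn.net/, while both Source lines directly below already use https. Since the line is being touched anyway, switching the project URL to https would make the preamble consistent.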
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2019-10-25 18:40:12 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new.2990 (New) Package is "openvpn" Fri Oct 25 18:40:12 2019 rev:84 rq:741878 version:2.4.7 Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2019-08-15 12:24:01.546626766 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new.2990/openvpn.changes 2019-10-25 18:40:14.703790049 +0200 @@ -1,0 +2,5 @@ +Wed Sep 18 06:52:56 UTC 2019 - Michal Hrusecky + +- Add p11kit build time dependency for pkcs providers autodetection + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.0ttwPr/_old 2019-10-25 18:40:15.555790851 +0200 +++ /var/tmp/diff_new_pack.0ttwPr/_new 2019-10-25 18:40:15.563790858 +0200 @@ -56,6 +56,7 @@ BuildRequires: libselinux-devel BuildRequires: lzo-devel BuildRequires: openssl-devel +BuildRequires: p11-kit-devel BuildRequires: pam-devel BuildRequires: pkcs11-helper-devel >= 1.11 BuildRequires: xz
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2019-08-15 12:24:00 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new.9556 (New) Package is "openvpn" Thu Aug 15 12:24:00 2019 rev:83 rq:720978 version:2.4.7 Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2019-07-29 17:23:12.910372756 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new.9556/openvpn.changes 2019-08-15 12:24:01.546626766 +0200 @@ -1,0 +2,6 @@ +Mon Jul 29 07:43:00 UTC 2019 - Reinhard Max + +- Clarify in the service file that the reload action doesn't work + when dropping root privileges (boo#1142830). + +--- Other differences: -- ++ openvpn.service ++ --- /var/tmp/diff_new_pack.JxSH3o/_old 2019-08-15 12:24:02.570626511 +0200 +++ /var/tmp/diff_new_pack.JxSH3o/_new 2019-08-15 12:24:02.570626511 +0200 @@ -8,6 +8,7 @@ PrivateTmp=true PIDFile=/var/run/openvpn/%i.pid ExecStart=/usr/sbin/openvpn --daemon openvpn@%i --suppress-timestamps --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf +# boo#1142830: "reload" does not work if openvpn drops root privileges after startup. ExecReload=/sbin/killproc -p /var/run/openvpn/%i.pid -HUP /usr/sbin/openvpn [Install]
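Review bot: the comment added above ExecReload in the openvpn.service hunk records that reload fails once openvpn has dropped root privileges, but the unit still offers the action and the comment does not say what to do instead. Stating the workaround in the comment or in README.SUSE (for example, that such configurations need a restart) would save readers a lookup of boo#1142830.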
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2019-07-29 17:23:11 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new.4126 (New) Package is "openvpn" Mon Jul 29 17:23:11 2019 rev:82 rq:717528 version:2.4.7 Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2018-04-30 22:56:46.345203820 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new.4126/openvpn.changes 2019-07-29 17:23:12.910372756 +0200 
@@ -1,0 +2,80 @@ +Tue Jun 25 19:15:00 UTC 2019 - Michael Ströder + +- Updated openvpn.keyring with public key downloaded from + https://swupdate.openvpn.net/community/keys/security-key-2019.asc + +--- +Thu Feb 21 18:26:42 UTC 2019 - Franck Bui + +- Drop use of $FIRST_ARG in openvpn.spec + + The use of $FIRST_ARG was probably required because of the + %service_* rpm macros were playing tricks with the shell positional + parameters. This is bad practice and error prones so let's assume + that no macros should do that anymore and hence it's safe to assume + that positional parameters remains unchanged after any rpm macro + call. + +--- +Wed Feb 20 21:22:25 UTC 2019 - Michael Ströder + +- Update to 2.4.7: + Adam Ciarcin?ski (1): +* Fix subnet topology on NetBSD (2.4). + Antonio Quartulli (3): +* add support for %lu in argv_printf and prevent ASSERT +* buffer_list: add functions documentation +* ifconfig-ipv6(-push): allow using hostnames + Arne Schwabe (7): +* Properly free tuntap struct on android when emulating persist-tun +* Add OpenSSL compat definition for RSA_meth_set_sign +* Add support for tls-ciphersuites for TLS 1.3 +* Add better support for showing TLS 1.3 ciphersuites in --show-tls +* Use right function to set TLS1.3 restrictions in show-tls +* Add message explaining early TLS client hello failure +* Fallback to password authentication when auth-token fails + Christian Ehrhardt (1): +* systemd: extend CapabilityBoundingSet for auth_pam + David Sommerseth (1): +* plugin: Export base64 encode and decode functions + Gert Doering (3): +* Add %d, %u and %lu tests to test_argv unit tests. +* Fix combination of --dev tap and --topology subnet across multiple platforms. +* Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6. + Gert van Dijk (1): +* Minor reliability layer documentation fixes + James Bekkema (1): +* Resolves small IV_GUI_VER typo in the documentation. + Jonathan K. 
Bullard (1): +* Clarify and expand management interface documentation + Lev Stipakov (5): +* Refactor NCP-negotiable options handling +* init.c: refine functions names and description +* interactive.c: fix usage of potentially uninitialized variable +* options.c: fix broken unary minus usage +* Remove extra token after #endif + Richard van den Berg via Openvpn-devel (1): +* Fix error message when using RHEL init script + Samy Mahmoudi (1): +* man: correct a --redirection-gateway option flag + Selva Nair (7): +* Replace M_DEBUG with D_LOW as the former is too verbose +* Correct the declaration of handle in 'struct openvpn_plugin_args_open_return' +* Bump version of openvpn plugin argument structs to 5 +* Move get system directory to a separate function +* Enable dhcp on tap adapter using interactive service +* Pass the hash without the DigestInfo header to NCryptSignHash() +* White-list pull-filter and script-security in interactive service + Simon Rozman (2): +* Add Interactive Service developer documentation +* Detect TAP interfaces with root-enumerated hardware ID + Steffan Karger (7): +* man: add security considerations to --compress section +* mbedtls: print warning if random personalisation fails +* Fix memory leak after sighup +* travis: add OpenSSL 1.1 Windows build +* Fix --disable-crypto build +* Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth' +* buffer_list_aggregate_separator(): simplify code + +--- Old: openvpn-2.4.6.tar.xz openvpn-2.4.6.tar.xz.asc New: openvpn-2.4.7.tar.xz openvpn-2.4.7.tar.xz.asc Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.4lE9MG/_old 2019-07-29 17:23:13.710372460 +0200 +++ /var/tmp/diff_new_pack.4lE9MG/_new 2019-07-29 17:23:13.710372460 +0200 @@ -1,7 +1,7 @@ # # spec file for package openvpn # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +#
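Review bot: the first entry of the openvpn.changes hunk replaces openvpn.keyring, which is the trust anchor for checking the .asc signature of the tarball, and documents only the download URL. Recording the fingerprint of the imported key in the entry would let a reviewer confirm the new keyring against an independent source. In the 2.4.7 entry the contributor name appears as "Adam Ciarcin?ski", with a question mark where a non-ASCII letter was lost; other names in the same hunk keep their non-ASCII letters, so this one should be restored as UTF-8.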
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2018-04-30 22:54:10 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is "openvpn" Mon Apr 30 22:54:10 2018 rev:81 rq:601900 version:2.4.6 Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2018-02-21 14:12:40.839576730 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2018-04-30 22:56:46.345203820 +0200 
@@ -1,0 +2,95 @@ +Fri Apr 27 12:25:19 UTC 2018 - m...@suse.com + +- Update to 2.4.6: + * CVE-2018-9336, bsc#1090839: Fix potential double-free() in +Interactive Service + * Delete the IPv6 route to the "connected" network on tun close + * Management: warn about password only when the option is in use + * Avoid overflow in wakeup time computation + +--- +Tue Apr 10 14:29:18 UTC 2018 - m...@suse.com + +- Remove --askpass again, because it was also asking for a password + when none was needed. As a workaround for keys that need a + password, the "askpass" statement should be added to the config + file (bsc#1078026). +- Use Type=notify in openvpn.service to reflect what openvpn is + actually doing. +- Import the new signing key from upstream. +- Remove obsolete configure switch --enable-password-save . + +--- +Tue Mar 13 01:32:52 UTC 2018 - avin...@opensuse.org + +- Update to 2.4.5 + * New features ++ The new option --tls-cert-profile can be used to restrict the + set of allowed crypto algorithms in TLS certificates in mbed + TLS builds. The default profile is 'legacy' for now, which + allows SHA1+, RSA-1024+ and any elliptic curve certificates. + The default will be changed to the 'preferred' profile in the + future, which requires SHA2+, RSA-2048+ and any curve. ++ openvpnserv: Add support for multi-instances (to support + multiple parallel OpenVPN installations, like EduVPN and + regular OpenVPN) ++ Use P_DATA_V2 for server->client packets too (better packet + alignment) ++ improve management interface documentation ++ rework registry key handling for OpenVPN service, notably + making most registry values optional, falling back to + reasonable defaults ++ accept IPv6 address for pushed "dhcp-option DNS ..." (make + OpenVPN 2 option compatible with OpenVPN 3 iOS and Android + clients) + * Bug fixes ++ Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+ ++ Fix lots of compiler warnings (format string, type casts, ...) 
++ reload HTTP proxy credentials when moving to the next + connection profile ++ Fix build with LibreSSL (multiple times) ++ Remove non-useful warning on pushed tun-ipv6 option. ++ autoconf: Fix engine checks for openssl 1.1 ++ lz4: Rebase compat-lz4 against upstream v1.7.5 ++ lz4: Fix broken builds when pkg-config is not present but + system library is ++ Fix '--bind ipv6only' ++ Allow learning iroutes with network made up of all 0s +- Includes 2.4.4 + * Bug fixes ++ Fix issues when a pushed cipher via the Negotiable Crypto + Parameters (NCP) is rejected by the remote side ++ Ignore --keysize when NCP have resulted in a changed cipher ++ Configurations using --auth-nocache and the management + interface to provide user credentials (like NetworkManager) + on client side with servers implementing authentication + tokens (for example, using --auth-gen-token) will now behave + correctly and not query the user for an, to them, unknown + authentication token on renegotiations of the tunnel. ++ Invalid or corrupt SOCKS port number when changing the proxy + via the management interface. ++ man page should now have proper escaping of hyphen/minus + characters and other minor corrections. + * User-visible Changes ++ Linux servers with systemd which use the openvpn-server@.service + unit file for server configurations will now utilize the + automatic restart feature in systemd. If the OpenVPN server + process dies unexpectedly, systemd will ensure the OpenVPN + configuration will be restarted automatically. + * Deprecated ++ --no-replay (will be removed in 2.5) ++ --keysize (will be removed in 2.6) + * Security ++ CVE-2017-12166: Fix bounds check for configurations using + --key-method 1. Before this fix, attackers could send a + malformed packet to trigger a stack overflow. This is + considered to be a low risk issue, as --key-method 2 has + been the default since 2.0 (released on 2005-04-17). This + option is already deprecated in v2.4 and
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2018-02-21 14:12:37 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is "openvpn" Wed Feb 21 14:12:37 2018 rev:80 rq:578447 version:2.4.3 Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2017-11-25 08:43:58.399384512 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2018-02-21 14:12:40.839576730 +0100 @@ -1,0 +2,8 @@ +Tue Feb 13 17:49:09 UTC 2018 - m...@suse.com + +- Add --askpass to ExecStart, so that the user name and password + are correctly being queried from the user. + (bsc#1078026, boo#985798, boo#1031748) +- Use %service_add/del macros throughout (bsc#1038406). + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.bTcJIS/_old 2018-02-21 14:12:43.519480221 +0100 +++ /var/tmp/diff_new_pack.bTcJIS/_new 2018-02-21 14:12:43.523480077 +0100 @@ -1,7 +1,7 @@ # # spec file for package openvpn # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -211,6 +211,9 @@ rm -rf %{buildroot}%{_datadir}/doc/{OpenVPN,%{name}} find sample -name .gitignore | xargs rm -f +%pre +%service_add_pre %{name}.target + %post %if %{with_systemd} systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||: @@ -262,7 +265,7 @@ %postun %if %{with_systemd} -/bin/systemctl --system daemon-reload &>/dev/null || : +%service_del_postun %{name}.target %else %{?insserv_cleanup:%insserv_cleanup} %endif ++ openvpn.service ++ --- /var/tmp/diff_new_pack.bTcJIS/_old 2018-02-21 14:12:43.667474891 +0100 +++ /var/tmp/diff_new_pack.bTcJIS/_new 2018-02-21 14:12:43.667474891 +0100 
@@ -7,7 +7,7 @@ Type=forking PrivateTmp=true PIDFile=/var/run/openvpn/%i.pid -ExecStart=/usr/sbin/openvpn --daemon --suppress-timestamps --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf +ExecStart=/usr/sbin/openvpn --daemon --askpass --suppress-timestamps --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf ExecReload=/sbin/killproc -p /var/run/openvpn/%i.pid -HUP /usr/sbin/openvpn [Install]
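Review bot: in the openvpn.spec hunk the new %pre scriptlet calls %service_add_pre %{name}.target outside any %if %{with_systemd} guard, whereas the matching %service_del_postun in %postun and the body of %post are inside one. Wrapping the %pre body in the same conditional keeps the systemd and non-systemd paths symmetric.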
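Review bot: in the openvpn.service hunk, --askpass is added to ExecStart for every instance, without a file argument and regardless of whether that instance's private key is passphrase-protected, so instances that need no password may be prompted as well. Leaving the unit unchanged and documenting an "askpass" statement in the affected config files would confine the prompt to the setups that need it.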
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2017-11-25 08:43:50 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is "openvpn" Sat Nov 25 08:43:50 2017 rev:79 rq:545137 version:2.4.3 Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2017-10-11 23:02:07.986852519 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2017-11-25 08:43:58.399384512 +0100 @@ -1,0 +2,6 @@ +Thu Nov 23 13:52:15 UTC 2017 - rbr...@suse.com + +- Replace references to /var/adm/fillup-templates with new + %_fillupdir macro (boo#1069468) + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.lj0pq9/_old 2017-11-25 08:43:59.823332631 +0100 +++ /var/tmp/diff_new_pack.lj0pq9/_new 2017-11-25 08:43:59.827332485 +0100 @@ -16,6 +16,11 @@ # +#Compat macro for new _fillupdir macro introduced in Nov 2017 +%if ! %{defined _fillupdir} + %define _fillupdir /var/adm/fillup-templates +%endif + %if 0%{?suse_version} > 1210 %define with_systemd 1 %else @@ -194,9 +199,9 @@ install -D -m 755 $RPM_SOURCE_DIR/openvpn.init %{buildroot}/%{_sysconfdir}/init.d/openvpn ln -sv %{_sysconfdir}/init.d/openvpn %{buildroot}/%{_sbindir}/rcopenvpn # the /etc/sysconfig/openvpn template only with sysvinit, no needed with systemd -install -d -m0755 %{buildroot}%{_localstatedir}/adm/fillup-templates +install -d -m0755 %{buildroot}%{_fillupdir} install-m0600 $RPM_SOURCE_DIR/openvpn.sysconfig \ - %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.openvpn + %{buildroot}%{_fillupdir}/sysconfig.openvpn %endif cp -p $RPM_SOURCE_DIR/openvpn.README.SUSE README.SUSE install -m 755 $RPM_SOURCE_DIR/client-netconfig.up sample/sample-scripts/client-netconfig.up 
@@ -214,7 +219,7 @@ if test ${FIRST_ARG:-$1} -ge 1 -a \ -x /bin/systemctl -a \ -f %{_sysconfdir}/sysconfig/openvpn -a \ - -f %{_localstatedir}/adm/fillup-templates/sysconfig.openvpn && \ + -f %{_fillupdir}/sysconfig.openvpn && \ /bin/systemctl --quiet is-enabled openvpn.service &>/dev/null ; then . %{_sysconfdir}/sysconfig/openvpn @@ -282,7 +287,7 @@ %dir %attr(0750,root,root) %ghost %{_rundir}/openvpn/ %else %config %{_sysconfdir}/init.d/openvpn -%{_localstatedir}/adm/fillup-templates/sysconfig.openvpn +%{_fillupdir}/sysconfig.openvpn %dir %attr(750,root,root) %{_rundir}/openvpn/ %endif %{_sbindir}/rcopenvpn
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2017-10-11 23:02:04 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is "openvpn" Wed Oct 11 23:02:04 2017 rev:78 rq:533032 version:2.4.3 Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2017-10-05 12:05:47.721421506 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2017-10-11 23:02:07.986852519 +0200 @@ -1,0 +2,6 @@ +Tue Oct 10 14:10:30 CEST 2017 - n...@suse.de + +- Do bound check in read_key before using values(CVE-2017-12166 bsc#1060877). + [+ 0002-Fix-bounds-check-in-read_key.patch] + +--- New: 0002-Fix-bounds-check-in-read_key.patch Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.WdjALE/_old 2017-10-11 23:02:09.738775765 +0200 +++ /var/tmp/diff_new_pack.WdjALE/_new 2017-10-11 23:02:09.754775064 +0200 @@ -54,6 +54,7 @@ Patch7: openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch Patch8: openvpn-2.3.x-fixed-multiple-low-severity-issues.patch Patch9: 0001-preform-deferred-authentication-in-the-background.patch +Patch10:0002-Fix-bounds-check-in-read_key.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: iproute2 BuildRequires: lzo-devel @@ -141,6 +142,7 @@ %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 sed -e "s|\" __DATE__|$(date '+%b %e %Y' -r version.m4)\"|g" \ -i src/openvpn/options.c ++ 0002-Fix-bounds-check-in-read_key.patch ++ >From 3b1a61e9fb27213c46f76312f4065816bee8ed01 Mon Sep 17 00:00:00 2001 
From: Steffan KargerDate: Tue, 15 Aug 2017 10:04:33 +0200 Subject: [PATCH] Fix bounds check in read_key() The bounds check in read_key() was performed after using the value, instead of before. If 'key-method 1' is used, this allowed an attacker to send a malformed packet to trigger a stack buffer overflow. Fix this by moving the input validation to before the writes. Note that 'key-method 1' has been replaced by 'key method 2' as the default in OpenVPN 2.0 (released on 2005-04-17), and explicitly deprecated in 2.4 and marked for removal in 2.5. This should limit the amount of users impacted by this issue. CVE: 2017-12166 Signed-off-by: Steffan Karger Acked-by: Gert Doering Acked-by: David Sommerseth Message-Id: <80690690-67ac-3320-1891-9fecedc6a...@fox-it.com> URL: https://www.mail-archive.com/search?l=mid=80690690-67ac-3320-1891-9fecedc6a...@fox-it.com Signed-off-by: David Sommerseth --- src/openvpn/crypto.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 131257e5..3f3caa1c 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -1666,6 +1666,11 @@ read_key(struct key *key, const struct key_type *kt, struct buffer *buf) goto read_err; } +if (cipher_length != kt->cipher_length || hmac_length != kt->hmac_length) +{ +goto key_len_err; +} + if (!buf_read(buf, key->cipher, cipher_length)) { goto read_err; @@ -1675,11 +1680,6 @@ read_key(struct key *key, const struct key_type *kt, struct buffer *buf) goto read_err; } -if (cipher_length != kt->cipher_length || hmac_length != kt->hmac_length) -{ -goto key_len_err; -} - return 1; read_err: -- 2.13.6
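Review bot: in the read_key() hunk the relocated check compares cipher_length and hmac_length only against kt->cipher_length and kt->hmac_length, so the two buf_read() calls that follow are safe only as long as the key_type lengths never exceed the size of key->cipher and key->hmac. If the lines above the hunk do not already enforce that, an explicit bound against the destination array sizes next to this check would make the function safe on its own. A unit test that feeds read_key() a buffer with oversized length fields would keep the ordering from regressing.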
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2017-10-05 12:02:06 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is "openvpn" Thu Oct 5 12:02:06 2017 rev:77 rq:531163 version:2.4.3 Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2017-06-20 09:41:10.277504005 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2017-10-05 12:05:47.721421506 +0200 
@@ -1,0 +2,50 @@ +Fri Aug 11 13:43:39 UTC 2017 - sebix+novell@sebix.at + +- Do not package empty /usr/lib64/tmpfiles.d + +--- +Fri Jun 23 11:47:38 CEST 2017 - n...@suse.de + +- Update to 2.4.3 (bsc#1045489) +- Ignore auth-nocache for auth-user-pass if auth-token is pushed +- crypto: Enable SHA256 fingerprint checking in --verify-hash +- copyright: Update GPLv2 license texts +- auth-token with auth-nocache fix broke --disable-crypto builds +- OpenSSL: don't use direct access to the internal of X509 +- OpenSSL: don't use direct access to the internal of EVP_PKEY +- OpenSSL: don't use direct access to the internal of RSA +- OpenSSL: don't use direct access to the internal of DSA +- OpenSSL: force meth->name as non-const when we free() it +- OpenSSL: don't use direct access to the internal of EVP_MD_CTX +- OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX +- OpenSSL: don't use direct access to the internal of HMAC_CTX +- Fix NCP behaviour on TLS reconnect. +- Remove erroneous limitation on max number of args for --plugin +- Fix edge case with clients failing to set up cipher on empty PUSH_REPLY. +- Fix potential 1-byte overread in TCP option parsing. +- Fix remotely-triggerable ASSERT() on malformed IPv6 packet. +- Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst) +- refactor my_strupr +- Fix 2 memory leaks in proxy authentication routine +- Fix memory leak in add_option() for option 'connection' +- Ensure option array p[] is always NULL-terminated +- Fix a null-pointer dereference in establish_http_proxy_passthru() +- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data +- Fix an unaligned access on OpenBSD/sparc64 +- Missing include for socket-flags TCP_NODELAY on OpenBSD +- Make openvpn-plugin.h self-contained again. 
+- Pass correct buffer size to GetModuleFileNameW() +- Log the negotiated (NCP) cipher +- Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c) +- Skip tls-crypt unit tests if required crypto mode not supported +- openssl: fix overflow check for long --tls-cipher option +- Add a DSA test key/cert pair to sample-keys +- Fix mbedtls fingerprint calculation +- mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522) +- mbedtls: require C-string compatible types for --x509-username-field +- Fix remote-triggerable memory leaks (CVE-2017-7521) +- Restrict --x509-alt-username extension types +- Fix potential double-free in --x509-alt-username (CVE-2017-7521) +- Fix gateway detection with OpenBSD routing domains + +--- @@ -9 +59 @@ -- Update tp 2.4.2 +- Update to 2.4.2 Old: openvpn-2.4.2.tar.xz openvpn-2.4.2.tar.xz.asc New: openvpn-2.4.3.tar.xz openvpn-2.4.3.tar.xz.asc Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.WtTiAp/_old 2017-10-05 12:05:51.072949419 +0200 +++ /var/tmp/diff_new_pack.WtTiAp/_new 2017-10-05 12:05:51.072949419 +0200 @@ -32,7 +32,7 @@ %else PreReq: %insserv_prereq %fillup_prereq %endif -Version:2.4.2 +Version:2.4.3 Release:0 Summary:Full-featured SSL VPN solution using a TUN/TAP Interface License:SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1 @@ -273,7 +273,7 @@ %doc %{_mandir}/man8/openvpn.8.gz %config(noreplace) %{_sysconfdir}/openvpn/ %if %{with_systemd} -%dir %{_libdir}/tmpfiles.d +%dir %{_tmpfilesdir} %{_unitdir}/%{name}@.service %{_unitdir}/%{name}.target %{_tmpfilesdir}/%{name}.conf ++ openvpn-2.3.x-fixed-multiple-low-severity-issues.patch ++ --- /var/tmp/diff_new_pack.WtTiAp/_old 2017-10-05 12:05:51.128941532 +0200 +++ /var/tmp/diff_new_pack.WtTiAp/_new 2017-10-05 12:05:51.128941532 +0200 @@ -1,8 +1,8 @@ diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c -index 09659aa..b35d884 100644 +index ff0f9a7..fb27b36 100644 --- a/src/openvpn/crypto.c 
+++ b/src/openvpn/crypto.c -@@ -119,7 +119,7 @@ openvpn_encrypt_aead(struct buffer
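Review bot: in the openvpn.changes hunk (@@ -1,0 +2,50), several entries describe remotely triggerable or memory-safety fixes without any identifier, for example "Fix remotely-triggerable ASSERT() on malformed IPv6 packet" and "Prevent two kinds of stack buffer OOB reads and a crash for invalid input data", while the mbedtls and --x509-alt-username entries carry CVE numbers. If those fixes have CVE or bsc identifiers assigned, add them to the matching lines so the update can be tracked per issue; as written, only bsc#1045489 is referenced for the whole version bump.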
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2017-06-20 09:41:09 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is "openvpn" Tue Jun 20 09:41:09 2017 rev:76 rq:504783 version:2.4.2 Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2017-06-12 15:30:42.230982401 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2017-06-20 09:41:10.277504005 +0200 @@ -1,0 +2,5 @@ +Wed Jun 14 12:05:14 CEST 2017 - n...@suse.de + +- use %{_tmpfilesdir} for tmpfiles.d/openvpn.conf (bsc#1044223) + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.arGeIw/_old 2017-06-20 09:41:11.105387278 +0200 +++ /var/tmp/diff_new_pack.arGeIw/_new 2017-06-20 09:41:11.105387278 +0200 @@ -180,12 +180,14 @@ %if %{with_systemd} rm %{buildroot}%{_libdir}/systemd/system/openvpn-client@.service rm %{buildroot}%{_libdir}/systemd/system/openvpn-server@.service +#use one proveded by suse +rm %{buildroot}%{_libdir}/tmpfiles.d/openvpn.conf install -D -m 644 %{name}.service %{buildroot}/%{_unitdir}/%{name}@.service install -D -m 644 $RPM_SOURCE_DIR/%{name}.target %{buildroot}/%{_unitdir}/%{name}.target install -D -m 755 $RPM_SOURCE_DIR/rc%{name} %{buildroot}%{_sbindir}/rc%{name} # tmpfiles.d -mkdir -p %{buildroot}%{_libdir}/tmpfiles.d -install -m 0644 $RPM_SOURCE_DIR/%{name}-tmpfile.conf %{buildroot}%{_libdir}/tmpfiles.d/%{name}.conf +mkdir -p %{buildroot}%{_tmpfilesdir} +install -m 0644 $RPM_SOURCE_DIR/%{name}-tmpfile.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf %else install -D -m 755 $RPM_SOURCE_DIR/openvpn.init %{buildroot}/%{_sysconfdir}/init.d/openvpn ln -sv %{_sysconfdir}/init.d/openvpn %{buildroot}/%{_sbindir}/rcopenvpn 
@@ -204,7 +206,7 @@ %post %if %{with_systemd} -systemd-tmpfiles --create %{_libdir}/tmpfiles.d/%{name}.conf ||: +systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||: %service_add_post %{name}.target # try to migrate openvpn.service autostart to openvpn@.service if test ${FIRST_ARG:-$1} -ge 1 -a \ @@ -274,7 +276,7 @@ %dir %{_libdir}/tmpfiles.d %{_unitdir}/%{name}@.service %{_unitdir}/%{name}.target -%{_libdir}/tmpfiles.d/%{name}.conf +%{_tmpfilesdir}/%{name}.conf %dir %attr(0750,root,root) %ghost %{_rundir}/openvpn/ %else %config %{_sysconfdir}/init.d/openvpn
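Review bot: in the %install hunk (@@ -180,12 +180,14), the added comment reads "#use one proveded by suse"; spell it "# use the one provided by SUSE" and name the file it refers to, since the rm below it removes the upstream tmpfiles.d snippet while the two service rm lines above it have no comment at all. A reader of the spec cannot tell from the current wording that the SUSE copy is installed a few lines further down from %{name}-tmpfile.conf.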
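Review bot: in the %files hunk (@@ -274,7 +276,7), the context line %dir %{_libdir}/tmpfiles.d is left in place while the snippet itself moves to %{_tmpfilesdir}/%{name}.conf, so the package keeps owning a directory it no longer installs into, and after the rm added in %install that directory is empty. Change the line to %dir %{_tmpfilesdir} or drop it.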
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2017-06-12 15:30:13 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is "openvpn" Mon Jun 12 15:30:13 2017 rev:75 rq:501452 version:2.4.2 Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2017-05-08 19:03:00.964127085 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2017-06-12 15:30:42.230982401 +0200 @@ -1,0 +2,20 @@ +Tue Jun 6 14:59:29 CEST 2017 - n...@suse.de + +- Update tp 2.4.2 +- auth-token: Ensure tokens are always wiped on de-auth +- Make --cipher/--auth none more explicit on the risks +- Use SHA256 for the internal digest, instead of MD5 +- Deprecate --ns-cert-type +- Deprecate --no-iv +- Support --block-outside-dns on multiple tunnels +- Limit --reneg-bytes to 64MB when using small block ciphers +- Fix --tls-version-max in mbed TLS builds + Details changelogs are avilable in + https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 + [*0001-preform-deferred-authentication-in-the-background.patch + *openvpn-2.3.x-fixed-multiple-low-severity-issues.patch + *openvpn-fips140-2.3.2.patch] +- pkcs11-helper-devel >= 1.11 is needed for openvpn-2.4.2 +- cleanup the spec file + +--- Old: openvpn-2.3.14.tar.xz openvpn-2.3.14.tar.xz.asc New: openvpn-2.4.2.tar.xz openvpn-2.4.2.tar.xz.asc Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.QHVtIS/_old 2017-06-12 15:30:47.802196665 +0200 +++ /var/tmp/diff_new_pack.QHVtIS/_new 2017-06-12 15:30:47.806196101 +0200 @@ -32,7 +32,7 @@ %else PreReq: %insserv_prereq %fillup_prereq %endif -Version:2.3.14 +Version:2.4.2 Release:0 Summary:Full-featured SSL VPN solution using a TUN/TAP Interface License:SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1 
@@ -63,8 +63,8 @@ BuildRequires: systemd %endif BuildRequires: libselinux-devel -BuildRequires: pkcs11-helper-devel -Requires: pkcs11-helper +BuildRequires: pkcs11-helper-devel >= 1.11 +Requires: pkcs11-helper >= 1.11 %if %{with_systemd} BuildRequires: systemd-devel %endif @@ -147,14 +147,14 @@ sed -e "s|@PLUGIN_LIBDIR@|%{_libdir}/openvpn/plugins|g" \ -e "s|@PLUGIN_DOCDIR@|%{_defaultdocdir}/%{name}|g" \ -i doc/openvpn.8 -sed -e "s|/var/run|%{_rundir}|g" < \ +sed -e "s|%{_localstatedir}/run|%{_rundir}|g" < \ $RPM_SOURCE_DIR/%{name}.service > %{name}.service # %%doc items shouldn't be executable. find contrib sample -type f -exec chmod a-x \{\} \; %build -export CFLAGS="$RPM_OPT_FLAGS $(getconf LFS_CFLAGS) -W -Wall -fno-strict-aliasing" +export CFLAGS="%{optflags} $(getconf LFS_CFLAGS) -W -Wall -fno-strict-aliasing" export LDFLAGS %configure \ --enable-iproute2 \ 
@@ -169,52 +169,54 @@ --enable-plugin-auth-pam\ CFLAGS="$CFLAGS $(getconf LFS_CFLAGS) -fPIE $PLUGIN_DEFS" \ LDFLAGS="$LDFLAGS -pie -lpam -rdynamic -Wl,-rpath,%{_libdir}/%{name}/plugins" -make +make %{_smp_mflags} %install make DESTDIR=$RPM_BUILD_ROOT install -find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f -mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openvpn -mkdir -p $RPM_BUILD_ROOT/%{_rundir}/openvpn -mkdir -p $RPM_BUILD_ROOT/%{_datadir}/openvpn +find %{buildroot} -type f -name "*.la" -delete -print +mkdir -p %{buildroot}/%{_sysconfdir}/openvpn +mkdir -p %{buildroot}/%{_rundir}/openvpn +mkdir -p %{buildroot}/%{_datadir}/openvpn %if %{with_systemd} +rm %{buildroot}%{_libdir}/systemd/system/openvpn-client@.service +rm %{buildroot}%{_libdir}/systemd/system/openvpn-server@.service install -D -m 644 %{name}.service %{buildroot}/%{_unitdir}/%{name}@.service install -D -m 644 $RPM_SOURCE_DIR/%{name}.target %{buildroot}/%{_unitdir}/%{name}.target install -D -m 755 $RPM_SOURCE_DIR/rc%{name} %{buildroot}%{_sbindir}/rc%{name} # tmpfiles.d -mkdir -p %{buildroot}%{_libexecdir}/tmpfiles.d -install -m 0644 $RPM_SOURCE_DIR/%{name}-tmpfile.conf %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf +mkdir -p %{buildroot}%{_libdir}/tmpfiles.d +install -m 0644 $RPM_SOURCE_DIR/%{name}-tmpfile.conf %{buildroot}%{_libdir}/tmpfiles.d/%{name}.conf %else -install -D -m 755 $RPM_SOURCE_DIR/openvpn.init $RPM_BUILD_ROOT/%{_sysconfdir}/init.d/openvpn -ln -sv %{_sysconfdir}/init.d/openvpn $RPM_BUILD_ROOT/%{_sbindir}/rcopenvpn +install -D -m 755 $RPM_SOURCE_DIR/openvpn.init %{buildroot}/%{_sysconfdir}/init.d/openvpn +ln -sv %{_sysconfdir}/init.d/openvpn %{buildroot}/%{_sbindir}/rcopenvpn # the /etc/sysconfig/openvpn template
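Review bot: in the %install hunk (@@ -169,52 +169,54), the tmpfiles.d snippet moves from %{_libexecdir}/tmpfiles.d to %{_libdir}/tmpfiles.d, which expands to /usr/lib64/tmpfiles.d on 64-bit targets, a directory systemd-tmpfiles does not read, so the snippet would be ignored at boot there. Install it to %{_tmpfilesdir} instead and use the same macro wherever the file is referenced in %post and %files.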
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2017-05-08 19:02:41 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is "openvpn" Mon May 8 19:02:41 2017 rev:74 rq:492826 version:2.3.14 Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2017-01-25 23:33:51.207649062 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2017-05-08 19:03:00.964127085 +0200 @@ -1,0 +2,13 @@ +Fri Apr 21 14:55:09 CEST 2017 - n...@suse.de + +- Preform deferred authentication in the background to not + cause main daemon processing delays when the underlying pam mechanism (e.g. + ldap) needs longer to response (bsc#959511). + [+ 0001-preform-deferred-authentication-in-the-background.patch] +- Added fix for possible heap overflow on read accessing getaddrinfo + result (bsc#959714). + [+openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch] +- Added a patch to fix multiple low severity issues (bsc#934237). + [+openvpn-2.3.x-fixed-multiple-low-severity-issues.patch] + +--- New: 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.56XWf9/_old 2017-05-08 19:03:01.879997703 +0200 +++ /var/tmp/diff_new_pack.56XWf9/_new 2017-05-08 19:03:01.883997138 +0200 @@ -51,6 +51,9 @@ Source11: rc%{name} Patch1: %{name}-2.3-plugin-man.dif Patch6: %{name}-fips140-2.3.2.patch +Patch7: openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch +Patch8: openvpn-2.3.x-fixed-multiple-low-severity-issues.patch +Patch9: 0001-preform-deferred-authentication-in-the-background.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: iproute2 BuildRequires: lzo-devel 
@@ -135,6 +138,9 @@ %setup -q -n %{name}-%{version} %patch1 -p0 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 sed -e "s|\" __DATE__|$(date '+%b %e %Y' -r version.m4)\"|g" \ -i src/openvpn/options.c ++ 0001-preform-deferred-authentication-in-the-background.patch ++ >From 8c39dbd45d3551e838310732a73e05f6d2d2e784 Mon Sep 17 00:00:00 2001 From: Nirmoy DasDate: Thu, 12 May 2016 12:08:56 +0200 Subject: [PATCH] preform deferred authentication in the background to not cause main daemon processing delays when the underlying pam mechanism (e.g. ldap) needs longer to response. References: bsc#959511 diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c index bd71792..119fc31 100644 --- a/src/plugins/auth-pam/auth-pam.c +++ b/src/plugins/auth-pam/auth-pam.c @@ -55,6 +55,7 @@ /* Command codes for foreground -> background communication */ #define COMMAND_VERIFY 0 #define COMMAND_EXIT 1 +#define COMMAND_VERIFY_V2 2 /* Response codes for background -> foreground communication */ #define RESPONSE_INIT_SUCCEEDED 10 @@ -108,6 +109,7 @@ struct user_pass { char username[128]; char password[128]; char common_name[128]; + char auth_control_file[PATH_MAX]; const struct name_value_list *name_value_list; }; @@ -687,6 +689,21 @@ pam_auth (const char *service, const struct user_pass *up) return ret; } +static int handle_auth_control_file(char *auth_control_file, int status) +{ + FILE *fp = fopen(auth_control_file, "w"); + + if (fp) { + if (fprintf (fp, "%d\n", status) < 0) { + fclose(fp); + return -1; + } + fclose(fp); + return 0; + } + return -1; +} + /* * Background process -- runs with privilege. */ 
@@ -781,6 +798,41 @@ pam_server (int fd, const char *service, int verb, const struct name_value_list } break; + case COMMAND_VERIFY_V2: + if (recv_string (fd, up.username, sizeof (up.username)) == -1 + || recv_string (fd, up.password, sizeof (up.password)) == -1 + || recv_string (fd, up.common_name, sizeof (up.common_name)) == -1 + || recv_string (fd, up.auth_control_file, sizeof (up.auth_control_file)) == -1) + { + fprintf (stderr, "AUTH-PAM: BACKGROUND: read error on command channel: code=%d, exiting\n", + command); + goto done; + } + + if (DEBUG (verb)) + { +#if 0 + fprintf
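Review bot: handle_auth_control_file(), added at @@ -687, calls fopen(auth_control_file, "w") in the background process, which the context comment just below it describes as running with privilege, on a path that the COMMAND_VERIFY_V2 case reads from the command channel with recv_string(). fopen() follows symlinks and truncates the target, so the privileged side should not take that path on trust: if the file is expected to exist already, open it with open() using O_WRONLY | O_NOFOLLOW and no O_CREAT, or write the status from the unprivileged side instead. The function also ignores the return value of fclose(), where a buffered write failure would surface, and its first parameter can be const char *.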
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2017-01-25 23:33:47 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is "openvpn" Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2017-01-10 10:52:01.367138159 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2017-01-25 23:33:51.207649062 +0100 @@ -1,0 +2,34 @@ +Sun Jan 22 15:21:17 UTC 2017 - mrueck...@suse.de + +- silence warning about %{_rundir}/openvpn + - for non systemd case: just package the %{_rundir}/openvpn in +the package + - for systemd case: call systemd-tmpfiles and own the dir as +%ghost in the filelist + +--- +Sun Jan 22 14:51:44 UTC 2017 - mrueck...@suse.de + +- refreshed patches to apply cleanly again + openvpn-2.3-plugin-man.dif + openvpn-fips140-2.3.2.patch + +--- +Sun Jan 22 14:47:39 UTC 2017 - mrueck...@suse.de + +- update to 2.3.14 + - update year in copyright message + - Document the --auth-token option + - Repair topology subnet on FreeBSD 11 + - Repair topology subnet on OpenBSD + - Drop recursively routed packets + - Support --block-outside-dns on multiple tunnels + - When parsing '--setenv opt xx ..' make sure a third parameter +is present + - Map restart signals from event loop to SIGTERM during +exit-notification wait + - Correctly state the default dhcp server address in man page + - Clean up format_hex_ex() +- enabled pkcs11 support + +--- Old: openvpn-2.3.13.tar.xz openvpn-2.3.13.tar.xz.asc New: openvpn-2.3.14.tar.xz openvpn-2.3.14.tar.xz.asc Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.NzaYsJ/_old 2017-01-25 23:33:52.127510450 +0100 +++ /var/tmp/diff_new_pack.NzaYsJ/_new 2017-01-25 23:33:52.131509847 +0100 
@@ -1,7 +1,7 @@ # # spec file for package openvpn # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -32,7 +32,7 @@ %else PreReq: %insserv_prereq %fillup_prereq %endif -Version:2.3.13 +Version:2.3.14 Release:0 Summary:Full-featured SSL VPN solution using a TUN/TAP Interface License:SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1 @@ -154,6 +154,7 @@ --enable-iproute2 \ --enable-x509-alt-username \ --enable-password-save \ + --enable-pkcs11 \ %if %{with_systemd} --enable-systemd\ %endif @@ -194,8 +195,8 @@ find sample -name .gitignore | xargs rm -f %post -%__mkdir_p -m750 %{_rundir}/openvpn %if %{with_systemd} +systemd-tmpfiles --create /usr/lib/tmpfiles.d/%{name}.conf ||: %service_add_post %{name}.target # try to migrate openvpn.service autostart to openvpn@.service if test ${FIRST_ARG:-$1} -ge 1 -a \ @@ -265,13 +266,14 @@ %{_unitdir}/%{name}@.service %{_unitdir}/%{name}.target %{_libexecdir}/tmpfiles.d/%{name}.conf +%dir %attr(0750,root,root) %ghost %{_rundir}/openvpn/ %else %config %{_sysconfdir}/init.d/openvpn /var/adm/fillup-templates/sysconfig.openvpn +%dir %attr(750,root,root) %{_rundir}/openvpn/ %endif %{_sbindir}/rcopenvpn %{_sbindir}/openvpn -%attr(0750,root,root) %dir %ghost %{_rundir}/openvpn %files down-root-plugin %defattr(-,root,root) ++ openvpn-2.3-plugin-man.dif ++ --- /var/tmp/diff_new_pack.NzaYsJ/_old 2017-01-25 23:33:52.191500807 +0100 +++ /var/tmp/diff_new_pack.NzaYsJ/_new 2017-01-25 23:33:52.191500807 +0100 
@@ -1,6 +1,8 @@ doc/openvpn.8 -+++ doc/openvpn.8 2015/03/02 08:58:02 -@@ -2569,12 +2569,11 @@ plug-in modules, see the README file in +Index: doc/openvpn.8 +=== +--- doc/openvpn.8.orig doc/openvpn.8 +@@ -2690,12 +2690,11 @@ plug-in modules, see the README file in .B plugin folder of the OpenVPN source distribution. ++ openvpn-2.3.13.tar.xz -> openvpn-2.3.14.tar.xz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.13/ChangeLog new/openvpn-2.3.14/ChangeLog --- old/openvpn-2.3.13/ChangeLog2016-11-03 09:52:28.0 +0100 +++ new/openvpn-2.3.14/ChangeLog2016-12-07 12:35:43.0 +0100 @@ -1,6 +1,30 @@ OpenVPN Change Log Copyright (C) 2002-2015 OpenVPN Technologies,
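Review bot: in the %post hunk (@@ -194,8 +195,8), systemd-tmpfiles --create is given the hard-coded path /usr/lib/tmpfiles.d/%{name}.conf, while the %files hunk below lists the same snippet as %{_libexecdir}/tmpfiles.d/%{name}.conf. Use one macro for both so the two cannot drift apart; the trailing ||: hides the failure if they do, and the %{_rundir}/openvpn directory that the removed %__mkdir_p -m750 line used to create would then be missing after install.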
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2016-11-29 12:50:18 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is "openvpn" Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2016-09-16 11:01:44.0 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2016-11-29 12:50:19.0 +0100 @@ -1,0 +2,6 @@ +Mon Nov 28 16:33:34 UTC 2016 - matwey.korni...@gmail.com + +- Require iproute2 explicitly. openvpn uses /bin/ip from iproute2, + so it should be installed + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.mKyYnz/_old 2016-11-29 12:50:20.0 +0100 +++ /var/tmp/diff_new_pack.mKyYnz/_new 2016-11-29 12:50:20.0 +0100 @@ -67,6 +67,7 @@ %if %{with_systemd} BuildRequires: systemd-devel %endif +Requires: iproute2 BuildRequires: xz %description
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2016-09-16 11:01:41 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is "openvpn" Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2016-06-07 23:48:42.0 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2016-09-16 11:01:44.0 +0200 @@ -1,0 +2,8 @@ +Thu Sep 8 13:26:16 UTC 2016 - astie...@suse.com + +- Add an example for a FIPS 140-2 approved cipher configuration to + the sample configuration files. Fixes bsc#988522 + adding openvpn-fips140-AES-cipher-in-config-template.patch +- remove gpg-offline signature verification, now a source service + +--- New: openvpn-fips140-AES-cipher-in-config-template.patch Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.zI3Rao/_old 2016-09-16 11:01:46.0 +0200 +++ /var/tmp/diff_new_pack.zI3Rao/_new 2016-09-16 11:01:46.0 +0200 @@ -52,8 +52,8 @@ Patch1: %{name}-2.3-plugin-man.dif Patch5: %{name}-2.3.0-man-dot.diff Patch6: %{name}-fips140-2.3.2.patch +Patch7: openvpn-fips140-AES-cipher-in-config-template.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildRequires: gpg-offline BuildRequires: iproute2 BuildRequires: lzo-devel BuildRequires: openssl-devel @@ -133,11 +133,11 @@ This package provides the header file to build external plugins. %prep -%gpg_verify %{S:1} %setup -q -n %{name}-%{version} %patch1 -p0 %patch5 -p0 %patch6 -p1 +%patch7 -p1 sed -e "s|\" __DATE__|$(date '+%b %e %Y' -r version.m4)\"|g" \ -i src/openvpn/options.c ++ openvpn-fips140-AES-cipher-in-config-template.patch ++ 
From: Andreas StiegerDate: Thu, 08 Sep 2016 15:23:12 +0200 Subject: Add an example for a FIPS 140-2 approved cipher configuration to the sample configuration file References: bsc#988522 https://github.com/OpenVPN/openvpn/commit/bde1b90da0db2d68d13d274102986f0ca7096c00 Upstream: no The 2.3 default is blowfish which does not work in FIPS mode. This change was done in 2.4, and 2.4 will negotiate AES-256-GCM in TLS mode. Index: openvpn-2.3.8/sample/sample-config-files/client.conf === --- openvpn-2.3.8.orig/sample/sample-config-files/client.conf 2015-07-17 07:43:32.0 +0200 +++ openvpn-2.3.8/sample/sample-config-files/client.conf2016-09-08 15:12:32.650248879 +0200 @@ -111,6 +111,8 @@ remote-cert-tls server # If the cipher option is used on the server # then you must also specify it here. ;cipher x +# Use a FIPS 140-2 approved cipher in FIPS mode +;cipher AES-256-CBC # AES-256 # Enable compression on the VPN link. # Don't enable this unless it is also Index: openvpn-2.3.8/sample/sample-config-files/server.conf === --- openvpn-2.3.8.orig/sample/sample-config-files/server.conf 2015-07-17 07:43:32.0 +0200 +++ openvpn-2.3.8/sample/sample-config-files/server.conf2016-09-08 15:11:55.869874892 +0200 @@ -249,6 +249,8 @@ keepalive 10 120 ;cipher BF-CBC# Blowfish (default) ;cipher AES-128-CBC # AES ;cipher DES-EDE3-CBC # Triple-DES +# Use a FIPS 140-2 approved cipher in FIPS mode +;cipher AES-256-CBC # AES-256 # Enable compression on the VPN link. # If you enable it here, you must also
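Review bot: the %prep hunk (@@ -133,11 +133,11) drops %gpg_verify %{S:1} and the BuildRequires hunk drops gpg-offline, with the changes entry saying verification is now a source service, but the only new file this commit lists is openvpn-fips140-AES-cipher-in-config-template.patch. Please confirm where the tarball signature is checked after this change (for example a _service file or project-level configuration) and reference it in the changes entry, so the signature that %{S:1} points to is still verified somewhere before the build.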
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2016-06-07 23:48:41 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is "openvpn" Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2016-01-07 00:25:26.0 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2016-06-07 23:48:42.0 +0200 @@ -1,0 +2,13 @@ +Tue May 10 16:16:02 UTC 2016 - idon...@suse.com + +- Update to version 2.3.11 + * Fixed port-share bug with DoS potential + * Fix buffer overflow by user supplied data + * Fix undefined signed shift overflow + * Ensure input read using systemd-ask-password is null terminated + * Support reading the challenge-response from console + * hardening: add safe FD_SET() wrapper openvpn_fd_set() + * Restrict default TLS cipher list +- Add BuildRequires on xz for SLE11 + +--- Old: openvpn-2.3.10.tar.gz openvpn-2.3.10.tar.gz.asc New: openvpn-2.3.11.tar.xz openvpn-2.3.11.tar.xz.asc Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.Yymv6f/_old 2016-06-07 23:48:43.0 +0200 +++ /var/tmp/diff_new_pack.Yymv6f/_new 2016-06-07 23:48:43.0 +0200 @@ -32,13 +32,13 @@ %else PreReq: %insserv_prereq %fillup_prereq %endif -Version:2.3.10 +Version:2.3.11 Release:0 Summary:Full-featured SSL VPN solution using a TUN/TAP Interface License:SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1 Group: Productivity/Networking/Security -Source: http://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz -Source1: http://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz.asc +Source: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.xz +Source1: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.xz.asc Source2:%{name}.init Source6:%{name}.sysconfig Source3:%{name}.README.SUSE 
@@ -67,6 +67,7 @@ %if %{with_systemd} BuildRequires: systemd-devel %endif +BuildRequires: xz %description OpenVPN is a full-featured SSL VPN solution which can accommodate a wide
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2016-01-07 00:25:14 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is "openvpn" Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2015-12-20 10:52:43.0 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2016-01-07 00:25:26.0 +0100 
@@ -1,0 +2,34 @@ +Mon Jan 4 17:22:37 UTC 2016 - idon...@suse.com + +- Update to version 2.3.10 + * Warn user if their certificate has expired + * Fix regression in setups without a client certificate + +--- +Wed Dec 16 14:30:49 UTC 2015 - idon...@suse.com + +- Update to version 2.3.9 + * Show extra-certs in current parameters. + * Do not set the buffer size by default but rely on the operation system default. + * Remove --enable-password-save option + * Detect config lines that are too long and give a warning/error + * Log serial number of revoked certificate + * Avoid partial authentication state when using --disabled in CCD configs + * Replace unaligned 16bit access to TCP MSS value with bytewise access + * Fix possible heap overflow on read accessing getaddrinfo() result. + * Fix isatty() check for good. (obsoletes revert-daemonize.patch) + * Client-side part for server restart notification + * Fix privilege drop if first connection attempt fails + * Support for username-only auth file. + * Increase control channel packet size for faster handshakes + * hardening: add insurance to exit on a failed ASSERT() + * Fix memory leak in auth-pam plugin + * Fix (potential) memory leak in init_route_list() + * Fix unintialized variable in plugin_vlog() + * Add macro to ensure we exit on fatal errors + * Fix memory leak in add_option() by simplifying get_ipv6_addr + * openssl: properly check return value of RAND_bytes() + * Fix rand_bytes return value checking + * Fix "White space before end tags can break the config parser" + +--- Old: openvpn-2.3.8.tar.gz openvpn-2.3.8.tar.gz.asc revert-daemonize.patch New: openvpn-2.3.10.tar.gz openvpn-2.3.10.tar.gz.asc Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.dlC3Ne/_old 2016-01-07 00:25:28.0 +0100 +++ /var/tmp/diff_new_pack.dlC3Ne/_new 2016-01-07 00:25:28.0 +0100 
@@ -1,7 +1,7 @@ # # spec file for package openvpn # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -32,7 +32,7 @@ %else PreReq: %insserv_prereq %fillup_prereq %endif -Version:2.3.8 +Version:2.3.10 Release:0 Summary:Full-featured SSL VPN solution using a TUN/TAP Interface License:SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1 @@ -52,7 +52,6 @@ Patch1: %{name}-2.3-plugin-man.dif Patch5: %{name}-2.3.0-man-dot.diff Patch6: %{name}-fips140-2.3.2.patch -Patch7: revert-daemonize.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gpg-offline BuildRequires: iproute2 @@ -138,7 +137,7 @@ %patch1 -p0 %patch5 -p0 %patch6 -p1 -%patch7 -p1 + sed -e "s|\" __DATE__|$(date '+%b %e %Y' -r version.m4)\"|g" \ -i src/openvpn/options.c sed -e "s|@PLUGIN_LIBDIR@|%{_libdir}/openvpn/plugins|g" \ ++ openvpn-2.3.8.tar.gz -> openvpn-2.3.10.tar.gz ++ 4350 lines of diff (skipped)
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2015-12-20 10:52:41 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is "openvpn" Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2015-08-23 17:45:54.0 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2015-12-20 10:52:43.0 +0100 @@ -1,0 +2,5 @@ +Thu Dec 3 14:07:17 UTC 2015 - m...@suse.com + +- Adjust /var/run to _rundir macro value in openvpn@.service too. + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.EDjZOx/_old 2015-12-20 10:52:44.0 +0100 +++ /var/tmp/diff_new_pack.EDjZOx/_new 2015-12-20 10:52:44.0 +0100 @@ -144,6 +144,8 @@ sed -e "s|@PLUGIN_LIBDIR@|%{_libdir}/openvpn/plugins|g" \ -e "s|@PLUGIN_DOCDIR@|%{_defaultdocdir}/%{name}|g" \ -i doc/openvpn.8 +sed -e "s|/var/run|%{_rundir}|g" < \ +$RPM_SOURCE_DIR/%{name}.service > %{name}.service # %%doc items shouldn't be executable. find contrib sample -type f -exec chmod a-x \{\} \; @@ -172,7 +174,7 @@ mkdir -p $RPM_BUILD_ROOT/%{_rundir}/openvpn mkdir -p $RPM_BUILD_ROOT/%{_datadir}/openvpn %if %{with_systemd} -install -D -m 644 $RPM_SOURCE_DIR/%{name}.service %{buildroot}/%{_unitdir}/%{name}@.service +install -D -m 644 %{name}.service %{buildroot}/%{_unitdir}/%{name}@.service install -D -m 644 $RPM_SOURCE_DIR/%{name}.target %{buildroot}/%{_unitdir}/%{name}.target install -D -m 755 $RPM_SOURCE_DIR/rc%{name} %{buildroot}%{_sbindir}/rc%{name} # tmpfiles.d
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2015-08-23 15:43:34 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2015-08-17 15:35:12.0 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2015-08-23 17:45:54.0 +0200 @@ -1,0 +2,6 @@ +Thu Aug 20 08:43:33 UTC 2015 - m...@suse.com + +- Removed obsolete --with-lzo-headers option, readded LFS_CFLAGS. +- Moved openvpn-plugin.h into a devel package, removed .gitignore + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.NlbTzL/_old 2015-08-23 17:45:55.0 +0200 +++ /var/tmp/diff_new_pack.NlbTzL/_new 2015-08-23 17:45:55.0 +0200 @@ -124,6 +124,14 @@ even if you drop openvpn daemon privileges using the user, group, or chroot directives. +%package devel +Summary:OpenVPN plugin header +Group: Development/Libraries/C and C++ +Requires: %{name} = %{version} + +%description devel +This package provides the header file to build external plugins. + %prep %gpg_verify %{S:1} %setup -q -n %{name}-%{version} @@ -153,8 +161,7 @@ --enable-plugins\ --enable-plugin-down-root \ --enable-plugin-auth-pam\ - --with-lzo-headers=%_includedir/lzo \ - CFLAGS=$CFLAGS -fPIE $PLUGIN_DEFS \ + CFLAGS=$CFLAGS $(getconf LFS_CFLAGS) -fPIE $PLUGIN_DEFS \ LDFLAGS=$LDFLAGS -pie -lpam -rdynamic -Wl,-rpath,%{_libdir}/%{name}/plugins make @@ -185,6 +192,7 @@ # we install docs via spec into _defaultdocdir/name/management-notes.txt rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/{OpenVPN,%name} +find sample -name .gitignore | xargs rm -f %post %__mkdir_p -m750 %{_rundir}/openvpn @@ -265,7 +273,6 @@ %{_sbindir}/rcopenvpn %{_sbindir}/openvpn %attr(0750,root,root) %dir %ghost %{_rundir}/openvpn -%{_includedir}/%{name}-plugin.h %files down-root-plugin %defattr(-,root,root) 
@@ -279,4 +286,8 @@ %dir %{_libdir}/%{name}/plugins %{_libdir}/%{name}/plugins/%{name}-plugin-auth-pam.so +%files devel +%defattr(-,root,root) +%{_includedir}/%{name}-plugin.h + %changelog
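Review bot: The cleanup added in the @@ -185,6 +192,7 hunk, find sample -name .gitignore | xargs rm -f, pipes newline-separated file names into xargs and runs at the end of %install against the unpacked source tree rather than the buildroot. find sample -name .gitignore -delete, placed where the spec already strips the exec bits from contrib and sample, does the same without the pipe and keeps the source-tree cleanup in one place.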
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2015-08-17 15:35:10 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2015-08-11 08:27:06.0 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2015-08-17 15:35:12.0 +0200 @@ -1,0 +2,7 @@ +Thu Aug 13 08:29:35 UTC 2015 - idon...@suse.com + +- Add revert-daemonize.patch, looks like under systemd the stdin + and stdout are not TTYs by default. This reverts to previous + behaviour fixing bsc#941569 + +--- New: revert-daemonize.patch Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.GZqkMp/_old 2015-08-17 15:35:13.0 +0200 +++ /var/tmp/diff_new_pack.GZqkMp/_new 2015-08-17 15:35:13.0 +0200 @@ -52,6 +52,7 @@ Patch1: %{name}-2.3-plugin-man.dif Patch5: %{name}-2.3.0-man-dot.diff Patch6: %{name}-fips140-2.3.2.patch +Patch7: revert-daemonize.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gpg-offline BuildRequires: iproute2 @@ -129,6 +130,7 @@ %patch1 -p0 %patch5 -p0 %patch6 -p1 +%patch7 -p1 sed -e s|\ __DATE__|$(date '+%b %e %Y' -r version.m4)\|g \ -i src/openvpn/options.c sed -e s|@PLUGIN_LIBDIR@|%{_libdir}/openvpn/plugins|g \ ++ revert-daemonize.patch ++ Index: openvpn-2.3.8/src/openvpn/misc.c === --- openvpn-2.3.8.orig/src/openvpn/misc.c +++ openvpn-2.3.8/src/openvpn/misc.c @@ -1088,12 +1088,6 @@ get_user_pass_cr (struct user_pass *up, */ else if (from_stdin) { -#ifndef WIN32 - /* did we --daemon'ize before asking for passwords? */ - if ( !isatty(0) !isatty(2) ) - { msg(M_FATAL, neither stdin nor stderr are a tty device, can't ask for %s password. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache., prefix ); } -#endif - #ifdef ENABLE_CLIENT_CR if (auth_challenge (flags GET_USER_PASS_DYNAMIC_CHALLENGE)) {
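Review bot: revert-daemonize.patch deletes the whole #ifndef WIN32 guard in get_user_pass_cr(), so the from_stdin path loses the explanatory M_FATAL message for every non-Windows build, not only when openvpn is started by systemd. The changes entry speaks of stdin and stdout, while the removed condition tests isatty(0) and isatty(2), that is stdin and stderr. Please correct the entry and give the patch a header that states why the check is dropped and under which condition the patch can be removed again.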
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2015-08-11 08:27:04 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2015-06-30 10:16:18.0 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2015-08-11 08:27:06.0 +0200 @@ -1,0 +2,17 @@ +Wed Aug 5 12:03:33 UTC 2015 - idon...@suse.com + +- Update to version 2.3.8 + * Report missing endtags of inline files as warnings + * Fix commit e473b7c if an inline file happens to have a +line break exactly at buffer limit + * Produce a meaningful error message if --daemon gets in the way of +asking for passwords. + * Document --daemon changes and consequences (--askpass, --auth-nocache) + * Del ipv6 addr on close of linux tun interface + * Fix --askpass not allowing for password input via stdin + * Write pid file immediately after daemonizing + * Fix regression: query password before becoming daemon + * Fix using management interface to get passwords + * Fix overflow check in openvpn_decrypt() + +--- Old: openvpn-2.3.7.tar.gz openvpn-2.3.7.tar.gz.asc New: openvpn-2.3.8.tar.gz openvpn-2.3.8.tar.gz.asc Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.WcwPm0/_old 2015-08-11 08:27:07.0 +0200 +++ /var/tmp/diff_new_pack.WcwPm0/_new 2015-08-11 08:27:07.0 +0200 @@ -32,7 +32,7 @@ %else PreReq: %insserv_prereq %fillup_prereq %endif -Version:2.3.7 +Version:2.3.8 Release:0 Summary:Full-featured SSL VPN solution using a TUN/TAP Interface License:SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1 ++ openvpn-2.3.7.tar.gz - openvpn-2.3.8.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.7/ChangeLog new/openvpn-2.3.8/ChangeLog --- old/openvpn-2.3.7/ChangeLog 2015-06-08 08:16:35.0 +0200 +++ new/openvpn-2.3.8/ChangeLog 2015-08-04 09:24:25.0 +0200 
@@ -1,6 +1,29 @@ OpenVPN Change Log Copyright (C) 2002-2015 OpenVPN Technologies, Inc. sa...@openvpn.net +2015.08.03 -- Version 2.3.8 +Arne Schwabe (2): + Report missing endtags of inline files as warnings + Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit + +Gert Doering (2): + Produce a meaningful error message if --daemon gets in the way of asking for passwords. + Document --daemon changes and consequences (--askpass, --auth-nocache). + +Holger Kummert (1): + Del ipv6 addr on close of linux tun interface + +James Geboski (1): + Fix --askpass not allowing for password input via stdin + +Steffan Karger (5): + write pid file immediately after daemonizing + Make __func__ work with Visual Studio too + fix regression: query password before becoming daemon + Fix using management interface to get passwords. + Fix overflow check in openvpn_decrypt() + + 2015.06.02 -- Version 2.3.7 Alexander Pyhalov (1): Default gateway can't be determined on illumos/Solaris platforms diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.7/aclocal.m4 new/openvpn-2.3.8/aclocal.m4 --- old/openvpn-2.3.7/aclocal.m42015-06-08 08:19:03.0 +0200 +++ new/openvpn-2.3.8/aclocal.m42015-08-04 09:29:52.0 +0200 @@ -103,9 +103,10 @@ # configured tree to be moved without reconfiguration. AC_DEFUN([AM_AUX_DIR_EXPAND], -[AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl -# Expand $ac_aux_dir to an absolute path. -am_aux_dir=`cd $ac_aux_dir pwd` +[dnl Rely on autoconf to set up CDPATH properly. +AC_PREREQ([2.50])dnl +# expand $ac_aux_dir to an absolute path +am_aux_dir=`cd $ac_aux_dir pwd` ]) # AM_CONDITIONAL-*- Autoconf -*- 
@@ -572,8 +573,7 @@ END AC_MSG_ERROR([Your 'rm' program is bad, sorry.]) fi -fi -]) +fi]) dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion. Do not dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.7/config.sub new/openvpn-2.3.8/config.sub --- old/openvpn-2.3.7/config.sub2015-06-01 11:10:52.0 +0200 +++ new/openvpn-2.3.8/config.sub2015-08-04 09:29:54.0 +0200 @@ -2,7 +2,7 @@ # Configuration validation subroutine script. # Copyright 1992-2014 Free Software Foundation, Inc.
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2015-06-30 10:16:16 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2015-03-11 09:58:00.0 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2015-06-30 10:16:18.0 +0200 
@@ -1,0 +2,35 @@ +Tue Jun 9 15:51:06 UTC 2015 - idon...@suse.com + +- Update to version 2.3.7 + * down-root plugin: Replaced system() calls with execve() + * sockets: Remove the limitation of --tcp-nodelay to be server-only + * pkcs11: Load p11-kit-proxy.so module by default + * New approach to handle peer-id related changes to link-mtu + * Fix incorrect use of get_ipv6_addr() for iroute options + * Print helpful error message on --mktun/--rmtun if not available + * Explain effect of --topology subnet on --ifconfig + * Add note about file permissions and --crl-verify to manpage + * Repair --dev null breakage caused by db950be85d37 + * Correct note about DNS randomization in openvpn.8 + * Disallow usage of --server-poll-timeout in --secret key mode + * Slightly enhance documentation about --cipher + * On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo() + * Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo() + * Fix --redirect-private in --dev tap mode + * Updated manpage for --rport and --lport + * Properly escape dashes on the man-page + * Improve documentation in --script-security section of the man-page + * Really fix '--cipher none' regression + * Set tls-version-max to 1.1 if cryptoapicert is used + * Account for peer-id in frame size calculation + * Disable SSL compression + * Fix frame size calculation for non-CBC modes. 
+ * Allow for CN/username of 64 characters (fixes off-by-one) + * Re-enable TLS version negotiation by default + * Remove size limit for files inlined in config + * Improve --tls-cipher and --show-tls man page description + * Re-read auth-user-pass file on (re)connect if required + * Clarify --capath option in manpage + * Call daemon() before initializing crypto library + +--- Old: openvpn-2.3.6.tar.gz openvpn-2.3.6.tar.gz.asc New: openvpn-2.3.7.tar.gz openvpn-2.3.7.tar.gz.asc Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.afNh9b/_old 2015-06-30 10:16:19.0 +0200 +++ /var/tmp/diff_new_pack.afNh9b/_new 2015-06-30 10:16:19.0 +0200 @@ -32,7 +32,7 @@ %else PreReq: %insserv_prereq %fillup_prereq %endif -Version:2.3.6 +Version:2.3.7 Release:0 Summary:Full-featured SSL VPN solution using a TUN/TAP Interface License:SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1 ++ openvpn-2.3.6.tar.gz - openvpn-2.3.7.tar.gz ++ 8142 lines of diff (skipped)
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2015-03-11 09:57:59 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2015-02-27 11:00:24.0 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2015-03-11 09:58:00.0 +0100 @@ -2 +2 @@ -Wed Feb 18 17:20:46 UTC 2015 - m...@suse.de +Mon Mar 2 08:26:08 UTC 2015 - m...@suse.de @@ -4 +4,3 @@ -- Fixed to use correct sha digest data length (boo#914166) +- Fixed to use correct sha digest data length and in fips mode, + use aes instead of the disallowed blowfish crypto (boo#914166). +- Fixed to provide actual plugin/doc dirs in openvpn(8) man page. Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.BgQ9kc/_old 2015-03-11 09:58:01.0 +0100 +++ /var/tmp/diff_new_pack.BgQ9kc/_new 2015-03-11 09:58:01.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package openvpn # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -129,7 +129,11 @@ %patch1 -p0 %patch5 -p0 %patch6 -p1 -sed -e s|\ __DATE__|$(date '+%b %e %Y' -r version.m4)\|g -i src/openvpn/options.c +sed -e s|\ __DATE__|$(date '+%b %e %Y' -r version.m4)\|g \ +-i src/openvpn/options.c +sed -e s|@PLUGIN_LIBDIR@|%{_libdir}/openvpn/plugins|g \ +-e s|@PLUGIN_DOCDIR@|%{_defaultdocdir}/%{name}|g \ +-i doc/openvpn.8 # %%doc items shouldn't be executable. find contrib sample -type f -exec chmod a-x \{\} \; 
@@ -148,8 +152,8 @@ --enable-plugin-down-root \ --enable-plugin-auth-pam\ --with-lzo-headers=%_includedir/lzo \ - CFLAGS=$CFLAGS $(getconf LFS_CFLAGS) -fPIE $PLUGIN_DEFS \ - LDFLAGS=$LDFLAGS -pie -lpam -rdynamic -Wl,-rpath,%{_libdir}/%{name}/plugin/lib + CFLAGS=$CFLAGS -fPIE $PLUGIN_DEFS \ + LDFLAGS=$LDFLAGS -pie -lpam -rdynamic -Wl,-rpath,%{_libdir}/%{name}/plugins make %install ++ openvpn-2.3-plugin-man.dif ++ --- /var/tmp/diff_new_pack.BgQ9kc/_old 2015-03-11 09:58:01.0 +0100 +++ /var/tmp/diff_new_pack.BgQ9kc/_new 2015-03-11 09:58:01.0 +0100 @@ -1,20 +1,20 @@ -Index: openvpn.8 -=== doc/openvpn.8.orig -+++ doc/openvpn.8 -@@ -2563,11 +2563,10 @@ +--- doc/openvpn.8 doc/openvpn.8 2015/03/02 08:58:02 +@@ -2569,12 +2569,11 @@ plug-in modules, see the README file in + .B plugin folder of the OpenVPN source distribution. - If you are using an RPM install of OpenVPN, see +-If you are using an RPM install of OpenVPN, see -/usr/share/openvpn/plugin. The documentation is -in -.B doc -and the actual plugin modules are in -.B lib. -+@PLUGIN_DIR@. The actual plugin modules are in ++If you are using an RPM install of OpenVPN, the actual ++plugin modules are in +.B @PLUGIN_LIBDIR@ +and the documentation is in -+.B @PLUGIN_DOCDIR@. ++.B @PLUGIN_DOCDIR@/README.plugin-name. Multiple plugin modules can be cascaded, and modules can be used in tandem with scripts. The modules will be called by ++ openvpn-fips140-2.3.2.patch ++ --- /var/tmp/diff_new_pack.BgQ9kc/_old 2015-03-11 09:58:01.0 +0100 +++ /var/tmp/diff_new_pack.BgQ9kc/_new 2015-03-11 09:58:01.0 +0100 @@ -1,6 +1,5 @@ -diff -urNp openvpn-2.3.2.orig/src/openvpn/crypto_backend.h openvpn-2.3.2/src/openvpn/crypto_backend.h openvpn-2.3.2.orig/src/openvpn/crypto_backend.h2013-08-13 03:24:16.465313821 +0200 -+++ openvpn-2.3.2/src/openvpn/crypto_backend.h 2013-08-13 05:55:40.914256287 +0200 +--- openvpn-2.3.2/src/openvpn/crypto_backend.h openvpn-2.3.2/src/openvpn/crypto_backend.h 2015/02/19 09:15:02 
@@ -452,10 +452,11 @@ void md_ctx_final (md_ctx_t *ctx, uint8_ * @param key The key to use for the HMAC * @param key_len The key length to use @@ -14,9 +13,8 @@ /* * Free the given HMAC context. -diff -urNp openvpn-2.3.2.orig/src/openvpn/crypto.c openvpn-2.3.2/src/openvpn/crypto.c openvpn-2.3.2.orig/src/openvpn/crypto.c2013-08-13 03:24:16.466313824 +0200 -+++ openvpn-2.3.2/src/openvpn/crypto.c 2013-08-13 05:54:09.655008218 +0200 +--- openvpn-2.3.2/src/openvpn/crypto.c openvpn-2.3.2/src/openvpn/crypto.c 2015/02/19 09:15:02 @@ -486,7 +486,7 @@ init_key_ctx (struct key_ctx *ctx, struc if (kt-digest kt-hmac_length 0) { @@ -104,9 +102,8 @@ }
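Review bot: The configure hunk in openvpn.spec (@@ -148,8 +152,8) drops $(getconf LFS_CFLAGS) from the CFLAGS argument in the same change that corrects the rpath from plugin/lib to plugins, and the changes entry mentions neither. If the intent is to rely on the exported CFLAGS for large file support, say so in openvpn.changes; otherwise keep the flag. The .changes hunk also rewrites the date and text of the existing Feb 18 entry instead of adding a new entry, which loses the record of the first boo#914166 fix.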
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2015-02-27 10:59:47 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2014-12-03 22:48:19.0 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2015-02-27 11:00:24.0 +0100 @@ -1,0 +2,5 @@ +Wed Feb 18 17:20:46 UTC 2015 - m...@suse.de + +- Fixed to use correct sha digest data length (boo#914166) + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.Yh4grf/_old 2015-02-27 11:00:26.0 +0100 +++ /var/tmp/diff_new_pack.Yh4grf/_new 2015-02-27 11:00:26.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package openvpn # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed ++ openvpn-fips140-2.3.2.patch ++ --- /var/tmp/diff_new_pack.Yh4grf/_old 2015-02-27 11:00:26.0 +0100 +++ /var/tmp/diff_new_pack.Yh4grf/_new 2015-02-27 11:00:26.0 +0100 @@ -121,8 +121,9 @@ }; -struct md5_digest { +- uint8_t digest [MD5_DIGEST_LENGTH]; +struct sha1_digest { - uint8_t digest [MD5_DIGEST_LENGTH]; ++ uint8_t digest [SHA_DIGEST_LENGTH]; }; -const char *md5sum(uint8_t *buf, int len, int n_print_chars, struct gc_arena *gc); -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
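Review bot: The corrected struct sha1_digest in the openvpn-fips140-2.3.2.patch hunk (@@ -121,8 +121,9) shows that the previous revision of the patch sized the array with MD5_DIGEST_LENGTH, which is 4 bytes too small for the 20-byte SHA-1 result that sha1_state_final() writes into it. The changes entry "Fixed to use correct sha digest data length" should say that the distribution patch had an undersized digest buffer, and a compile-time size check next to the struct definition would keep the MD5 to SHA1 rename from regressing.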
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2014-12-03 22:47:57 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2014-11-07 09:06:41.0 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2014-12-03 22:48:19.0 +0100 @@ -1,0 +2,8 @@ +Mon Dec 1 19:37:29 UTC 2014 - m...@suse.de + +- Update to version 2.3.6 fixing a denial-of-service vulnerability + where an authenticated client could stop the server by triggering + a server-side ASSERT (bnc#907764,CVE-2014-8104). + See ChangeLog file for a complete list of changes. + +--- Old: openvpn-2.3.5.tar.gz openvpn-2.3.5.tar.gz.asc New: openvpn-2.3.6.tar.gz openvpn-2.3.6.tar.gz.asc Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.RqeCqG/_old 2014-12-03 22:48:20.0 +0100 +++ /var/tmp/diff_new_pack.RqeCqG/_new 2014-12-03 22:48:20.0 +0100 @@ -32,7 +32,7 @@ %else PreReq: %insserv_prereq %fillup_prereq %endif -Version:2.3.5 +Version:2.3.6 Release:0 Summary:Full-featured SSL VPN solution using a TUN/TAP Interface License:SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1 ++ openvpn-2.3.5.tar.gz - openvpn-2.3.6.tar.gz ++ 1918 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2014-11-07 09:06:08 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2014-08-28 21:05:51.0 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2014-11-07 09:06:41.0 +0100 @@ -1,0 +2,7 @@ +Thu Oct 30 12:28:48 UTC 2014 - idon...@suse.com + +- Update to version 2.3.5 + * See included changelog +- Depend on systemd-devel for the daemon check functionality + +--- Old: openvpn-2.3.4.tar.gz openvpn-2.3.4.tar.gz.asc New: openvpn-2.3.5.tar.gz openvpn-2.3.5.tar.gz.asc Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.Oa97nk/_old 2014-11-07 09:06:42.0 +0100 +++ /var/tmp/diff_new_pack.Oa97nk/_new 2014-11-07 09:06:42.0 +0100 @@ -32,7 +32,7 @@ %else PreReq: %insserv_prereq %fillup_prereq %endif -Version:2.3.4 +Version:2.3.5 Release:0 Summary:Full-featured SSL VPN solution using a TUN/TAP Interface License:SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1 @@ -65,7 +65,7 @@ BuildRequires: pkcs11-helper-devel Requires: pkcs11-helper %if %{with_systemd} -BuildRequires: systemd +BuildRequires: systemd-devel %endif %description ++ openvpn-2.3.4.tar.gz - openvpn-2.3.5.tar.gz ++ 2713 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2014-08-28 21:05:32 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2014-06-10 14:39:20.0 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2014-08-28 21:05:51.0 +0200 @@ -1,0 +2,7 @@ +Mon Aug 25 09:12:08 UTC 2014 - idon...@suse.com + +- Update to version 2.3.4 + * Add support for client-cert-not-required for PolarSSL. + * Introduce safety check for http proxy options. + +--- Old: openvpn-2.3.2.tar.gz openvpn-2.3.2.tar.gz.asc New: openvpn-2.3.4.tar.gz openvpn-2.3.4.tar.gz.asc Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.zEaw7q/_old 2014-08-28 21:05:52.0 +0200 +++ /var/tmp/diff_new_pack.zEaw7q/_new 2014-08-28 21:05:52.0 +0200 @@ -32,7 +32,7 @@ %else PreReq: %insserv_prereq %fillup_prereq %endif -Version:2.3.2 +Version:2.3.4 Release:0 Summary:Full-featured SSL VPN solution using a TUN/TAP Interface License:SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1 ++ openvpn-2.3.2.tar.gz - openvpn-2.3.4.tar.gz ++ 13864 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2014-06-10 14:39:19 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2014-05-21 16:20:42.0 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2014-06-10 14:39:20.0 +0200 @@ -1,0 +2,5 @@ +Mon May 26 15:41:34 UTC 2014 - crrodrig...@opensuse.org + +- Build with large file support in 32 bit systems. + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.NMkW6H/_old 2014-06-10 14:39:21.0 +0200 +++ /var/tmp/diff_new_pack.NMkW6H/_new 2014-06-10 14:39:21.0 +0200 @@ -135,7 +135,7 @@ find contrib sample -type f -exec chmod a-x \{\} \; %build -export CFLAGS=$RPM_OPT_FLAGS -W -Wall -fno-strict-aliasing +export CFLAGS=$RPM_OPT_FLAGS $(getconf LFS_CFLAGS) -W -Wall -fno-strict-aliasing export LDFLAGS %configure \ --enable-iproute2 \ @@ -148,7 +148,7 @@ --enable-plugin-down-root \ --enable-plugin-auth-pam\ --with-lzo-headers=%_includedir/lzo \ - CFLAGS=$CFLAGS -fPIE $PLUGIN_DEFS \ + CFLAGS=$CFLAGS $(getconf LFS_CFLAGS) -fPIE $PLUGIN_DEFS \ LDFLAGS=$LDFLAGS -pie -lpam -rdynamic -Wl,-rpath,%{_libdir}/%{name}/plugin/lib make -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
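Review bot: $(getconf LFS_CFLAGS) is added twice: once to the exported CFLAGS at the top of %build (@@ -135,7 +135,7) and again in the configure argument CFLAGS=$CFLAGS $(getconf LFS_CFLAGS) -fPIE $PLUGIN_DEFS (@@ -148,7 +148,7), which already expands the exported value. One of the two is enough; keeping it only in the export line avoids duplicated flags on the compiler command line.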
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2014-05-21 16:20:41 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2014-01-23 15:50:51.0 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2014-05-21 16:20:42.0 +0200 @@ -1,0 +2,6 @@ +Sun May 11 07:58:52 UTC 2014 - co...@suse.com + +- use %_rundir for %ghost directory - leaving /var/run everywhere + else + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.oqpxhI/_old 2014-05-21 16:20:46.0 +0200 +++ /var/tmp/diff_new_pack.oqpxhI/_new 2014-05-21 16:20:46.0 +0200 @@ -21,6 +21,9 @@ %else %define with_systemd 0 %endif +%if ! %{defined _rundir} +%define _rundir %{_localstatedir}/run +%endif Name: openvpn Url:http://openvpn.net/ @@ -153,7 +156,7 @@ make DESTDIR=$RPM_BUILD_ROOT install find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openvpn -mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/run/openvpn +mkdir -p $RPM_BUILD_ROOT/%{_rundir}/openvpn mkdir -p $RPM_BUILD_ROOT/%{_datadir}/openvpn %if %{with_systemd} install -D -m 644 $RPM_SOURCE_DIR/%{name}.service %{buildroot}/%{_unitdir}/%{name}@.service @@ -178,7 +181,7 @@ rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/{OpenVPN,%name} %post -%__mkdir_p -m750 %{_localstatedir}/run/openvpn +%__mkdir_p -m750 %{_rundir}/openvpn %if %{with_systemd} %service_add_post %{name}.target # try to migrate openvpn.service autostart to openvpn@CONF.service @@ -255,7 +258,7 @@ %endif %{_sbindir}/rcopenvpn %{_sbindir}/openvpn -%attr(0750,root,root) %dir %ghost %{_localstatedir}/run/openvpn +%attr(0750,root,root) %dir %ghost %{_rundir}/openvpn %{_includedir}/%{name}-plugin.h %files down-root-plugin -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2014-01-20 16:24:24 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2014-01-14 19:52:24.0 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2014-01-23 15:50:51.0 +0100 @@ -7,0 +8,7 @@ +Thu Jan 9 14:14:19 UTC 2014 - meiss...@suse.com + +- openvpn-fips140-2.3.2.patch: Allow usage of SHA1 instead of MD5 in + some internal checking routines. This allows operation in FIPS 140-2 + mode. + +--- New: openvpn-fips140-2.3.2.patch Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.9fwUmU/_old 2014-01-23 15:50:52.0 +0100 +++ /var/tmp/diff_new_pack.9fwUmU/_new 2014-01-23 15:50:52.0 +0100 @@ -48,6 +48,7 @@ Source11: rc%{name} Patch1: %{name}-2.3-plugin-man.dif Patch5: %{name}-2.3.0-man-dot.diff +Patch6: %{name}-fips140-2.3.2.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gpg-offline BuildRequires: iproute2 @@ -124,6 +125,7 @@ %setup -q -n %{name}-%{version} %patch1 -p0 %patch5 -p0 +%patch6 -p1 sed -e s|\ __DATE__|$(date '+%b %e %Y' -r version.m4)\|g -i src/openvpn/options.c # %%doc items shouldn't be executable. ++ openvpn-fips140-2.3.2.patch ++ diff -urNp openvpn-2.3.2.orig/src/openvpn/crypto_backend.h openvpn-2.3.2/src/openvpn/crypto_backend.h --- openvpn-2.3.2.orig/src/openvpn/crypto_backend.h 2013-08-13 03:24:16.465313821 +0200 +++ openvpn-2.3.2/src/openvpn/crypto_backend.h 2013-08-13 05:55:40.914256287 +0200 
@@ -452,10 +452,11 @@ void md_ctx_final (md_ctx_t *ctx, uint8_ * @param key The key to use for the HMAC * @param key_len The key length to use * @param kt Static message digest parameters + * @param prf_use Intended use for PRF in TLS protocol * */ void hmac_ctx_init (hmac_ctx_t *ctx, const uint8_t *key, int key_length, -const md_kt_t *kt); +const md_kt_t *kt, bool prf_use); /* * Free the given HMAC context. diff -urNp openvpn-2.3.2.orig/src/openvpn/crypto.c openvpn-2.3.2/src/openvpn/crypto.c --- openvpn-2.3.2.orig/src/openvpn/crypto.c 2013-08-13 03:24:16.466313824 +0200 +++ openvpn-2.3.2/src/openvpn/crypto.c 2013-08-13 05:54:09.655008218 +0200 @@ -486,7 +486,7 @@ init_key_ctx (struct key_ctx *ctx, struc if (kt-digest kt-hmac_length 0) { ALLOC_OBJ(ctx-hmac, hmac_ctx_t); - hmac_ctx_init (ctx-hmac, key-hmac, kt-hmac_length, kt-digest); + hmac_ctx_init (ctx-hmac, key-hmac, kt-hmac_length, kt-digest, 0); msg (D_HANDSHAKE, %s: Using %d bit message hash '%s' for HMAC authentication, 
@@ -1409,61 +1409,61 @@ free_ssl_lib (void) #endif /* ENABLE_SSL */ /* - * md5 functions + * sha1 functions */ const char * -md5sum (uint8_t *buf, int len, int n_print_chars, struct gc_arena *gc) +sha1sum (uint8_t *buf, int len, int n_print_chars, struct gc_arena *gc) { - uint8_t digest[MD5_DIGEST_LENGTH]; - const md_kt_t *md5_kt = md_kt_get(MD5); + uint8_t digest[SHA_DIGEST_LENGTH]; + const md_kt_t *sha1_kt = md_kt_get(SHA1); - md_full(md5_kt, buf, len, digest); + md_full(sha1_kt, buf, len, digest); - return format_hex (digest, MD5_DIGEST_LENGTH, n_print_chars, gc); + return format_hex (digest, SHA_DIGEST_LENGTH, n_print_chars, gc); } void -md5_state_init (struct md5_state *s) +sha1_state_init (struct sha1_state *s) { - const md_kt_t *md5_kt = md_kt_get(MD5); + const md_kt_t *sha1_kt = md_kt_get(SHA1); - md_ctx_init(s-ctx, md5_kt); + md_ctx_init(s-ctx, sha1_kt); } void -md5_state_update (struct md5_state *s, void *data, size_t len) +sha1_state_update (struct sha1_state *s, void *data, size_t len) { md_ctx_update(s-ctx, data, len); } void -md5_state_final (struct md5_state *s, struct md5_digest *out) +sha1_state_final (struct sha1_state *s, struct sha1_digest *out) { md_ctx_final(s-ctx, out-digest); md_ctx_cleanup(s-ctx); } void -md5_digest_clear (struct md5_digest *digest) +sha1_digest_clear (struct sha1_digest *digest) { CLEAR (*digest); } bool -md5_digest_defined (const struct md5_digest *digest) +sha1_digest_defined (const struct sha1_digest *digest) { int i; - for (i = 0; i MD5_DIGEST_LENGTH; ++i) + for (i = 0; i SHA_DIGEST_LENGTH; ++i) if (digest-digest[i]) return true; return false; } bool -md5_digest_equal (const struct md5_digest *d1, const struct md5_digest *d2) +sha1_digest_equal (const struct sha1_digest
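Review bot: The new prf_use parameter of hmac_ctx_init() in crypto_backend.h is documented only as "Intended use for PRF in TLS protocol", which does not tell a caller what passing true changes, and the init_key_ctx() call site in crypto.c passes a bare 0 for a bool. Please describe the effect of prf_use in the header comment and pass false at the call site. The patch also carries no description header, so the reason for replacing the md5 helpers with sha1 ones is recorded only in openvpn.changes.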
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2014-01-14 19:52:22 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2014-01-02 11:15:20.0 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2014-01-14 19:52:24.0 +0100 @@ -1,0 +2,6 @@ +Tue Jan 14 10:43:19 UTC 2014 - m...@suse.de + +- Updated README.SUSE, documented also the rcopenvpn compatibility + wrapper script (bnc#848070). + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.2y1ioB/_old 2014-01-14 19:52:25.0 +0100 +++ /var/tmp/diff_new_pack.2y1ioB/_new 2014-01-14 19:52:25.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package openvpn # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed ++ openvpn.README.SUSE ++ --- /var/tmp/diff_new_pack.2y1ioB/_old 2014-01-14 19:52:25.0 +0100 +++ /var/tmp/diff_new_pack.2y1ioB/_new 2014-01-14 19:52:25.0 +0100 
@@ -2,11 +2,27 @@ Notes about the OpenVPN package In a fresh installation, you will find an empty directory /etc/openvpn. -The directory is meant to contain *.conf files -- the openvpn init script -will automatically look for them there, so you can start/stop all tunnels with -rcopenvpn (start|stop), as well as starting them at boot time. - -With openSUSE post-12.3 either all instances are handled by calling -'systemctl start|stop|enable|disbale|status openvpn.target' or one named -service 'systemctl start|stop|enable|disbale|status openvpn@name.service' -while the configuration is stored in a file named /etc/openvpn/name.conf . +The directory is meant to contain *.conf files. + +With openSUSE post-12.3 either all enabled instances are handled by +calling + +'systemctl start|stop|status openvpn.target' + +or each one tunnel/config separately using openvpn service template: + +'systemctl start|stop|status|enable|disbale openvpn@name.service' + +while name is the name of the configuration file /etc/openvpn/name.conf. + +The OPENVPN_AUTOSTART sysconfig variable, which were specifying the +list of enabled configs is migrated to systemctl enable on update. + +Alternatively, you can also use the rcopenvpn compatiblity wrapper: + + rcopenvpn start|stop|status + +or per config/tunnel: + + rcopenvpn start|stop|status|enable|disable name + -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
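Review bot: The rewritten README.SUSE text keeps the misspelling disbale in the openvpn@name.service command line and adds compatiblity and "which were specifying". Users copy these lines, so please correct them to disable, compatibility and "which specified". The openvpn.target line also drops enable|disable compared with the text it replaces; if enabling is meant to happen per instance only, say that in the README.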
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2014-01-02 11:15:18 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2013-11-04 07:08:38.0 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2014-01-02 11:15:20.0 +0100 @@ -1,0 +2,5 @@ +Tue Dec 17 15:26:16 UTC 2013 - m...@suse.de + +- Readded rcopenvpn helper script under systemd (bnc#848070) + +--- New: rcopenvpn Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.XGCALD/_old 2014-01-02 11:15:21.0 +0100 +++ /var/tmp/diff_new_pack.XGCALD/_new 2014-01-02 11:15:21.0 +0100 @@ -45,6 +45,7 @@ Source8:%{name}.service Source9:%{name}.target Source10: %{name}-tmpfile.conf +Source11: rc%{name} Patch1: %{name}-2.3-plugin-man.dif Patch5: %{name}-2.3.0-man-dot.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -155,6 +156,7 @@ %if %{with_systemd} install -D -m 644 $RPM_SOURCE_DIR/%{name}.service %{buildroot}/%{_unitdir}/%{name}@.service install -D -m 644 $RPM_SOURCE_DIR/%{name}.target %{buildroot}/%{_unitdir}/%{name}.target +install -D -m 755 $RPM_SOURCE_DIR/rc%{name} %{buildroot}%{_sbindir}/rc%{name} # tmpfiles.d mkdir -p %{buildroot}%{_libexecdir}/tmpfiles.d install -m 0644 $RPM_SOURCE_DIR/%{name}-tmpfile.conf %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf 
@@ -248,8 +250,8 @@ %else %config %{_sysconfdir}/init.d/openvpn /var/adm/fillup-templates/sysconfig.openvpn -%{_sbindir}/rcopenvpn %endif +%{_sbindir}/rcopenvpn %{_sbindir}/openvpn %attr(0750,root,root) %dir %ghost %{_localstatedir}/run/openvpn %{_includedir}/%{name}-plugin.h ++ rcopenvpn ++ #! /bin/bash SYSTEMD_NO_WRAP=1 . /etc/rc.status rc_reset action=$1 ; shift config=$1 ; shift if test -n $config ; then systemctl ${action} openvpn@${config}.service else case $action in status) n=0 l=`systemctl show -p ConsistsOf openvpn.target 2/dev/null` for s in ${l#ConsistsOf=} ; do case $s in openvpn@*.service) systemctl status $s rc_check ((++n)) ;; esac done if test $n -gt 0 ; then rc_status else rc_status -u fi ;; *) systemctl ${action} openvpn.target ;; esac fi rc_exit -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
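Review bot: The new rcopenvpn script takes action=$1 and hands it straight to systemctl, so a call without arguments runs systemctl with an empty action against openvpn.target, and a mistyped action is rejected only by systemctl itself. Add a check at the top that prints the usage and exits non-zero when $1 is empty, so the wrapper fails with its own message.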
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2013-11-04 07:08:37 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2013-08-28 21:16:24.0 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2013-11-04 07:08:38.0 +0100 @@ -1,0 +2,5 @@ +Thu Oct 31 18:45:02 UTC 2013 - m...@suse.de + +- Fixed invalid mode in exec bit removal call from doc files + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.ls2qPO/_old 2013-11-04 07:08:38.0 +0100 +++ /var/tmp/diff_new_pack.ls2qPO/_new 2013-11-04 07:08:39.0 +0100 @@ -126,8 +126,7 @@ sed -e s|\ __DATE__|$(date '+%b %e %Y' -r version.m4)\|g -i src/openvpn/options.c # %%doc items shouldn't be executable. -find contrib sample -type f -perm +100 \ --exec chmod a-x {} \; +find contrib sample -type f -exec chmod a-x \{\} \; %build export CFLAGS=$RPM_OPT_FLAGS -W -Wall -fno-strict-aliasing -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
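Review bot: the replacement `find contrib sample -type f -exec chmod a-x \{\} \;` drops the permission test entirely, so chmod is now spawned once for every file under contrib and sample whether or not it is executable. GNU find's replacement for the `-perm +mode` form is `-perm /mode`; `-perm /111` would keep the filter (and also match group and other execute bits, which the old `+100` did not), and ending the `-exec` with `+` instead of `\;` would batch the calls.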
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2013-08-28 21:16:23 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2013-06-05 17:46:18.0 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2013-08-28 21:16:24.0 +0200 @@ -1,0 +2,6 @@ +Tue Aug 27 16:28:52 UTC 2013 - lmue...@suse.com + +- Add a section about how to control all or a named configuration with the + help of systemctl to the README.SUSE file. + +--- Other differences: -- ++ openvpn.README.SUSE ++ --- /var/tmp/diff_new_pack.zybqwP/_old 2013-08-28 21:16:25.0 +0200 +++ /var/tmp/diff_new_pack.zybqwP/_new 2013-08-28 21:16:25.0 +0200 @@ -2,6 +2,11 @@ Notes about the OpenVPN package In a fresh installation, you will find an empty directory /etc/openvpn. -The directory is meant to contain *.conf files -- the openvpn init script +The directory is meant to contain *.conf files -- the openvpn init script will automatically look for them there, so you can start/stop all tunnels with -rcopenvpn (start|stop), as well as start tham at boot time. +rcopenvpn (start|stop), as well as starting them at boot time. + +With openSUSE post-12.3 either all instances are handled by calling +'systemctl start|stop|enable|disbale|status openvpn.target' or one named +service 'systemctl start|stop|enable|disbale|status openvpn@name.service' +while the configuration is stored in a file named /etc/openvpn/name.conf . -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
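Review bot: both added systemctl lines in openvpn.README.SUSE spell the verb as `disbale`, so a user copying from `systemctl start|stop|enable|disbale|status openvpn.target` gets an unknown-operation error. It should read `disable` in both places. "With openSUSE post-12.3" would also be clearer with the first release that actually ships the openvpn@name.service layout named.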
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2013-06-05 17:46:17 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2013-05-16 11:18:49.0 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2013-06-05 17:46:18.0 +0200 
@@ -1,0 +2,35 @@ +Mon Jun 3 22:09:09 UTC 2013 - mrd...@opensuse.org + +- Update to 2.3.2 + +Fixes since 2.3.0 +- Remove dead code path and putenv functionality +- Remove unused function xor +- Move static prototype definition from header into c file +- Remove unused function no_tap_ifconfig +- fix build with automake 1.13(.1) +- Fix corner case in NTLM authentication (trac #172) +- Update README.IPv6 to match what is in 2.3.0 +- Repair tcp server queue overflow brokenness, more stdbool.h fallout. +- Permit pool size of /64.../112 for ifconfig-ipv6-pool +- Add MIN() compatibility macro +- Fix directly connected routes for topology subnet on Solaris. +- close more file descriptors on exec +- Ignore UTF-8 byte order mark +- reintroduce --no-name-remapping option +- make --tls-remote compatible with pre 2.3 configs +- add new option for X.509 name verification +- add man page patch for missing options +- Fix parameter listing in non-debug builds at verb 4 +- (updated) [PATCH] Warn when using verb levels =7 without debug +- Enable TCP_NODELAY configuration on FreeBSD. +- Updated README +- Cleaned up and updated INSTALL +- PolarSSL-1.2 support +- Improve PolarSSL key_state_read_{cipher, plain}text messages +- Improve verify_callback messages +- Config compatibility patch. Added translate_cipher_name. +- Switch to IANA names for TLS ciphers. +- Fixed autoconf script to properly detect missing pkcs11 with polarssl. +- Use constant time memcmp when comparing HMACs in openvpn_decrypt. + +--- Old: openvpn-2.3.0.tar.gz openvpn-2.3.0.tar.gz.asc New: openvpn-2.3.2.tar.gz openvpn-2.3.2.tar.gz.asc Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.vEf3mz/_old 2013-06-05 17:46:19.0 +0200 +++ /var/tmp/diff_new_pack.vEf3mz/_new 2013-06-05 17:46:19.0 +0200 
@@ -29,7 +29,7 @@ %else PreReq: %insserv_prereq %fillup_prereq %endif -Version:2.3.0 +Version:2.3.2 Release:0 Summary:Full-featured SSL VPN solution using a TUN/TAP Interface License:SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1 ++ openvpn-2.3.0.tar.gz - openvpn-2.3.2.tar.gz ++ 19812 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
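Review bot: in the openvpn.changes hunk, the one security-relevant item, `Use constant time memcmp when comparing HMACs in openvpn_decrypt.`, is the last bullet and carries no bug reference, so nothing marks this update as a security fix for anyone scanning the changelog. Move it to the top of the list and cite the tracking bug if one exists. The heading says `Fixes since 2.3.0` while the update is to 2.3.2, so the entry should also say whether the list covers the 2.3.1 changes.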
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2013-05-16 11:18:49 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2013-04-23 17:25:36.0 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2013-05-16 11:18:49.0 +0200 @@ -1,0 +2,6 @@ +Mon May 6 11:13:49 UTC 2013 - m...@suse.de + +- Try to migrate openvpn.service autostart to openvpn@CONF.service + instance enablement. + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.g9VTJT/_old 2013-05-16 11:18:50.0 +0200 +++ /var/tmp/diff_new_pack.g9VTJT/_new 2013-05-16 11:18:50.0 +0200 
@@ -178,6 +178,40 @@ %__mkdir_p -m750 %{_localstatedir}/run/openvpn %if %{with_systemd} %service_add_post %{name}.target +# try to migrate openvpn.service autostart to openvpn@CONF.service +if test ${FIRST_ARG:-$1} -ge 1 -a \ + -x /bin/systemctl -a \ + -f /etc/sysconfig/openvpn -a \ + -f /var/adm/fillup-templates/sysconfig.openvpn \ + /bin/systemctl --quiet is-enabled openvpn.service /dev/null ; +then + . /etc/sysconfig/openvpn + try_service_cgroup_join() + { + local p=/var/run/openvpn/${1}.pid + local t=/sys/fs/cgroup/systemd/system/openvpn@.service/${1} + /sbin/checkproc -p $p %{_sbindir}/openvpn /dev/null || return 0 + test -d $t || mkdir -p $t 2/dev/null || return 1 + cat $p $t/tasks 2/dev/null || return 1 + } + if test X$OPENVPN_AUTOSTART != X ; then + for conf in $OPENVPN_AUTOSTART ; do + test -f /etc/openvpn/${conf}.conf \ + /bin/systemctl enable openvpn@${conf}.service \ + try_service_cgroup_join $conf || continue + done + else + shopt -s nullglob || : + for conf in /etc/openvpn/*.conf ; do + conf=${conf##*/} + conf=${conf%.conf} + test -f /etc/openvpn/${conf}.conf \ + /bin/systemctl enable openvpn@${conf}.service \ + try_service_cgroup_join $conf || continue + done + fi +fi +rm -f /etc/sysconfig/openvpn || : %else %{?fillup_and_insserv:%fillup_and_insserv} %endif -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
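Review bot: `rm -f /etc/sysconfig/openvpn || :` sits after the closing `fi`, so on a systemd build it runs on every %post, including when the `is-enabled openvpn.service` test failed and no instance was migrated; the administrator's OPENVPN_AUTOSTART list is then gone with nothing enabled in its place. Move the removal inside the `then` branch, or rename the file to a backup when the migration did not run. Inside the loops, `try_service_cgroup_join` creates a directory under /sys/fs/cgroup/systemd and writes the PID into `tasks` by hand; a comment explaining why this is needed instead of letting systemd track the process would help the next maintainer.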
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2013-04-23 17:25:34 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn, Maintainer is m...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2013-03-26 19:48:31.0 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2013-04-23 17:25:36.0 +0200 @@ -1,0 +2,12 @@ +Tue Apr 23 13:20:48 UTC 2013 - m...@suse.de + +- Fixed to enable systemd support in configure +- Fixed openvpn-tmpfile.conf to use GID root, there is no openvpn group. +- Added openvpn.target file allowing to handle all instances at once. +- Fixed to install the service template correctly as openvpn@.service. + Use systemctl enable openvpn@foo.service to enable instance using + /etc/openvpn/foo.conf. +- Disabled systemd variant of restart on update rpm macro, adopted other + macros to use openvpn.target to e.g. stop all instances on uninstall. + +--- New: openvpn.target Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.UTQqM3/_old 2013-04-23 17:25:38.0 +0200 +++ /var/tmp/diff_new_pack.UTQqM3/_new 2013-04-23 17:25:38.0 +0200 @@ -43,7 +43,8 @@ Source5:client-netconfig.down Source7:%{name}.keyring Source8:%{name}.service -Source9:%{name}-tmpfile.conf +Source9:%{name}.target +Source10: %{name}-tmpfile.conf Patch1: %{name}-2.3-plugin-man.dif Patch5: %{name}-2.3.0-man-dot.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -135,6 +136,9 @@ --enable-iproute2 \ --enable-x509-alt-username \ --enable-password-save \ +%if %{with_systemd} + --enable-systemd\ +%endif --enable-plugins\ --enable-plugin-down-root \ --enable-plugin-auth-pam\ 
@@ -150,7 +154,8 @@ mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/run/openvpn mkdir -p $RPM_BUILD_ROOT/%{_datadir}/openvpn %if %{with_systemd} -install -D -m 644 $RPM_SOURCE_DIR/%{name}.service %{buildroot}/%{_unitdir}/%{name}.service +install -D -m 644 $RPM_SOURCE_DIR/%{name}.service %{buildroot}/%{_unitdir}/%{name}@.service +install -D -m 644 $RPM_SOURCE_DIR/%{name}.target %{buildroot}/%{_unitdir}/%{name}.target # tmpfiles.d mkdir -p %{buildroot}%{_libexecdir}/tmpfiles.d install -m 0644 $RPM_SOURCE_DIR/%{name}-tmpfile.conf %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf @@ -170,22 +175,23 @@ rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/{OpenVPN,%name} %post +%__mkdir_p -m750 %{_localstatedir}/run/openvpn %if %{with_systemd} -%service_add_post %{name}.service +%service_add_post %{name}.target %else %{?fillup_and_insserv:%fillup_and_insserv} %endif %preun %if %{with_systemd} -%service_del_preun %{name}.service +%service_del_preun %{name}.target %else %{?stop_on_removal:%stop_on_removal openvpn} %endif %postun %if %{with_systemd} -%service_del_postun %{name}.service +/bin/systemctl --system daemon-reload /dev/null || : %else %{?insserv_cleanup:%insserv_cleanup} %endif @@ -203,7 +209,8 @@ %doc %{_mandir}/man8/openvpn.8.gz %config(noreplace) %{_sysconfdir}/openvpn/ %if %{with_systemd} -%{_unitdir}/%{name}.service +%{_unitdir}/%{name}@.service +%{_unitdir}/%{name}.target %{_libexecdir}/tmpfiles.d/%{name}.conf %else %config %{_sysconfdir}/init.d/openvpn @@ -211,7 +218,7 @@ %{_sbindir}/rcopenvpn %endif %{_sbindir}/openvpn -%attr(0755,root,root) %dir %ghost %{_localstatedir}/run/openvpn +%attr(0750,root,root) %dir %ghost %{_localstatedir}/run/openvpn %{_includedir}/%{name}-plugin.h %files down-root-plugin ++ openvpn-tmpfile.conf ++ --- /var/tmp/diff_new_pack.UTQqM3/_old 2013-04-23 17:25:38.0 +0200 +++ /var/tmp/diff_new_pack.UTQqM3/_new 2013-04-23 17:25:38.0 +0200 
@@ -1 +1 @@ -D /var/run/openvpn 0710 root openvpn - +D /var/run/openvpn 0750 root root - ++ openvpn.service ++ --- /var/tmp/diff_new_pack.UTQqM3/_old 2013-04-23 17:25:38.0 +0200 +++ /var/tmp/diff_new_pack.UTQqM3/_new 2013-04-23 17:25:38.0 +0200 @@ -1,14 +1,15 @@ [Unit] -Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I -After=syslog.target network.target +Description=OpenVPN tunneling daemon instance using /etc/openvpn/%I.conf +After=network.target +PartOf=openvpn.target [Service] -PrivateTmp=true Type=forking +PrivateTmp=true PIDFile=/var/run/openvpn/%i.pid -ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd
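Review bot: the directory mode is tightened in three places (`%__mkdir_p -m750` in %post, `%attr(0750,root,root) %dir %ghost` in %files, `D /var/run/openvpn 0750 root root -` in openvpn-tmpfile.conf), but on an upgrade the first two do not change an existing 0755 directory: `mkdir -p -m` applies the mode only to a directory it creates, and a %ghost directory is not part of the package payload. If 0750 is meant to take effect at update time, add an explicit chmod in %post or apply the tmpfiles configuration there. The %post mkdir also duplicates the tmpfiles.d entry on systemd builds and could move under the `%else` branch.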
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2013-03-26 19:48:27 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn, Maintainer is m...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2013-01-29 06:46:28.0 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2013-03-26 19:48:31.0 +0100 
@@ -1,0 +2,53 @@ +Tue Mar 26 14:38:48 UTC 2013 - a...@suse.com + +- Remove _unitdir definition, it is provided by systemd. +- Install service file without x permissions + +--- +Mon Mar 25 14:55:35 UTC 2013 - p.drou...@gmail.com + +Update to version 2.3.0: + * Full IPv6 support + * SSL layer modularised, enabling easier implementation for other SSL libraries + * PolarSSL support as a drop-in replacement for OpenSSL + * New plug-in API providing direct certificate access, improved logging API + and easier to extend in the future + * Added 'dev_type' environment variable to scripts and plug-ins - which is + set to 'TUN' or 'TAP' + * New feature: --management-external-key - to provide access to the encryption + keys via the management interface + * New feature: --x509-track option, more fine grained access to X.509 fields + in scripts and plug-ins + * New feature: --client-nat support + * New feature: --mark which can mark encrypted packets from the tunnel, suitable + for more advanced routing and firewalling + * New feature: --management-query-proxy - manage proxy settings via the management + interface (supercedes --http-proxy-fallback) + * New feature: --stale-routes-check, which cleans up the internal routing table + * New feature: --x509-username-field, where other X.509v3 fields can be used for + the authentication instead of Common Name + * Improved client-kill management interface command + * Improved UTF-8 support - and added --compat-names to provide backwards compatibility + with older scripts/plug-ins + * Improved auth-pam with COMMONNAME support, passing the certificate's common + name in the PAM conversation + * More options can now be used inside connection blocks + * Completely new build system, enabling easier cross-compilation and Windows builds + * Much of the code has been better documented + * Many documentation updates + * Plenty of bug fixes and other code clean-ups +- Add systemd native support for OpenSUSE 12.1 +- Adapt patchs to upstream 
release: + * openvpn-2.1-plugin-man.dif openvpn-2.3-plugin-man.dif + * openvpn-2.1.0-man-dot.diff openvpn-2.3.0-man-dot.diff +- Remove obsolete patchs; fixed or merged on upstream release: + * 0001-Use-SSL_MODE_RELEASE_BUFFERS-if-available.patch + * openvpn-2.1-plugin-build.dif + * openvpn-2.1-systemd-passwd.patch +- Rebase specfile to upstream changes: + * easy-rsa is not provided anymore with main package + * remove %clean section + * autoreconf -fi is no needed +- Update openvpn.keyring file for upstream release asc key + +--- Old: 0001-Use-SSL_MODE_RELEASE_BUFFERS-if-available.patch openvpn-2.1-plugin-build.dif openvpn-2.1-plugin-man.dif openvpn-2.1-systemd-passwd.patch openvpn-2.2.1-man-dot.diff openvpn-2.2.2.tar.gz openvpn-2.2.2.tar.gz.asc New: openvpn-2.3-plugin-man.dif openvpn-2.3.0-man-dot.diff openvpn-2.3.0.tar.gz openvpn-2.3.0.tar.gz.asc openvpn-tmpfile.conf openvpn.service Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.0m0wjr/_old 2013-03-26 19:48:33.0 +0100 +++ /var/tmp/diff_new_pack.0m0wjr/_new 2013-03-26 19:48:33.0 +0100 @@ -16,46 +16,51 @@ # +%if 0%{?suse_version} 1210 +%define with_systemd 1 +%else +%define with_systemd 0 +%endif + Name: openvpn Url:http://openvpn.net/ -%if 0%{?suse_version} +%if %{with_systemd} +%{?systemd_requires} +%else PreReq: %insserv_prereq %fillup_prereq %endif -Version:2.2.2 +Version:2.3.0 Release:0 -%define upstream_version %version Summary:Full-featured SSL VPN solution using a TUN/TAP Interface License:SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1 Group: Productivity/Networking/Security -Source: http://swupdate.openvpn.org/community/releases/openvpn-%{upstream_version}.tar.gz -Source1: http://swupdate.openvpn.org/community/releases/openvpn-%{upstream_version}.tar.gz.asc -Source2:openvpn.init -Source3:openvpn.README.SUSE +Source: http://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
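Review bot: the changes entry lists three dropped patches under `fixed or merged on upstream release` without saying which applies to which. For openvpn-2.1-systemd-passwd.patch in particular, state what in 2.3.0 replaces it and which configure option enables it, since the update that follows this one had to add `--enable-systemd` to the configure call. The line `Update openvpn.keyring file for upstream release asc key` changes what the package trusts and should record the fingerprint of the key now in the keyring.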
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2013-01-29 06:46:26 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn, Maintainer is m...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2012-12-14 10:14:38.0 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2013-01-29 06:46:28.0 +0100 @@ -1,0 +2,6 @@ +Mon Jan 28 13:59:07 UTC 2013 - m...@suse.com + +- Join openvpn.service systemd cgroup in start when needed, e.g. + when starting with further parameters. (bnc#781106) + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.uiOEQt/_old 2013-01-29 06:46:30.0 +0100 +++ /var/tmp/diff_new_pack.uiOEQt/_new 2013-01-29 06:46:30.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package openvpn # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed ++ openvpn.init ++ --- /var/tmp/diff_new_pack.uiOEQt/_old 2013-01-29 06:46:30.0 +0100 +++ /var/tmp/diff_new_pack.uiOEQt/_new 2013-01-29 06:46:30.0 +0100 
@@ -72,6 +72,35 @@ action=$1 ; shift config=$1 ; shift +systemd_cgroup_dir=/sys/fs/cgroup/systemd +openvpn_cgroup_dir=${systemd_cgroup_dir}/system/openvpn.service + +join_openvpn_service_cgroup() +{ + local pid dummy + + # when the systemd cgroup mountpoint does not exists, + # assume we run unter systemv init - nothing to do. + /bin/mountpoint -q ${systemd_cgroup_dir} || return 0 + + # create the openvpn.service cgroup when needed + if test ! -d ${openvpn_cgroup_dir} ; then + /bin/mkdir -p ${openvpn_cgroup_dir} || return 1 + fi + + # check if the openvpn.service cgroup task list exists + if test -f ${openvpn_cgroup_dir}/tasks ; then + # when we're already a member, all is done + while read pid dummy ; do + test $pid = $$ return 0 + done ${openvpn_cgroup_dir}/tasks + + # otherwise join the openvpn.service cgroup + echo $$ ${openvpn_cgroup_dir}/tasks return 0 + fi + return 1 +} + autostart_filter() { test x$config != xreturn 0 @@ -84,6 +113,8 @@ case $action in start) + join_openvpn_service_cgroup + /sbin/modprobe tun /dev/null name= -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
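Review bot: the call added under `start)` ignores the return value of `join_openvpn_service_cgroup`, so both `return 1` paths (mkdir failure, missing `tasks` file) are silent and the daemon is started outside the openvpn.service cgroup anyway, which is the case the changes entry says it fixes. Either report the failure (for example through rc_status or a log line) or drop the return codes. The function's first comment also has two typos, `does not exists` and `unter`.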
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2012-12-14 10:14:36 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn, Maintainer is m...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2012-09-25 10:43:29.0 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2012-12-14 10:14:38.0 +0100 @@ -1,0 +2,5 @@ +Thu Nov 29 18:19:40 CET 2012 - sbra...@suse.cz + +- Verify GPG signature. + +--- New: openvpn.keyring Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.9c1Rn1/_old 2012-12-14 10:14:40.0 +0100 +++ /var/tmp/diff_new_pack.9c1Rn1/_new 2012-12-14 10:14:40.0 +0100 @@ -34,6 +34,7 @@ Source4:client-netconfig.up Source5:client-netconfig.down Source6:openvpn.sysconfig +Source7:%{name}.keyring Patch1: %{name}-2.1-plugin-man.dif Patch2: %{name}-2.1-plugin-build.dif Patch3: openvpn-2.1-systemd-passwd.patch @@ -41,6 +42,7 @@ Patch5: openvpn-2.2.1-man-dot.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: automake +BuildRequires: gpg-offline BuildRequires: iproute2 BuildRequires: lzo-devel BuildRequires: openssl-devel 
@@ -129,6 +131,7 @@ James Yonan j...@yonan.net %prep +%gpg_verify %{S:1} %setup -q -n %{name}-%{upstream_version} %patch1 -p0 %patch2 -p0 ++ openvpn.keyring ++ pub 1024D/1FBF51F3 2003-11-20 uid James Yonan j...@yonan.net sub 2048g/4B9741E3 2003-11-20 -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, 
e-mail: opensuse-commit+h...@opensuse.org
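Review bot: `%gpg_verify %{S:1}` trusts whatever is in openvpn.keyring, and the only identification of that key in this commit is the listing line `pub 1024D/1FBF51F3 2003-11-20`, an eight-digit short ID. Record the full fingerprint in the changes entry or in a spec comment so that a later keyring replacement shows up as a reviewable change. The key is 1024-bit DSA, so the check is only as strong as that key; the changelog should say so until upstream signs with a stronger one.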
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2012-09-21 14:52:24 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn, Maintainer is m...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2012-08-23 15:30:29.0 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2012-09-21 14:52:26.0 +0200 @@ -1,0 +2,8 @@ +Thu Sep 20 10:50:23 UTC 2012 - m...@suse.com + +- Fixed openvpn init script to not map reopen to reload so the + reopen code is without any effect (bnc#781106). +- Added requested OPENVPN_AUTOSTART variable allowing to provide + an optional list of config names started by default (bnc#692440). + +--- New: openvpn.sysconfig Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.ZtdFM0/_old 2012-09-21 14:52:30.0 +0200 +++ /var/tmp/diff_new_pack.ZtdFM0/_new 2012-09-21 14:52:30.0 +0200 @@ -33,6 +33,7 @@ Source3:openvpn.README.SUSE Source4:client-netconfig.up Source5:client-netconfig.down +Source6:openvpn.sysconfig Patch1: %{name}-2.1-plugin-man.dif Patch2: %{name}-2.1-plugin-build.dif Patch3: openvpn-2.1-systemd-passwd.patch @@ -194,12 +195,16 @@ done # we install docs via spec into _defaultdocdir/name/management-notes.txt rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/{OpenVPN,%name} +# the /etc/sysconfig/openvpn template +install -d -m0755 %{buildroot}/var/adm/fillup-templates +install-m0600 $RPM_SOURCE_DIR/openvpn.sysconfig \ + %{buildroot}/var/adm/fillup-templates/sysconfig.openvpn %clean if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi %post -%{?fillup_and_insserv:%fillup_and_insserv -f} +%{?fillup_and_insserv:%fillup_and_insserv} %preun %{?stop_on_removal:%stop_on_removal openvpn} 
@@ -228,6 +233,7 @@ %dir %{_libdir}/%{name} %dir %{plugin_dir} %dir %{plugin_libdir} +/var/adm/fillup-templates/sysconfig.openvpn %files down-root-plugin %defattr(-,root,root) ++ openvpn.init ++ --- /var/tmp/diff_new_pack.ZtdFM0/_old 2012-09-21 14:52:30.0 +0200 +++ /var/tmp/diff_new_pack.ZtdFM0/_new 2012-09-21 14:52:30.0 +0200 @@ -24,9 +24,8 @@ # Description: Start OpenVPN tunnel ### END INIT INFO -# we don't use any... -# test -s /etc/sysconfig/openvpn \ -# . /etc/sysconfig/openvpn +test -s /etc/sysconfig/openvpn \ + . /etc/sysconfig/openvpn DAEMON=OpenVPN openvpn=/usr/sbin/openvpn @@ -73,6 +72,16 @@ action=$1 ; shift config=$1 ; shift +autostart_filter() +{ + test x$config != xreturn 0 + test x$OPENVPN_AUTOSTART = x return 0 + for n in ${OPENVPN_AUTOSTART} ; do + test x$n = x$1 return 0 + done + return 1 +} + case $action in start) /sbin/modprobe tun /dev/null @@ -81,6 +90,7 @@ for conf in $confdir/${config:-*}.conf ; do test -f $conf || continue name=$(basename ${conf%%.conf}) + autostart_filter $name || continue pidfile=$piddir/${name}.pid echo -n Starting $DAEMON [$name] 
@@ -164,14 +174,30 @@ restart) ## Stop the service and regardless of whether it was ## running or not, start it again. - $0 stop ${config:+$config} - sleep 3 - $0 start ${config:+$config} + # When nothing is running, start specified config or + # the defult (autostart) set. Otherwise we stop the + # specified one or all that are currently running. + # Then start specified one or all that were running + # before and have a config. Makes sense? :-) + name= + list=($config) + for pidfile in $piddir/${config:-*}.pid; do + test -f $pidfile || continue + name=$(basename ${pidfile%%.pid}) + $0 stop $name + rc_status + test x$name = x$config continue # in list + test -f $confdir/${name}.conf list+=($name) + done + + test x$name = x || sleep 3 # for what was this needed? + + $0 start ${list[@]} # Remember status and be quiet rc_status ;; -reopen|reload|force-reload) +reload|force-reload) for pidfile in $piddir/${config:-*}.pid; do test -f $pidfile || continue name=$(basename ${pidfile%%.pid}) @@ -219,6 +245,7 @@ for conf in $confdir/${config:-*}.conf ; do test -f $conf || continue
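Review bot: the rewritten `restart)` branch ends with `$0 start ${list[@]}`, but the context line `action=$1 ; shift config=$1 ; shift` shows the script reading a single configuration name, so when two or more tunnels were running only the first entry of the list would be started again. Loop over the list and call `$0 start` once per name, or make start accept several names. The branch also ships with open questions in its comments (`Makes sense? :-)`, `# for what was this needed?`) and the typo `defult`; resolve these before the change goes in.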
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2012-08-23 15:30:27 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn, Maintainer is m...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2012-04-17 07:47:46.0 +0200 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2012-08-23 15:30:29.0 +0200 @@ -1,0 +2,6 @@ +Wed Aug 22 14:50:39 UTC 2012 - cfarr...@suse.com + +- license update: GPL-2.0-with-openssl-exception and LGPL-2.1 + openssl has an openssl exception (also, it is GPL-2.0 only) + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.shj7iP/_old 2012-08-23 15:30:30.0 +0200 +++ /var/tmp/diff_new_pack.shj7iP/_new 2012-08-23 15:30:30.0 +0200 @@ -25,7 +25,7 @@ Release:0 %define upstream_version %version Summary:Full-featured SSL VPN solution using a TUN/TAP Interface -License:GPL-2.0+ ; LGPL-2.1+ +License:GPL-2.0-with-openssl-exception and LGPL-2.1 Group: Productivity/Networking/Security Source: http://swupdate.openvpn.org/community/releases/openvpn-%{upstream_version}.tar.gz Source1: http://swupdate.openvpn.org/community/releases/openvpn-%{upstream_version}.tar.gz.asc -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
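Review bot: the changes entry reads `openssl has an openssl exception`, which presumably means openvpn; as written it does not explain the new tag. The License line also drops the `+` from both components (`GPL-2.0+ ; LGPL-2.1+` becomes `GPL-2.0-with-openssl-exception and LGPL-2.1`); the entry covers that for the GPL part with `it is GPL-2.0 only` but says nothing about LGPL-2.1, so state whether that narrowing is intended as well.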
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2012-04-17 07:47:41 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn, Maintainer is m...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2012-02-16 14:58:56.0 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2012-04-17 07:47:46.0 +0200 @@ -1,0 +2,6 @@ +Thu Mar 29 09:45:56 UTC 2012 - m...@suse.com + +- Fixed SLES build readding Group tags to sub-packages in spec, + not require libselinux-devel on SLE-10 and datadir/doc cleanup. + +--- Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.GHSpz0/_old 2012-04-17 07:47:47.0 +0200 +++ /var/tmp/diff_new_pack.GHSpz0/_new 2012-04-17 07:47:47.0 +0200 @@ -16,7 +16,6 @@ # - Name: openvpn Url:http://openvpn.net/ %if 0%{?suse_version} @@ -42,10 +41,12 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: automake BuildRequires: iproute2 -BuildRequires: libselinux-devel BuildRequires: lzo-devel BuildRequires: openssl-devel BuildRequires: pam-devel +%if 0%{?suse_version} 1010 +BuildRequires: libselinux-devel +%endif %if 0%{?suse_version} 1030 BuildRequires: pkcs11-helper-devel Requires: pkcs11-helper @@ -80,6 +81,7 @@ %package down-root-plugin Summary:OpenVPN down-root plugin +Group: Productivity/Networking/Security Requires: %{name} = %{version} %description down-root-plugin @@ -102,6 +104,7 @@ %package auth-pam-plugin Summary:OpenVPN auth-pam plugin +Group: Productivity/Networking/Security Requires: %{name} = %{version} %description auth-pam-plugin 
@@ -190,8 +193,7 @@ $RPM_BUILD_ROOT%{plugin_libdir}/ done # we install docs via spec into _defaultdocdir/name/management-notes.txt -rm $RPM_BUILD_ROOT%{_datadir}/doc/%name/management-notes.txt -rmdir $RPM_BUILD_ROOT%{_datadir}/doc/%name +rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/{OpenVPN,%name} %clean if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
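Review bot: in the last spec hunk, replacing `rm` of management-notes.txt plus `rmdir` with `rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/{OpenVPN,%name}` removes the build's only signal that upstream started installing something new under doc: the old rmdir failed on an unexpected file, the new line deletes it silently. If that is intended for the SLES build, say so in the comment above the line; otherwise keep the removal explicit per file. `$RPM_BUILD_ROOT` is also expanded unquoted in an `rm -rf`, which is worth quoting.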
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2012-02-16 14:58:54 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn, Maintainer is m...@suse.com Changes: --- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2011-12-08 14:45:56.0 +0100 +++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2012-02-16 14:58:56.0 +0100 @@ -1,0 +2,8 @@ +Wed Feb 15 15:21:32 UTC 2012 - m...@suse.com + +- Updated to openvpn-2.2.2: + - Warn once, that IPv6 in tun mode is not supported in OpenVPN 2.2 + - Pkcs11 support built into the Windows version + - Fixed a bug in the Windows TAP-driver + +--- Old: openvpn-2.2.1.tar.gz openvpn-2.2.1.tar.gz.asc New: openvpn-2.2.2.tar.gz openvpn-2.2.2.tar.gz.asc Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.oBsYgT/_old 2012-02-16 14:58:58.0 +0100 +++ /var/tmp/diff_new_pack.oBsYgT/_new 2012-02-16 14:58:58.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package openvpn # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -22,7 +22,7 @@ %if 0%{?suse_version} PreReq: %insserv_prereq %fillup_prereq %endif -Version:2.2.1 +Version:2.2.2 Release:0 %define upstream_version %version Summary:Full-featured SSL VPN solution using a TUN/TAP Interface ++ openvpn-2.2.1.tar.gz - openvpn-2.2.2.tar.gz ++ 3371 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2011-12-06 18:34:57 Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) Package is openvpn, Maintainer is m...@suse.com Changes: Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.9IDSk0/_old 2011-12-06 18:56:26.0 +0100 +++ /var/tmp/diff_new_pack.9IDSk0/_new 2011-12-06 18:56:26.0 +0100 @@ -20,7 +20,7 @@ Name: openvpn Url:http://openvpn.net/ -License:GPLv2+ ; LGPLv2.1+ +License:GPL-2.0+ ; LGPL-2.1+ Group: Productivity/Networking/Security AutoReqProv:on %if 0%{?suse_version} @@ -78,7 +78,7 @@ James Yonan j...@yonan.net %package down-root-plugin -License:GPLv2+ ; LGPLv2.1+ +License:GPL-2.0+ ; LGPL-2.1+ Summary:OpenVPN down-root plugin Group: Productivity/Networking/Security AutoReqProv:on @@ -103,7 +103,7 @@ James Yonan j...@yonan.net %package auth-pam-plugin -License:GPLv2+ ; LGPLv2.1+ +License:GPL-2.0+ ; LGPL-2.1+ Summary:OpenVPN auth-pam plugin Group: Productivity/Networking/Security AutoReqProv:on -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit openvpn for openSUSE:Factory
Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at Tue Aug 30 16:11:26 CEST 2011. --- openvpn/openvpn.changes 2011-07-11 16:51:08.0 +0200 +++ openvpn/openvpn.changes 2011-08-29 20:33:56.0 +0200 @@ -1,0 +2,19 @@ +Mon Aug 29 18:05:30 UTC 2011 - m...@suse.com + +- Marked /var/run/openvpn as ghost (bnc#710270), man page and + other rpmlint warning fixes + +--- +Tue Aug 23 15:41:00 UTC 2011 - crrodrig...@opensuse.org + +- BuildRequires libselinux-devel +- Use SSL_MODE_RELEASE_BUFFERS to keep memory usage low, sent + upstream as https://community.openvpn.net/openvpn/ticket/157 + +--- +Mon Aug 22 09:55:44 UTC 2011 - fcro...@novell.com + +- Add openvpn-2.1-systemd-passwd.patch / modify openvpn.init to + support systemd password query (bnc#675406) + +--- calling whatdependson for head-i586 New: 0001-Use-SSL_MODE_RELEASE_BUFFERS-if-available.patch openvpn-2.1-systemd-passwd.patch openvpn-2.2.1-man-dot.diff Other differences: -- ++ openvpn.spec ++ --- /var/tmp/diff_new_pack.yq4BYo/_old 2011-08-30 16:07:55.0 +0200 +++ /var/tmp/diff_new_pack.yq4BYo/_new 2011-08-30 16:07:55.0 +0200 @@ -27,7 +27,7 @@ PreReq: %insserv_prereq %fillup_prereq %endif Version:2.2.1 -Release:1 +Release:16 %define upstream_version %version Summary:Full-featured SSL VPN solution using a TUN/TAP Interface Source: http://openvpn.net/release/openvpn-%{upstream_version}.tar.gz @@ -38,9 +38,13 @@ Source5:client-netconfig.down Patch1: %{name}-2.1-plugin-man.dif Patch2: %{name}-2.1-plugin-build.dif +Patch3: openvpn-2.1-systemd-passwd.patch +Patch4: 0001-Use-SSL_MODE_RELEASE_BUFFERS-if-available.patch +Patch5: openvpn-2.2.1-man-dot.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: lzo-devel openssl-devel BuildRequires: iproute2 pam-devel +BuildRequires: libselinux-devel %if 0%{?suse_version} 1030 BuildRequires: pkcs11-helper-devel Requires: pkcs11-helper 
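Review bot: Patch3, Patch4 and Patch5 are added in the `@@ -38,9 +38,13 @@` hunk with no comment saying what each one is for or where it stands upstream; the openvpn.changes entry already has that information (bnc#675406 for the systemd password patch, the upstream ticket for SSL_MODE_RELEASE_BUFFERS, which is described only as "sent upstream"), so repeat it above each PatchN line. Patch3 and Patch5 also hard-code `openvpn-` where Patch1 and Patch2 use `%{name}-`; pick one form. The new `BuildRequires: libselinux-devel` is unconditional and the changelog bullet gives no reason for it, so state which code needs it.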
@@ -129,6 +133,9 @@ %setup -q -n %{name}-%{upstream_version} %patch1 -p0 %patch2 -p0 +%patch3 -p1 +%patch4 -p1 +%patch5 -p0 sed -e s|@PLUGIN_DIR@|%{plugin_dir}|g \ -e s|@PLUGIN_LIBDIR@|%{plugin_libdir}|g \ -e s|@PLUGIN_DOCDIR@|%{_defaultdocdir}/%{name}|g \ @@ -187,7 +194,7 @@ install -m 755 plugin/$pi/openvpn-$pi.so \ $RPM_BUILD_ROOT%{plugin_libdir}/ done -# we install docs via spec into %{_defaultdocdir}/name/management-notes.txt +# we install docs via spec into _defaultdocdir/name/management-notes.txt rm $RPM_BUILD_ROOT%{_datadir}/doc/%name/management-notes.txt rmdir $RPM_BUILD_ROOT%{_datadir}/doc/%name @@ -205,7 +212,7 @@ %files %defattr(-,root,root) -%doc AUTHORS COPYING COPYRIGHT.GPL ChangeLog INSTALL NEWS PORTS README +%doc AUTHORS COPYING COPYRIGHT.GPL ChangeLog PORTS README %doc README.* %doc contrib %doc sample-config-files @@ -218,7 +225,7 @@ %config %{_sysconfdir}/init.d/openvpn %{_sbindir}/openvpn %{_sbindir}/rcopenvpn -%dir %{_localstatedir}/run/openvpn +%attr(0755,root,root) %dir %ghost %{_localstatedir}/run/openvpn %dir %{_datadir}/openvpn %{_datadir}/openvpn/easy-rsa %dir %{_libdir}/%{name} ++ 0001-Use-SSL_MODE_RELEASE_BUFFERS-if-available.patch ++ From db33132094f4748ccc63aadbfa4b7446bb95b350 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= crrodrig...@opensuse.org Date: Sat, 20 Aug 2011 18:12:28 -0400 Subject: [PATCH] Use SSL_MODE_RELEASE_BUFFERS if available MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Cristian Rodríguez crrodrig...@opensuse.org --- ssl.c |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/ssl.c b/ssl.c index ea7b204..459e66c 100644 --- a/ssl.c +++ b/ssl.c 
@@ -2073,6 +2073,9 @@ init_ssl (const struct options *options) } /* Set SSL options */ +#ifdef SSL_MODE_RELEASE_BUFFERS + SSL_CTX_set_mode (ctx, SSL_MODE_RELEASE_BUFFERS); +#endif SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_OFF); SSL_CTX_set_options (ctx, SSL_OP_SINGLE_DH_USE); -- 1.7.4.1 ++ openvpn-2.1-systemd-passwd.patch ++ Index: openvpn-2.2.1/misc.c === --- openvpn-2.2.1.orig/misc.c +++ openvpn-2.2.1/misc.c @@ -1333,26 +1333,49 @@ get_console_input (const char *prompt, c ASSERT (input); ASSERT (capacity 0); input[0] = '\0'; + bool is_systemd_running; + struct stat a, b; + + /* We simply test whether the systemd cgroup hierarchy is + * mounted */ + + is_systemd_running =