Commit graph

19 commits

Author SHA1 Message Date
adam
cb8b821d6a openvpn: updated to 2.4.7
OpenVPN 2.4.7
- Fix subnet topology on NetBSD (2.4).
- add support for %lu in argv_printf and prevent ASSERT
- buffer_list: add functions documentation
- ifconfig-ipv6(-push): allow using hostnames
- Properly free tuntap struct on android when emulating persist-tun
- Add OpenSSL compat definition for RSA_meth_set_sign
- Add support for tls-ciphersuites for TLS 1.3
- Add better support for showing TLS 1.3 ciphersuites in --show-tls
- Use right function to set TLS1.3 restrictions in show-tls
- Add message explaining early TLS client hello failure
- Fallback to password authentication when auth-token fails
- systemd: extend CapabilityBoundingSet for auth_pam
- plugin: Export base64 encode and decode functions
- Add %d, %u and %lu tests to test_argv unit tests.
- Fix combination of --dev tap and --topology subnet across multiple platforms.
- Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
- preparing release v2.4.7 (ChangeLog, version.m4, Changes.rst)
- Minor reliability layer documentation fixes
- Resolves small IV_GUI_VER typo in the documentation.
- Clarify and expand management interface documentation
- Refactor NCP-negotiable options handling
- init.c: refine functions names and description
- interactive.c: fix usage of potentially uninitialized variable
- options.c: fix broken unary minus usage
- Remove extra token after #endif
- Fix error message when using RHEL init script
- man: correct a --redirection-gateway option flag
- Replace M_DEBUG with D_LOW as the former is too verbose
- Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'
- Bump version of openvpn plugin argument structs to 5
- Move get system directory to a separate function
- Enable dhcp on tap adapter using interactive service
- Pass the hash without the DigestInfo header to NCryptSignHash()
- White-list pull-filter and script-security in interactive service
- Add Interactive Service developer documentation
- Detect TAP interfaces with root-enumerated hardware ID
- man: add security considerations to --compress section
- mbedtls: print warning if random personalisation fails
- Fix memory leak after sighup
- travis: add OpenSSL 1.1 Windows build
- Fix --disable-crypto build
- Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
- buffer_list_aggregate_separator(): simplify code
2019-02-21 16:22:54 +00:00
adam
184f7f5d98 openvpn: 2.4.6
OpenVPN 2.4.6
management: Warn if TCP port is used without password

Correct version in ChangeLog - should be 2.4.5, was mistyped as 2.4.4
Fix potential double-free() in Interactive Service (CVE-2018-9336)
preparing release v2.4.6 (ChangeLog, version.m4, Changes.rst)

manpage: improve description of --status and --status-version

Make return code external tls key match docs

Delete the IPv6 route to the "connected" network on tun close
Management: warn about password only when the option is in use
Avoid overflow in wakeup time computation

Add missing #ifdef SSL_OP_NO_TLSv1_1/2

Check for more data in control channel
2018-04-27 06:40:28 +00:00
adam
ac648d0408 openvpn: updated to 2.4.5
OpenVPN 2.4.5:
reload HTTP proxy credentials when moving to the next connection profile
Allow learning iroutes with network made up of all 0s (only if netbits < 8)
mbedtls: fix typ0 in comment
manpage: fix simple typ0
Treat dhcp-option DNS6 and DNS identical
show the right string for key-direction
Fix typo in error message: "optione" -> "option"
lz4: Fix confused version check
lz4: Fix broken builds when pkg-config is not present but system library is
Remove references to keychain-mcd in Changes.rst
lz4: Rebase compat-lz4 against upstream v1.7.5
systemd: Add and ship README.systemd
Update copyright to include 2018 plus company name change
man: Add .TQ groff support macro
man: Reword --management to prefer unix sockets over TCP
OpenSSL: check EVP_PKEY key types before returning the pkey
Remove warning on pushed tun-ipv6 option.
Fix removal of on-link prefix on windows with netsh
travis-ci: add brew cache, remove ccache
travis-ci: modify openssl build script to support openssl-1.1.0
autoconf: Fix engine checks for openssl 1.1
Cast time_t to long long in order to print it.
Fix build with LibreSSL
Check whether in pull_mode before warning about previous connection blocks
Avoid illegal memory access when malformed data is read from the pipe
Fix missing check for return value of malloc'd buffer
Return NULL if GetAdaptersInfo fails
Use RSA_meth_free instead of free
Bring cryptoapi.c upto speed with openssl 1.1
Add SSL_CTX_get_max_proto_version() not in openssl 1.0
TLS v1.2 support for cryptoapicert -- RSA only
Refactor get_interface_metric to return metric and auto flag separately
Ensure strings read from registry are null-terminated
Make most registry values optional
Use lowest metric interface when multiple interfaces match a route
Adapt to RegGetValue brokenness in Windows 7
Fix format spec errors in Windows builds
Local functions are not supported in MSVC. Bummer.
Mixing wide and regular strings in concatenations is not allowed in MSVC.
RtlIpv6AddressToStringW() and RtlIpv4AddressToStringW() require mstcpip.h
Simplify iphlpapi.dll API calls
Fix local #include to use quoted form
Document ">PASSWORD:Auth-Token" real-time message
Fix typo in "verb" command examples
Uniform swprintf() across MinGW and MSVC compilers
MSVC meta files added to .gitignore list
openvpnserv: Add support for multi-instances
Document missing OpenVPN states
make struct key * argument of init_key_ctx const
buffer_list_aggregate_separator(): add unit tests
Add --tls-cert-profile option.
Use P_DATA_V2 for server->client packets too
Fix memory leak in buffer unit tests
buffer_list_aggregate_separator(): update list size after aggregating
buffer_list_aggregate_separator(): don't exceed max_len
buffer_list_aggregate_separator(): prevent 0-byte malloc
Fix types around buffer_list_push(_data)
ssl_openssl: fix compiler warning by removing getbio() wrapper
travis: use clang's -fsanitize=address to catch more bugs
Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
Add support for TLS 1.3 in --tls-version-{min, max}
Plug memory leak if push is interrupted
Fix format errors when cross-compiling for Windows
Log pre-handshake packet drops using D_MULTI_DROPPED
Enable stricter compiler warnings by default
Get rid of ax_check_compile_flag.m4
mbedtls: don't use API deprecated in mbed 2.7
Warn if tls-version-max < tls-version-min
Don't throw fatal errors from create_temp_file()
Fix '--bind ipv6only'
2018-03-13 18:12:50 +00:00
wiz
5130379d0e openvpn: update to 2.4.4
Version 2.4.4
=============
This is primarily a maintenance release, with further improved OpenSSL 1.1
integration, several minor bug fixes and other minor improvements.

Bug fixes
---------
- Fix issues when a pushed cipher via the Negotiable Crypto Parameters (NCP) is
  rejected by the remote side

- Ignore ``--keysize`` when NCP have resulted in a changed cipher.

- Configurations using ``--auth-nocache`` and the management interface to provide
  user credentials (like NetworkManager on Linux) on client side with servers
  implementing authentication tokens (for example, using ``--auth-gen-token``)
  will now behave correctly and not query the user for an, to them, unknown
  authentication token on renegotiations of the tunnel.

- Fix bug causing invalid or corrupt SOCKS port number when changing the
  proxy via the management interface.

- The man page should now have proper escaping of hyphens/minus characters
  and have seen some minor corrections.

User-visible Changes
--------------------
- Linux servers with systemd which uses the ``openvpn-server@.service`` unit
  file for server configurations will now utilize the automatic restart feature
  in systemd.  If the OpenVPN server process dies unexpectedly, systemd will
  ensure the OpenVPN configuration will be restarted without any user interaction.

Deprecated features
-------------------
- ``--no-replay`` is deprecated and will be removed in OpenVPN 2.5.
- ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6

Security
--------
- CVE-2017-12166: Fix bounds check for configurations using ``--key-method 1``.
  Before this fix, it could allow an attacker to send a malformed packet to
  trigger a stack overflow.  This is considered to be a low risk issue, as
  ``--key-method 2`` has been the default since OpenVPN 2.0 (released on
  2005-04-17).  This option is already deprecated in v2.4 and will be
  completely removed in v2.5.
2017-10-02 15:54:23 +00:00
joerg
d50acbcb60 Use DIST_SUBDIR properly. 2017-07-01 22:12:53 +00:00
adam
ffce05b357 Distfile has been changed upstream 2017-06-26 07:21:21 +00:00
adam
79bc03c5e0 Updated openvpn to 2.4.3 2017-06-23 06:46:06 +00:00
adam
3f16217f43 OpenVPN 2.4.2
Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client's IP address changes (Peer-ID). Also, the new --tls-crypt feature can be used to increase users' connection privacy.

Compared to OpenVPN 2.4.1 there are several bugfixes and small enhancements. A summary of the changes is available in Changes.rst.
2017-05-24 20:35:12 +00:00
adam
3c37db9646 Version 2.3.16:
* fix redirect-gateway behaviour when an IPv4 default route does not exist
* Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
* Check for errors in the return value of GetModuleFileNameW()
* Fix gateway detection with OpenBSD routing domains
2017-05-22 06:25:19 +00:00
spz
c73750ff1b update openvpn to 2.3.15
fixes DoSses: CVE-2017-7478 CVE-2017-7479
fixes PR pkg/52044

relevant excerpt of ChangeLog:
OpenVPN Change Log
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>

2017.05.11 -- Version 2.3.15
David Sommerseth (5):
      dev-tools: Added script for updating copyright years in files
      Update copyrights
      docs: Further improve --reneg-bytes and SWEET32 information
      git: Merge .gitignore files into a single file
      Make --cipher/--auth none more explicit on the risks

Gert Doering (1):
      Document --proto udp6, tcp6, etc.

Julien Muchembled (1):
      Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset

Steffan Karger (6):
      Add missing includes in error.h
      cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
      Document that OpenVPN 2.3 does not check the CRL signature
      Introduce and use secure_memzero() to erase secrets
      Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
      Don't assert out on receiving too-large control packets (CVE-2017-7478)


2016.12.06 -- Version 2.3.14
Christian Hesse (1):
      update year in copyright message

David Sommerseth (1):
      Document the --auth-token option

Gert Doering (2):
      Repair topology subnet on FreeBSD 11
      Repair topology subnet on OpenBSD

Lev Stipakov (1):
      Drop recursively routed packets

Selva Nair (4):
      Support --block-outside-dns on multiple tunnels
      When parsing '--setenv opt xx ..' make sure a third parameter is present
      Map restart signals from event loop to SIGTERM during exit-notification wait
      Correctly state the default dhcp server address in man page

Steffan Karger (1):
      Clean up format_hex_ex()


2016.11.02 -- Version 2.3.13
Arne Schwabe (2):
      Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
      Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer

David Sommerseth (4):
      t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
      t_client.sh: Add support for Kerberos/ksu
      t_client.sh: Improve detection if the OpenVPN process did start during tests
      t_client.sh: Add prepare/cleanup possibilties for each test case

Gert Doering (5):
      Do not abort t_client run if OpenVPN instance does not start.
      Fix t_client runs on OpenSolaris
      make t_client robust against sudoers misconfiguration
      add POSTINIT_CMD_suf to t_client.sh and sample config
      Fix --multihome for IPv6 on 64bit BSD systems.

Ilya Shipitsin (1):
      skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto

Lev Stipakov (2):
      Exclude peer-id from pulled options digest
      Fix compilation in pedantic mode

Samuli Seppänen (1):
      Automatically cache expected IPs for t_client.sh on the first run

Steffan Karger (6):
      Fix unittests for out-of-source builds
      Make gnu89 support explicit
      cleanup: remove code duplication in msg_test()
      Update cipher-related man page text
      Limit --reneg-bytes to 64MB when using small block ciphers
      Add a revoked cert to the sample keys


2016.08.23 -- Version 2.3.12
Arne Schwabe (2):
      Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
      Move ASSERT so external-key with OpenSSL works again

David Sommerseth (3):
      Only build and run cmocka unit tests if its submodule is initialized
      Another fix related to unit test framework
      Remove NOP function and callers

Dorian Harmans (1):
      Add CHACHA20-POLY1305 ciphersuite IANA name translations.

Ivo Manca (1):
      Plug memory leak in mbedTLS backend

Jeffrey Cutter (1):
      Update contrib/pull-resolv-conf/client.up for no DOMAIN

Jens Neuhalfen (2):
      Add unit testing support via cmocka
      Add a test for auth-pam searchandreplace

Josh Cepek (1):
      Push an IPv6 CIDR mask used by the server, not the pool's size

Leon Klingele (1):
      Add link to bug tracker

Samuli Seppänen (2):
      Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
      Clarify the fact that build instructions in README are for release tarballs

Selva Nair (4):
      Make error non-fatal while deleting address using netsh
      Make block-outside-dns work with persist-tun
      Ignore SIGUSR1/SIGHUP during exit notification
      Promptly close the netcmd_semaphore handle after use

Steffan Karger (4):
      Fix polarssl / mbedtls builds
      Don't limit max incoming message size based on c2->frame
      Fix '--cipher none --cipher' crash
      Discourage using 64-bit block ciphers
2017-05-19 18:11:04 +00:00
jperkin
8a5368e1d7 Update openvpn distfile. Bump PKGREVISION. 2016-07-08 08:50:55 +00:00
jperkin
17661ff9a5 Bump PKGREVISION for security/openssl ABI bump. 2016-03-05 11:27:40 +00:00
agc
203292f73e Add SHA512 digests for distfiles for net category
Problems found with existing digests:
	Package haproxy distfile haproxy-1.5.14.tar.gz
	159f5beb8fdc6b8059ae51b53dc935d91c0fb51f [recorded]
	da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated]

Problems found locating distfiles:
	Package bsddip: missing distfile bsddip-1.02.tar.Z
	Package citrix_ica: missing distfile citrix_ica-10.6.115659/en.linuxx86.tar.gz
	Package djbdns: missing distfile djbdns-1.05-test25.diff.bz2
	Package djbdns: missing distfile djbdns-cachestats.patch
	Package djbdns: missing distfile 0002-dnscache-cache-soa-records.patch
	Package gated: missing distfile gated-3-5-11.tar.gz
	Package owncloudclient: missing distfile owncloudclient-2.0.2.tar.xz
	Package poink: missing distfile poink-1.6.tar.gz
	Package ra-rtsp-proxy: missing distfile rtspd-src-1.0.0.0.tar.gz
	Package ucspi-ssl: missing distfile ucspi-ssl-0.70-ucspitls-0.1.patch
	Package waste: missing distfile waste-source.tar.gz

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
2015-11-04 00:34:51 +00:00
wiedi
3332eed7b6 bulk build wants openssl 2015-01-18 16:01:37 +00:00
wiz
eaebd9916f Update checksums for openvpn update. 2014-12-03 10:09:33 +00:00
adam
a2405e22af Changes 2.3.4:
The most important change in this release is that TLS version negotiation is no longer used unless it's explicitly turned on in the configuration files, thus reverting back to the 2.3.2 behaviour as interoperability issues were encountered in 2.3.3. Other notable changes include addition of SSL library version reporting, fixing of SOCKSv5 authentication logic and making serial env exporting consistent between OpenSSL and PolarSSL. This release also contains a number of other bug fixes and small enhancements.
2014-07-20 17:43:29 +00:00
joerg
70b12af932 Keep in sync with the openvpn main package. Bump revision. 2013-08-30 22:38:47 +00:00
joerg
167beab360 Don't call libtool --mode=finish without argument. Fix a sign cast to
avoid a clang warning made fatal by -Werror.
2013-03-26 23:32:49 +00:00
manu
3f169ae736 Add openvpn-nagios, an OpenVPN certificate monitoring plugin to be used
in nagios
2013-02-10 05:57:41 +00:00