Merge ~paelzer/ubuntu/+source/openvpn:merge-eoan-2.4.7-1 into ubuntu/+source/openvpn:debian/sid
Status: | Merged |
---|---|
Merge reported by: | Christian Ehrhardt |
Merged at revision: | 54fa0958a3a8e738afe07c7d2be70a2efc8b3722 |
Proposed branch: | ~paelzer/ubuntu/+source/openvpn:merge-eoan-2.4.7-1 |
Merge into: | ubuntu/+source/openvpn:debian/sid |
Diff against target: | 971 lines (+706/-4), 5 files modified: debian/changelog (+598/-0), debian/control (+4/-3), debian/openvpn@.service (+1/-1), debian/patches/openvpn-fips-2.4.patch (+102/-0), debian/patches/series (+1/-0) |
Related bugs: | |

Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Andreas Hasenack | Approve | ||
Canonical Server | Pending | ||
git-ubuntu developers | Pending | ||
Review via email: mp+367349@code.launchpad.net |
Christian Ehrhardt (paelzer) wrote : | # |
Tested and working following the basic (but at least some) test from:
https:/
Ends up with:
root@eoan-
root@eoan-
Broadcast message from root@eoan-
Password entry required for 'Enter Private Key Password:' (PID 9320).
Please enter password with the systemd-
root@eoan-
Enter Private Key Password: ******
root@eoan-
● <email address hidden> - OpenVPN connection to client
Loaded: loaded (/lib/systemd/
Active: active (running) since Mon 2019-05-13 14:56:43 UTC; 9s ago
Docs: man:openvpn(8)
https:/
https:/
Main PID: 9309 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 541)
Memory: 1.9M
CGroup: /<email address hidden>
└─9309 /usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: Data Channel: using negotiated cipher 'AES-256-GCM'
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: ROUTE_GATEWAY 192.168.
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: TUN/TAP device tun0 opened
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: TUN/TAP TX queue length set to 100
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: /sbin/ip link set dev tun0 up mtu 1500
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: Initialization Sequence Completed
root@eoan-
tun0: flags=4305<
inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
inet6 fe80::41b:
unspec 00-00-00-
RX packets 1 bytes 48 (48.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 96 (96.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@eoan-
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.392 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.494 ms
^C
--- 10.8.0.1 ping ...
Andreas Hasenack (ahasenack) wrote : | # |
+1
The logical tag was the old one, but it was easy enough to recreate locally
Christian Ehrhardt (paelzer) wrote : | # |
Odd where this tag got missing, the commands are all in my shell history but the tag is missing.
Well, as this was an easier one thanks for recreating and reviewing it!
Pushing tags for upload and dputting to Eoan
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index f676f8d..09e92aa 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,19 @@ |
6 | +openvpn (2.4.7-1ubuntu1) eoan; urgency=medium |
7 | + |
8 | + * Merge with Debian unstable (LP: #1828771). Remaining changes: |
9 | + - d/control: Demote easy-rsa to Suggests (universe package). |
10 | + - debian/openvpn@.service: Add '--script-security 2' similar to what got |
11 | + added to debian/openvpn.init.d ages ago (LP 1454725) |
12 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF. |
13 | + (LP 1807439) |
14 | + * Dropped changes: |
15 | + - d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout |
16 | + scripts breaking due to sudo/pam being unable to audit the action. |
17 | + Fixed in upstream issue #918, suggested to Debian in #868806 (LP 1787208) |
18 | + [in Debian now] |
19 | + |
20 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 13 May 2019 15:55:22 +0200 |
21 | + |
22 | openvpn (2.4.7-1) unstable; urgency=medium |
23 | |
24 | [ Bernhard Schmidt ] |
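Review bot: The debian/openvpn@.service item under "Remaining changes" justifies '--script-security 2' only as "similar to what got added to debian/openvpn.init.d ages ago", which, apart from the bare bug number, gives a reader no reason to evaluate. Level 2 lets every openvpn@ instance run user-defined scripts, so the entry should state why the delta is still needed (the older entries restored further down cite backwards compatibility), so that the next merge can judge whether it can be dropped.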
25 | @@ -17,6 +33,30 @@ openvpn (2.4.7-1) unstable; urgency=medium |
26 | |
27 | -- Bernhard Schmidt <berni@debian.org> Wed, 20 Feb 2019 14:50:03 +0100 |
28 | |
29 | +openvpn (2.4.6-1ubuntu3) disco; urgency=medium |
30 | + |
31 | + * d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF. |
32 | + (LP: #1807439) |
33 | + |
34 | + -- Joy Latten <joy.latten@canonical.com> Wed, 09 Jan 2019 12:25:59 -0600 |
35 | + |
36 | +openvpn (2.4.6-1ubuntu2) cosmic; urgency=medium |
37 | + |
38 | + * d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout |
39 | + scripts breaking due to sudo/pam being unable to audit the action. |
40 | + Fixed in upstream issue #918, suggested to Debian in #868806 (LP: #1787208) |
41 | + |
42 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Sep 2018 10:57:35 +0200 |
43 | + |
44 | +openvpn (2.4.6-1ubuntu1) cosmic; urgency=medium |
45 | + |
46 | + * Merge with Debian unstable. Remaining changes: |
47 | + - d/control: Demote easy-rsa to Suggests (universe package). |
48 | + - debian/openvpn@.service: Add '--script-security 2' similar to what got |
49 | + added to debian/openvpn.init.d ages ago (LP 1454725) |
50 | + |
51 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 20 Aug 2018 13:30:20 +0200 |
52 | + |
53 | openvpn (2.4.6-1) unstable; urgency=medium |
54 | |
55 | [ Jörg Frings-Fürst ] |
56 | @@ -60,6 +100,15 @@ openvpn (2.4.5-1) unstable; urgency=medium |
57 | |
58 | -- Bernhard Schmidt <berni@debian.org> Sun, 04 Mar 2018 22:23:47 +0100 |
59 | |
60 | +openvpn (2.4.4-2ubuntu1) bionic; urgency=low |
61 | + |
62 | + * Sync with Debian. Remaining changes: |
63 | + - debian/openvpn@.service: Add "--script-security 2" similar to what got |
64 | + added to debian/openvpn.init.d ages ago (LP: #1454725) |
65 | + - Demote easy-rsa to Suggests (universe package). |
66 | + |
67 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 10 Feb 2018 20:27:56 +0000 |
68 | + |
69 | openvpn (2.4.4-2) unstable; urgency=medium |
70 | |
71 | * Build against OpenSSL 1.1.0 (Closes: #828477) |
72 | @@ -67,6 +116,15 @@ openvpn (2.4.4-2) unstable; urgency=medium |
73 | |
74 | -- Bernhard Schmidt <berni@debian.org> Mon, 11 Dec 2017 00:22:11 +0100 |
75 | |
76 | +openvpn (2.4.4-1ubuntu1) bionic; urgency=medium |
77 | + |
78 | + * Sync with Debian. Remaining changes: |
79 | + - debian/openvpn@.service: Add "--script-security 2" similar to what got |
80 | + added to debian/openvpn.init.d ages ago (LP: #1454725) |
81 | + - Demote easy-rsa to Suggests (universe package). |
82 | + |
83 | + -- Jeremy Bicha <jbicha@ubuntu.com> Sat, 28 Oct 2017 15:13:58 -0400 |
84 | + |
85 | openvpn (2.4.4-1) unstable; urgency=medium |
86 | |
87 | [ Jörg Frings-Fürst ] |
88 | @@ -188,6 +246,65 @@ openvpn (2.4.0-5) unstable; urgency=high |
89 | |
90 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 May 2017 14:15:21 +0200 |
91 | |
92 | +openvpn (2.4.0-4ubuntu1.3) zesty-security; urgency=medium |
93 | + |
94 | + * SECURITY UPDATE: Remotely-triggerable ASSERT() on malformed IPv6 packet |
95 | + - debian/patches/CVE-2017-7508.patch: remove assert in |
96 | + src/openvpn/mss.c. |
97 | + - CVE-2017-7508 |
98 | + * SECURITY UPDATE: Remote-triggerable memory leaks |
99 | + - debian/patches/CVE-2017-7512.patch: fix leaks in |
100 | + src/openvpn/ssl_verify_openssl.c. |
101 | + - CVE-2017-7512 |
102 | + * SECURITY UPDATE: Pre-authentication remote crash/information disclosure |
103 | + for clients |
104 | + - debian/patches/CVE-2017-7520.patch: prevent two kinds of stack buffer |
105 | + OOB reads and a crash for invalid input data in src/openvpn/ntlm.c. |
106 | + - CVE-2017-7520 |
107 | + * SECURITY UPDATE: Potential double-free in --x509-alt-username and |
108 | + memory leaks |
109 | + - debian/patches/CVE-2017-7521.patch: fix double-free in |
110 | + src/openvpn/ssl_verify_openssl.c. |
111 | + - CVE-2017-7521 |
112 | + * SECURITY UPDATE: DoS in establish_http_proxy_passthru() |
113 | + - debian/patches/establish_http_proxy_passthru_dos.patch: fix |
114 | + null-pointer dereference in src/openvpn/proxy.c. |
115 | + - No CVE number |
116 | + |
117 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 22 Jun 2017 08:37:49 -0400 |
118 | + |
119 | +openvpn (2.4.0-4ubuntu1.2) zesty-security; urgency=medium |
120 | + |
121 | + * SECURITY UPDATE: pre-authentication denial-of-service vulnerability |
122 | + (both client and server) from a too-large control packet. |
123 | + - debian/patches/CVE-2017-7478.patch: Do not assert on too-large |
124 | + control packet |
125 | + - CVE-2017-7478 |
126 | + * SECURITY UPDATE: authenticated remote DoS vulnerability due to |
127 | + packet ID rollover |
128 | + - debian/patches/CVE-2017-7479-prereq.patch: merge |
129 | + packet_id_alloc_outgoing() into packet_id_write() |
130 | + - debian/patches/CVE-2017-7478.patch: do not assert when packet ID |
131 | + rollover occurs |
132 | + - CVE-2017-7478 |
133 | + * SECURITY UPDATE: auth tokens left in memory after de-auth |
134 | + - debian/patches/wipe_tokens_on_de-auth.patch: always wipe token |
135 | + as soon as a TLS session is considered broken. |
136 | + |
137 | + -- Steve Beattie <sbeattie@ubuntu.com> Wed, 10 May 2017 15:21:05 -0700 |
138 | + |
139 | +openvpn (2.4.0-4ubuntu1) zesty; urgency=medium |
140 | + |
141 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
142 | + - debian/openvpn@.service: Add "--script-security 2" similar to what got |
143 | + added to debian/openvpn.init.d ages ago (LP: #1454725) |
144 | + - Demote easy-rsa to Suggests (universe package). |
145 | + * Drop: |
146 | + - debian/control: Actually drop the initscripts dependency. |
147 | + (Closes: #804968). Already in Debian |
148 | + |
149 | + -- Jon Grimm <jon.grimm@canonical.com> Fri, 10 Feb 2017 12:16:57 -0600 |
150 | + |
151 | openvpn (2.4.0-4) unstable; urgency=medium |
152 | |
153 | * Add NEWS entries on possible 2.4 migration issues. |
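Review bot: In the 2.4.0-4ubuntu1.2 entry, the "packet ID rollover" item lists debian/patches/CVE-2017-7478.patch and "- CVE-2017-7478", the same patch name and CVE id already used by the "too-large control packet" item directly above it, while its prerequisite patch is named CVE-2017-7479-prereq.patch. That reads like a copy-and-paste slip for CVE-2017-7479. Restored history should stay as it was uploaded, so the thing to check is that this text matches the published zesty-security changelog and was not altered during the merge; anyone auditing CVE coverage should go by the patch files rather than the ids in this entry. The "auth tokens left in memory" item also carries no CVE line or "No CVE number" marker, unlike the items in the 2.4.0-4ubuntu1.3 entry.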
154 | @@ -257,6 +374,24 @@ openvpn (2.3.11-2) unstable; urgency=medium |
155 | |
156 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 23 May 2016 09:55:30 +0200 |
157 | |
158 | +openvpn (2.3.11-1ubuntu2) yakkety; urgency=medium |
159 | + |
160 | + * debian/control: Actually drop the initscripts dependency. |
161 | + (Closes: #804968) |
162 | + |
163 | + -- Martin Pitt <martin.pitt@ubuntu.com> Wed, 22 Jun 2016 16:54:51 +0200 |
164 | + |
165 | +openvpn (2.3.11-1ubuntu1) yakkety; urgency=medium |
166 | + |
167 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
168 | + - debian/openvpn@.service: Add "--script-security 2" similar to what got |
169 | + added to debian/openvpn.init.d ages ago (see LP: #260291). |
170 | + - Demote easy-rsa to Suggests (universe package). |
171 | + * Drop intrusive changes (showing per-VPN result messages) from |
172 | + debian/openvpn.init.d. This isn't being used under systemd. |
173 | + |
174 | + -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 20 May 2016 17:30:27 +0200 |
175 | + |
176 | openvpn (2.3.11-1) unstable; urgency=medium |
177 | |
178 | * New upstream release. |
179 | @@ -268,6 +403,25 @@ openvpn (2.3.11-1) unstable; urgency=medium |
180 | |
181 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 10 May 2016 17:41:53 +0200 |
182 | |
183 | +openvpn (2.3.10-1ubuntu2) xenial; urgency=medium |
184 | + |
185 | + * debian/openvpn@.service: Add --script-security similar to what got added |
186 | + to debian/openvpn.init.d ages ago (see LP #260291). (LP: #1454725) |
187 | + |
188 | + -- Martin Pitt <martin.pitt@ubuntu.com> Tue, 02 Feb 2016 13:33:39 +0100 |
189 | + |
190 | +openvpn (2.3.10-1ubuntu1) xenial; urgency=medium |
191 | + |
192 | + * Merge with Debian unstable (LP: #1536568). Remaining Ubuntu changes: |
193 | + - debian/openvpn.init.d: |
194 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
195 | + + Show per-VPN result messages. |
196 | + + Add "--script-security 2" by default for backwards compatabliity. |
197 | + (LP #260291) |
198 | + - Demote easy-rsa to Suggests |
199 | + |
200 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Thu, 21 Jan 2016 11:37:08 +0100 |
201 | + |
202 | openvpn (2.3.10-1) unstable; urgency=medium |
203 | |
204 | * New upstream release. (Closes: #804368) |
205 | @@ -286,6 +440,21 @@ openvpn (2.3.10-1) unstable; urgency=medium |
206 | |
207 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 20 Jan 2016 12:01:36 +0100 |
208 | |
209 | +openvpn (2.3.8-1ubuntu1) xenial; urgency=medium |
210 | + |
211 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
212 | + - debian/openvpn.init.d: |
213 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
214 | + + Show per-VPN result messages. |
215 | + + Add "--script-security 2" by default for backwards compatabliity. |
216 | + - Demote easy-rsa to Suggests |
217 | + - Run openvpn@.service before systemd-user-sessions.service to avoid |
218 | + gettys and lightdm starting on top of possible password prompts. This |
219 | + provides the equivalent of the init.d script's X-Start-Before:. |
220 | + (Closes: #803032) |
221 | + |
222 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 04 Jan 2016 11:48:31 +0100 |
223 | + |
224 | openvpn (2.3.8-1) unstable; urgency=medium |
225 | |
226 | * New upstream release. Drop patch from 2.3.7-2. |
227 | @@ -299,6 +468,21 @@ openvpn (2.3.8-1) unstable; urgency=medium |
228 | |
229 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 28 Oct 2015 17:34:26 +0100 |
230 | |
231 | +openvpn (2.3.7-2ubuntu1) xenial; urgency=medium |
232 | + |
233 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
234 | + - debian/openvpn.init.d: |
235 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
236 | + + Show per-VPN result messages. |
237 | + + Add "--script-security 2" by default for backwards compatabliity. |
238 | + - Demote easy-rsa to Suggests |
239 | + - Run openvpn@.service before systemd-user-sessions.service to avoid |
240 | + gettys and lightdm starting on top of possible password prompts. This |
241 | + provides the equivalent of the init.d script's X-Start-Before:. |
242 | + (Closes: #803032) |
243 | + |
244 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 26 Oct 2015 09:32:31 +0100 |
245 | + |
246 | openvpn (2.3.7-2) unstable; urgency=medium |
247 | |
248 | * Move libsystemd-daemon-dev Build-Dep to libsystemd-dev. |
249 | @@ -309,6 +493,20 @@ openvpn (2.3.7-2) unstable; urgency=medium |
250 | |
251 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 08 Sep 2015 08:23:19 +0000 |
252 | |
253 | +openvpn (2.3.7-1ubuntu1) wily; urgency=medium |
254 | + |
255 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
256 | + - debian/openvpn.init.d: |
257 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
258 | + + Show per-VPN result messages. |
259 | + + Add "--script-security 2" by default for backwards compatabliity. |
260 | + - Demote easy-rsa to Suggests |
261 | + - Run openvpn@.service before systemd-user-sessions.service to avoid |
262 | + gettys and lightdm starting on top of possible password prompts. This |
263 | + provides the equivalent of the init.d script's X-Start-Before:. |
264 | + |
265 | + -- Martin Pitt <martin.pitt@ubuntu.com> Wed, 08 Jul 2015 12:28:54 +0200 |
266 | + |
267 | openvpn (2.3.7-1) unstable; urgency=medium |
268 | |
269 | * New upstream version |
270 | @@ -330,6 +528,20 @@ openvpn (2.3.5-1) unstable; urgency=medium |
271 | |
272 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Oct 2014 17:44:06 +0100 |
273 | |
274 | +openvpn (2.3.4-5ubuntu1) wily; urgency=medium |
275 | + |
276 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
277 | + - debian/openvpn.init.d: |
278 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
279 | + + Show per-VPN result messages. |
280 | + + Add "--script-security 2" by default for backwards compatabliity. |
281 | + - Demote easy-rsa to Suggests |
282 | + - Run openvpn@.service before systemd-user-sessions.service to avoid |
283 | + gettys and lightdm starting on top of possible password prompts. This |
284 | + provides the equivalent of the init.d script's X-Start-Before:. |
285 | + |
286 | + -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 07 May 2015 15:35:52 +0200 |
287 | + |
288 | openvpn (2.3.4-5) unstable; urgency=high |
289 | |
290 | * Apply upstream patch that fixes possible DoS by authenticated |
291 | @@ -388,6 +600,52 @@ openvpn (2.3.3-1) experimental; urgency=medium |
292 | |
293 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 17 Mar 2014 19:40:12 +0100 |
294 | |
295 | +openvpn (2.3.2-9ubuntu4) vivid; urgency=medium |
296 | + |
297 | + * Run openvpn@.service before systemd-user-sessions.service to avoid gettys |
298 | + and lightdm starting on top of possible password prompts. This provides |
299 | + the equivalent of the init.d script's X-Start-Before:. |
300 | + |
301 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 13 Apr 2015 16:09:01 -0500 |
302 | + |
303 | +openvpn (2.3.2-9ubuntu3) vivid; urgency=medium |
304 | + |
305 | + * Add better_systemd_detection.patch to avoid calling systemd-ask-password |
306 | + under upstart. Backported from upstream. (Closes: #747265) |
307 | + * Add systemd unit and generator from current Debian package. This avoids |
308 | + using the init.d script, which unnecessarily blocks lightdm startup on the |
309 | + network becoming online even if there are no auto-start connections |
310 | + (LP: #1443489). |
311 | + |
312 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 13 Apr 2015 11:22:56 -0500 |
313 | + |
314 | +openvpn (2.3.2-9ubuntu2) vivid; urgency=medium |
315 | + |
316 | + * SECURITY UPDATE: server denial of service via too-short control channel |
317 | + packets |
318 | + - debian/patches/CVE-2014-8104.patch: drop too-short control channel |
319 | + packets instead of asserting out in src/openvpn/ssl.c. |
320 | + - CVE-2014-8104 |
321 | + * debian/patches/update_certs.patch: update test certs to fix FTBFS. |
322 | + |
323 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Dec 2014 15:26:58 -0500 |
324 | + |
325 | +openvpn (2.3.2-9ubuntu1) utopic; urgency=medium |
326 | + |
327 | + * Merge from Debian unstable. Remaining changes: |
328 | + - debian/openvpn.init.d: |
329 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
330 | + + Show per-VPN result messages. |
331 | + + Add "--script-security 2" by default for backwards compatabliity. |
332 | + - Demote easy-rsa to Suggests |
333 | + - Patch libtool.m4 and configure to support ppc64el. |
334 | + - Refresh delta with debian/openvpn.init.d: |
335 | + + Make stop action reliable by killing if needed |
336 | + (LP: #1274254, LP: #1200519) |
337 | + + Use new path for status file (LP: #1261088) |
338 | + |
339 | + -- Stéphane Graber <stgraber@ubuntu.com> Fri, 02 May 2014 16:00:55 -0400 |
340 | + |
341 | openvpn (2.3.2-9) unstable; urgency=medium |
342 | |
343 | * Create /run/openvpn in init script even if no VPN is |
344 | @@ -403,6 +661,33 @@ openvpn (2.3.2-8) unstable; urgency=medium |
345 | |
346 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 14 Mar 2014 12:59:57 +0100 |
347 | |
348 | +openvpn (2.3.2-7ubuntu3) trusty; urgency=medium |
349 | + |
350 | + [ Simon Deziel ] |
351 | + * Refresh delta with debian/openvpn.init.d: |
352 | + - Make stop action reliable by killing if needed |
353 | + (LP: #1274254, LP: #1200519) |
354 | + - Use new path for status file (LP: #1261088) |
355 | + |
356 | + -- Stéphane Graber <stgraber@ubuntu.com> Tue, 04 Feb 2014 09:31:39 -0500 |
357 | + |
358 | +openvpn (2.3.2-7ubuntu2) trusty; urgency=medium |
359 | + |
360 | + * Patch libtool.m4 and configure to support ppc64el. |
361 | + |
362 | + -- Matthias Klose <doko@ubuntu.com> Mon, 30 Dec 2013 12:32:35 +0100 |
363 | + |
364 | +openvpn (2.3.2-7ubuntu1) trusty; urgency=low |
365 | + |
366 | + * Merge from Debian unstable. Remaining changes: |
367 | + - debian/openvpn.init.d: |
368 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
369 | + + Show per-VPN result messages. |
370 | + + Add "--script-security 2" by default for backwards compatabliity. |
371 | + - Demote easy-rsa to Suggests |
372 | + |
373 | + -- Stéphane Graber <stgraber@ubuntu.com> Mon, 02 Dec 2013 18:14:42 -0500 |
374 | + |
375 | openvpn (2.3.2-7) unstable; urgency=low |
376 | |
377 | * Fix postinst when no *.pid files exist in /run/sendsigs.omit.d/. |
378 | @@ -419,6 +704,17 @@ openvpn (2.3.2-6) unstable; urgency=low |
379 | |
380 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 27 Nov 2013 13:58:33 +0100 |
381 | |
382 | +openvpn (2.3.2-5ubuntu1) trusty; urgency=low |
383 | + |
384 | + * Merge from Debian unstable. Remaining changes: |
385 | + - debian/openvpn.init.d: |
386 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
387 | + + Show per-VPN result messages. |
388 | + + Add "--script-security 2" by default for backwards compatabliity. |
389 | + - Demote easy-rsa to Suggests |
390 | + |
391 | + -- Stéphane Graber <stgraber@ubuntu.com> Mon, 21 Oct 2013 13:07:37 -0400 |
392 | + |
393 | openvpn (2.3.2-5) unstable; urgency=low |
394 | |
395 | * Patch init script to fix race conditions on restarts. |
396 | @@ -428,6 +724,16 @@ openvpn (2.3.2-5) unstable; urgency=low |
397 | |
398 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 15 Jul 2013 16:10:59 +0200 |
399 | |
400 | +openvpn (2.3.2-4ubuntu1) saucy; urgency=low |
401 | + |
402 | + * Merge from Debian unstable. Remaining changes: |
403 | + - debian/openvpn.init.d: |
404 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
405 | + + Show per-VPN result messages. |
406 | + + Add "--script-security 2" by default for backwards compatabliity. |
407 | + |
408 | + -- Stéphane Graber <stgraber@ubuntu.com> Tue, 09 Jul 2013 17:20:31 -0400 |
409 | + |
410 | openvpn (2.3.2-4) unstable; urgency=low |
411 | |
412 | * Fix depends on iproute to iproute2. |
413 | @@ -460,6 +766,23 @@ openvpn (2.3.2-1) unstable; urgency=low |
414 | |
415 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 03 Jun 2013 18:48:44 +0200 |
416 | |
417 | +openvpn (2.3.1-2ubuntu2) saucy; urgency=low |
418 | + |
419 | + * Move easy-rsa from Recommends to Suggests as it's not in main and isn't |
420 | + actually required to operate an openvpn server. |
421 | + |
422 | + -- Stéphane Graber <stgraber@ubuntu.com> Wed, 19 Jun 2013 14:37:54 -0400 |
423 | + |
424 | +openvpn (2.3.1-2ubuntu1) saucy; urgency=low |
425 | + |
426 | + * Merge from Debian unstable. Remaining changes: |
427 | + - debian/openvpn.init.d: |
428 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
429 | + + Show per-VPN result messages. |
430 | + + Add "--script-security 2" by default for backwards compatabliity. |
431 | + |
432 | + -- Stéphane Graber <stgraber@ubuntu.com> Fri, 24 May 2013 17:42:45 -0400 |
433 | + |
434 | openvpn (2.3.1-2) unstable; urgency=low |
435 | |
436 | * Add net-tools to Build-Depends. (Closes: #709108) |
437 | @@ -487,6 +810,32 @@ openvpn (2.3~rc1-1) experimental; urgency=low |
438 | |
439 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 05 Nov 2012 16:31:15 +0100 |
440 | |
441 | +openvpn (2.2.1-8ubuntu3) raring; urgency=low |
442 | + |
443 | + [ Marc Gariépy ] |
444 | + * Add --script-security to the init.d script (was generated but not passed |
445 | + to openvpn). (LP: #1124398) |
446 | + |
447 | + -- Stéphane Graber <stgraber@ubuntu.com> Wed, 13 Feb 2013 16:10:48 -0500 |
448 | + |
449 | +openvpn (2.2.1-8ubuntu2) quantal; urgency=low |
450 | + |
451 | + * Rebuild for new armel compiler default of ARMv5t. |
452 | + |
453 | + -- Colin Watson <cjwatson@ubuntu.com> Mon, 08 Oct 2012 08:36:47 +0100 |
454 | + |
455 | +openvpn (2.2.1-8ubuntu1) precise; urgency=low |
456 | + |
457 | + * Merge at Simon Deziel's request to build with PIE. |
458 | + * Merge from Debian unstable. Remaining changes: |
459 | + + debian/openvpn.init.d: |
460 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
461 | + - Show per-VPN result messages. |
462 | + - Add "--script-security 2" by default for backwards compatabliity. |
463 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
464 | + |
465 | + -- Stéphane Graber <stgraber@ubuntu.com> Fri, 30 Mar 2012 13:19:09 -0400 |
466 | + |
467 | openvpn (2.2.1-8) unstable; urgency=low |
468 | |
469 | * Enable "PIE" and "BINDOW" hardening flags. |
470 | @@ -511,6 +860,17 @@ openvpn (2.2.1-6) unstable; urgency=low |
471 | |
472 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Mar 2012 13:44:50 +0100 |
473 | |
474 | +openvpn (2.2.1-5ubuntu1) precise; urgency=low |
475 | + |
476 | + * Merge from Debian unstable. Remaining changes: (LP: #907828) |
477 | + + debian/openvpn.init.d: |
478 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
479 | + - Show per-VPN result messages. |
480 | + - Add "--script-security 2" by default for backwards compatabliity. |
481 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
482 | + |
483 | + -- Stéphane Graber <stgraber@ubuntu.com> Sat, 25 Feb 2012 21:08:48 -0500 |
484 | + |
485 | openvpn (2.2.1-5) unstable; urgency=low |
486 | |
487 | * Avoid sending ICMP redirects when using tun devices and "subnet" |
488 | @@ -533,6 +893,20 @@ openvpn (2.2.1-4) unstable; urgency=low |
489 | |
490 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 08 Feb 2012 16:31:32 +0100 |
491 | |
492 | +openvpn (2.2.1-3ubuntu1) precise; urgency=low |
493 | + |
494 | + * Merge from Debian testing. Remaining changes: |
495 | + + debian/openvpn.init.d: |
496 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
497 | + - Show per-VPN result messages. |
498 | + - Add "--script-security 2" by default for backwards compatabliity. |
499 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
500 | + + debian/update-resolv-conf: Support multiple domains. |
501 | + + fix bug where '--script-security 2' would be passed for all |
502 | + daemons after the first. (LP: #794916) |
503 | + |
504 | + -- Chuck Short <zulcss@ubuntu.com> Sat, 31 Dec 2011 04:55:56 +0000 |
505 | + |
506 | openvpn (2.2.1-3) unstable; urgency=low |
507 | |
508 | * The iproute fiasco release. |
509 | @@ -561,6 +935,20 @@ openvpn (2.2.1-1) unstable; urgency=low |
510 | |
511 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 13 Dec 2011 11:04:22 +0100 |
512 | |
513 | +openvpn (2.2.0-2ubuntu1) oneiric; urgency=low |
514 | + |
515 | + * Merge from debian unstable. Remaining changes: |
516 | + + debian/openvpn.init.d: |
517 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
518 | + - Show per-VPN result messages. |
519 | + - Add "--script-security 2" by default for backwards compatabliity. |
520 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
521 | + + debian/update-resolv-conf: Support multiple domains. |
522 | + + fix bug where '--script-security 2' would be passed for all |
523 | + daemons after the first. (LP: #794916 |
524 | + |
525 | + -- Chuck Short <zulcss@ubuntu.com> Thu, 16 Jun 2011 18:33:37 +0100 |
526 | + |
527 | openvpn (2.2.0-2) unstable; urgency=low |
528 | |
529 | * Upload to unstable |
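Review bot: The last bullet of the 2.2.0-2ubuntu1 entry ends with "(LP: #794916" and never closes the parenthesis, while the same bullet in the 2.2.1-3ubuntu1 entry has "(LP: #794916)". If this is how the oneiric upload was published it should stay untouched as history; otherwise restore the closing parenthesis so the entry matches its later copy.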
530 | @@ -595,6 +983,45 @@ openvpn (2.1.3-5) experimental; urgency=low |
531 | |
532 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 22 Mar 2011 10:57:18 +0100 |
533 | |
534 | +openvpn (2.1.3-4.1ubuntu2) oneiric; urgency=low |
535 | + |
536 | + [Alexander Zielke] |
537 | + * fix bug where '--script-security 2' would be passed for all |
538 | + daemons after the first. (LP: #794916) |
539 | + |
540 | + -- Scott Moser <smoser@ubuntu.com> Thu, 09 Jun 2011 13:59:08 -0400 |
541 | + |
542 | +openvpn (2.1.3-4.1ubuntu1) oneiric; urgency=low |
543 | + |
544 | + * Merge from debian unstable. Remaining changes: |
545 | + + debian/openvpn.init.d: |
546 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
547 | + - Show per-VPN result messages. |
548 | + - Add "--script-security 2" by default for backwards compatabliity. |
549 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
550 | + + debian/update-resolv-conf: Support multiple domains. |
551 | + |
552 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 17 May 2011 02:14:39 +0100 |
553 | + |
554 | +openvpn (2.1.3-4.1) unstable; urgency=low |
555 | + |
556 | + * Non-maintainer upload. |
557 | + * Drop hard-coded dependency on libssl0.9.8. (Closes: #623503) |
558 | + |
559 | + -- Philipp Kern <pkern@debian.org> Mon, 09 May 2011 23:20:03 +0200 |
560 | + |
561 | +openvpn (2.1.3-4ubuntu1) oneiric; urgency=low |
562 | + |
563 | + * Merge from debian unstable. Remaining changes: |
564 | + + debian/openvpn.init.d: |
565 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
566 | + - Show per-VPN result messages. |
567 | + - Add "--script-security 2" by default for backwards compatabliity. |
568 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
569 | + + debian/update-resolv-conf: Support multiple domains. |
570 | + |
571 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Mar 2011 23:28:26 +0000 |
572 | + |
573 | openvpn (2.1.3-4) unstable; urgency=low |
574 | |
575 | * Updated JuanJo's IPv6 patch. Now really fixes use from xinetd. |
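Review bot: The block "openvpn (2.1.3-4.1) unstable", a non-maintainer upload signed by Philipp Kern, arrives here as added lines between two Ubuntu entries, which means the debian/sid changelog being merged into does not carry that entry itself. Please confirm this is intentional carry-over of Ubuntu's historical changelog and not a sign that the wrong side was picked up during the merge; a short remark in the merge description would settle it for the next merger.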
576 | @@ -617,6 +1044,31 @@ openvpn (2.1.3-3) unstable; urgency=low |
577 | |
578 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 11 Mar 2011 13:08:12 +0100 |
579 | |
580 | +openvpn (2.1.3-2ubuntu3) natty; urgency=low |
581 | + |
582 | + * update-resolv-conf: Correctly handle multiple dns search domains, |
583 | + using the same logic as nameservers. Patch courtesy of Jeremy |
584 | + Zawodny. (LP: #662847) |
585 | + |
586 | + -- Dave Walker (Daviey) <DaveWalker@ubuntu.com> Fri, 11 Mar 2011 00:23:59 +0000 |
587 | + |
588 | +openvpn (2.1.3-2ubuntu2) natty; urgency=low |
589 | + |
590 | + * update-resolv-conf: Support mulitple domains (LP: #714358) |
591 | + |
592 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 14 Feb 2011 15:21:46 -0500 |
593 | + |
594 | +openvpn (2.1.3-2ubuntu1) natty; urgency=low |
595 | + |
596 | + * Merge from debian unstable. Remaining changes: |
597 | + + debian/openvpn.init.d: |
598 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
599 | + - Show per-VPN result messages. |
600 | + - Add "--script-security 2" by default for backwards compatabliity. |
601 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
602 | + |
603 | + -- Chuck Short <zulcss@ubuntu.com> Sat, 23 Oct 2010 01:59:28 +0100 |
604 | + |
605 | openvpn (2.1.3-2) unstable; urgency=low |
606 | |
607 | * Applied upstream patch to solve random routes added when using |
608 | @@ -624,6 +1076,24 @@ openvpn (2.1.3-2) unstable; urgency=low |
609 | |
610 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 21 Oct 2010 12:21:33 +0200 |
611 | |
612 | +openvpn (2.1.3-1ubuntu2) natty; urgency=low |
613 | + |
614 | + * Fix jjo-ipv6-support.patch to avoid assertion failure at socket.c:629 in |
615 | + corner cases where ! host && addr (LP: #627973) |
616 | + |
617 | + -- Thierry Carrez (ttx) <thierry.carrez@ubuntu.com> Wed, 20 Oct 2010 16:22:25 +0200 |
618 | + |
619 | +openvpn (2.1.3-1ubuntu1) natty; urgency=low |
620 | + |
621 | + * Merge from debian unstable. Remaining changes: |
622 | + + debian/openvpn.init.d: |
623 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
624 | + - Show per-VPN result messages. |
625 | + - Add "--script-security 2" by default for backwards compatablitiy |
626 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
627 | + |
628 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 05 Oct 2010 06:21:14 +0100 |
629 | + |
630 | openvpn (2.1.3-1) unstable; urgency=low |
631 | |
632 | * New upstream release (Closes: #595684) |
633 | @@ -635,6 +1105,17 @@ openvpn (2.1.3-1) unstable; urgency=low |
634 | |
635 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Sep 2010 13:07:37 +0200 |
636 | |
637 | +openvpn (2.1.0-3ubuntu1) maverick; urgency=low |
638 | + |
639 | + * Merge from debian unstable. Remaining changes: |
640 | + + debian/openvpn.init.d: |
641 | + - Do not use start-stop-daemon and use </dev/null to avoid blocking boot |
642 | + - Show per-VPN result messages |
643 | + - Add "--script-security 2" by default for backwards compatablitiy |
644 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
645 | + |
646 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 12 Jul 2010 09:39:43 -0400 |
647 | + |
648 | openvpn (2.1.0-3) unstable; urgency=low |
649 | |
650 | * The 'happy birthday to me' release |
651 | @@ -644,6 +1125,24 @@ openvpn (2.1.0-3) unstable; urgency=low |
652 | |
653 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Jul 2010 12:22:09 +0200 |
654 | |
655 | +openvpn (2.1.0-2ubuntu2) maverick; urgency=low |
656 | + |
657 | + * debian/patches/client_hang_when_server_dont_push.patch: Fix client hanging |
658 | + on PUSH_REQUEST when server does not push any option (LP: #579737) |
659 | + |
660 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Mon, 28 Jun 2010 10:45:23 +0200 |
661 | + |
662 | +openvpn (2.1.0-2ubuntu1) maverick; urgency=low |
663 | + |
664 | + * Merge from debian unstable. Remaining changes: |
665 | + + debian/openvpn.init.d: |
666 | + - Do not use start-stop-daemon and use </dev/null to avoid blocking boot |
667 | + - Show per-VPN result messages |
668 | + - Add "--script-security 2" by default for backwards compatablitiy |
669 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
670 | + |
671 | + -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 03:06:19 +0100 |
672 | + |
673 | openvpn (2.1.0-2) unstable; urgency=low |
674 | |
675 | * Patched ssl.[ch] to fix integer overflow. (Closes: #576827) |
676 | @@ -656,6 +1155,17 @@ openvpn (2.1.0-2) unstable; urgency=low |
677 | |
678 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Sat, 10 Apr 2010 17:26:42 +0200 |
679 | |
680 | +openvpn (2.1.0-1ubuntu1) lucid; urgency=low |
681 | + |
682 | + * Merge from debian testing (LP: #509078), remaining changes: |
683 | + + debian/openvpn.init.d: |
684 | + - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot |
685 | + - Show per-VPN result messages |
686 | + - Add "--script-security 2" by default for backwards compatibility |
687 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
688 | + |
689 | + -- Jan Brinkmann <lucky@the-luckyduck.de> Fri, 22 Jan 2010 00:47:33 +0100 |
690 | + |
691 | openvpn (2.1.0-1) unstable; urgency=low |
692 | |
693 | * New upstream release |
694 | @@ -693,6 +1203,20 @@ openvpn (2.1~rc20-3) unstable; urgency=low |
695 | |
696 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 04 Nov 2009 17:18:03 +0100 |
697 | |
698 | +openvpn (2.1~rc20-2ubuntu1) lucid; urgency=low |
699 | + |
700 | + * Merge from debian testing, remaining changes: |
701 | + + debian/openvpn.init.d: |
702 | + - Do not use start-stop-daemon and use < /dev/null to avoid blocking |
703 | + boot. |
704 | + - show per-VPN result messages |
705 | + - add "--script-security 2" by default for backwards compatibility |
706 | + - Add lab-base >= 3.2-14 to allow status_of_proc() |
707 | + + Dropped debian/patches/redirect-gateway.patch: Already applied |
708 | + upstream. |
709 | + |
710 | + -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 01:36:35 +0000 |
711 | + |
712 | openvpn (2.1~rc20-2) unstable; urgency=low |
713 | |
714 | * init.d script: Added X-Interactive header. (Closes: #549424) |
715 | @@ -717,6 +1241,25 @@ openvpn (2.1~rc19-2) unstable; urgency=low |
716 | |
717 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Sun, 30 Aug 2009 20:20:11 +0200 |
718 | |
719 | +openvpn (2.1~rc19-1ubuntu2) karmic; urgency=low |
720 | + |
721 | + * debian/patches/redirect-gateway.patch: Fix regression introduced in |
722 | + 2.1rc17 that makes redirect-gateway (without options) to be ignored. |
723 | + Patch cherrypicked from upstream 2.1rc20 (SVN r5011), LP: #445695 |
724 | + |
725 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 13 Oct 2009 09:31:20 +0200 |
726 | + |
727 | +openvpn (2.1~rc19-1ubuntu1) karmic; urgency=low |
728 | + |
729 | + * Merge from debian unstable (LP: #404099), remaining changes: |
730 | + - debian/openvpn.init.d: |
731 | + - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot |
732 | + - show per-VPN result messages |
733 | + - add "--script-security 2" by default for backwards compatibility |
734 | + - Added lsb-base>=3.2-14 depend to allow status_of_proc() |
735 | + |
736 | + -- Bhavani Shankar <right2bhavi@gmail.com> Fri, 24 Jul 2009 19:22:13 +0530 |
737 | + |
738 | openvpn (2.1~rc19-1) unstable; urgency=low |
739 | |
740 | * New upstream version |
741 | @@ -726,6 +1269,17 @@ openvpn (2.1~rc19-1) unstable; urgency=low |
742 | |
743 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 21 Jul 2009 17:00:56 +0200 |
744 | |
745 | +openvpn (2.1~rc15-1ubuntu1) karmic; urgency=low |
746 | + |
747 | + * Merge from debian unstable (LP: #372358), remaining changes: |
748 | + - debian/openvpn.init.d: |
749 | + - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot |
750 | + - show per-VPN result messages |
751 | + - add "--script-security 2" by default for backwards compatibility |
752 | + - Added lsb-base>=3.2-14 depend to allow status_of_proc() |
753 | + |
754 | + -- Andres Rodriguez <andreserl@ubuntu.com> Tue, 05 May 2009 14:25:37 -0500 |
755 | + |
756 | openvpn (2.1~rc15-1) unstable; urgency=low |
757 | |
758 | * New upstream version (Closes: #515575) |
759 | @@ -745,6 +1299,33 @@ openvpn (2.1~rc15-1) unstable; urgency=low |
760 | |
761 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 30 Apr 2009 12:35:05 +0200 |
762 | |
763 | +openvpn (2.1~rc11-1ubuntu3) jaunty; urgency=low |
764 | + |
765 | + * debian/openvpn.init.d: |
766 | + - Fix unexpected operator on startup (LP: #340120) |
767 | + |
768 | + -- Michael Jeanson <mjeanson@revolutionlinux.com> Mon, 09 Mar 2009 16:02:50 -0400 |
769 | + |
770 | +openvpn (2.1~rc11-1ubuntu2) intrepid; urgency=low |
771 | + |
772 | + * debian/openvpn.init.d: |
773 | + - Revert fix from #454371 that was merged at 2.1~rc7-4 to prevent |
774 | + openvpn prompts from blocking the boot (LP: #280428) |
775 | + - Fix VPNs always reported started [ OK ] |
776 | + |
777 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Wed, 15 Oct 2008 17:12:54 +0200 |
778 | + |
779 | +openvpn (2.1~rc11-1ubuntu1) intrepid; urgency=low |
780 | + |
781 | + * Merge with Debian (LP: #279655), remaining diffs: |
782 | + - debian/openvpn.init.d: Added 'status' action to init script, show |
783 | + per-VPN result messages and add "--script-security 2" by default for |
784 | + backwards compatibility |
785 | + - debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc() |
786 | + * Fixes regression when calling commands with arguments (LP: #277447) |
787 | + |
788 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 07 Oct 2008 16:30:44 +0200 |
789 | + |
790 | openvpn (2.1~rc11-1) unstable; urgency=low |
791 | |
792 | * New upstream version |
793 | @@ -765,6 +1346,23 @@ openvpn (2.1~rc10-1) unstable; urgency=low |
794 | |
795 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 Sep 2008 16:58:37 +0200 |
796 | |
797 | +openvpn (2.1~rc9-3ubuntu2) intrepid; urgency=low |
798 | + |
799 | + * debian/openvpn.init.d: |
800 | + - Added 'status' action to init script (LP: #251641) |
801 | + - Restored per-VPN result messages by using log_action_begin_msg and |
802 | + one log_daemon_msg per VPN instead of log_progress_msg (LP: #264966) |
803 | + * debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc() |
804 | + |
805 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 09 Sep 2008 10:45:45 +0200 |
806 | + |
807 | +openvpn (2.1~rc9-3ubuntu1) intrepid; urgency=low |
808 | + |
809 | + * debian/openvpn.init.d: Add "--script-security 2" by default for backwards compatibility |
810 | + (LP: #260291) |
811 | + |
812 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 25 Aug 2008 10:20:31 -0400 |
813 | + |
814 | openvpn (2.1~rc9-3) unstable; urgency=low |
815 | |
816 | * debian/rules: run ./configure with path to 'route', for |
817 | diff --git a/debian/control b/debian/control |
818 | index f546f4f..0f93792 100644 |
819 | --- a/debian/control |
820 | +++ b/debian/control |
821 | @@ -1,7 +1,8 @@ |
822 | Source: openvpn |
823 | Section: net |
824 | Priority: optional |
825 | -Maintainer: Bernhard Schmidt <berni@debian.org> |
826 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
827 | +XSBC-Original-Maintainer: Bernhard Schmidt <berni@debian.org> |
828 | Uploaders: Jörg Frings-Fürst <debian@jff.email> |
829 | Build-Depends: |
830 | debhelper (>= 11), |
831 | @@ -33,8 +34,8 @@ Depends: |
832 | Suggests: |
833 | openssl, |
834 | resolvconf, |
835 | - openvpn-systemd-resolved |
836 | -Recommends: easy-rsa |
837 | + openvpn-systemd-resolved, |
838 | + easy-rsa |
839 | Description: virtual private network daemon |
840 | OpenVPN is an application to securely tunnel IP networks over a |
841 | single UDP or TCP port. It can be used to access remote sites, make |
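Review bot: Moving easy-rsa from Recommends to the end of the Suggests list means a default install of openvpn no longer pulls it in, and nothing in this hunk says why. Please make sure the newest changelog entry lists this under the remaining Ubuntu changes together with its reason, so the next merge can tell whether the demotion is still wanted.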
842 | diff --git a/debian/openvpn@.service b/debian/openvpn@.service |
843 | index da7adc7..eb4be12 100644 |
844 | --- a/debian/openvpn@.service |
845 | +++ b/debian/openvpn@.service |
846 | @@ -13,7 +13,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO |
847 | Type=notify |
848 | PrivateTmp=true |
849 | WorkingDirectory=/etc/openvpn |
850 | -ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid |
851 | +ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid |
852 | PIDFile=/run/openvpn/%i.pid |
853 | KillMode=process |
854 | ExecReload=/bin/kill -HUP $MAINPID |
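Review bot: The added --script-security 2 on ExecStart lets every openvpn@ instance run user-defined scripts by default, and the unit file carries no comment saying so or why. The option sits before --config, so a script-security line in /etc/openvpn/%i.conf is read after it and can still set a different level. A short comment above ExecStart stating that this default is kept for backwards compatibility (as the changelog entries put it) and how to tighten it per instance would help administrators who audit the unit.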
855 | diff --git a/debian/patches/openvpn-fips-2.4.patch b/debian/patches/openvpn-fips-2.4.patch |
856 | new file mode 100644 |
857 | index 0000000..4d2221d |
858 | --- /dev/null |
859 | +++ b/debian/patches/openvpn-fips-2.4.patch |
860 | @@ -0,0 +1,102 @@ |
861 | +Description: Use openssl FIPS flag to indicate MD5 use for PRF. |
862 | + MD5 is not allowed in FIPS 140-2 except for PRF. OpenVPN needs |
863 | + to send EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag to FIPS mode openssl |
864 | + for PRF to indicate the exception. |
865 | +Bug: https://community.openvpn.net/openvpn/ticket/725 |
866 | +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1807439 |
867 | +Author: Stephan Mueller <stephan.mueller@atsec.com> |
868 | + |
869 | +diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c |
870 | +index 03e880e..25e8fc4 100644 |
871 | +--- a/src/openvpn/crypto.c |
872 | ++++ b/src/openvpn/crypto.c |
873 | +@@ -876,7 +876,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key, |
874 | + if (kt->digest && kt->hmac_length > 0) |
875 | + { |
876 | + ctx->hmac = hmac_ctx_new(); |
877 | +- hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest); |
878 | ++ hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0); |
879 | + |
880 | + msg(D_HANDSHAKE, |
881 | + "%s: Using %d bit message hash '%s' for HMAC authentication", |
882 | +diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h |
883 | +index b7f519b..8662600 100644 |
884 | +--- a/src/openvpn/crypto_backend.h |
885 | ++++ b/src/openvpn/crypto_backend.h |
886 | +@@ -604,10 +604,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx); |
887 | + * @param key The key to use for the HMAC |
888 | + * @param key_len The key length to use |
889 | + * @param kt Static message digest parameters |
890 | ++ * @param prf_use Intended use for PRF in TLS protocol |
891 | + * |
892 | + */ |
893 | + void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length, |
894 | +- const md_kt_t *kt); |
895 | ++ const md_kt_t *kt, bool prf_use); |
896 | + |
897 | + /* |
898 | + * Free the given HMAC context. |
899 | +diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c |
900 | +index 0cb7f81..d7f931d 100644 |
901 | +--- a/src/openvpn/crypto_mbedtls.c |
902 | ++++ b/src/openvpn/crypto_mbedtls.c |
903 | +@@ -857,7 +857,7 @@ hmac_ctx_free(mbedtls_md_context_t *ctx) |
904 | + |
905 | + void |
906 | + hmac_ctx_init(mbedtls_md_context_t *ctx, const uint8_t *key, int key_len, |
907 | +- const mbedtls_md_info_t *kt) |
908 | ++ const mbedtls_md_info_t *kt, bool prf_use) |
909 | + { |
910 | + ASSERT(NULL != kt && NULL != ctx); |
911 | + |
912 | +diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c |
913 | +index 9e8d3f3..d5302ae 100644 |
914 | +--- a/src/openvpn/crypto_openssl.c |
915 | ++++ b/src/openvpn/crypto_openssl.c |
916 | +@@ -926,11 +926,17 @@ hmac_ctx_free(HMAC_CTX *ctx) |
917 | + |
918 | + void |
919 | + hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, |
920 | +- const EVP_MD *kt) |
921 | ++ const EVP_MD *kt, bool prf_use) |
922 | + { |
923 | + ASSERT(NULL != kt && NULL != ctx); |
924 | + |
925 | + HMAC_CTX_reset(ctx); |
926 | ++ |
927 | ++ /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not |
928 | ++ * to be used anywhere else */ |
929 | ++ if(kt == EVP_md5() && prf_use) |
930 | ++ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); |
931 | ++ |
932 | + HMAC_Init_ex(ctx, key, key_len, kt, NULL); |
933 | + |
934 | + /* make sure we used a big enough key */ |
935 | +diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c |
936 | +index 077fa3e..83585e2 100644 |
937 | +--- a/src/openvpn/ntlm.c |
938 | ++++ b/src/openvpn/ntlm.c |
939 | +@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int data_len, const uint8_t *key, int key_len, |
940 | + const md_kt_t *md5_kt = md_kt_get("MD5"); |
941 | + hmac_ctx_t *hmac_ctx = hmac_ctx_new(); |
942 | + |
943 | +- hmac_ctx_init(hmac_ctx, key, key_len, md5_kt); |
944 | ++ hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0); |
945 | + hmac_ctx_update(hmac_ctx, data, data_len); |
946 | + hmac_ctx_final(hmac_ctx, result); |
947 | + hmac_ctx_cleanup(hmac_ctx); |
948 | +diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c |
949 | +index c0e1dd6..f929237 100644 |
950 | +--- a/src/openvpn/ssl.c |
951 | ++++ b/src/openvpn/ssl.c |
952 | +@@ -1637,8 +1637,8 @@ tls1_P_hash(const md_kt_t *md_kt, |
953 | + chunk = md_kt_size(md_kt); |
954 | + A1_len = md_kt_size(md_kt); |
955 | + |
956 | +- hmac_ctx_init(ctx, sec, sec_len, md_kt); |
957 | +- hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt); |
958 | ++ hmac_ctx_init(ctx, sec, sec_len, md_kt, 1); |
959 | ++ hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1); |
960 | + |
961 | + hmac_ctx_update(ctx,seed,seed_len); |
962 | + hmac_ctx_final(ctx, A1); |
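Review bot: In the crypto_openssl.c part, the result of HMAC_Init_ex() is discarded right after the new flag logic, so when a FIPS-mode OpenSSL refuses MD5 for a caller that passes prf_use 0 (gen_hmac_md5 in ntlm.c does), the failure is not reported at this point. Consider checking the return value there and failing with a clear message. Smaller points: the callers pass 0 and 1 for a bool parameter where false and true would read better; the new "if(kt == EVP_md5() && prf_use)" lacks the space and braces used by the surrounding code (compare "if (kt->digest && kt->hmac_length > 0)" in crypto.c); and the crypto_mbedtls.c variant gains a prf_use parameter that the visible lines never use, which deserves a one-line comment saying it is intentionally ignored for that backend.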
963 | diff --git a/debian/patches/series b/debian/patches/series |
964 | index 8b19c3d..b488507 100644 |
965 | --- a/debian/patches/series |
966 | +++ b/debian/patches/series |
967 | @@ -7,3 +7,4 @@ match-manpage-and-command-help.patch |
968 | spelling_errors.patch |
969 | systemd.patch |
970 | fix-pkcs11-helper-hang.patch |
971 | +openvpn-fips-2.4.patch |
Usual tags to guide review:
logical/2.4.4-2ubuntu1 -> lp1828771/logical/2.4.4-2ubuntu1
new/debian -> lp1828771/new/debian
old/debian -> lp1828771/old/debian
old/ubuntu -> lp1828771/old/ubuntu
reconstruct/2.4.6-1ubuntu3 -> lp1828771/reconstruct/2.4.6-1ubuntu3
split/2.4.6-1ubuntu3 -> lp1828771/split/2.4.6-1ubuntu3
* [new tag] lp1828771/
* [new tag] lp1828771/
* [new tag] lp1828771/
* [new tag] lp1828771/
* [new tag] lp1828771/
* [new tag] lp1828771/
PPA: /launchpad.net/~paelzer/+archive/ubuntu/merge-eoan-2.4.7-1
https:/