Merge ~paelzer/ubuntu/+source/openvpn:merge-eoan-2.4.7-1 into ubuntu/+source/openvpn:debian/sid

Proposed by Christian Ehrhardt 
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: 54fa0958a3a8e738afe07c7d2be70a2efc8b3722
Proposed branch: ~paelzer/ubuntu/+source/openvpn:merge-eoan-2.4.7-1
Merge into: ubuntu/+source/openvpn:debian/sid
Diff against target: 971 lines (+706/-4)
5 files modified
debian/changelog (+598/-0)
debian/control (+4/-3)
debian/openvpn@.service (+1/-1)
debian/patches/openvpn-fips-2.4.patch (+102/-0)
debian/patches/series (+1/-0)
Reviewer                Review Type   Date Requested   Status
Andreas Hasenack                                       Approve
Canonical Server                                       Pending
git-ubuntu developers                                  Pending
Review via email: mp+367349@code.launchpad.net
Christian Ehrhardt (paelzer) wrote :

Usual tags to guide review:
 * [new tag] lp1828771/logical/2.4.4-2ubuntu1 -> lp1828771/logical/2.4.4-2ubuntu1
 * [new tag] lp1828771/new/debian -> lp1828771/new/debian
 * [new tag] lp1828771/old/debian -> lp1828771/old/debian
 * [new tag] lp1828771/old/ubuntu -> lp1828771/old/ubuntu
 * [new tag] lp1828771/reconstruct/2.4.6-1ubuntu3 -> lp1828771/reconstruct/2.4.6-1ubuntu3
 * [new tag] lp1828771/split/2.4.6-1ubuntu3 -> lp1828771/split/2.4.6-1ubuntu3

PPA:
https://launchpad.net/~paelzer/+archive/ubuntu/merge-eoan-2.4.7-1

Christian Ehrhardt (paelzer) wrote :

Tested and working following the basic (but at least some) test from:
https://git.launchpad.net/qa-regression-testing/tree/notes_testing/openvpn/README.vm

Ends up with:

root@eoan-openvpn-cl:/etc/openvpn# service openvpn@client start
root@eoan-openvpn-cl:/etc/openvpn#
Broadcast message from root@eoan-openvpn-cl (Mon 2019-05-13 14:56:43 UTC):

Password entry required for 'Enter Private Key Password:' (PID 9320).
Please enter password with the systemd-tty-ask-password-agent tool:

root@eoan-openvpn-cl:/etc/openvpn# systemd-tty-ask-password-agent
Enter Private Key Password: ******
root@eoan-openvpn-cl:/etc/openvpn# service openvpn@client status
● <email address hidden> - OpenVPN connection to client
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-05-13 14:56:43 UTC; 9s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 9309 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 541)
   Memory: 1.9M
   CGroup: /<email address hidden>
           └─9309 /usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client.conf --writepid /run/openvp

May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: Data Channel: using negotiated cipher 'AES-256-GCM'
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: ROUTE_GATEWAY 192.168.122.1/255.255.255.0 IFACE=ens3 HWADDR=52:54:00:ab:e9:6c
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: TUN/TAP device tun0 opened
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: TUN/TAP TX queue length set to 100
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: /sbin/ip link set dev tun0 up mtu 1500
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: Initialization Sequence Completed
root@eoan-openvpn-cl:/etc/openvpn# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
        inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
        inet6 fe80::41b:f9cf:8b6a:521d prefixlen 64 scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
        RX packets 1 bytes 48 (48.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 2 bytes 96 (96.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@eoan-openvpn-cl:/etc/openvpn# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.392 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.494 ms
^C
--- 10.8.0.1 ping ...


Andreas Hasenack (ahasenack) wrote :

+1

The logical tag was the old one, but it was easy enough to recreate locally.

review: Approve
Christian Ehrhardt (paelzer) wrote :

Odd where this tag went missing; the commands are all in my shell history, but the tag is missing.
Well, as this was an easier one, thanks for recreating and reviewing it!

Pushing tags for upload and dputting to Eoan.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index f676f8d..09e92aa 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,19 @@
6+openvpn (2.4.7-1ubuntu1) eoan; urgency=medium
7+
8+ * Merge with Debian unstable (LP: #1828771). Remaining changes:
9+ - d/control: Demote easy-rsa to Suggests (universe package).
10+ - debian/openvpn@.service: Add '--script-security 2' similar to what got
11+ added to debian/openvpn.init.d ages ago (LP 1454725)
12+ - d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
13+ (LP 1807439)
14+ * Dropped changes:
15+ - d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout
16+ scripts breaking due to sudo/pam being unable to audit the action.
17+ Fixed in upstream issue #918, suggested to Debian in #868806 (LP 1787208)
18+ [in Debian now]
19+
20+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 13 May 2019 15:55:22 +0200
21+
22 openvpn (2.4.7-1) unstable; urgency=medium
23
24 [ Bernhard Schmidt ]
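Review bot: the "Remaining changes" bullets of the new 2.4.7-1ubuntu1 entry mix path forms ("d/control" and "d/p/openvpn-fips-2.4.patch" beside "debian/openvpn@.service"), while the "Dropped changes" bullet directly below uses "d/openvpn@.service"; one form per entry, as the older Ubuntu entries in this changelog do, would read more consistently. The dropped CAP_AUDIT_WRITE change is marked "[in Debian now]" and the diff stat lists debian/openvpn@.service as +1/-1, which is consistent with only the "--script-security 2" line remaining as Ubuntu delta; confirming before upload that the Debian unit really grants CAP_AUDIT_WRITE would close that loop, since callout scripts via sudo/pam were the reason it was added in 2.4.6-1ubuntu2.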
25@@ -17,6 +33,30 @@ openvpn (2.4.7-1) unstable; urgency=medium
26
27 -- Bernhard Schmidt <berni@debian.org> Wed, 20 Feb 2019 14:50:03 +0100
28
29+openvpn (2.4.6-1ubuntu3) disco; urgency=medium
30+
31+ * d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
32+ (LP: #1807439)
33+
34+ -- Joy Latten <joy.latten@canonical.com> Wed, 09 Jan 2019 12:25:59 -0600
35+
36+openvpn (2.4.6-1ubuntu2) cosmic; urgency=medium
37+
38+ * d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout
39+ scripts breaking due to sudo/pam being unable to audit the action.
40+ Fixed in upstream issue #918, suggested to Debian in #868806 (LP: #1787208)
41+
42+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Sep 2018 10:57:35 +0200
43+
44+openvpn (2.4.6-1ubuntu1) cosmic; urgency=medium
45+
46+ * Merge with Debian unstable. Remaining changes:
47+ - d/control: Demote easy-rsa to Suggests (universe package).
48+ - debian/openvpn@.service: Add '--script-security 2' similar to what got
49+ added to debian/openvpn.init.d ages ago (LP 1454725)
50+
51+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 20 Aug 2018 13:30:20 +0200
52+
53 openvpn (2.4.6-1) unstable; urgency=medium
54
55 [ Jörg Frings-Fürst ]
56@@ -60,6 +100,15 @@ openvpn (2.4.5-1) unstable; urgency=medium
57
58 -- Bernhard Schmidt <berni@debian.org> Sun, 04 Mar 2018 22:23:47 +0100
59
60+openvpn (2.4.4-2ubuntu1) bionic; urgency=low
61+
62+ * Sync with Debian. Remaining changes:
63+ - debian/openvpn@.service: Add "--script-security 2" similar to what got
64+ added to debian/openvpn.init.d ages ago (LP: #1454725)
65+ - Demote easy-rsa to Suggests (universe package).
66+
67+ -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 10 Feb 2018 20:27:56 +0000
68+
69 openvpn (2.4.4-2) unstable; urgency=medium
70
71 * Build against OpenSSL 1.1.0 (Closes: #828477)
72@@ -67,6 +116,15 @@ openvpn (2.4.4-2) unstable; urgency=medium
73
74 -- Bernhard Schmidt <berni@debian.org> Mon, 11 Dec 2017 00:22:11 +0100
75
76+openvpn (2.4.4-1ubuntu1) bionic; urgency=medium
77+
78+ * Sync with Debian. Remaining changes:
79+ - debian/openvpn@.service: Add "--script-security 2" similar to what got
80+ added to debian/openvpn.init.d ages ago (LP: #1454725)
81+ - Demote easy-rsa to Suggests (universe package).
82+
83+ -- Jeremy Bicha <jbicha@ubuntu.com> Sat, 28 Oct 2017 15:13:58 -0400
84+
85 openvpn (2.4.4-1) unstable; urgency=medium
86
87 [ Jörg Frings-Fürst ]
88@@ -188,6 +246,65 @@ openvpn (2.4.0-5) unstable; urgency=high
89
90 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 May 2017 14:15:21 +0200
91
92+openvpn (2.4.0-4ubuntu1.3) zesty-security; urgency=medium
93+
94+ * SECURITY UPDATE: Remotely-triggerable ASSERT() on malformed IPv6 packet
95+ - debian/patches/CVE-2017-7508.patch: remove assert in
96+ src/openvpn/mss.c.
97+ - CVE-2017-7508
98+ * SECURITY UPDATE: Remote-triggerable memory leaks
99+ - debian/patches/CVE-2017-7512.patch: fix leaks in
100+ src/openvpn/ssl_verify_openssl.c.
101+ - CVE-2017-7512
102+ * SECURITY UPDATE: Pre-authentication remote crash/information disclosure
103+ for clients
104+ - debian/patches/CVE-2017-7520.patch: prevent two kinds of stack buffer
105+ OOB reads and a crash for invalid input data in src/openvpn/ntlm.c.
106+ - CVE-2017-7520
107+ * SECURITY UPDATE: Potential double-free in --x509-alt-username and
108+ memory leaks
109+ - debian/patches/CVE-2017-7521.patch: fix double-free in
110+ src/openvpn/ssl_verify_openssl.c.
111+ - CVE-2017-7521
112+ * SECURITY UPDATE: DoS in establish_http_proxy_passthru()
113+ - debian/patches/establish_http_proxy_passthru_dos.patch: fix
114+ null-pointer dereference in src/openvpn/proxy.c.
115+ - No CVE number
116+
117+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 22 Jun 2017 08:37:49 -0400
118+
119+openvpn (2.4.0-4ubuntu1.2) zesty-security; urgency=medium
120+
121+ * SECURITY UPDATE: pre-authentication denial-of-service vulnerability
122+ (both client and server) from a too-large control packet.
123+ - debian/patches/CVE-2017-7478.patch: Do not assert on too-large
124+ control packet
125+ - CVE-2017-7478
126+ * SECURITY UPDATE: authenticated remote DoS vulnerability due to
127+ packet ID rollover
128+ - debian/patches/CVE-2017-7479-prereq.patch: merge
129+ packet_id_alloc_outgoing() into packet_id_write()
130+ - debian/patches/CVE-2017-7478.patch: do not assert when packet ID
131+ rollover occurs
132+ - CVE-2017-7478
133+ * SECURITY UPDATE: auth tokens left in memory after de-auth
134+ - debian/patches/wipe_tokens_on_de-auth.patch: always wipe token
135+ as soon as a TLS session is considered broken.
136+
137+ -- Steve Beattie <sbeattie@ubuntu.com> Wed, 10 May 2017 15:21:05 -0700
138+
139+openvpn (2.4.0-4ubuntu1) zesty; urgency=medium
140+
141+ * Merge with Debian unstable. Remaining Ubuntu changes:
142+ - debian/openvpn@.service: Add "--script-security 2" similar to what got
143+ added to debian/openvpn.init.d ages ago (LP: #1454725)
144+ - Demote easy-rsa to Suggests (universe package).
145+ * Drop:
146+ - debian/control: Actually drop the initscripts dependency.
147+ (Closes: #804968). Already in Debian
148+
149+ -- Jon Grimm <jon.grimm@canonical.com> Fri, 10 Feb 2017 12:16:57 -0600
150+
151 openvpn (2.4.0-4) unstable; urgency=medium
152
153 * Add NEWS entries on possible 2.4 migration issues.
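Review bot: in the restored 2.4.0-4ubuntu1.2 entry, the packet-ID rollover item lists "debian/patches/CVE-2017-7478.patch" and "- CVE-2017-7478" under a prereq patch named "CVE-2017-7479-prereq.patch", so both look like copy errors for CVE-2017-7479 in the original 2017 security upload. This hunk reconstructs already-published history and should stay verbatim, but the mismatch is worth knowing about, because anyone grepping this changelog for CVE-2017-7479 will find only the prereq line.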
154@@ -257,6 +374,24 @@ openvpn (2.3.11-2) unstable; urgency=medium
155
156 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 23 May 2016 09:55:30 +0200
157
158+openvpn (2.3.11-1ubuntu2) yakkety; urgency=medium
159+
160+ * debian/control: Actually drop the initscripts dependency.
161+ (Closes: #804968)
162+
163+ -- Martin Pitt <martin.pitt@ubuntu.com> Wed, 22 Jun 2016 16:54:51 +0200
164+
165+openvpn (2.3.11-1ubuntu1) yakkety; urgency=medium
166+
167+ * Merge with Debian unstable. Remaining Ubuntu changes:
168+ - debian/openvpn@.service: Add "--script-security 2" similar to what got
169+ added to debian/openvpn.init.d ages ago (see LP: #260291).
170+ - Demote easy-rsa to Suggests (universe package).
171+ * Drop intrusive changes (showing per-VPN result messages) from
172+ debian/openvpn.init.d. This isn't being used under systemd.
173+
174+ -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 20 May 2016 17:30:27 +0200
175+
176 openvpn (2.3.11-1) unstable; urgency=medium
177
178 * New upstream release.
179@@ -268,6 +403,25 @@ openvpn (2.3.11-1) unstable; urgency=medium
180
181 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 10 May 2016 17:41:53 +0200
182
183+openvpn (2.3.10-1ubuntu2) xenial; urgency=medium
184+
185+ * debian/openvpn@.service: Add --script-security similar to what got added
186+ to debian/openvpn.init.d ages ago (see LP #260291). (LP: #1454725)
187+
188+ -- Martin Pitt <martin.pitt@ubuntu.com> Tue, 02 Feb 2016 13:33:39 +0100
189+
190+openvpn (2.3.10-1ubuntu1) xenial; urgency=medium
191+
192+ * Merge with Debian unstable (LP: #1536568). Remaining Ubuntu changes:
193+ - debian/openvpn.init.d:
194+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
195+ + Show per-VPN result messages.
196+ + Add "--script-security 2" by default for backwards compatabliity.
197+ (LP #260291)
198+ - Demote easy-rsa to Suggests
199+
200+ -- Gianfranco Costamagna <locutusofborg@debian.org> Thu, 21 Jan 2016 11:37:08 +0100
201+
202 openvpn (2.3.10-1) unstable; urgency=medium
203
204 * New upstream release. (Closes: #804368)
205@@ -286,6 +440,21 @@ openvpn (2.3.10-1) unstable; urgency=medium
206
207 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 20 Jan 2016 12:01:36 +0100
208
209+openvpn (2.3.8-1ubuntu1) xenial; urgency=medium
210+
211+ * Merge with Debian unstable. Remaining Ubuntu changes:
212+ - debian/openvpn.init.d:
213+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
214+ + Show per-VPN result messages.
215+ + Add "--script-security 2" by default for backwards compatabliity.
216+ - Demote easy-rsa to Suggests
217+ - Run openvpn@.service before systemd-user-sessions.service to avoid
218+ gettys and lightdm starting on top of possible password prompts. This
219+ provides the equivalent of the init.d script's X-Start-Before:.
220+ (Closes: #803032)
221+
222+ -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 04 Jan 2016 11:48:31 +0100
223+
224 openvpn (2.3.8-1) unstable; urgency=medium
225
226 * New upstream release. Drop patch from 2.3.7-2.
227@@ -299,6 +468,21 @@ openvpn (2.3.8-1) unstable; urgency=medium
228
229 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 28 Oct 2015 17:34:26 +0100
230
231+openvpn (2.3.7-2ubuntu1) xenial; urgency=medium
232+
233+ * Merge with Debian unstable. Remaining Ubuntu changes:
234+ - debian/openvpn.init.d:
235+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
236+ + Show per-VPN result messages.
237+ + Add "--script-security 2" by default for backwards compatabliity.
238+ - Demote easy-rsa to Suggests
239+ - Run openvpn@.service before systemd-user-sessions.service to avoid
240+ gettys and lightdm starting on top of possible password prompts. This
241+ provides the equivalent of the init.d script's X-Start-Before:.
242+ (Closes: #803032)
243+
244+ -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 26 Oct 2015 09:32:31 +0100
245+
246 openvpn (2.3.7-2) unstable; urgency=medium
247
248 * Move libsystemd-daemon-dev Build-Dep to libsystemd-dev.
249@@ -309,6 +493,20 @@ openvpn (2.3.7-2) unstable; urgency=medium
250
251 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 08 Sep 2015 08:23:19 +0000
252
253+openvpn (2.3.7-1ubuntu1) wily; urgency=medium
254+
255+ * Merge with Debian unstable. Remaining Ubuntu changes:
256+ - debian/openvpn.init.d:
257+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
258+ + Show per-VPN result messages.
259+ + Add "--script-security 2" by default for backwards compatabliity.
260+ - Demote easy-rsa to Suggests
261+ - Run openvpn@.service before systemd-user-sessions.service to avoid
262+ gettys and lightdm starting on top of possible password prompts. This
263+ provides the equivalent of the init.d script's X-Start-Before:.
264+
265+ -- Martin Pitt <martin.pitt@ubuntu.com> Wed, 08 Jul 2015 12:28:54 +0200
266+
267 openvpn (2.3.7-1) unstable; urgency=medium
268
269 * New upstream version
270@@ -330,6 +528,20 @@ openvpn (2.3.5-1) unstable; urgency=medium
271
272 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Oct 2014 17:44:06 +0100
273
274+openvpn (2.3.4-5ubuntu1) wily; urgency=medium
275+
276+ * Merge with Debian unstable. Remaining Ubuntu changes:
277+ - debian/openvpn.init.d:
278+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
279+ + Show per-VPN result messages.
280+ + Add "--script-security 2" by default for backwards compatabliity.
281+ - Demote easy-rsa to Suggests
282+ - Run openvpn@.service before systemd-user-sessions.service to avoid
283+ gettys and lightdm starting on top of possible password prompts. This
284+ provides the equivalent of the init.d script's X-Start-Before:.
285+
286+ -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 07 May 2015 15:35:52 +0200
287+
288 openvpn (2.3.4-5) unstable; urgency=high
289
290 * Apply upstream patch that fixes possible DoS by authenticated
291@@ -388,6 +600,52 @@ openvpn (2.3.3-1) experimental; urgency=medium
292
293 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 17 Mar 2014 19:40:12 +0100
294
295+openvpn (2.3.2-9ubuntu4) vivid; urgency=medium
296+
297+ * Run openvpn@.service before systemd-user-sessions.service to avoid gettys
298+ and lightdm starting on top of possible password prompts. This provides
299+ the equivalent of the init.d script's X-Start-Before:.
300+
301+ -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 13 Apr 2015 16:09:01 -0500
302+
303+openvpn (2.3.2-9ubuntu3) vivid; urgency=medium
304+
305+ * Add better_systemd_detection.patch to avoid calling systemd-ask-password
306+ under upstart. Backported from upstream. (Closes: #747265)
307+ * Add systemd unit and generator from current Debian package. This avoids
308+ using the init.d script, which unnecessarily blocks lightdm startup on the
309+ network becoming online even if there are no auto-start connections
310+ (LP: #1443489).
311+
312+ -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 13 Apr 2015 11:22:56 -0500
313+
314+openvpn (2.3.2-9ubuntu2) vivid; urgency=medium
315+
316+ * SECURITY UPDATE: server denial of service via too-short control channel
317+ packets
318+ - debian/patches/CVE-2014-8104.patch: drop too-short control channel
319+ packets instead of asserting out in src/openvpn/ssl.c.
320+ - CVE-2014-8104
321+ * debian/patches/update_certs.patch: update test certs to fix FTBFS.
322+
323+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Dec 2014 15:26:58 -0500
324+
325+openvpn (2.3.2-9ubuntu1) utopic; urgency=medium
326+
327+ * Merge from Debian unstable. Remaining changes:
328+ - debian/openvpn.init.d:
329+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
330+ + Show per-VPN result messages.
331+ + Add "--script-security 2" by default for backwards compatabliity.
332+ - Demote easy-rsa to Suggests
333+ - Patch libtool.m4 and configure to support ppc64el.
334+ - Refresh delta with debian/openvpn.init.d:
335+ + Make stop action reliable by killing if needed
336+ (LP: #1274254, LP: #1200519)
337+ + Use new path for status file (LP: #1261088)
338+
339+ -- Stéphane Graber <stgraber@ubuntu.com> Fri, 02 May 2014 16:00:55 -0400
340+
341 openvpn (2.3.2-9) unstable; urgency=medium
342
343 * Create /run/openvpn in init script even if no VPN is
344@@ -403,6 +661,33 @@ openvpn (2.3.2-8) unstable; urgency=medium
345
346 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 14 Mar 2014 12:59:57 +0100
347
348+openvpn (2.3.2-7ubuntu3) trusty; urgency=medium
349+
350+ [ Simon Deziel ]
351+ * Refresh delta with debian/openvpn.init.d:
352+ - Make stop action reliable by killing if needed
353+ (LP: #1274254, LP: #1200519)
354+ - Use new path for status file (LP: #1261088)
355+
356+ -- Stéphane Graber <stgraber@ubuntu.com> Tue, 04 Feb 2014 09:31:39 -0500
357+
358+openvpn (2.3.2-7ubuntu2) trusty; urgency=medium
359+
360+ * Patch libtool.m4 and configure to support ppc64el.
361+
362+ -- Matthias Klose <doko@ubuntu.com> Mon, 30 Dec 2013 12:32:35 +0100
363+
364+openvpn (2.3.2-7ubuntu1) trusty; urgency=low
365+
366+ * Merge from Debian unstable. Remaining changes:
367+ - debian/openvpn.init.d:
368+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
369+ + Show per-VPN result messages.
370+ + Add "--script-security 2" by default for backwards compatabliity.
371+ - Demote easy-rsa to Suggests
372+
373+ -- Stéphane Graber <stgraber@ubuntu.com> Mon, 02 Dec 2013 18:14:42 -0500
374+
375 openvpn (2.3.2-7) unstable; urgency=low
376
377 * Fix postinst when no *.pid files exist in /run/sendsigs.omit.d/.
378@@ -419,6 +704,17 @@ openvpn (2.3.2-6) unstable; urgency=low
379
380 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 27 Nov 2013 13:58:33 +0100
381
382+openvpn (2.3.2-5ubuntu1) trusty; urgency=low
383+
384+ * Merge from Debian unstable. Remaining changes:
385+ - debian/openvpn.init.d:
386+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
387+ + Show per-VPN result messages.
388+ + Add "--script-security 2" by default for backwards compatabliity.
389+ - Demote easy-rsa to Suggests
390+
391+ -- Stéphane Graber <stgraber@ubuntu.com> Mon, 21 Oct 2013 13:07:37 -0400
392+
393 openvpn (2.3.2-5) unstable; urgency=low
394
395 * Patch init script to fix race conditions on restarts.
396@@ -428,6 +724,16 @@ openvpn (2.3.2-5) unstable; urgency=low
397
398 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 15 Jul 2013 16:10:59 +0200
399
400+openvpn (2.3.2-4ubuntu1) saucy; urgency=low
401+
402+ * Merge from Debian unstable. Remaining changes:
403+ - debian/openvpn.init.d:
404+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
405+ + Show per-VPN result messages.
406+ + Add "--script-security 2" by default for backwards compatabliity.
407+
408+ -- Stéphane Graber <stgraber@ubuntu.com> Tue, 09 Jul 2013 17:20:31 -0400
409+
410 openvpn (2.3.2-4) unstable; urgency=low
411
412 * Fix depends on iproute to iproute2.
413@@ -460,6 +766,23 @@ openvpn (2.3.2-1) unstable; urgency=low
414
415 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 03 Jun 2013 18:48:44 +0200
416
417+openvpn (2.3.1-2ubuntu2) saucy; urgency=low
418+
419+ * Move easy-rsa from Recommends to Suggests as it's not in main and isn't
420+ actually required to operate an openvpn server.
421+
422+ -- Stéphane Graber <stgraber@ubuntu.com> Wed, 19 Jun 2013 14:37:54 -0400
423+
424+openvpn (2.3.1-2ubuntu1) saucy; urgency=low
425+
426+ * Merge from Debian unstable. Remaining changes:
427+ - debian/openvpn.init.d:
428+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
429+ + Show per-VPN result messages.
430+ + Add "--script-security 2" by default for backwards compatabliity.
431+
432+ -- Stéphane Graber <stgraber@ubuntu.com> Fri, 24 May 2013 17:42:45 -0400
433+
434 openvpn (2.3.1-2) unstable; urgency=low
435
436 * Add net-tools to Build-Depends. (Closes: #709108)
437@@ -487,6 +810,32 @@ openvpn (2.3~rc1-1) experimental; urgency=low
438
439 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 05 Nov 2012 16:31:15 +0100
440
441+openvpn (2.2.1-8ubuntu3) raring; urgency=low
442+
443+ [ Marc Gariépy ]
444+ * Add --script-security to the init.d script (was generated but not passed
445+ to openvpn). (LP: #1124398)
446+
447+ -- Stéphane Graber <stgraber@ubuntu.com> Wed, 13 Feb 2013 16:10:48 -0500
448+
449+openvpn (2.2.1-8ubuntu2) quantal; urgency=low
450+
451+ * Rebuild for new armel compiler default of ARMv5t.
452+
453+ -- Colin Watson <cjwatson@ubuntu.com> Mon, 08 Oct 2012 08:36:47 +0100
454+
455+openvpn (2.2.1-8ubuntu1) precise; urgency=low
456+
457+ * Merge at Simon Deziel's request to build with PIE.
458+ * Merge from Debian unstable. Remaining changes:
459+ + debian/openvpn.init.d:
460+ - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
461+ - Show per-VPN result messages.
462+ - Add "--script-security 2" by default for backwards compatabliity.
463+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
464+
465+ -- Stéphane Graber <stgraber@ubuntu.com> Fri, 30 Mar 2012 13:19:09 -0400
466+
467 openvpn (2.2.1-8) unstable; urgency=low
468
469 * Enable "PIE" and "BINDOW" hardening flags.
470@@ -511,6 +860,17 @@ openvpn (2.2.1-6) unstable; urgency=low
471
472 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Mar 2012 13:44:50 +0100
473
474+openvpn (2.2.1-5ubuntu1) precise; urgency=low
475+
476+ * Merge from Debian unstable. Remaining changes: (LP: #907828)
477+ + debian/openvpn.init.d:
478+ - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
479+ - Show per-VPN result messages.
480+ - Add "--script-security 2" by default for backwards compatabliity.
481+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
482+
483+ -- Stéphane Graber <stgraber@ubuntu.com> Sat, 25 Feb 2012 21:08:48 -0500
484+
485 openvpn (2.2.1-5) unstable; urgency=low
486
487 * Avoid sending ICMP redirects when using tun devices and "subnet"
488@@ -533,6 +893,20 @@ openvpn (2.2.1-4) unstable; urgency=low
489
490 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 08 Feb 2012 16:31:32 +0100
491
492+openvpn (2.2.1-3ubuntu1) precise; urgency=low
493+
494+ * Merge from Debian testing. Remaining changes:
495+ + debian/openvpn.init.d:
496+ - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
497+ - Show per-VPN result messages.
498+ - Add "--script-security 2" by default for backwards compatabliity.
499+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
500+ + debian/update-resolv-conf: Support multiple domains.
501+ + fix bug where '--script-security 2' would be passed for all
502+ daemons after the first. (LP: #794916)
503+
504+ -- Chuck Short <zulcss@ubuntu.com> Sat, 31 Dec 2011 04:55:56 +0000
505+
506 openvpn (2.2.1-3) unstable; urgency=low
507
508 * The iproute fiasco release.
509@@ -561,6 +935,20 @@ openvpn (2.2.1-1) unstable; urgency=low
510
511 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 13 Dec 2011 11:04:22 +0100
512
513+openvpn (2.2.0-2ubuntu1) oneiric; urgency=low
514+
515+ * Merge from debian unstable. Remaining changes:
516+ + debian/openvpn.init.d:
517+ - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
518+ - Show per-VPN result messages.
519+ - Add "--script-security 2" by default for backwards compatabliity.
520+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
521+ + debian/update-resolv-conf: Support multiple domains.
522+ + fix bug where '--script-security 2' would be passed for all
523+ daemons after the first. (LP: #794916
524+
525+ -- Chuck Short <zulcss@ubuntu.com> Thu, 16 Jun 2011 18:33:37 +0100
526+
527 openvpn (2.2.0-2) unstable; urgency=low
528
529 * Upload to unstable
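Review bot: the restored 2.2.0-2ubuntu1 entry ends its last bullet with an unbalanced "(LP: #794916" (no closing parenthesis); this is the 2011 upload's text reproduced as published, so no change is needed in this merge, only noting that it is verbatim rather than a fresh typo.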
530@@ -595,6 +983,45 @@ openvpn (2.1.3-5) experimental; urgency=low
531
532 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 22 Mar 2011 10:57:18 +0100
533
534+openvpn (2.1.3-4.1ubuntu2) oneiric; urgency=low
535+
536+ [Alexander Zielke]
537+ * fix bug where '--script-security 2' would be passed for all
538+ daemons after the first. (LP: #794916)
539+
540+ -- Scott Moser <smoser@ubuntu.com> Thu, 09 Jun 2011 13:59:08 -0400
541+
542+openvpn (2.1.3-4.1ubuntu1) oneiric; urgency=low
543+
544+ * Merge from debian unstable. Remaining changes:
545+ + debian/openvpn.init.d:
546+ - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
547+ - Show per-VPN result messages.
548+ - Add "--script-security 2" by default for backwards compatabliity.
549+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
550+ + debian/update-resolv-conf: Support multiple domains.
551+
552+ -- Chuck Short <zulcss@ubuntu.com> Tue, 17 May 2011 02:14:39 +0100
553+
554+openvpn (2.1.3-4.1) unstable; urgency=low
555+
556+ * Non-maintainer upload.
557+ * Drop hard-coded dependency on libssl0.9.8. (Closes: #623503)
558+
559+ -- Philipp Kern <pkern@debian.org> Mon, 09 May 2011 23:20:03 +0200
560+
561+openvpn (2.1.3-4ubuntu1) oneiric; urgency=low
562+
563+ * Merge from debian unstable. Remaining changes:
564+ + debian/openvpn.init.d:
565+ - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
566+ - Show per-VPN result messages.
567+ - Add "--script-security 2" by default for backwards compatabliity.
568+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
569+ + debian/update-resolv-conf: Support multiple domains.
570+
571+ -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Mar 2011 23:28:26 +0000
572+
573 openvpn (2.1.3-4) unstable; urgency=low
574
575 * Updated JuanJo's IPv6 patch. Now really fixes use from xinetd.
576@@ -617,6 +1044,31 @@ openvpn (2.1.3-3) unstable; urgency=low
577
578 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 11 Mar 2011 13:08:12 +0100
579
580+openvpn (2.1.3-2ubuntu3) natty; urgency=low
581+
582+ * update-resolv-conf: Correctly handle multiple dns search domains,
583+ using the same logic as nameservers. Patch courtesy of Jeremy
584+ Zawodny. (LP: #662847)
585+
586+ -- Dave Walker (Daviey) <DaveWalker@ubuntu.com> Fri, 11 Mar 2011 00:23:59 +0000
587+
588+openvpn (2.1.3-2ubuntu2) natty; urgency=low
589+
590+ * update-resolv-conf: Support mulitple domains (LP: #714358)
591+
592+ -- Chuck Short <zulcss@ubuntu.com> Mon, 14 Feb 2011 15:21:46 -0500
593+
594+openvpn (2.1.3-2ubuntu1) natty; urgency=low
595+
596+ * Merge from debian unstable. Remaining changes:
597+ + debian/openvpn.init.d:
598+ - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
599+ - Show per-VPN result messages.
600+ - Add "--script-security 2" by default for backwards compatabliity.
601+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
602+
603+ -- Chuck Short <zulcss@ubuntu.com> Sat, 23 Oct 2010 01:59:28 +0100
604+
605 openvpn (2.1.3-2) unstable; urgency=low
606
607 * Applied upstream patch to solve random routes added when using
608@@ -624,6 +1076,24 @@ openvpn (2.1.3-2) unstable; urgency=low
609
610 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 21 Oct 2010 12:21:33 +0200
611
612+openvpn (2.1.3-1ubuntu2) natty; urgency=low
613+
614+ * Fix jjo-ipv6-support.patch to avoid assertion failure at socket.c:629 in
615+ corner cases where ! host && addr (LP: #627973)
616+
617+ -- Thierry Carrez (ttx) <thierry.carrez@ubuntu.com> Wed, 20 Oct 2010 16:22:25 +0200
618+
619+openvpn (2.1.3-1ubuntu1) natty; urgency=low
620+
621+ * Merge from debian unstable. Remaining changes:
622+ + debian/openvpn.init.d:
623+ - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
624+ - Show per-VPN result messages.
625+ - Add "--script-security 2" by default for backwards compatablitiy
626+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
627+
628+ -- Chuck Short <zulcss@ubuntu.com> Tue, 05 Oct 2010 06:21:14 +0100
629+
630 openvpn (2.1.3-1) unstable; urgency=low
631
632 * New upstream release (Closes: #595684)
633@@ -635,6 +1105,17 @@ openvpn (2.1.3-1) unstable; urgency=low
634
635 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Sep 2010 13:07:37 +0200
636
637+openvpn (2.1.0-3ubuntu1) maverick; urgency=low
638+
639+ * Merge from debian unstable. Remaining changes:
640+ + debian/openvpn.init.d:
641+ - Do not use start-stop-daemon and use </dev/null to avoid blocking boot
642+ - Show per-VPN result messages
643+ - Add "--script-security 2" by default for backwards compatablitiy
644+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
645+
646+ -- Chuck Short <zulcss@ubuntu.com> Mon, 12 Jul 2010 09:39:43 -0400
647+
648 openvpn (2.1.0-3) unstable; urgency=low
649
650 * The 'happy birthday to me' release
651@@ -644,6 +1125,24 @@ openvpn (2.1.0-3) unstable; urgency=low
652
653 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Jul 2010 12:22:09 +0200
654
655+openvpn (2.1.0-2ubuntu2) maverick; urgency=low
656+
657+ * debian/patches/client_hang_when_server_dont_push.patch: Fix client hanging
658+ on PUSH_REQUEST when server does not push any option (LP: #579737)
659+
660+ -- Thierry Carrez <thierry.carrez@ubuntu.com> Mon, 28 Jun 2010 10:45:23 +0200
661+
662+openvpn (2.1.0-2ubuntu1) maverick; urgency=low
663+
664+ * Merge from debian unstable. Remaining changes:
665+ + debian/openvpn.init.d:
666+ - Do not use start-stop-daemon and use </dev/null to avoid blocking boot
667+ - Show per-VPN result messages
668+ - Add "--script-security 2" by default for backwards compatablitiy
669+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
670+
671+ -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 03:06:19 +0100
672+
673 openvpn (2.1.0-2) unstable; urgency=low
674
675 * Patched ssl.[ch] to fix integer overflow. (Closes: #576827)
676@@ -656,6 +1155,17 @@ openvpn (2.1.0-2) unstable; urgency=low
677
678 -- Alberto Gonzalez Iniesta <agi@inittab.org> Sat, 10 Apr 2010 17:26:42 +0200
679
680+openvpn (2.1.0-1ubuntu1) lucid; urgency=low
681+
682+ * Merge from debian testing (LP: #509078), remaining changes:
683+ + debian/openvpn.init.d:
684+ - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
685+ - Show per-VPN result messages
686+ - Add "--script-security 2" by default for backwards compatibility
687+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
688+
689+ -- Jan Brinkmann <lucky@the-luckyduck.de> Fri, 22 Jan 2010 00:47:33 +0100
690+
691 openvpn (2.1.0-1) unstable; urgency=low
692
693 * New upstream release
694@@ -693,6 +1203,20 @@ openvpn (2.1~rc20-3) unstable; urgency=low
695
696 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 04 Nov 2009 17:18:03 +0100
697
698+openvpn (2.1~rc20-2ubuntu1) lucid; urgency=low
699+
700+ * Merge from debian testing, remaining changes:
701+ + debian/openvpn.init.d:
702+ - Do not use start-stop-daemon and use < /dev/null to avoid blocking
703+ boot.
704+ - show per-VPN result messages
705+ - add "--script-security 2" by default for backwards compatibility
706+ - Add lab-base >= 3.2-14 to allow status_of_proc()
707+ + Dropped debian/patches/redirect-gateway.patch: Already applied
708+ upstream.
709+
710+ -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 01:36:35 +0000
711+
712 openvpn (2.1~rc20-2) unstable; urgency=low
713
714 * init.d script: Added X-Interactive header. (Closes: #549424)
715@@ -717,6 +1241,25 @@ openvpn (2.1~rc19-2) unstable; urgency=low
716
717 -- Alberto Gonzalez Iniesta <agi@inittab.org> Sun, 30 Aug 2009 20:20:11 +0200
718
719+openvpn (2.1~rc19-1ubuntu2) karmic; urgency=low
720+
721+ * debian/patches/redirect-gateway.patch: Fix regression introduced in
722+ 2.1rc17 that makes redirect-gateway (without options) to be ignored.
723+ Patch cherrypicked from upstream 2.1rc20 (SVN r5011), LP: #445695
724+
725+ -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 13 Oct 2009 09:31:20 +0200
726+
727+openvpn (2.1~rc19-1ubuntu1) karmic; urgency=low
728+
729+ * Merge from debian unstable (LP: #404099), remaining changes:
730+ - debian/openvpn.init.d:
731+ - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
732+ - show per-VPN result messages
733+ - add "--script-security 2" by default for backwards compatibility
734+ - Added lsb-base>=3.2-14 depend to allow status_of_proc()
735+
736+ -- Bhavani Shankar <right2bhavi@gmail.com> Fri, 24 Jul 2009 19:22:13 +0530
737+
738 openvpn (2.1~rc19-1) unstable; urgency=low
739
740 * New upstream version
741@@ -726,6 +1269,17 @@ openvpn (2.1~rc19-1) unstable; urgency=low
742
743 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 21 Jul 2009 17:00:56 +0200
744
745+openvpn (2.1~rc15-1ubuntu1) karmic; urgency=low
746+
747+ * Merge from debian unstable (LP: #372358), remaining changes:
748+ - debian/openvpn.init.d:
749+ - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
750+ - show per-VPN result messages
751+ - add "--script-security 2" by default for backwards compatibility
752+ - Added lsb-base>=3.2-14 depend to allow status_of_proc()
753+
754+ -- Andres Rodriguez <andreserl@ubuntu.com> Tue, 05 May 2009 14:25:37 -0500
755+
756 openvpn (2.1~rc15-1) unstable; urgency=low
757
758 * New upstream version (Closes: #515575)
759@@ -745,6 +1299,33 @@ openvpn (2.1~rc15-1) unstable; urgency=low
760
761 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 30 Apr 2009 12:35:05 +0200
762
763+openvpn (2.1~rc11-1ubuntu3) jaunty; urgency=low
764+
765+ * debian/openvpn.init.d:
766+ - Fix unexpected operator on startup (LP: #340120)
767+
768+ -- Michael Jeanson <mjeanson@revolutionlinux.com> Mon, 09 Mar 2009 16:02:50 -0400
769+
770+openvpn (2.1~rc11-1ubuntu2) intrepid; urgency=low
771+
772+ * debian/openvpn.init.d:
773+ - Revert fix from #454371 that was merged at 2.1~rc7-4 to prevent
774+ openvpn prompts from blocking the boot (LP: #280428)
775+ - Fix VPNs always reported started [ OK ]
776+
777+ -- Thierry Carrez <thierry.carrez@ubuntu.com> Wed, 15 Oct 2008 17:12:54 +0200
778+
779+openvpn (2.1~rc11-1ubuntu1) intrepid; urgency=low
780+
781+ * Merge with Debian (LP: #279655), remaining diffs:
782+ - debian/openvpn.init.d: Added 'status' action to init script, show
783+ per-VPN result messages and add "--script-security 2" by default for
784+ backwards compatibility
785+ - debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
786+ * Fixes regression when calling commands with arguments (LP: #277447)
787+
788+ -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 07 Oct 2008 16:30:44 +0200
789+
790 openvpn (2.1~rc11-1) unstable; urgency=low
791
792 * New upstream version
793@@ -765,6 +1346,23 @@ openvpn (2.1~rc10-1) unstable; urgency=low
794
795 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 Sep 2008 16:58:37 +0200
796
797+openvpn (2.1~rc9-3ubuntu2) intrepid; urgency=low
798+
799+ * debian/openvpn.init.d:
800+ - Added 'status' action to init script (LP: #251641)
801+ - Restored per-VPN result messages by using log_action_begin_msg and
802+ one log_daemon_msg per VPN instead of log_progress_msg (LP: #264966)
803+ * debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
804+
805+ -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 09 Sep 2008 10:45:45 +0200
806+
807+openvpn (2.1~rc9-3ubuntu1) intrepid; urgency=low
808+
809+ * debian/openvpn.init.d: Add "--script-security 2" by default for backwards compatibility
810+ (LP: #260291)
811+
812+ -- Chuck Short <zulcss@ubuntu.com> Mon, 25 Aug 2008 10:20:31 -0400
813+
814 openvpn (2.1~rc9-3) unstable; urgency=low
815
816 * debian/rules: run ./configure with path to 'route', for
817diff --git a/debian/control b/debian/control
818index f546f4f..0f93792 100644
819--- a/debian/control
820+++ b/debian/control
821@@ -1,7 +1,8 @@
822 Source: openvpn
823 Section: net
824 Priority: optional
825-Maintainer: Bernhard Schmidt <berni@debian.org>
826+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
827+XSBC-Original-Maintainer: Bernhard Schmidt <berni@debian.org>
828 Uploaders: Jörg Frings-Fürst <debian@jff.email>
829 Build-Depends:
830 debhelper (>= 11),
831@@ -33,8 +34,8 @@ Depends:
832 Suggests:
833 openssl,
834 resolvconf,
835- openvpn-systemd-resolved
836-Recommends: easy-rsa
837+ openvpn-systemd-resolved,
838+ easy-rsa
839 Description: virtual private network daemon
840 OpenVPN is an application to securely tunnel IP networks over a
841 single UDP or TCP port. It can be used to access remote sites, make
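Review bot: demoting easy-rsa from Recommends to Suggests means a default install of openvpn no longer pulls in the CA/key tooling, which is a behaviour change against the Debian packaging being merged; make sure the changelog entry for this upload lists it as a retained Ubuntu delta with its reason, since nothing in this hunk says why the Debian default is not wanted.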
842diff --git a/debian/openvpn@.service b/debian/openvpn@.service
843index da7adc7..eb4be12 100644
844--- a/debian/openvpn@.service
845+++ b/debian/openvpn@.service
846@@ -13,7 +13,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
847 Type=notify
848 PrivateTmp=true
849 WorkingDirectory=/etc/openvpn
850-ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
851+ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
852 PIDFile=/run/openvpn/%i.pid
853 KillMode=process
854 ExecReload=/bin/kill -HUP $MAINPID
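Review bot: adding --script-security 2 to ExecStart enables user-defined up/down/client-connect scripts for every openvpn@ instance, not only the ones whose config asks for it; that is the long-standing Ubuntu delta recorded in the changelog hunks above ('Add "--script-security 2" by default for backwards compatibility'), so the thing to check is precedence rather than intent: the flag sits before --config, so a per-instance /etc/openvpn/%i.conf processed afterwards can still set script-security 1 to tighten or 3 to loosen it, which is the ordering you want. A one-line comment in the unit stating that this is an Ubuntu default the instance config may override would save the next merge from re-deriving it.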
855diff --git a/debian/patches/openvpn-fips-2.4.patch b/debian/patches/openvpn-fips-2.4.patch
856new file mode 100644
857index 0000000..4d2221d
858--- /dev/null
859+++ b/debian/patches/openvpn-fips-2.4.patch
860@@ -0,0 +1,102 @@
861+Description: Use openssl FIPS flag to indicate MD5 use for PRF.
862+ MD5 is not allowed in FIPS 140-2 except for PRF. OpenVPN needs
863+ to send EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag to FIPS mode openssl
864+ for PRF to indicate the exception.
865+Bug: https://community.openvpn.net/openvpn/ticket/725
866+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1807439
867+Author: Stephan Mueller <stephan.mueller@atsec.com>
868+
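Review bot: the DEP-3 header carries Bug: and Bug-Ubuntu: but no Forwarded: or Origin: field, so a later maintainer cannot tell whether this is the patch attached to upstream ticket 725 or an Ubuntu rework of it; add `Forwarded: https://community.openvpn.net/openvpn/ticket/725` (or `Origin:` pointing at the ticket attachment). Since the description says the flag is sent "to FIPS mode openssl", also say in the header which OpenSSL/FIPS build this was verified against, because the change is only observable there.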
869+diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
870+index 03e880e..25e8fc4 100644
871+--- a/src/openvpn/crypto.c
872++++ b/src/openvpn/crypto.c
873+@@ -876,7 +876,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key,
874+ if (kt->digest && kt->hmac_length > 0)
875+ {
876+ ctx->hmac = hmac_ctx_new();
877+- hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
878++ hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0);
879+
880+ msg(D_HANDSHAKE,
881+ "%s: Using %d bit message hash '%s' for HMAC authentication",
882+diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
883+index b7f519b..8662600 100644
884+--- a/src/openvpn/crypto_backend.h
885++++ b/src/openvpn/crypto_backend.h
886+@@ -604,10 +604,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx);
887+ * @param key The key to use for the HMAC
888+ * @param key_len The key length to use
889+ * @param kt Static message digest parameters
890++ * @param prf_use Intended use for PRF in TLS protocol
891+ *
892+ */
893+ void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length,
894+- const md_kt_t *kt);
895++ const md_kt_t *kt, bool prf_use);
896+
897+ /*
898+ * Free the given HMAC context.
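Review bot: prf_use is declared bool here but every caller in this patch passes it as 0 or 1 (crypto.c, ntlm.c, ssl.c); use false/true so the call sites read as the flag they are, and expand the doc line `@param prf_use Intended use for PRF in TLS protocol` to say what the flag does: set only when the HMAC is the TLS PRF, the one use for which the description says FIPS 140-2 still permits MD5, and ignored by backends that have no such exemption.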
899+diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
900+index 0cb7f81..d7f931d 100644
901+--- a/src/openvpn/crypto_mbedtls.c
902++++ b/src/openvpn/crypto_mbedtls.c
903+@@ -857,7 +857,7 @@ hmac_ctx_free(mbedtls_md_context_t *ctx)
904+
905+ void
906+ hmac_ctx_init(mbedtls_md_context_t *ctx, const uint8_t *key, int key_len,
907+- const mbedtls_md_info_t *kt)
908++ const mbedtls_md_info_t *kt, bool prf_use)
909+ {
910+ ASSERT(NULL != kt && NULL != ctx);
911+
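Review bot: the mbedTLS backend gains the prf_use parameter but never reads it, which is fine (the FIPS exemption flag is an OpenSSL mechanism) but should be stated: add `(void)prf_use;` or a one-line comment so -Wunused-parameter builds stay clean and a future reader does not treat it as a missed port of the OpenSSL logic.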
912+diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
913+index 9e8d3f3..d5302ae 100644
914+--- a/src/openvpn/crypto_openssl.c
915++++ b/src/openvpn/crypto_openssl.c
916+@@ -926,11 +926,17 @@ hmac_ctx_free(HMAC_CTX *ctx)
917+
918+ void
919+ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
920+- const EVP_MD *kt)
921++ const EVP_MD *kt, bool prf_use)
922+ {
923+ ASSERT(NULL != kt && NULL != ctx);
924+
925+ HMAC_CTX_reset(ctx);
926++
927++ /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
928++ * to be used anywhere else */
929++ if(kt == EVP_md5() && prf_use)
930++ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
931++
932+ HMAC_Init_ex(ctx, key, key_len, kt, NULL);
933+
934+ /* make sure we used a big enough key */
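Review bot: two points in the new block. Style: `if(kt == EVP_md5() && prf_use)` drops the space after `if` and the braces the surrounding OpenVPN code uses (compare `if (kt->digest && kt->hmac_length > 0)` with braces in the crypto.c hunk), so write `if (kt == EVP_md5() && prf_use) { ... }`. Substance: the whole patch hinges on HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) being honoured by the OpenSSL in use; the surrounding code already calls HMAC_CTX_reset, i.e. the 1.1-era HMAC API, so confirm against that OpenSSL's evp.h that the flag still changes HMAC_Init_ex's behaviour in FIPS mode rather than being kept only for source compatibility, otherwise the TLS PRF fails under FIPS exactly as before and the patch description overstates what it fixes. Recording the OpenSSL/FIPS module this was tested with in the patch header would settle it.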
935+diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
936+index 077fa3e..83585e2 100644
937+--- a/src/openvpn/ntlm.c
938++++ b/src/openvpn/ntlm.c
939+@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int data_len, const uint8_t *key, int key_len,
940+ const md_kt_t *md5_kt = md_kt_get("MD5");
941+ hmac_ctx_t *hmac_ctx = hmac_ctx_new();
942+
943+- hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
944++ hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0);
945+ hmac_ctx_update(hmac_ctx, data, data_len);
946+ hmac_ctx_final(hmac_ctx, result);
947+ hmac_ctx_cleanup(hmac_ctx);
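Review bot: passing 0 here keeps NTLM proxy authentication's HMAC-MD5 under the FIPS restriction, so it remains disallowed in FIPS mode; that matches the description ("MD5 is not allowed in FIPS 140-2 except for PRF") and is the right call, but it deserves a sentence in the header so a FIPS deployment that loses NTLM proxy auth knows it is by design and not a regression introduced by this patch.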
948+diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
949+index c0e1dd6..f929237 100644
950+--- a/src/openvpn/ssl.c
951++++ b/src/openvpn/ssl.c
952+@@ -1637,8 +1637,8 @@ tls1_P_hash(const md_kt_t *md_kt,
953+ chunk = md_kt_size(md_kt);
954+ A1_len = md_kt_size(md_kt);
955+
956+- hmac_ctx_init(ctx, sec, sec_len, md_kt);
957+- hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
958++ hmac_ctx_init(ctx, sec, sec_len, md_kt, 1);
959++ hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1);
960+
961+ hmac_ctx_update(ctx,seed,seed_len);
962+ hmac_ctx_final(ctx, A1);
963diff --git a/debian/patches/series b/debian/patches/series
964index 8b19c3d..b488507 100644
965--- a/debian/patches/series
966+++ b/debian/patches/series
967@@ -7,3 +7,4 @@ match-manpage-and-command-help.patch
968 spelling_errors.patch
969 systemd.patch
970 fix-pkcs11-helper-hang.patch
971+openvpn-fips-2.4.patch
