Merge ~paelzer/ubuntu/+source/openvpn:merge-eoan-2.4.7-1 into ubuntu/+source/openvpn:debian/sid

Proposed by Christian Ehrhardt 
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: 54fa0958a3a8e738afe07c7d2be70a2efc8b3722
Proposed branch: ~paelzer/ubuntu/+source/openvpn:merge-eoan-2.4.7-1
Merge into: ubuntu/+source/openvpn:debian/sid
Diff against target: 971 lines (+706/-4)
5 files modified
debian/changelog (+598/-0)
debian/control (+4/-3)
debian/openvpn@.service (+1/-1)
debian/patches/openvpn-fips-2.4.patch (+102/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Andreas Hasenack Approve
Canonical Server Pending
git-ubuntu developers Pending
Review via email: mp+367349@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :

Usual tags to guide review:
 * [new tag] lp1828771/logical/2.4.4-2ubuntu1 -> lp1828771/logical/2.4.4-2ubuntu1
 * [new tag] lp1828771/new/debian -> lp1828771/new/debian
 * [new tag] lp1828771/old/debian -> lp1828771/old/debian
 * [new tag] lp1828771/old/ubuntu -> lp1828771/old/ubuntu
 * [new tag] lp1828771/reconstruct/2.4.6-1ubuntu3 -> lp1828771/reconstruct/2.4.6-1ubuntu3
 * [new tag] lp1828771/split/2.4.6-1ubuntu3 -> lp1828771/split/2.4.6-1ubuntu3

PPA:
https://launchpad.net/~paelzer/+archive/ubuntu/merge-eoan-2.4.7-1

Christian Ehrhardt  (paelzer) wrote :

Tested and working following the basic (but at least some) test from:
https://git.launchpad.net/qa-regression-testing/tree/notes_testing/openvpn/README.vm

Ends up with:

root@eoan-openvpn-cl:/etc/openvpn# service openvpn@client start
root@eoan-openvpn-cl:/etc/openvpn#
Broadcast message from root@eoan-openvpn-cl (Mon 2019-05-13 14:56:43 UTC):

Password entry required for 'Enter Private Key Password:' (PID 9320).
Please enter password with the systemd-tty-ask-password-agent tool:

root@eoan-openvpn-cl:/etc/openvpn# systemd-tty-ask-password-agent
Enter Private Key Password: ******
root@eoan-openvpn-cl:/etc/openvpn# service openvpn@client status
● <email address hidden> - OpenVPN connection to client
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-05-13 14:56:43 UTC; 9s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 9309 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 541)
   Memory: 1.9M
   CGroup: /<email address hidden>
           └─9309 /usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client.conf --writepid /run/openvp

May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: Data Channel: using negotiated cipher 'AES-256-GCM'
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: ROUTE_GATEWAY 192.168.122.1/255.255.255.0 IFACE=ens3 HWADDR=52:54:00:ab:e9:6c
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: TUN/TAP device tun0 opened
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: TUN/TAP TX queue length set to 100
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: /sbin/ip link set dev tun0 up mtu 1500
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
May 13 14:56:50 eoan-openvpn-cl ovpn-client[9309]: Initialization Sequence Completed
root@eoan-openvpn-cl:/etc/openvpn# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
        inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
        inet6 fe80::41b:f9cf:8b6a:521d prefixlen 64 scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
        RX packets 1 bytes 48 (48.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 2 bytes 96 (96.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@eoan-openvpn-cl:/etc/openvpn# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.392 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.494 ms
^C
--- 10.8.0.1 ping ...


Andreas Hasenack (ahasenack) wrote :

+1

The logical tag was the old one, but it was easy enough to recreate locally

review: Approve
Christian Ehrhardt  (paelzer) wrote :

Odd where this tag got missing, the commands are all in my shell history but the tag is missing.
Well, as this was an easier one thanks for recreating and reviewing it!

Pushing tags for upload and dputting to Eoan

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index f676f8d..09e92aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
1openvpn (2.4.7-1ubuntu1) eoan; urgency=medium
2
3 * Merge with Debian unstable (LP: #1828771). Remaining changes:
4 - d/control: Demote easy-rsa to Suggests (universe package).
5 - debian/openvpn@.service: Add '--script-security 2' similar to what got
6 added to debian/openvpn.init.d ages ago (LP 1454725)
7 - d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
8 (LP 1807439)
9 * Dropped changes:
10 - d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout
11 scripts breaking due to sudo/pam being unable to audit the action.
12 Fixed in upstream issue #918, suggested to Debian in #868806 (LP 1787208)
13 [in Debian now]
14
15 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 13 May 2019 15:55:22 +0200
16
1openvpn (2.4.7-1) unstable; urgency=medium17openvpn (2.4.7-1) unstable; urgency=medium
218
3 [ Bernhard Schmidt ]19 [ Bernhard Schmidt ]
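Review bot: The retained delta on lines 5-6 of the new 2.4.7-1ubuntu1 entry justifies '--script-security 2' in debian/openvpn@.service only as "similar to what got added to debian/openvpn.init.d ages ago". That level lets OpenVPN call user-defined scripts, so the entry should say why the unit still needs it, which would let the next merge decide whether the delta can be dropped. Line 7 has a similar gap: "Allow MD5 in FIPS mode (openssl) for PRF" would be easier to audit if it stated that the exception is limited to the PRF and pointed at the patch header for the rationale.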
@@ -17,6 +33,30 @@ openvpn (2.4.7-1) unstable; urgency=medium
1733
18 -- Bernhard Schmidt <berni@debian.org> Wed, 20 Feb 2019 14:50:03 +010034 -- Bernhard Schmidt <berni@debian.org> Wed, 20 Feb 2019 14:50:03 +0100
1935
36openvpn (2.4.6-1ubuntu3) disco; urgency=medium
37
38 * d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
39 (LP: #1807439)
40
41 -- Joy Latten <joy.latten@canonical.com> Wed, 09 Jan 2019 12:25:59 -0600
42
43openvpn (2.4.6-1ubuntu2) cosmic; urgency=medium
44
45 * d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout
46 scripts breaking due to sudo/pam being unable to audit the action.
47 Fixed in upstream issue #918, suggested to Debian in #868806 (LP: #1787208)
48
49 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Sep 2018 10:57:35 +0200
50
51openvpn (2.4.6-1ubuntu1) cosmic; urgency=medium
52
53 * Merge with Debian unstable. Remaining changes:
54 - d/control: Demote easy-rsa to Suggests (universe package).
55 - debian/openvpn@.service: Add '--script-security 2' similar to what got
56 added to debian/openvpn.init.d ages ago (LP 1454725)
57
58 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 20 Aug 2018 13:30:20 +0200
59
20openvpn (2.4.6-1) unstable; urgency=medium60openvpn (2.4.6-1) unstable; urgency=medium
2161
22 [ Jörg Frings-Fürst ]62 [ Jörg Frings-Fürst ]
@@ -60,6 +100,15 @@ openvpn (2.4.5-1) unstable; urgency=medium
60100
61 -- Bernhard Schmidt <berni@debian.org> Sun, 04 Mar 2018 22:23:47 +0100101 -- Bernhard Schmidt <berni@debian.org> Sun, 04 Mar 2018 22:23:47 +0100
62102
103openvpn (2.4.4-2ubuntu1) bionic; urgency=low
104
105 * Sync with Debian. Remaining changes:
106 - debian/openvpn@.service: Add "--script-security 2" similar to what got
107 added to debian/openvpn.init.d ages ago (LP: #1454725)
108 - Demote easy-rsa to Suggests (universe package).
109
110 -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 10 Feb 2018 20:27:56 +0000
111
63openvpn (2.4.4-2) unstable; urgency=medium112openvpn (2.4.4-2) unstable; urgency=medium
64113
65 * Build against OpenSSL 1.1.0 (Closes: #828477)114 * Build against OpenSSL 1.1.0 (Closes: #828477)
@@ -67,6 +116,15 @@ openvpn (2.4.4-2) unstable; urgency=medium
67116
68 -- Bernhard Schmidt <berni@debian.org> Mon, 11 Dec 2017 00:22:11 +0100117 -- Bernhard Schmidt <berni@debian.org> Mon, 11 Dec 2017 00:22:11 +0100
69118
119openvpn (2.4.4-1ubuntu1) bionic; urgency=medium
120
121 * Sync with Debian. Remaining changes:
122 - debian/openvpn@.service: Add "--script-security 2" similar to what got
123 added to debian/openvpn.init.d ages ago (LP: #1454725)
124 - Demote easy-rsa to Suggests (universe package).
125
126 -- Jeremy Bicha <jbicha@ubuntu.com> Sat, 28 Oct 2017 15:13:58 -0400
127
70openvpn (2.4.4-1) unstable; urgency=medium128openvpn (2.4.4-1) unstable; urgency=medium
71129
72 [ Jörg Frings-Fürst ]130 [ Jörg Frings-Fürst ]
@@ -188,6 +246,65 @@ openvpn (2.4.0-5) unstable; urgency=high
188246
189 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 May 2017 14:15:21 +0200247 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 May 2017 14:15:21 +0200
190248
249openvpn (2.4.0-4ubuntu1.3) zesty-security; urgency=medium
250
251 * SECURITY UPDATE: Remotely-triggerable ASSERT() on malformed IPv6 packet
252 - debian/patches/CVE-2017-7508.patch: remove assert in
253 src/openvpn/mss.c.
254 - CVE-2017-7508
255 * SECURITY UPDATE: Remote-triggerable memory leaks
256 - debian/patches/CVE-2017-7512.patch: fix leaks in
257 src/openvpn/ssl_verify_openssl.c.
258 - CVE-2017-7512
259 * SECURITY UPDATE: Pre-authentication remote crash/information disclosure
260 for clients
261 - debian/patches/CVE-2017-7520.patch: prevent two kinds of stack buffer
262 OOB reads and a crash for invalid input data in src/openvpn/ntlm.c.
263 - CVE-2017-7520
264 * SECURITY UPDATE: Potential double-free in --x509-alt-username and
265 memory leaks
266 - debian/patches/CVE-2017-7521.patch: fix double-free in
267 src/openvpn/ssl_verify_openssl.c.
268 - CVE-2017-7521
269 * SECURITY UPDATE: DoS in establish_http_proxy_passthru()
270 - debian/patches/establish_http_proxy_passthru_dos.patch: fix
271 null-pointer dereference in src/openvpn/proxy.c.
272 - No CVE number
273
274 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 22 Jun 2017 08:37:49 -0400
275
276openvpn (2.4.0-4ubuntu1.2) zesty-security; urgency=medium
277
278 * SECURITY UPDATE: pre-authentication denial-of-service vulnerability
279 (both client and server) from a too-large control packet.
280 - debian/patches/CVE-2017-7478.patch: Do not assert on too-large
281 control packet
282 - CVE-2017-7478
283 * SECURITY UPDATE: authenticated remote DoS vulnerability due to
284 packet ID rollover
285 - debian/patches/CVE-2017-7479-prereq.patch: merge
286 packet_id_alloc_outgoing() into packet_id_write()
287 - debian/patches/CVE-2017-7478.patch: do not assert when packet ID
288 rollover occurs
289 - CVE-2017-7478
290 * SECURITY UPDATE: auth tokens left in memory after de-auth
291 - debian/patches/wipe_tokens_on_de-auth.patch: always wipe token
292 as soon as a TLS session is considered broken.
293
294 -- Steve Beattie <sbeattie@ubuntu.com> Wed, 10 May 2017 15:21:05 -0700
295
296openvpn (2.4.0-4ubuntu1) zesty; urgency=medium
297
298 * Merge with Debian unstable. Remaining Ubuntu changes:
299 - debian/openvpn@.service: Add "--script-security 2" similar to what got
300 added to debian/openvpn.init.d ages ago (LP: #1454725)
301 - Demote easy-rsa to Suggests (universe package).
302 * Drop:
303 - debian/control: Actually drop the initscripts dependency.
304 (Closes: #804968). Already in Debian
305
306 -- Jon Grimm <jon.grimm@canonical.com> Fri, 10 Feb 2017 12:16:57 -0600
307
191openvpn (2.4.0-4) unstable; urgency=medium308openvpn (2.4.0-4) unstable; urgency=medium
192309
193 * Add NEWS entries on possible 2.4 migration issues.310 * Add NEWS entries on possible 2.4 migration issues.
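Review bot: In the re-added 2.4.0-4ubuntu1.2 entry (new lines 283-289), the packet ID rollover item lists debian/patches/CVE-2017-7478.patch and "- CVE-2017-7478", the same identifiers as the too-large control packet item directly above it, while its prerequisite patch is named CVE-2017-7479-prereq.patch. The two items look like they should carry different identifiers. Please compare this against the published 2.4.0-4ubuntu1.2 changelog and keep it byte-identical if that is how it was uploaded, since this hunk restores history rather than authoring it. The "auth tokens left in memory after de-auth" item also has no CVE line, where the 2.4.0-4ubuntu1.3 entry uses "- No CVE number" for the equivalent case.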
@@ -257,6 +374,24 @@ openvpn (2.3.11-2) unstable; urgency=medium
257374
258 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 23 May 2016 09:55:30 +0200375 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 23 May 2016 09:55:30 +0200
259376
377openvpn (2.3.11-1ubuntu2) yakkety; urgency=medium
378
379 * debian/control: Actually drop the initscripts dependency.
380 (Closes: #804968)
381
382 -- Martin Pitt <martin.pitt@ubuntu.com> Wed, 22 Jun 2016 16:54:51 +0200
383
384openvpn (2.3.11-1ubuntu1) yakkety; urgency=medium
385
386 * Merge with Debian unstable. Remaining Ubuntu changes:
387 - debian/openvpn@.service: Add "--script-security 2" similar to what got
388 added to debian/openvpn.init.d ages ago (see LP: #260291).
389 - Demote easy-rsa to Suggests (universe package).
390 * Drop intrusive changes (showing per-VPN result messages) from
391 debian/openvpn.init.d. This isn't being used under systemd.
392
393 -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 20 May 2016 17:30:27 +0200
394
260openvpn (2.3.11-1) unstable; urgency=medium395openvpn (2.3.11-1) unstable; urgency=medium
261396
262 * New upstream release.397 * New upstream release.
@@ -268,6 +403,25 @@ openvpn (2.3.11-1) unstable; urgency=medium
268403
269 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 10 May 2016 17:41:53 +0200404 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 10 May 2016 17:41:53 +0200
270405
406openvpn (2.3.10-1ubuntu2) xenial; urgency=medium
407
408 * debian/openvpn@.service: Add --script-security similar to what got added
409 to debian/openvpn.init.d ages ago (see LP #260291). (LP: #1454725)
410
411 -- Martin Pitt <martin.pitt@ubuntu.com> Tue, 02 Feb 2016 13:33:39 +0100
412
413openvpn (2.3.10-1ubuntu1) xenial; urgency=medium
414
415 * Merge with Debian unstable (LP: #1536568). Remaining Ubuntu changes:
416 - debian/openvpn.init.d:
417 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
418 + Show per-VPN result messages.
419 + Add "--script-security 2" by default for backwards compatabliity.
420 (LP #260291)
421 - Demote easy-rsa to Suggests
422
423 -- Gianfranco Costamagna <locutusofborg@debian.org> Thu, 21 Jan 2016 11:37:08 +0100
424
271openvpn (2.3.10-1) unstable; urgency=medium425openvpn (2.3.10-1) unstable; urgency=medium
272426
273 * New upstream release. (Closes: #804368)427 * New upstream release. (Closes: #804368)
@@ -286,6 +440,21 @@ openvpn (2.3.10-1) unstable; urgency=medium
286440
287 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 20 Jan 2016 12:01:36 +0100441 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 20 Jan 2016 12:01:36 +0100
288442
443openvpn (2.3.8-1ubuntu1) xenial; urgency=medium
444
445 * Merge with Debian unstable. Remaining Ubuntu changes:
446 - debian/openvpn.init.d:
447 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
448 + Show per-VPN result messages.
449 + Add "--script-security 2" by default for backwards compatabliity.
450 - Demote easy-rsa to Suggests
451 - Run openvpn@.service before systemd-user-sessions.service to avoid
452 gettys and lightdm starting on top of possible password prompts. This
453 provides the equivalent of the init.d script's X-Start-Before:.
454 (Closes: #803032)
455
456 -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 04 Jan 2016 11:48:31 +0100
457
289openvpn (2.3.8-1) unstable; urgency=medium458openvpn (2.3.8-1) unstable; urgency=medium
290459
291 * New upstream release. Drop patch from 2.3.7-2.460 * New upstream release. Drop patch from 2.3.7-2.
@@ -299,6 +468,21 @@ openvpn (2.3.8-1) unstable; urgency=medium
299468
300 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 28 Oct 2015 17:34:26 +0100469 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 28 Oct 2015 17:34:26 +0100
301470
471openvpn (2.3.7-2ubuntu1) xenial; urgency=medium
472
473 * Merge with Debian unstable. Remaining Ubuntu changes:
474 - debian/openvpn.init.d:
475 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
476 + Show per-VPN result messages.
477 + Add "--script-security 2" by default for backwards compatabliity.
478 - Demote easy-rsa to Suggests
479 - Run openvpn@.service before systemd-user-sessions.service to avoid
480 gettys and lightdm starting on top of possible password prompts. This
481 provides the equivalent of the init.d script's X-Start-Before:.
482 (Closes: #803032)
483
484 -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 26 Oct 2015 09:32:31 +0100
485
302openvpn (2.3.7-2) unstable; urgency=medium486openvpn (2.3.7-2) unstable; urgency=medium
303487
304 * Move libsystemd-daemon-dev Build-Dep to libsystemd-dev.488 * Move libsystemd-daemon-dev Build-Dep to libsystemd-dev.
@@ -309,6 +493,20 @@ openvpn (2.3.7-2) unstable; urgency=medium
309493
310 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 08 Sep 2015 08:23:19 +0000494 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 08 Sep 2015 08:23:19 +0000
311495
496openvpn (2.3.7-1ubuntu1) wily; urgency=medium
497
498 * Merge with Debian unstable. Remaining Ubuntu changes:
499 - debian/openvpn.init.d:
500 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
501 + Show per-VPN result messages.
502 + Add "--script-security 2" by default for backwards compatabliity.
503 - Demote easy-rsa to Suggests
504 - Run openvpn@.service before systemd-user-sessions.service to avoid
505 gettys and lightdm starting on top of possible password prompts. This
506 provides the equivalent of the init.d script's X-Start-Before:.
507
508 -- Martin Pitt <martin.pitt@ubuntu.com> Wed, 08 Jul 2015 12:28:54 +0200
509
312openvpn (2.3.7-1) unstable; urgency=medium510openvpn (2.3.7-1) unstable; urgency=medium
313511
314 * New upstream version512 * New upstream version
@@ -330,6 +528,20 @@ openvpn (2.3.5-1) unstable; urgency=medium
330528
331 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Oct 2014 17:44:06 +0100529 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Oct 2014 17:44:06 +0100
332530
531openvpn (2.3.4-5ubuntu1) wily; urgency=medium
532
533 * Merge with Debian unstable. Remaining Ubuntu changes:
534 - debian/openvpn.init.d:
535 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
536 + Show per-VPN result messages.
537 + Add "--script-security 2" by default for backwards compatabliity.
538 - Demote easy-rsa to Suggests
539 - Run openvpn@.service before systemd-user-sessions.service to avoid
540 gettys and lightdm starting on top of possible password prompts. This
541 provides the equivalent of the init.d script's X-Start-Before:.
542
543 -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 07 May 2015 15:35:52 +0200
544
333openvpn (2.3.4-5) unstable; urgency=high545openvpn (2.3.4-5) unstable; urgency=high
334546
335 * Apply upstream patch that fixes possible DoS by authenticated547 * Apply upstream patch that fixes possible DoS by authenticated
@@ -388,6 +600,52 @@ openvpn (2.3.3-1) experimental; urgency=medium
388600
389 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 17 Mar 2014 19:40:12 +0100601 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 17 Mar 2014 19:40:12 +0100
390602
603openvpn (2.3.2-9ubuntu4) vivid; urgency=medium
604
605 * Run openvpn@.service before systemd-user-sessions.service to avoid gettys
606 and lightdm starting on top of possible password prompts. This provides
607 the equivalent of the init.d script's X-Start-Before:.
608
609 -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 13 Apr 2015 16:09:01 -0500
610
611openvpn (2.3.2-9ubuntu3) vivid; urgency=medium
612
613 * Add better_systemd_detection.patch to avoid calling systemd-ask-password
614 under upstart. Backported from upstream. (Closes: #747265)
615 * Add systemd unit and generator from current Debian package. This avoids
616 using the init.d script, which unnecessarily blocks lightdm startup on the
617 network becoming online even if there are no auto-start connections
618 (LP: #1443489).
619
620 -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 13 Apr 2015 11:22:56 -0500
621
622openvpn (2.3.2-9ubuntu2) vivid; urgency=medium
623
624 * SECURITY UPDATE: server denial of service via too-short control channel
625 packets
626 - debian/patches/CVE-2014-8104.patch: drop too-short control channel
627 packets instead of asserting out in src/openvpn/ssl.c.
628 - CVE-2014-8104
629 * debian/patches/update_certs.patch: update test certs to fix FTBFS.
630
631 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Dec 2014 15:26:58 -0500
632
633openvpn (2.3.2-9ubuntu1) utopic; urgency=medium
634
635 * Merge from Debian unstable. Remaining changes:
636 - debian/openvpn.init.d:
637 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
638 + Show per-VPN result messages.
639 + Add "--script-security 2" by default for backwards compatabliity.
640 - Demote easy-rsa to Suggests
641 - Patch libtool.m4 and configure to support ppc64el.
642 - Refresh delta with debian/openvpn.init.d:
643 + Make stop action reliable by killing if needed
644 (LP: #1274254, LP: #1200519)
645 + Use new path for status file (LP: #1261088)
646
647 -- Stéphane Graber <stgraber@ubuntu.com> Fri, 02 May 2014 16:00:55 -0400
648
391openvpn (2.3.2-9) unstable; urgency=medium649openvpn (2.3.2-9) unstable; urgency=medium
392650
393 * Create /run/openvpn in init script even if no VPN is651 * Create /run/openvpn in init script even if no VPN is
@@ -403,6 +661,33 @@ openvpn (2.3.2-8) unstable; urgency=medium
403661
404 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 14 Mar 2014 12:59:57 +0100662 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 14 Mar 2014 12:59:57 +0100
405663
664openvpn (2.3.2-7ubuntu3) trusty; urgency=medium
665
666 [ Simon Deziel ]
667 * Refresh delta with debian/openvpn.init.d:
668 - Make stop action reliable by killing if needed
669 (LP: #1274254, LP: #1200519)
670 - Use new path for status file (LP: #1261088)
671
672 -- Stéphane Graber <stgraber@ubuntu.com> Tue, 04 Feb 2014 09:31:39 -0500
673
674openvpn (2.3.2-7ubuntu2) trusty; urgency=medium
675
676 * Patch libtool.m4 and configure to support ppc64el.
677
678 -- Matthias Klose <doko@ubuntu.com> Mon, 30 Dec 2013 12:32:35 +0100
679
680openvpn (2.3.2-7ubuntu1) trusty; urgency=low
681
682 * Merge from Debian unstable. Remaining changes:
683 - debian/openvpn.init.d:
684 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
685 + Show per-VPN result messages.
686 + Add "--script-security 2" by default for backwards compatabliity.
687 - Demote easy-rsa to Suggests
688
689 -- Stéphane Graber <stgraber@ubuntu.com> Mon, 02 Dec 2013 18:14:42 -0500
690
406openvpn (2.3.2-7) unstable; urgency=low691openvpn (2.3.2-7) unstable; urgency=low
407692
408 * Fix postinst when no *.pid files exist in /run/sendsigs.omit.d/.693 * Fix postinst when no *.pid files exist in /run/sendsigs.omit.d/.
@@ -419,6 +704,17 @@ openvpn (2.3.2-6) unstable; urgency=low
419704
420 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 27 Nov 2013 13:58:33 +0100705 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 27 Nov 2013 13:58:33 +0100
421706
707openvpn (2.3.2-5ubuntu1) trusty; urgency=low
708
709 * Merge from Debian unstable. Remaining changes:
710 - debian/openvpn.init.d:
711 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
712 + Show per-VPN result messages.
713 + Add "--script-security 2" by default for backwards compatabliity.
714 - Demote easy-rsa to Suggests
715
716 -- Stéphane Graber <stgraber@ubuntu.com> Mon, 21 Oct 2013 13:07:37 -0400
717
422openvpn (2.3.2-5) unstable; urgency=low718openvpn (2.3.2-5) unstable; urgency=low
423719
424 * Patch init script to fix race conditions on restarts.720 * Patch init script to fix race conditions on restarts.
@@ -428,6 +724,16 @@ openvpn (2.3.2-5) unstable; urgency=low
428724
429 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 15 Jul 2013 16:10:59 +0200725 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 15 Jul 2013 16:10:59 +0200
430726
727openvpn (2.3.2-4ubuntu1) saucy; urgency=low
728
729 * Merge from Debian unstable. Remaining changes:
730 - debian/openvpn.init.d:
731 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
732 + Show per-VPN result messages.
733 + Add "--script-security 2" by default for backwards compatabliity.
734
735 -- Stéphane Graber <stgraber@ubuntu.com> Tue, 09 Jul 2013 17:20:31 -0400
736
431openvpn (2.3.2-4) unstable; urgency=low737openvpn (2.3.2-4) unstable; urgency=low
432738
433 * Fix depends on iproute to iproute2.739 * Fix depends on iproute to iproute2.
@@ -460,6 +766,23 @@ openvpn (2.3.2-1) unstable; urgency=low
460766
461 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 03 Jun 2013 18:48:44 +0200767 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 03 Jun 2013 18:48:44 +0200
462768
769openvpn (2.3.1-2ubuntu2) saucy; urgency=low
770
771 * Move easy-rsa from Recommends to Suggests as it's not in main and isn't
772 actually required to operate an openvpn server.
773
774 -- Stéphane Graber <stgraber@ubuntu.com> Wed, 19 Jun 2013 14:37:54 -0400
775
776openvpn (2.3.1-2ubuntu1) saucy; urgency=low
777
778 * Merge from Debian unstable. Remaining changes:
779 - debian/openvpn.init.d:
780 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
781 + Show per-VPN result messages.
782 + Add "--script-security 2" by default for backwards compatabliity.
783
784 -- Stéphane Graber <stgraber@ubuntu.com> Fri, 24 May 2013 17:42:45 -0400
785
463openvpn (2.3.1-2) unstable; urgency=low786openvpn (2.3.1-2) unstable; urgency=low
464787
465 * Add net-tools to Build-Depends. (Closes: #709108)788 * Add net-tools to Build-Depends. (Closes: #709108)
@@ -487,6 +810,32 @@ openvpn (2.3~rc1-1) experimental; urgency=low
487810
488 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 05 Nov 2012 16:31:15 +0100811 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 05 Nov 2012 16:31:15 +0100
489812
813openvpn (2.2.1-8ubuntu3) raring; urgency=low
814
815 [ Marc Gariépy ]
816 * Add --script-security to the init.d script (was generated but not passed
817 to openvpn). (LP: #1124398)
818
819 -- Stéphane Graber <stgraber@ubuntu.com> Wed, 13 Feb 2013 16:10:48 -0500
820
821openvpn (2.2.1-8ubuntu2) quantal; urgency=low
822
823 * Rebuild for new armel compiler default of ARMv5t.
824
825 -- Colin Watson <cjwatson@ubuntu.com> Mon, 08 Oct 2012 08:36:47 +0100
826
827openvpn (2.2.1-8ubuntu1) precise; urgency=low
828
829 * Merge at Simon Deziel's request to build with PIE.
830 * Merge from Debian unstable. Remaining changes:
831 + debian/openvpn.init.d:
832 - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
833 - Show per-VPN result messages.
834 - Add "--script-security 2" by default for backwards compatabliity.
835 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
836
837 -- Stéphane Graber <stgraber@ubuntu.com> Fri, 30 Mar 2012 13:19:09 -0400
838
490openvpn (2.2.1-8) unstable; urgency=low839openvpn (2.2.1-8) unstable; urgency=low
491840
492 * Enable "PIE" and "BINDOW" hardening flags.841 * Enable "PIE" and "BINDOW" hardening flags.
@@ -511,6 +860,17 @@ openvpn (2.2.1-6) unstable; urgency=low
511860
512 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Mar 2012 13:44:50 +0100861 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Mar 2012 13:44:50 +0100
513862
863openvpn (2.2.1-5ubuntu1) precise; urgency=low
864
865 * Merge from Debian unstable. Remaining changes: (LP: #907828)
866 + debian/openvpn.init.d:
867 - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
868 - Show per-VPN result messages.
869 - Add "--script-security 2" by default for backwards compatabliity.
870 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
871
872 -- Stéphane Graber <stgraber@ubuntu.com> Sat, 25 Feb 2012 21:08:48 -0500
873
514openvpn (2.2.1-5) unstable; urgency=low874openvpn (2.2.1-5) unstable; urgency=low
515875
516 * Avoid sending ICMP redirects when using tun devices and "subnet"876 * Avoid sending ICMP redirects when using tun devices and "subnet"
@@ -533,6 +893,20 @@ openvpn (2.2.1-4) unstable; urgency=low
533893
534 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 08 Feb 2012 16:31:32 +0100894 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 08 Feb 2012 16:31:32 +0100
535895
896openvpn (2.2.1-3ubuntu1) precise; urgency=low
897
898 * Merge from Debian testing. Remaining changes:
899 + debian/openvpn.init.d:
900 - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
901 - Show per-VPN result messages.
902 - Add "--script-security 2" by default for backwards compatabliity.
903 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
904 + debian/update-resolv-conf: Support multiple domains.
905 + fix bug where '--script-security 2' would be passed for all
906 daemons after the first. (LP: #794916)
907
908 -- Chuck Short <zulcss@ubuntu.com> Sat, 31 Dec 2011 04:55:56 +0000
909
536openvpn (2.2.1-3) unstable; urgency=low910openvpn (2.2.1-3) unstable; urgency=low
537911
538 * The iproute fiasco release.912 * The iproute fiasco release.
@@ -561,6 +935,20 @@ openvpn (2.2.1-1) unstable; urgency=low
561935
562 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 13 Dec 2011 11:04:22 +0100936 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 13 Dec 2011 11:04:22 +0100
563937
938openvpn (2.2.0-2ubuntu1) oneiric; urgency=low
939
940 * Merge from debian unstable. Remaining changes:
941 + debian/openvpn.init.d:
942 - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
943 - Show per-VPN result messages.
944 - Add "--script-security 2" by default for backwards compatabliity.
945 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
946 + debian/update-resolv-conf: Support multiple domains.
947 + fix bug where '--script-security 2' would be passed for all
948 daemons after the first. (LP: #794916
949
950 -- Chuck Short <zulcss@ubuntu.com> Thu, 16 Jun 2011 18:33:37 +0100
951
564openvpn (2.2.0-2) unstable; urgency=low952openvpn (2.2.0-2) unstable; urgency=low
565953
566 * Upload to unstable954 * Upload to unstable
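Review bot: The 2.2.0-2ubuntu1 entry ends its last item with "(LP: #794916" (new line 948) and never closes the parenthesis, whereas the same item in the 2.2.1-3ubuntu1 entry is written "(LP: #794916)". If the published 2.2.0-2ubuntu1 changelog has the same defect, keep it as is so the restored history stays verbatim; if it was introduced while reconstructing the delta, close the parenthesis.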
@@ -595,6 +983,45 @@ openvpn (2.1.3-5) experimental; urgency=low
595983
596 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 22 Mar 2011 10:57:18 +0100984 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 22 Mar 2011 10:57:18 +0100
597985
986openvpn (2.1.3-4.1ubuntu2) oneiric; urgency=low
987
988 [Alexander Zielke]
989 * fix bug where '--script-security 2' would be passed for all
990 daemons after the first. (LP: #794916)
991
992 -- Scott Moser <smoser@ubuntu.com> Thu, 09 Jun 2011 13:59:08 -0400
993
994openvpn (2.1.3-4.1ubuntu1) oneiric; urgency=low
995
996 * Merge from debian unstable. Remaining changes:
997 + debian/openvpn.init.d:
998 - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
999 - Show per-VPN result messages.
1000 - Add "--script-security 2" by default for backwards compatabliity.
1001 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1002 + debian/update-resolv-conf: Support multiple domains.
1003
1004 -- Chuck Short <zulcss@ubuntu.com> Tue, 17 May 2011 02:14:39 +0100
1005
1006openvpn (2.1.3-4.1) unstable; urgency=low
1007
1008 * Non-maintainer upload.
1009 * Drop hard-coded dependency on libssl0.9.8. (Closes: #623503)
1010
1011 -- Philipp Kern <pkern@debian.org> Mon, 09 May 2011 23:20:03 +0200
1012
1013openvpn (2.1.3-4ubuntu1) oneiric; urgency=low
1014
1015 * Merge from debian unstable. Remaining changes:
1016 + debian/openvpn.init.d:
1017 - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
1018 - Show per-VPN result messages.
1019 - Add "--script-security 2" by default for backwards compatabliity.
1020 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1021 + debian/update-resolv-conf: Support multiple domains.
1022
1023 -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Mar 2011 23:28:26 +0000
1024
598openvpn (2.1.3-4) unstable; urgency=low1025openvpn (2.1.3-4) unstable; urgency=low
5991026
600 * Updated JuanJo's IPv6 patch. Now really fixes use from xinetd.1027 * Updated JuanJo's IPv6 patch. Now really fixes use from xinetd.
@@ -617,6 +1044,31 @@ openvpn (2.1.3-3) unstable; urgency=low
6171044
618 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 11 Mar 2011 13:08:12 +01001045 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 11 Mar 2011 13:08:12 +0100
6191046
1047openvpn (2.1.3-2ubuntu3) natty; urgency=low
1048
1049 * update-resolv-conf: Correctly handle multiple dns search domains,
1050 using the same logic as nameservers. Patch courtesy of Jeremy
1051 Zawodny. (LP: #662847)
1052
1053 -- Dave Walker (Daviey) <DaveWalker@ubuntu.com> Fri, 11 Mar 2011 00:23:59 +0000
1054
1055openvpn (2.1.3-2ubuntu2) natty; urgency=low
1056
1057 * update-resolv-conf: Support mulitple domains (LP: #714358)
1058
1059 -- Chuck Short <zulcss@ubuntu.com> Mon, 14 Feb 2011 15:21:46 -0500
1060
1061openvpn (2.1.3-2ubuntu1) natty; urgency=low
1062
1063 * Merge from debian unstable. Remaining changes:
1064 + debian/openvpn.init.d:
1065 - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
1066 - Show per-VPN result messages.
1067 - Add "--script-security 2" by default for backwards compatabliity.
1068 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1069
1070 -- Chuck Short <zulcss@ubuntu.com> Sat, 23 Oct 2010 01:59:28 +0100
1071
620openvpn (2.1.3-2) unstable; urgency=low1072openvpn (2.1.3-2) unstable; urgency=low
6211073
622 * Applied upstream patch to solve random routes added when using1074 * Applied upstream patch to solve random routes added when using
@@ -624,6 +1076,24 @@ openvpn (2.1.3-2) unstable; urgency=low
6241076
625 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 21 Oct 2010 12:21:33 +02001077 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 21 Oct 2010 12:21:33 +0200
6261078
1079openvpn (2.1.3-1ubuntu2) natty; urgency=low
1080
1081 * Fix jjo-ipv6-support.patch to avoid assertion failure at socket.c:629 in
1082 corner cases where ! host && addr (LP: #627973)
1083
1084 -- Thierry Carrez (ttx) <thierry.carrez@ubuntu.com> Wed, 20 Oct 2010 16:22:25 +0200
1085
1086openvpn (2.1.3-1ubuntu1) natty; urgency=low
1087
1088 * Merge from debian unstable. Remaining changes:
1089 + debian/openvpn.init.d:
1090 - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
1091 - Show per-VPN result messages.
1092 - Add "--script-security 2" by default for backwards compatablitiy
1093 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1094
1095 -- Chuck Short <zulcss@ubuntu.com> Tue, 05 Oct 2010 06:21:14 +0100
1096
627openvpn (2.1.3-1) unstable; urgency=low1097openvpn (2.1.3-1) unstable; urgency=low
6281098
629 * New upstream release (Closes: #595684)1099 * New upstream release (Closes: #595684)
@@ -635,6 +1105,17 @@ openvpn (2.1.3-1) unstable; urgency=low
6351105
636 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Sep 2010 13:07:37 +02001106 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Sep 2010 13:07:37 +0200
6371107
1108openvpn (2.1.0-3ubuntu1) maverick; urgency=low
1109
1110 * Merge from debian unstable. Remaining changes:
1111 + debian/openvpn.init.d:
1112 - Do not use start-stop-daemon and use </dev/null to avoid blocking boot
1113 - Show per-VPN result messages
1114 - Add "--script-security 2" by default for backwards compatablitiy
1115 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1116
1117 -- Chuck Short <zulcss@ubuntu.com> Mon, 12 Jul 2010 09:39:43 -0400
1118
638openvpn (2.1.0-3) unstable; urgency=low1119openvpn (2.1.0-3) unstable; urgency=low
6391120
640 * The 'happy birthday to me' release1121 * The 'happy birthday to me' release
@@ -644,6 +1125,24 @@ openvpn (2.1.0-3) unstable; urgency=low
6441125
645 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Jul 2010 12:22:09 +02001126 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Jul 2010 12:22:09 +0200
6461127
1128openvpn (2.1.0-2ubuntu2) maverick; urgency=low
1129
1130 * debian/patches/client_hang_when_server_dont_push.patch: Fix client hanging
1131 on PUSH_REQUEST when server does not push any option (LP: #579737)
1132
1133 -- Thierry Carrez <thierry.carrez@ubuntu.com> Mon, 28 Jun 2010 10:45:23 +0200
1134
1135openvpn (2.1.0-2ubuntu1) maverick; urgency=low
1136
1137 * Merge from debian unstable. Remaining changes:
1138 + debian/openvpn.init.d:
1139 - Do not use start-stop-daemon and use </dev/null to avoid blocking boot
1140 - Show per-VPN result messages
1141 - Add "--script-security 2" by default for backwards compatablitiy
1142 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1143
1144 -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 03:06:19 +0100
1145
647openvpn (2.1.0-2) unstable; urgency=low1146openvpn (2.1.0-2) unstable; urgency=low
6481147
649 * Patched ssl.[ch] to fix integer overflow. (Closes: #576827)1148 * Patched ssl.[ch] to fix integer overflow. (Closes: #576827)
@@ -656,6 +1155,17 @@ openvpn (2.1.0-2) unstable; urgency=low
6561155
657 -- Alberto Gonzalez Iniesta <agi@inittab.org> Sat, 10 Apr 2010 17:26:42 +02001156 -- Alberto Gonzalez Iniesta <agi@inittab.org> Sat, 10 Apr 2010 17:26:42 +0200
6581157
1158openvpn (2.1.0-1ubuntu1) lucid; urgency=low
1159
1160 * Merge from debian testing (LP: #509078), remaining changes:
1161 + debian/openvpn.init.d:
1162 - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
1163 - Show per-VPN result messages
1164 - Add "--script-security 2" by default for backwards compatibility
1165 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1166
1167 -- Jan Brinkmann <lucky@the-luckyduck.de> Fri, 22 Jan 2010 00:47:33 +0100
1168
659openvpn (2.1.0-1) unstable; urgency=low1169openvpn (2.1.0-1) unstable; urgency=low
6601170
661 * New upstream release1171 * New upstream release
@@ -693,6 +1203,20 @@ openvpn (2.1~rc20-3) unstable; urgency=low
6931203
694 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 04 Nov 2009 17:18:03 +01001204 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 04 Nov 2009 17:18:03 +0100
6951205
1206openvpn (2.1~rc20-2ubuntu1) lucid; urgency=low
1207
1208 * Merge from debian testing, remaining changes:
1209 + debian/openvpn.init.d:
1210 - Do not use start-stop-daemon and use < /dev/null to avoid blocking
1211 boot.
1212 - show per-VPN result messages
1213 - add "--script-security 2" by default for backwards compatibility
1214 - Add lab-base >= 3.2-14 to allow status_of_proc()
1215 + Dropped debian/patches/redirect-gateway.patch: Already applied
1216 upstream.
1217
1218 -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 01:36:35 +0000
1219
696openvpn (2.1~rc20-2) unstable; urgency=low1220openvpn (2.1~rc20-2) unstable; urgency=low
6971221
698 * init.d script: Added X-Interactive header. (Closes: #549424)1222 * init.d script: Added X-Interactive header. (Closes: #549424)
@@ -717,6 +1241,25 @@ openvpn (2.1~rc19-2) unstable; urgency=low
7171241
718 -- Alberto Gonzalez Iniesta <agi@inittab.org> Sun, 30 Aug 2009 20:20:11 +02001242 -- Alberto Gonzalez Iniesta <agi@inittab.org> Sun, 30 Aug 2009 20:20:11 +0200
7191243
1244openvpn (2.1~rc19-1ubuntu2) karmic; urgency=low
1245
1246 * debian/patches/redirect-gateway.patch: Fix regression introduced in
1247 2.1rc17 that makes redirect-gateway (without options) to be ignored.
1248 Patch cherrypicked from upstream 2.1rc20 (SVN r5011), LP: #445695
1249
1250 -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 13 Oct 2009 09:31:20 +0200
1251
1252openvpn (2.1~rc19-1ubuntu1) karmic; urgency=low
1253
1254 * Merge from debian unstable (LP: #404099), remaining changes:
1255 - debian/openvpn.init.d:
1256 - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
1257 - show per-VPN result messages
1258 - add "--script-security 2" by default for backwards compatibility
1259 - Added lsb-base>=3.2-14 depend to allow status_of_proc()
1260
1261 -- Bhavani Shankar <right2bhavi@gmail.com> Fri, 24 Jul 2009 19:22:13 +0530
1262
720openvpn (2.1~rc19-1) unstable; urgency=low1263openvpn (2.1~rc19-1) unstable; urgency=low
7211264
722 * New upstream version1265 * New upstream version
@@ -726,6 +1269,17 @@ openvpn (2.1~rc19-1) unstable; urgency=low
7261269
727 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 21 Jul 2009 17:00:56 +02001270 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 21 Jul 2009 17:00:56 +0200
7281271
1272openvpn (2.1~rc15-1ubuntu1) karmic; urgency=low
1273
1274 * Merge from debian unstable (LP: #372358), remaining changes:
1275 - debian/openvpn.init.d:
1276 - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
1277 - show per-VPN result messages
1278 - add "--script-security 2" by default for backwards compatibility
1279 - Added lsb-base>=3.2-14 depend to allow status_of_proc()
1280
1281 -- Andres Rodriguez <andreserl@ubuntu.com> Tue, 05 May 2009 14:25:37 -0500
1282
729openvpn (2.1~rc15-1) unstable; urgency=low1283openvpn (2.1~rc15-1) unstable; urgency=low
7301284
731 * New upstream version (Closes: #515575)1285 * New upstream version (Closes: #515575)
@@ -745,6 +1299,33 @@ openvpn (2.1~rc15-1) unstable; urgency=low
7451299
746 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 30 Apr 2009 12:35:05 +02001300 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 30 Apr 2009 12:35:05 +0200
7471301
1302openvpn (2.1~rc11-1ubuntu3) jaunty; urgency=low
1303
1304 * debian/openvpn.init.d:
1305 - Fix unexpected operator on startup (LP: #340120)
1306
1307 -- Michael Jeanson <mjeanson@revolutionlinux.com> Mon, 09 Mar 2009 16:02:50 -0400
1308
1309openvpn (2.1~rc11-1ubuntu2) intrepid; urgency=low
1310
1311 * debian/openvpn.init.d:
1312 - Revert fix from #454371 that was merged at 2.1~rc7-4 to prevent
1313 openvpn prompts from blocking the boot (LP: #280428)
1314 - Fix VPNs always reported started [ OK ]
1315
1316 -- Thierry Carrez <thierry.carrez@ubuntu.com> Wed, 15 Oct 2008 17:12:54 +0200
1317
1318openvpn (2.1~rc11-1ubuntu1) intrepid; urgency=low
1319
1320 * Merge with Debian (LP: #279655), remaining diffs:
1321 - debian/openvpn.init.d: Added 'status' action to init script, show
1322 per-VPN result messages and add "--script-security 2" by default for
1323 backwards compatibility
1324 - debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
1325 * Fixes regression when calling commands with arguments (LP: #277447)
1326
1327 -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 07 Oct 2008 16:30:44 +0200
1328
748openvpn (2.1~rc11-1) unstable; urgency=low1329openvpn (2.1~rc11-1) unstable; urgency=low
7491330
750 * New upstream version1331 * New upstream version
@@ -765,6 +1346,23 @@ openvpn (2.1~rc10-1) unstable; urgency=low
7651346
766 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 Sep 2008 16:58:37 +02001347 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 Sep 2008 16:58:37 +0200
7671348
1349openvpn (2.1~rc9-3ubuntu2) intrepid; urgency=low
1350
1351 * debian/openvpn.init.d:
1352 - Added 'status' action to init script (LP: #251641)
1353 - Restored per-VPN result messages by using log_action_begin_msg and
1354 one log_daemon_msg per VPN instead of log_progress_msg (LP: #264966)
1355 * debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
1356
1357 -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 09 Sep 2008 10:45:45 +0200
1358
1359openvpn (2.1~rc9-3ubuntu1) intrepid; urgency=low
1360
1361 * debian/openvpn.init.d: Add "--script-security 2" by default for backwards compatibility
1362 (LP: #260291)
1363
1364 -- Chuck Short <zulcss@ubuntu.com> Mon, 25 Aug 2008 10:20:31 -0400
1365
768openvpn (2.1~rc9-3) unstable; urgency=low1366openvpn (2.1~rc9-3) unstable; urgency=low
7691367
770 * debian/rules: run ./configure with path to 'route', for1368 * debian/rules: run ./configure with path to 'route', for
diff --git a/debian/control b/debian/control
index f546f4f..0f93792 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
1Source: openvpn1Source: openvpn
2Section: net2Section: net
3Priority: optional3Priority: optional
4Maintainer: Bernhard Schmidt <berni@debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: Bernhard Schmidt <berni@debian.org>
5Uploaders: Jörg Frings-Fürst <debian@jff.email>6Uploaders: Jörg Frings-Fürst <debian@jff.email>
6Build-Depends:7Build-Depends:
7 debhelper (>= 11),8 debhelper (>= 11),
@@ -33,8 +34,8 @@ Depends:
33Suggests:34Suggests:
34 openssl,35 openssl,
35 resolvconf,36 resolvconf,
36 openvpn-systemd-resolved37 openvpn-systemd-resolved,
37Recommends: easy-rsa38 easy-rsa
38Description: virtual private network daemon39Description: virtual private network daemon
39 OpenVPN is an application to securely tunnel IP networks over a40 OpenVPN is an application to securely tunnel IP networks over a
40 single UDP or TCP port. It can be used to access remote sites, make41 single UDP or TCP port. It can be used to access remote sites, make
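Review bot: the demotion of easy-rsa from its own `Recommends:` field to the last entry under `Suggests:` needs a stated rationale, because the `Recommends:` field disappears entirely and installs that honour Recommends will no longer pull in the PKI tooling. If this is a long-carried Ubuntu delta, name it in the remaining-changes list of the new changelog entry so the next merge can re-evaluate it. Otherwise keep `Recommends: easy-rsa` as Debian has it.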
diff --git a/debian/openvpn@.service b/debian/openvpn@.service
index da7adc7..eb4be12 100644
--- a/debian/openvpn@.service
+++ b/debian/openvpn@.service
@@ -13,7 +13,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
13Type=notify13Type=notify
14PrivateTmp=true14PrivateTmp=true
15WorkingDirectory=/etc/openvpn15WorkingDirectory=/etc/openvpn
16ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid16ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
17PIDFile=/run/openvpn/%i.pid17PIDFile=/run/openvpn/%i.pid
18KillMode=process18KillMode=process
19ExecReload=/bin/kill -HUP $MAINPID19ExecReload=/bin/kill -HUP $MAINPID
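Review bot: `--script-security 2` on the `ExecStart=` line applies to every `openvpn@` instance, so each unit-started tunnel may call user-defined scripts without the administrator opting in in the instance config. The changelog entries above justify this only as "backwards compatibility", and nothing in the unit documents it. Because the flag sits before `--config /etc/openvpn/%i.conf`, please confirm that a `script-security` directive in the instance config still takes precedence. Please also add a comment in the unit or in the package documentation saying that the packaged default is raised and how to lower it.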
diff --git a/debian/patches/openvpn-fips-2.4.patch b/debian/patches/openvpn-fips-2.4.patch
20new file mode 10064420new file mode 100644
index 0000000..4d2221d
--- /dev/null
+++ b/debian/patches/openvpn-fips-2.4.patch
@@ -0,0 +1,102 @@
1Description: Use openssl FIPS flag to indicate MD5 use for PRF.
2 MD5 is not allowed in FIPS 140-2 except for PRF. OpenVPN needs
3 to send EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag to FIPS mode openssl
4 for PRF to indicate the exception.
5Bug: https://community.openvpn.net/openvpn/ticket/725
6Bug-Ubuntu: https://bugs.launchpad.net/bugs/1807439
7Author: Stephan Mueller <stephan.mueller@atsec.com>
8
9diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
10index 03e880e..25e8fc4 100644
11--- a/src/openvpn/crypto.c
12+++ b/src/openvpn/crypto.c
13@@ -876,7 +876,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key,
14 if (kt->digest && kt->hmac_length > 0)
15 {
16 ctx->hmac = hmac_ctx_new();
17- hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
18+ hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0);
19
20 msg(D_HANDSHAKE,
21 "%s: Using %d bit message hash '%s' for HMAC authentication",
22diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
23index b7f519b..8662600 100644
24--- a/src/openvpn/crypto_backend.h
25+++ b/src/openvpn/crypto_backend.h
26@@ -604,10 +604,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx);
27 * @param key The key to use for the HMAC
28 * @param key_len The key length to use
29 * @param kt Static message digest parameters
30+ * @param prf_use Intended use for PRF in TLS protocol
31 *
32 */
33 void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length,
34- const md_kt_t *kt);
35+ const md_kt_t *kt, bool prf_use);
36
37 /*
38 * Free the given HMAC context.
39diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
40index 0cb7f81..d7f931d 100644
41--- a/src/openvpn/crypto_mbedtls.c
42+++ b/src/openvpn/crypto_mbedtls.c
43@@ -857,7 +857,7 @@ hmac_ctx_free(mbedtls_md_context_t *ctx)
44
45 void
46 hmac_ctx_init(mbedtls_md_context_t *ctx, const uint8_t *key, int key_len,
47- const mbedtls_md_info_t *kt)
48+ const mbedtls_md_info_t *kt, bool prf_use)
49 {
50 ASSERT(NULL != kt && NULL != ctx);
51
52diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
53index 9e8d3f3..d5302ae 100644
54--- a/src/openvpn/crypto_openssl.c
55+++ b/src/openvpn/crypto_openssl.c
56@@ -926,11 +926,17 @@ hmac_ctx_free(HMAC_CTX *ctx)
57
58 void
59 hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
60- const EVP_MD *kt)
61+ const EVP_MD *kt, bool prf_use)
62 {
63 ASSERT(NULL != kt && NULL != ctx);
64
65 HMAC_CTX_reset(ctx);
66+
67+ /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
68+ * to be used anywhere else */
69+ if(kt == EVP_md5() && prf_use)
70+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
71+
72 HMAC_Init_ex(ctx, key, key_len, kt, NULL);
73
74 /* make sure we used a big enough key */
75diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
76index 077fa3e..83585e2 100644
77--- a/src/openvpn/ntlm.c
78+++ b/src/openvpn/ntlm.c
79@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int data_len, const uint8_t *key, int key_len,
80 const md_kt_t *md5_kt = md_kt_get("MD5");
81 hmac_ctx_t *hmac_ctx = hmac_ctx_new();
82
83- hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
84+ hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0);
85 hmac_ctx_update(hmac_ctx, data, data_len);
86 hmac_ctx_final(hmac_ctx, result);
87 hmac_ctx_cleanup(hmac_ctx);
88diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
89index c0e1dd6..f929237 100644
90--- a/src/openvpn/ssl.c
91+++ b/src/openvpn/ssl.c
92@@ -1637,8 +1637,8 @@ tls1_P_hash(const md_kt_t *md_kt,
93 chunk = md_kt_size(md_kt);
94 A1_len = md_kt_size(md_kt);
95
96- hmac_ctx_init(ctx, sec, sec_len, md_kt);
97- hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
98+ hmac_ctx_init(ctx, sec, sec_len, md_kt, 1);
99+ hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1);
100
101 hmac_ctx_update(ctx,seed,seed_len);
102 hmac_ctx_final(ctx, A1);
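Review bot: in the ntlm.c part, `gen_hmac_md5()` passes `0` for `prf_use` while still using MD5, so under a FIPS-mode OpenSSL that HMAC-MD5 stays disallowed and only `tls1_P_hash()` in ssl.c gets the exception. If that is intended, say so in the patch Description so the limitation is not rediscovered as a bug. Two smaller points: the crypto_mbedtls.c signature gains `prf_use` but the visible change never uses it, and a `(void)prf_use;` would make the no-op explicit; and the callers pass `0`/`1` for a parameter declared `bool`, where `false`/`true` would read better. The DEP-3 header also has no `Forwarded` or `Last-Update` field, which makes it hard to tell on the next merge whether upstream ticket 725 has taken the change.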
diff --git a/debian/patches/series b/debian/patches/series
index 8b19c3d..b488507 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ match-manpage-and-command-help.patch
7spelling_errors.patch7spelling_errors.patch
8systemd.patch8systemd.patch
9fix-pkcs11-helper-hang.patch9fix-pkcs11-helper-hang.patch
10openvpn-fips-2.4.patch
