Merge ~sergiodj/ubuntu/+source/openvpn:merge-2.5.5-1-jammy into ubuntu/+source/openvpn:debian/sid
Status: | Merged
---|---
Merge reported by: | Sergio Durigan Junior
Merged at revision: | ad4f944a8e98f11c467fe28ac394af352a951a02
Proposed branch: | ~sergiodj/ubuntu/+source/openvpn:merge-2.5.5-1-jammy
Merge into: | ubuntu/+source/openvpn:debian/sid
Diff against target: | 1237 lines (+910/-5), 6 files modified: debian/changelog (+743/-1), debian/control (+4/-3), debian/openvpn@.service (+1/-1), debian/patches/OpenSSL3.patch (+70/-0), debian/patches/openvpn-fips-2.4.patch (+90/-0), debian/patches/series (+2/-0)
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Utkarsh Gupta (community) | Approve | ||
Andreas Hasenack | Approve | ||
Review via email: mp+415977@code.launchpad.net |
Commit message
Description of the change
This is the merge of openvpn 2.5.5-1 from Debian unstable.
The merge has been relatively trivial; aside from having to refresh d/p/OpenSSL3.patch, nothing else was dropped/added. We will eventually drop the OpenSSL3 patch once we go to the 2.6 version, but for now it is still required.
I checked upstream's Changes.rst file to make sure that nothing surprising was added. Everything seems OK there: the items listed as "New features" are either related to Windows-specific changes or small things that won't directly affect a user.
A bunch of Debian's delta has been dropped with 2.5.5; mostly CVE patches that are part of upstream now.
There is a PPA with the proposed changes here:
https:/
autopkgtest is still passing:
autopkgtest [15:55:01]: @@@@@@@
server-
server-
Utkarsh Gupta (utkarsh) wrote : | # |
Andreas Hasenack (ahasenack) wrote : | # |
Concurrently with utkarsh ;)
range-diff ok, tags ok, delta ok
Build log still has many openssl3 deprecation warnings, so upstream still has some way to go.
+1
Utkarsh Gupta (utkarsh) wrote : | # |
Hello,
This looks good, except for one thing - the missing "Origin" field in one of the patches. I did drop an inline comment for that.
Since we're almost reaching feature-freeze, I'll approve in the hope that you'll add the field or at least give us a reason not to. :D
Thank you! \o/
Sergio Durigan Junior (sergiodj) : | # |
Sergio Durigan Junior (sergiodj) wrote : | # |
Thanks for the reviews.
Uploaded:
$ dput openvpn_
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/
Checking signature on .dsc
gpg: /home/sergio/
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading openvpn_
Uploading openvpn_
Uploading openvpn_
Uploading openvpn_
Uploading openvpn_
Successfully uploaded packages.
Sergio Durigan Junior (sergiodj) wrote : | # |
This has migrated.
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index cabf0c0..16576c4 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,15 @@ |
6 | +openvpn (2.5.5-1ubuntu1) jammy; urgency=medium |
7 | + |
8 | + * Merge with Debian unstable (LP: #1946884). Remaining changes: |
9 | + - d/control: Demote easy-rsa to Suggests (universe package). |
10 | + - debian/openvpn@.service: Add '--script-security 2' similar to what |
11 | + got added to debian/openvpn.init.d ages ago (LP #1454725) |
12 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl. |
13 | + - d/p/OpenSSL3.patch: work around the deprecated algorithm mismatch between |
14 | + the OpenSSL3 branch and the OpenVPN 2.5 branch (LP #1945980) |
15 | + |
16 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Wed, 23 Feb 2022 10:14:27 -0500 |
17 | + |
18 | openvpn (2.5.5-1) unstable; urgency=medium |
19 | |
20 | [ Jörg Frings-Fürst ] |
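Review bot: the d/p/openvpn-fips-2.4.patch item in the new 2.5.5-1ubuntu1 entry carries no bug reference, while the items on either side of it do (LP #1454725 and LP #1945980). The 2.4.7-1ubuntu1 entry further down records the same change with "(LP 1807439)". Because this patch permits MD5 for the PRF when OpenSSL is in FIPS mode, keeping that reference on the line, in the same colon-less form as its neighbours, would let someone auditing the Ubuntu delta reach the justification without reading back through older entries.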
21 | @@ -13,6 +25,44 @@ openvpn (2.5.5-1) unstable; urgency=medium |
22 | |
23 | -- Bernhard Schmidt <berni@debian.org> Mon, 21 Feb 2022 12:05:55 +0100 |
24 | |
25 | +openvpn (2.5.1-3ubuntu5) jammy; urgency=medium |
26 | + |
27 | + * No-change rebuild to update maintainer scripts, see LP: 1959054 |
28 | + |
29 | + -- Dave Jones <dave.jones@canonical.com> Wed, 16 Feb 2022 17:16:30 +0000 |
30 | + |
31 | +openvpn (2.5.1-3ubuntu4) jammy; urgency=medium |
32 | + |
33 | + * d/p/OpenSSL3.patch: work around the deprecated algorithm mismatch between |
34 | + the OpenSSL3 branch and the OpenVPN 2.5 branch (LP: #1945980) |
35 | + |
36 | + -- Simon Chopin <simon.chopin@canonical.com> Thu, 18 Nov 2021 15:05:21 +0100 |
37 | + |
38 | +openvpn (2.5.1-3ubuntu3) jammy; urgency=medium |
39 | + |
40 | + * No-change rebuild against openssl3 |
41 | + |
42 | + -- Simon Chopin <simon.chopin@canonical.com> Wed, 01 Dec 2021 16:09:52 +0000 |
43 | + |
44 | +openvpn (2.5.1-3ubuntu2) impish; urgency=medium |
45 | + |
46 | + * No-change rebuild to build packages with zstd compression. |
47 | + |
48 | + -- Matthias Klose <doko@ubuntu.com> Thu, 07 Oct 2021 12:21:59 +0200 |
49 | + |
50 | +openvpn (2.5.1-3ubuntu1) impish; urgency=medium |
51 | + |
52 | + * Merge with Debian unstable. Remaining changes: |
53 | + - d/control: Demote easy-rsa to Suggests (universe package). |
54 | + - debian/openvpn@.service: Add '--script-security 2' similar to what |
55 | + got added to debian/openvpn.init.d ages ago (LP #1454725) |
56 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl. |
57 | + * Dropped changes: |
58 | + - d/t/server-setup-*: adapt tests to output of v2.5.0 |
59 | + [Included in 2.5.1-3] |
60 | + |
61 | + -- Utkarsh Gupta <utkarsh.gupta@canonical.com> Mon, 17 May 2021 14:38:17 +0530 |
62 | + |
63 | openvpn (2.5.1-3) unstable; urgency=medium |
64 | |
65 | * Fix autopkgtest (Closes: #983662) |
66 | @@ -22,6 +72,17 @@ openvpn (2.5.1-3) unstable; urgency=medium |
67 | |
68 | -- Bernhard Schmidt <berni@debian.org> Fri, 14 May 2021 09:40:04 +0200 |
69 | |
70 | +openvpn (2.5.1-2ubuntu1) impish; urgency=medium |
71 | + |
72 | + * Merge with Debian unstable. Remaining changes: |
73 | + - d/control: Demote easy-rsa to Suggests (universe package). |
74 | + - debian/openvpn@.service: Add '--script-security 2' similar to what |
75 | + got added to debian/openvpn.init.d ages ago (LP #1454725) |
76 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl. |
77 | + - d/t/server-setup-*: adapt tests to output of v2.5.0 |
78 | + |
79 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 03 May 2021 17:56:39 -0300 |
80 | + |
81 | openvpn (2.5.1-2) unstable; urgency=high |
82 | |
83 | * Cherry-Pick 3 (+ 1 predependency) patches from upstream to fix |
84 | @@ -30,12 +91,47 @@ openvpn (2.5.1-2) unstable; urgency=high |
85 | |
86 | -- Bernhard Schmidt <berni@debian.org> Wed, 28 Apr 2021 14:41:58 +0200 |
87 | |
88 | +openvpn (2.5.1-1ubuntu1) hirsute; urgency=medium |
89 | + |
90 | + * Merge with Debian unstable (LP: #1917438). Remaining changes: |
91 | + - d/control: Demote easy-rsa to Suggests (universe package). |
92 | + - debian/openvpn@.service: Add '--script-security 2' similar to what |
93 | + got added to debian/openvpn.init.d ages ago (LP #1454725) |
94 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl. |
95 | + + d/t/server-setup-*: adapt tests to output of v2.5.0 |
96 | + |
97 | + -- Utkarsh Gupta <utkarsh.gupta@canonical.com> Tue, 02 Mar 2021 16:35:37 +0530 |
98 | + |
99 | openvpn (2.5.1-1) unstable; urgency=medium |
100 | |
101 | * New upstream version 2.5.1 (bugfix release) |
102 | |
103 | -- Bernhard Schmidt <berni@debian.org> Wed, 24 Feb 2021 19:54:34 +0100 |
104 | |
105 | +openvpn (2.5.0-1ubuntu1) hirsute; urgency=medium |
106 | + |
107 | + * Merge with Debian unstable. Remaining changes: |
108 | + - d/control: Demote easy-rsa to Suggests (universe package). |
109 | + - debian/openvpn@.service: Add '--script-security 2' similar to what |
110 | + got added to debian/openvpn.init.d ages ago (LP #1454725) |
111 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl. |
112 | + [updated to match 2.5.0] |
113 | + * Dropped changes [in Debian since 2.5~beta3-1] |
114 | + - d/tests: add two DEP-8 test cases |
115 | + + d/t/server-setup-with-static-key: test the OpenVPN server side setup |
116 | + using a static key. |
117 | + + d/t/server-setup-with-ca: test the OpenVPN server side setup using a |
118 | + CA built with easy-rsa. |
119 | + - d/openvpn*.service: Drop reload support from systemd unit files |
120 | + (LP #1868127). The current reload implementation (sending a SIGHUP |
121 | + signal to the process) fails, and the difference between reload and |
122 | + restart is not clear. Systemd does not require an implementation for |
123 | + reload. |
124 | + * Added Changes: |
125 | + - d/t/server-setup-*: adapt tests to output of v2.5.0 |
126 | + |
127 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 01 Dec 2020 16:15:12 +0100 |
128 | + |
129 | openvpn (2.5.0-1) unstable; urgency=medium |
130 | |
131 | * New upstream version 2.5.0 - final release |
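Review bot: in the 2.5.1-1ubuntu1 entry the last "Remaining changes" item, "+ d/t/server-setup-*: adapt tests to output of v2.5.0", uses a '+' bullet at the indentation where its three siblings use '-'. Elsewhere in this changelog '+' marks a sub-item of the preceding '-' line, so as written it reads as if the test adaptation were part of the openvpn-fips-2.4.patch change. If the entry is being carried verbatim from the hirsute upload it can stay as history; otherwise switch the bullet to '-' to match the 2.5.1-2ubuntu1 entry, which lists the same item with '-'.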
132 | @@ -61,7 +157,7 @@ openvpn (2.5~beta3-1) unstable; urgency=medium |
133 | |
134 | [ Lucas Kanashiro ] |
135 | * Add two DEP-8 test cases for the server side |
136 | - * Drop reload support from systemd unit files (LP: #1868127) |
137 | + * Drop reload support from systemd unit files (LP 1868127) |
138 | |
139 | [ Bernhard Schmidt ] |
140 | * Revert "d/gbp.conf for experimental 2.5 branch" |
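Review bot: the rewrite of "(LP: #1868127)" to "(LP 1868127)" in the 2.5~beta3-1 entry touches a line that belongs to an unstable upload, and the 2.5.5-1ubuntu1 "Remaining changes" list does not mention it. If the edit is intentional, a short note in the new entry would explain the difference against Debian's changelog; if not, restoring the original line removes an unexplained delta. The new form also drops the '#', whereas the same bug is written "(LP #1868127)" in the 2.5.0-1ubuntu1 and 2.4.9-3ubuntu1 entries of this diff.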
141 | @@ -91,6 +187,26 @@ openvpn (2.5~beta1-1) experimental; urgency=medium |
142 | |
143 | -- Bernhard Schmidt <berni@debian.org> Sat, 15 Aug 2020 21:32:49 +0200 |
144 | |
145 | +openvpn (2.4.9-3ubuntu1) groovy; urgency=medium |
146 | + |
147 | + * Merge with Debian unstable. Remaining changes: |
148 | + - d/control: Demote easy-rsa to Suggests (universe package). |
149 | + - debian/openvpn@.service: Add '--script-security 2' similar to what |
150 | + got added to debian/openvpn.init.d ages ago (LP #1454725) |
151 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl. |
152 | + - d/tests: add two DEP-8 test cases |
153 | + + d/t/server-setup-with-static-key: test the OpenVPN server side setup |
154 | + using a static key. |
155 | + + d/t/server-setup-with-ca: test the OpenVPN server side setup using a |
156 | + CA built with easy-rsa. |
157 | + - d/openvpn*.service: Drop reload support from systemd unit files |
158 | + (LP #1868127). The current reload implementation (sending a SIGHUP |
159 | + signal to the process) fails, and the difference between reload and |
160 | + restart is not clear. Systemd does not require an implementation for |
161 | + reload. |
162 | + |
163 | + -- Lucas Kanashiro <kanashiro@ubuntu.com> Tue, 18 Aug 2020 08:42:11 -0300 |
164 | + |
165 | openvpn (2.4.9-3) unstable; urgency=medium |
166 | |
167 | [ Jörg Frings-Fürst ] |
168 | @@ -109,6 +225,28 @@ openvpn (2.4.9-3) unstable; urgency=medium |
169 | |
170 | -- Jörg Frings-Fürst <debian@jff.email> Sat, 02 May 2020 18:14:36 +0200 |
171 | |
172 | +openvpn (2.4.9-2ubuntu2) groovy; urgency=medium |
173 | + |
174 | + * Drop reload support from systemd unit files (LP: #1868127) |
175 | + |
176 | + -- Lucas Kanashiro <kanashiro@ubuntu.com> Tue, 26 May 2020 19:04:33 -0300 |
177 | + |
178 | +openvpn (2.4.9-2ubuntu1) groovy; urgency=medium |
179 | + |
180 | + * Merge with Debian unstable. Remaining changes: |
181 | + - d/control: Demote easy-rsa to Suggests (universe package). |
182 | + - debian/openvpn@.service: Add '--script-security 2' similar to what |
183 | + got added to debian/openvpn.init.d ages ago (LP 1454725) |
184 | + - Allow MD5 for PRF in FIPS mode openssl. |
185 | + * Added changes: |
186 | + - d/tests: add two DEP-8 test cases |
187 | + + d/t/server-setup-with-static-key: test the OpenVPN server side setup |
188 | + using a static key. |
189 | + + d/t/server-setup-with-ca: test the OpenVPN server side setup using a |
190 | + CA built with easy-rsa. |
191 | + |
192 | + -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Wed, 29 Apr 2020 15:35:56 -0300 |
193 | + |
194 | openvpn (2.4.9-2) unstable; urgency=medium |
195 | |
196 | * Cherry-Pick upstream patch to fix ssl_do_config error with |
197 | @@ -144,6 +282,28 @@ openvpn (2.4.9-1) unstable; urgency=medium |
198 | |
199 | -- Bernhard Schmidt <berni@debian.org> Sun, 19 Apr 2020 15:52:57 +0200 |
200 | |
201 | +openvpn (2.4.7-1ubuntu2) eoan; urgency=medium |
202 | + |
203 | + * No-change upload with strops.h and sys/strops.h removed in glibc. |
204 | + |
205 | + -- Matthias Klose <doko@ubuntu.com> Thu, 05 Sep 2019 11:05:25 +0000 |
206 | + |
207 | +openvpn (2.4.7-1ubuntu1) eoan; urgency=medium |
208 | + |
209 | + * Merge with Debian unstable (LP: #1828771). Remaining changes: |
210 | + - d/control: Demote easy-rsa to Suggests (universe package). |
211 | + - debian/openvpn@.service: Add '--script-security 2' similar to what got |
212 | + added to debian/openvpn.init.d ages ago (LP 1454725) |
213 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF. |
214 | + (LP 1807439) |
215 | + * Dropped changes: |
216 | + - d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout |
217 | + scripts breaking due to sudo/pam being unable to audit the action. |
218 | + Fixed in upstream issue #918, suggested to Debian in #868806 (LP 1787208) |
219 | + [in Debian now] |
220 | + |
221 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 13 May 2019 15:55:22 +0200 |
222 | + |
223 | openvpn (2.4.7-1) unstable; urgency=medium |
224 | |
225 | [ Bernhard Schmidt ] |
226 | @@ -163,6 +323,30 @@ openvpn (2.4.7-1) unstable; urgency=medium |
227 | |
228 | -- Bernhard Schmidt <berni@debian.org> Wed, 20 Feb 2019 14:50:03 +0100 |
229 | |
230 | +openvpn (2.4.6-1ubuntu3) disco; urgency=medium |
231 | + |
232 | + * d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF. |
233 | + (LP: #1807439) |
234 | + |
235 | + -- Joy Latten <joy.latten@canonical.com> Wed, 09 Jan 2019 12:25:59 -0600 |
236 | + |
237 | +openvpn (2.4.6-1ubuntu2) cosmic; urgency=medium |
238 | + |
239 | + * d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout |
240 | + scripts breaking due to sudo/pam being unable to audit the action. |
241 | + Fixed in upstream issue #918, suggested to Debian in #868806 (LP: #1787208) |
242 | + |
243 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Sep 2018 10:57:35 +0200 |
244 | + |
245 | +openvpn (2.4.6-1ubuntu1) cosmic; urgency=medium |
246 | + |
247 | + * Merge with Debian unstable. Remaining changes: |
248 | + - d/control: Demote easy-rsa to Suggests (universe package). |
249 | + - debian/openvpn@.service: Add '--script-security 2' similar to what got |
250 | + added to debian/openvpn.init.d ages ago (LP 1454725) |
251 | + |
252 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 20 Aug 2018 13:30:20 +0200 |
253 | + |
254 | openvpn (2.4.6-1) unstable; urgency=medium |
255 | |
256 | [ Jörg Frings-Fürst ] |
257 | @@ -206,6 +390,15 @@ openvpn (2.4.5-1) unstable; urgency=medium |
258 | |
259 | -- Bernhard Schmidt <berni@debian.org> Sun, 04 Mar 2018 22:23:47 +0100 |
260 | |
261 | +openvpn (2.4.4-2ubuntu1) bionic; urgency=low |
262 | + |
263 | + * Sync with Debian. Remaining changes: |
264 | + - debian/openvpn@.service: Add "--script-security 2" similar to what got |
265 | + added to debian/openvpn.init.d ages ago (LP: #1454725) |
266 | + - Demote easy-rsa to Suggests (universe package). |
267 | + |
268 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 10 Feb 2018 20:27:56 +0000 |
269 | + |
270 | openvpn (2.4.4-2) unstable; urgency=medium |
271 | |
272 | * Build against OpenSSL 1.1.0 (Closes: #828477) |
273 | @@ -213,6 +406,15 @@ openvpn (2.4.4-2) unstable; urgency=medium |
274 | |
275 | -- Bernhard Schmidt <berni@debian.org> Mon, 11 Dec 2017 00:22:11 +0100 |
276 | |
277 | +openvpn (2.4.4-1ubuntu1) bionic; urgency=medium |
278 | + |
279 | + * Sync with Debian. Remaining changes: |
280 | + - debian/openvpn@.service: Add "--script-security 2" similar to what got |
281 | + added to debian/openvpn.init.d ages ago (LP: #1454725) |
282 | + - Demote easy-rsa to Suggests (universe package). |
283 | + |
284 | + -- Jeremy Bicha <jbicha@ubuntu.com> Sat, 28 Oct 2017 15:13:58 -0400 |
285 | + |
286 | openvpn (2.4.4-1) unstable; urgency=medium |
287 | |
288 | [ Jörg Frings-Fürst ] |
289 | @@ -334,6 +536,65 @@ openvpn (2.4.0-5) unstable; urgency=high |
290 | |
291 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 May 2017 14:15:21 +0200 |
292 | |
293 | +openvpn (2.4.0-4ubuntu1.3) zesty-security; urgency=medium |
294 | + |
295 | + * SECURITY UPDATE: Remotely-triggerable ASSERT() on malformed IPv6 packet |
296 | + - debian/patches/CVE-2017-7508.patch: remove assert in |
297 | + src/openvpn/mss.c. |
298 | + - CVE-2017-7508 |
299 | + * SECURITY UPDATE: Remote-triggerable memory leaks |
300 | + - debian/patches/CVE-2017-7512.patch: fix leaks in |
301 | + src/openvpn/ssl_verify_openssl.c. |
302 | + - CVE-2017-7512 |
303 | + * SECURITY UPDATE: Pre-authentication remote crash/information disclosure |
304 | + for clients |
305 | + - debian/patches/CVE-2017-7520.patch: prevent two kinds of stack buffer |
306 | + OOB reads and a crash for invalid input data in src/openvpn/ntlm.c. |
307 | + - CVE-2017-7520 |
308 | + * SECURITY UPDATE: Potential double-free in --x509-alt-username and |
309 | + memory leaks |
310 | + - debian/patches/CVE-2017-7521.patch: fix double-free in |
311 | + src/openvpn/ssl_verify_openssl.c. |
312 | + - CVE-2017-7521 |
313 | + * SECURITY UPDATE: DoS in establish_http_proxy_passthru() |
314 | + - debian/patches/establish_http_proxy_passthru_dos.patch: fix |
315 | + null-pointer dereference in src/openvpn/proxy.c. |
316 | + - No CVE number |
317 | + |
318 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 22 Jun 2017 08:37:49 -0400 |
319 | + |
320 | +openvpn (2.4.0-4ubuntu1.2) zesty-security; urgency=medium |
321 | + |
322 | + * SECURITY UPDATE: pre-authentication denial-of-service vulnerability |
323 | + (both client and server) from a too-large control packet. |
324 | + - debian/patches/CVE-2017-7478.patch: Do not assert on too-large |
325 | + control packet |
326 | + - CVE-2017-7478 |
327 | + * SECURITY UPDATE: authenticated remote DoS vulnerability due to |
328 | + packet ID rollover |
329 | + - debian/patches/CVE-2017-7479-prereq.patch: merge |
330 | + packet_id_alloc_outgoing() into packet_id_write() |
331 | + - debian/patches/CVE-2017-7478.patch: do not assert when packet ID |
332 | + rollover occurs |
333 | + - CVE-2017-7478 |
334 | + * SECURITY UPDATE: auth tokens left in memory after de-auth |
335 | + - debian/patches/wipe_tokens_on_de-auth.patch: always wipe token |
336 | + as soon as a TLS session is considered broken. |
337 | + |
338 | + -- Steve Beattie <sbeattie@ubuntu.com> Wed, 10 May 2017 15:21:05 -0700 |
339 | + |
340 | +openvpn (2.4.0-4ubuntu1) zesty; urgency=medium |
341 | + |
342 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
343 | + - debian/openvpn@.service: Add "--script-security 2" similar to what got |
344 | + added to debian/openvpn.init.d ages ago (LP: #1454725) |
345 | + - Demote easy-rsa to Suggests (universe package). |
346 | + * Drop: |
347 | + - debian/control: Actually drop the initscripts dependency. |
348 | + (Closes: #804968). Already in Debian |
349 | + |
350 | + -- Jon Grimm <jon.grimm@canonical.com> Fri, 10 Feb 2017 12:16:57 -0600 |
351 | + |
352 | openvpn (2.4.0-4) unstable; urgency=medium |
353 | |
354 | * Add NEWS entries on possible 2.4 migration issues. |
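Review bot: in the 2.4.0-4ubuntu1.2 entry the packet ID rollover item looks mislabelled: its prerequisite patch is named CVE-2017-7479-prereq.patch, yet the fix patch and the CVE line both read CVE-2017-7478, the identifier already used by the too-large control packet item directly above it. Please check the patch file name and CVE id against the zesty-security upload; if the entry is being carried verbatim, leave it as history, but anyone matching this changelog against a CVE tracker will not find the rollover fix under the id its prerequisite implies. The "auth tokens left in memory after de-auth" item in the same entry also has neither a CVE line nor a "No CVE number" marker, unlike the establish_http_proxy_passthru item in 2.4.0-4ubuntu1.3.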
355 | @@ -403,6 +664,24 @@ openvpn (2.3.11-2) unstable; urgency=medium |
356 | |
357 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 23 May 2016 09:55:30 +0200 |
358 | |
359 | +openvpn (2.3.11-1ubuntu2) yakkety; urgency=medium |
360 | + |
361 | + * debian/control: Actually drop the initscripts dependency. |
362 | + (Closes: #804968) |
363 | + |
364 | + -- Martin Pitt <martin.pitt@ubuntu.com> Wed, 22 Jun 2016 16:54:51 +0200 |
365 | + |
366 | +openvpn (2.3.11-1ubuntu1) yakkety; urgency=medium |
367 | + |
368 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
369 | + - debian/openvpn@.service: Add "--script-security 2" similar to what got |
370 | + added to debian/openvpn.init.d ages ago (see LP: #260291). |
371 | + - Demote easy-rsa to Suggests (universe package). |
372 | + * Drop intrusive changes (showing per-VPN result messages) from |
373 | + debian/openvpn.init.d. This isn't being used under systemd. |
374 | + |
375 | + -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 20 May 2016 17:30:27 +0200 |
376 | + |
377 | openvpn (2.3.11-1) unstable; urgency=medium |
378 | |
379 | * New upstream release. |
380 | @@ -414,6 +693,25 @@ openvpn (2.3.11-1) unstable; urgency=medium |
381 | |
382 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 10 May 2016 17:41:53 +0200 |
383 | |
384 | +openvpn (2.3.10-1ubuntu2) xenial; urgency=medium |
385 | + |
386 | + * debian/openvpn@.service: Add --script-security similar to what got added |
387 | + to debian/openvpn.init.d ages ago (see LP #260291). (LP: #1454725) |
388 | + |
389 | + -- Martin Pitt <martin.pitt@ubuntu.com> Tue, 02 Feb 2016 13:33:39 +0100 |
390 | + |
391 | +openvpn (2.3.10-1ubuntu1) xenial; urgency=medium |
392 | + |
393 | + * Merge with Debian unstable (LP: #1536568). Remaining Ubuntu changes: |
394 | + - debian/openvpn.init.d: |
395 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
396 | + + Show per-VPN result messages. |
397 | + + Add "--script-security 2" by default for backwards compatabliity. |
398 | + (LP #260291) |
399 | + - Demote easy-rsa to Suggests |
400 | + |
401 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Thu, 21 Jan 2016 11:37:08 +0100 |
402 | + |
403 | openvpn (2.3.10-1) unstable; urgency=medium |
404 | |
405 | * New upstream release. (Closes: #804368) |
406 | @@ -432,6 +730,21 @@ openvpn (2.3.10-1) unstable; urgency=medium |
407 | |
408 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 20 Jan 2016 12:01:36 +0100 |
409 | |
410 | +openvpn (2.3.8-1ubuntu1) xenial; urgency=medium |
411 | + |
412 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
413 | + - debian/openvpn.init.d: |
414 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
415 | + + Show per-VPN result messages. |
416 | + + Add "--script-security 2" by default for backwards compatabliity. |
417 | + - Demote easy-rsa to Suggests |
418 | + - Run openvpn@.service before systemd-user-sessions.service to avoid |
419 | + gettys and lightdm starting on top of possible password prompts. This |
420 | + provides the equivalent of the init.d script's X-Start-Before:. |
421 | + (Closes: #803032) |
422 | + |
423 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 04 Jan 2016 11:48:31 +0100 |
424 | + |
425 | openvpn (2.3.8-1) unstable; urgency=medium |
426 | |
427 | * New upstream release. Drop patch from 2.3.7-2. |
428 | @@ -445,6 +758,21 @@ openvpn (2.3.8-1) unstable; urgency=medium |
429 | |
430 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 28 Oct 2015 17:34:26 +0100 |
431 | |
432 | +openvpn (2.3.7-2ubuntu1) xenial; urgency=medium |
433 | + |
434 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
435 | + - debian/openvpn.init.d: |
436 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
437 | + + Show per-VPN result messages. |
438 | + + Add "--script-security 2" by default for backwards compatabliity. |
439 | + - Demote easy-rsa to Suggests |
440 | + - Run openvpn@.service before systemd-user-sessions.service to avoid |
441 | + gettys and lightdm starting on top of possible password prompts. This |
442 | + provides the equivalent of the init.d script's X-Start-Before:. |
443 | + (Closes: #803032) |
444 | + |
445 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 26 Oct 2015 09:32:31 +0100 |
446 | + |
447 | openvpn (2.3.7-2) unstable; urgency=medium |
448 | |
449 | * Move libsystemd-daemon-dev Build-Dep to libsystemd-dev. |
450 | @@ -455,6 +783,20 @@ openvpn (2.3.7-2) unstable; urgency=medium |
451 | |
452 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 08 Sep 2015 08:23:19 +0000 |
453 | |
454 | +openvpn (2.3.7-1ubuntu1) wily; urgency=medium |
455 | + |
456 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
457 | + - debian/openvpn.init.d: |
458 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
459 | + + Show per-VPN result messages. |
460 | + + Add "--script-security 2" by default for backwards compatabliity. |
461 | + - Demote easy-rsa to Suggests |
462 | + - Run openvpn@.service before systemd-user-sessions.service to avoid |
463 | + gettys and lightdm starting on top of possible password prompts. This |
464 | + provides the equivalent of the init.d script's X-Start-Before:. |
465 | + |
466 | + -- Martin Pitt <martin.pitt@ubuntu.com> Wed, 08 Jul 2015 12:28:54 +0200 |
467 | + |
468 | openvpn (2.3.7-1) unstable; urgency=medium |
469 | |
470 | * New upstream version |
471 | @@ -476,6 +818,20 @@ openvpn (2.3.5-1) unstable; urgency=medium |
472 | |
473 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Oct 2014 17:44:06 +0100 |
474 | |
475 | +openvpn (2.3.4-5ubuntu1) wily; urgency=medium |
476 | + |
477 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
478 | + - debian/openvpn.init.d: |
479 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
480 | + + Show per-VPN result messages. |
481 | + + Add "--script-security 2" by default for backwards compatabliity. |
482 | + - Demote easy-rsa to Suggests |
483 | + - Run openvpn@.service before systemd-user-sessions.service to avoid |
484 | + gettys and lightdm starting on top of possible password prompts. This |
485 | + provides the equivalent of the init.d script's X-Start-Before:. |
486 | + |
487 | + -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 07 May 2015 15:35:52 +0200 |
488 | + |
489 | openvpn (2.3.4-5) unstable; urgency=high |
490 | |
491 | * Apply upstream patch that fixes possible DoS by authenticated |
492 | @@ -534,6 +890,52 @@ openvpn (2.3.3-1) experimental; urgency=medium |
493 | |
494 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 17 Mar 2014 19:40:12 +0100 |
495 | |
496 | +openvpn (2.3.2-9ubuntu4) vivid; urgency=medium |
497 | + |
498 | + * Run openvpn@.service before systemd-user-sessions.service to avoid gettys |
499 | + and lightdm starting on top of possible password prompts. This provides |
500 | + the equivalent of the init.d script's X-Start-Before:. |
501 | + |
502 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 13 Apr 2015 16:09:01 -0500 |
503 | + |
504 | +openvpn (2.3.2-9ubuntu3) vivid; urgency=medium |
505 | + |
506 | + * Add better_systemd_detection.patch to avoid calling systemd-ask-password |
507 | + under upstart. Backported from upstream. (Closes: #747265) |
508 | + * Add systemd unit and generator from current Debian package. This avoids |
509 | + using the init.d script, which unnecessarily blocks lightdm startup on the |
510 | + network becoming online even if there are no auto-start connections |
511 | + (LP: #1443489). |
512 | + |
513 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 13 Apr 2015 11:22:56 -0500 |
514 | + |
515 | +openvpn (2.3.2-9ubuntu2) vivid; urgency=medium |
516 | + |
517 | + * SECURITY UPDATE: server denial of service via too-short control channel |
518 | + packets |
519 | + - debian/patches/CVE-2014-8104.patch: drop too-short control channel |
520 | + packets instead of asserting out in src/openvpn/ssl.c. |
521 | + - CVE-2014-8104 |
522 | + * debian/patches/update_certs.patch: update test certs to fix FTBFS. |
523 | + |
524 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Dec 2014 15:26:58 -0500 |
525 | + |
526 | +openvpn (2.3.2-9ubuntu1) utopic; urgency=medium |
527 | + |
528 | + * Merge from Debian unstable. Remaining changes: |
529 | + - debian/openvpn.init.d: |
530 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
531 | + + Show per-VPN result messages. |
532 | + + Add "--script-security 2" by default for backwards compatabliity. |
533 | + - Demote easy-rsa to Suggests |
534 | + - Patch libtool.m4 and configure to support ppc64el. |
535 | + - Refresh delta with debian/openvpn.init.d: |
536 | + + Make stop action reliable by killing if needed |
537 | + (LP: #1274254, LP: #1200519) |
538 | + + Use new path for status file (LP: #1261088) |
539 | + |
540 | + -- Stéphane Graber <stgraber@ubuntu.com> Fri, 02 May 2014 16:00:55 -0400 |
541 | + |
542 | openvpn (2.3.2-9) unstable; urgency=medium |
543 | |
544 | * Create /run/openvpn in init script even if no VPN is |
545 | @@ -549,6 +951,33 @@ openvpn (2.3.2-8) unstable; urgency=medium |
546 | |
547 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 14 Mar 2014 12:59:57 +0100 |
548 | |
549 | +openvpn (2.3.2-7ubuntu3) trusty; urgency=medium |
550 | + |
551 | + [ Simon Deziel ] |
552 | + * Refresh delta with debian/openvpn.init.d: |
553 | + - Make stop action reliable by killing if needed |
554 | + (LP: #1274254, LP: #1200519) |
555 | + - Use new path for status file (LP: #1261088) |
556 | + |
557 | + -- Stéphane Graber <stgraber@ubuntu.com> Tue, 04 Feb 2014 09:31:39 -0500 |
558 | + |
559 | +openvpn (2.3.2-7ubuntu2) trusty; urgency=medium |
560 | + |
561 | + * Patch libtool.m4 and configure to support ppc64el. |
562 | + |
563 | + -- Matthias Klose <doko@ubuntu.com> Mon, 30 Dec 2013 12:32:35 +0100 |
564 | + |
565 | +openvpn (2.3.2-7ubuntu1) trusty; urgency=low |
566 | + |
567 | + * Merge from Debian unstable. Remaining changes: |
568 | + - debian/openvpn.init.d: |
569 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
570 | + + Show per-VPN result messages. |
571 | + + Add "--script-security 2" by default for backwards compatabliity. |
572 | + - Demote easy-rsa to Suggests |
573 | + |
574 | + -- Stéphane Graber <stgraber@ubuntu.com> Mon, 02 Dec 2013 18:14:42 -0500 |
575 | + |
576 | openvpn (2.3.2-7) unstable; urgency=low |
577 | |
578 | * Fix postinst when no *.pid files exist in /run/sendsigs.omit.d/. |
579 | @@ -565,6 +994,17 @@ openvpn (2.3.2-6) unstable; urgency=low |
580 | |
581 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 27 Nov 2013 13:58:33 +0100 |
582 | |
583 | +openvpn (2.3.2-5ubuntu1) trusty; urgency=low |
584 | + |
585 | + * Merge from Debian unstable. Remaining changes: |
586 | + - debian/openvpn.init.d: |
587 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
588 | + + Show per-VPN result messages. |
589 | + + Add "--script-security 2" by default for backwards compatabliity. |
590 | + - Demote easy-rsa to Suggests |
591 | + |
592 | + -- Stéphane Graber <stgraber@ubuntu.com> Mon, 21 Oct 2013 13:07:37 -0400 |
593 | + |
594 | openvpn (2.3.2-5) unstable; urgency=low |
595 | |
596 | * Patch init script to fix race conditions on restarts. |
597 | @@ -574,6 +1014,16 @@ openvpn (2.3.2-5) unstable; urgency=low |
598 | |
599 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 15 Jul 2013 16:10:59 +0200 |
600 | |
601 | +openvpn (2.3.2-4ubuntu1) saucy; urgency=low |
602 | + |
603 | + * Merge from Debian unstable. Remaining changes: |
604 | + - debian/openvpn.init.d: |
605 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
606 | + + Show per-VPN result messages. |
607 | + + Add "--script-security 2" by default for backwards compatabliity. |
608 | + |
609 | + -- Stéphane Graber <stgraber@ubuntu.com> Tue, 09 Jul 2013 17:20:31 -0400 |
610 | + |
611 | openvpn (2.3.2-4) unstable; urgency=low |
612 | |
613 | * Fix depends on iproute to iproute2. |
614 | @@ -606,6 +1056,23 @@ openvpn (2.3.2-1) unstable; urgency=low |
615 | |
616 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 03 Jun 2013 18:48:44 +0200 |
617 | |
618 | +openvpn (2.3.1-2ubuntu2) saucy; urgency=low |
619 | + |
620 | + * Move easy-rsa from Recommends to Suggests as it's not in main and isn't |
621 | + actually required to operate an openvpn server. |
622 | + |
623 | + -- Stéphane Graber <stgraber@ubuntu.com> Wed, 19 Jun 2013 14:37:54 -0400 |
624 | + |
625 | +openvpn (2.3.1-2ubuntu1) saucy; urgency=low |
626 | + |
627 | + * Merge from Debian unstable. Remaining changes: |
628 | + - debian/openvpn.init.d: |
629 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
630 | + + Show per-VPN result messages. |
631 | + + Add "--script-security 2" by default for backwards compatabliity. |
632 | + |
633 | + -- Stéphane Graber <stgraber@ubuntu.com> Fri, 24 May 2013 17:42:45 -0400 |
634 | + |
635 | openvpn (2.3.1-2) unstable; urgency=low |
636 | |
637 | * Add net-tools to Build-Depends. (Closes: #709108) |
638 | @@ -633,6 +1100,32 @@ openvpn (2.3~rc1-1) experimental; urgency=low |
639 | |
640 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 05 Nov 2012 16:31:15 +0100 |
641 | |
642 | +openvpn (2.2.1-8ubuntu3) raring; urgency=low |
643 | + |
644 | + [ Marc Gariépy ] |
645 | + * Add --script-security to the init.d script (was generated but not passed |
646 | + to openvpn). (LP: #1124398) |
647 | + |
648 | + -- Stéphane Graber <stgraber@ubuntu.com> Wed, 13 Feb 2013 16:10:48 -0500 |
649 | + |
650 | +openvpn (2.2.1-8ubuntu2) quantal; urgency=low |
651 | + |
652 | + * Rebuild for new armel compiler default of ARMv5t. |
653 | + |
654 | + -- Colin Watson <cjwatson@ubuntu.com> Mon, 08 Oct 2012 08:36:47 +0100 |
655 | + |
656 | +openvpn (2.2.1-8ubuntu1) precise; urgency=low |
657 | + |
658 | + * Merge at Simon Deziel's request to build with PIE. |
659 | + * Merge from Debian unstable. Remaining changes: |
660 | + + debian/openvpn.init.d: |
661 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
662 | + - Show per-VPN result messages. |
663 | + - Add "--script-security 2" by default for backwards compatabliity. |
664 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
665 | + |
666 | + -- Stéphane Graber <stgraber@ubuntu.com> Fri, 30 Mar 2012 13:19:09 -0400 |
667 | + |
668 | openvpn (2.2.1-8) unstable; urgency=low |
669 | |
670 | * Enable "PIE" and "BINDOW" hardening flags. |
671 | @@ -657,6 +1150,17 @@ openvpn (2.2.1-6) unstable; urgency=low |
672 | |
673 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Mar 2012 13:44:50 +0100 |
674 | |
675 | +openvpn (2.2.1-5ubuntu1) precise; urgency=low |
676 | + |
677 | + * Merge from Debian unstable. Remaining changes: (LP: #907828) |
678 | + + debian/openvpn.init.d: |
679 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
680 | + - Show per-VPN result messages. |
681 | + - Add "--script-security 2" by default for backwards compatabliity. |
682 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
683 | + |
684 | + -- Stéphane Graber <stgraber@ubuntu.com> Sat, 25 Feb 2012 21:08:48 -0500 |
685 | + |
686 | openvpn (2.2.1-5) unstable; urgency=low |
687 | |
688 | * Avoid sending ICMP redirects when using tun devices and "subnet" |
689 | @@ -679,6 +1183,20 @@ openvpn (2.2.1-4) unstable; urgency=low |
690 | |
691 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 08 Feb 2012 16:31:32 +0100 |
692 | |
693 | +openvpn (2.2.1-3ubuntu1) precise; urgency=low |
694 | + |
695 | + * Merge from Debian testing. Remaining changes: |
696 | + + debian/openvpn.init.d: |
697 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
698 | + - Show per-VPN result messages. |
699 | + - Add "--script-security 2" by default for backwards compatabliity. |
700 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
701 | + + debian/update-resolv-conf: Support multiple domains. |
702 | + + fix bug where '--script-security 2' would be passed for all |
703 | + daemons after the first. (LP: #794916) |
704 | + |
705 | + -- Chuck Short <zulcss@ubuntu.com> Sat, 31 Dec 2011 04:55:56 +0000 |
706 | + |
707 | openvpn (2.2.1-3) unstable; urgency=low |
708 | |
709 | * The iproute fiasco release. |
710 | @@ -707,6 +1225,20 @@ openvpn (2.2.1-1) unstable; urgency=low |
711 | |
712 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 13 Dec 2011 11:04:22 +0100 |
713 | |
714 | +openvpn (2.2.0-2ubuntu1) oneiric; urgency=low |
715 | + |
716 | + * Merge from debian unstable. Remaining changes: |
717 | + + debian/openvpn.init.d: |
718 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
719 | + - Show per-VPN result messages. |
720 | + - Add "--script-security 2" by default for backwards compatabliity. |
721 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
722 | + + debian/update-resolv-conf: Support multiple domains. |
723 | + + fix bug where '--script-security 2' would be passed for all |
724 | + daemons after the first. (LP: #794916 |
725 | + |
726 | + -- Chuck Short <zulcss@ubuntu.com> Thu, 16 Jun 2011 18:33:37 +0100 |
727 | + |
728 | openvpn (2.2.0-2) unstable; urgency=low |
729 | |
730 | * Upload to unstable |
731 | @@ -741,6 +1273,45 @@ openvpn (2.1.3-5) experimental; urgency=low |
732 | |
733 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 22 Mar 2011 10:57:18 +0100 |
734 | |
735 | +openvpn (2.1.3-4.1ubuntu2) oneiric; urgency=low |
736 | + |
737 | + [Alexander Zielke] |
738 | + * fix bug where '--script-security 2' would be passed for all |
739 | + daemons after the first. (LP: #794916) |
740 | + |
741 | + -- Scott Moser <smoser@ubuntu.com> Thu, 09 Jun 2011 13:59:08 -0400 |
742 | + |
743 | +openvpn (2.1.3-4.1ubuntu1) oneiric; urgency=low |
744 | + |
745 | + * Merge from debian unstable. Remaining changes: |
746 | + + debian/openvpn.init.d: |
747 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
748 | + - Show per-VPN result messages. |
749 | + - Add "--script-security 2" by default for backwards compatabliity. |
750 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
751 | + + debian/update-resolv-conf: Support multiple domains. |
752 | + |
753 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 17 May 2011 02:14:39 +0100 |
754 | + |
755 | +openvpn (2.1.3-4.1) unstable; urgency=low |
756 | + |
757 | + * Non-maintainer upload. |
758 | + * Drop hard-coded dependency on libssl0.9.8. (Closes: #623503) |
759 | + |
760 | + -- Philipp Kern <pkern@debian.org> Mon, 09 May 2011 23:20:03 +0200 |
761 | + |
762 | +openvpn (2.1.3-4ubuntu1) oneiric; urgency=low |
763 | + |
764 | + * Merge from debian unstable. Remaining changes: |
765 | + + debian/openvpn.init.d: |
766 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
767 | + - Show per-VPN result messages. |
768 | + - Add "--script-security 2" by default for backwards compatabliity. |
769 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
770 | + + debian/update-resolv-conf: Support multiple domains. |
771 | + |
772 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Mar 2011 23:28:26 +0000 |
773 | + |
774 | openvpn (2.1.3-4) unstable; urgency=low |
775 | |
776 | * Updated JuanJo's IPv6 patch. Now really fixes use from xinetd. |
777 | @@ -763,6 +1334,31 @@ openvpn (2.1.3-3) unstable; urgency=low |
778 | |
779 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 11 Mar 2011 13:08:12 +0100 |
780 | |
781 | +openvpn (2.1.3-2ubuntu3) natty; urgency=low |
782 | + |
783 | + * update-resolv-conf: Correctly handle multiple dns search domains, |
784 | + using the same logic as nameservers. Patch courtesy of Jeremy |
785 | + Zawodny. (LP: #662847) |
786 | + |
787 | + -- Dave Walker (Daviey) <DaveWalker@ubuntu.com> Fri, 11 Mar 2011 00:23:59 +0000 |
788 | + |
789 | +openvpn (2.1.3-2ubuntu2) natty; urgency=low |
790 | + |
791 | + * update-resolv-conf: Support mulitple domains (LP: #714358) |
792 | + |
793 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 14 Feb 2011 15:21:46 -0500 |
794 | + |
795 | +openvpn (2.1.3-2ubuntu1) natty; urgency=low |
796 | + |
797 | + * Merge from debian unstable. Remaining changes: |
798 | + + debian/openvpn.init.d: |
799 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
800 | + - Show per-VPN result messages. |
801 | + - Add "--script-security 2" by default for backwards compatabliity. |
802 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
803 | + |
804 | + -- Chuck Short <zulcss@ubuntu.com> Sat, 23 Oct 2010 01:59:28 +0100 |
805 | + |
806 | openvpn (2.1.3-2) unstable; urgency=low |
807 | |
808 | * Applied upstream patch to solve random routes added when using |
809 | @@ -770,6 +1366,24 @@ openvpn (2.1.3-2) unstable; urgency=low |
810 | |
811 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 21 Oct 2010 12:21:33 +0200 |
812 | |
813 | +openvpn (2.1.3-1ubuntu2) natty; urgency=low |
814 | + |
815 | + * Fix jjo-ipv6-support.patch to avoid assertion failure at socket.c:629 in |
816 | + corner cases where ! host && addr (LP: #627973) |
817 | + |
818 | + -- Thierry Carrez (ttx) <thierry.carrez@ubuntu.com> Wed, 20 Oct 2010 16:22:25 +0200 |
819 | + |
820 | +openvpn (2.1.3-1ubuntu1) natty; urgency=low |
821 | + |
822 | + * Merge from debian unstable. Remaining changes: |
823 | + + debian/openvpn.init.d: |
824 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
825 | + - Show per-VPN result messages. |
826 | + - Add "--script-security 2" by default for backwards compatablitiy |
827 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
828 | + |
829 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 05 Oct 2010 06:21:14 +0100 |
830 | + |
831 | openvpn (2.1.3-1) unstable; urgency=low |
832 | |
833 | * New upstream release (Closes: #595684) |
834 | @@ -781,6 +1395,17 @@ openvpn (2.1.3-1) unstable; urgency=low |
835 | |
836 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Sep 2010 13:07:37 +0200 |
837 | |
838 | +openvpn (2.1.0-3ubuntu1) maverick; urgency=low |
839 | + |
840 | + * Merge from debian unstable. Remaining changes: |
841 | + + debian/openvpn.init.d: |
842 | + - Do not use start-stop-daemon and use </dev/null to avoid blocking boot |
843 | + - Show per-VPN result messages |
844 | + - Add "--script-security 2" by default for backwards compatablitiy |
845 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
846 | + |
847 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 12 Jul 2010 09:39:43 -0400 |
848 | + |
849 | openvpn (2.1.0-3) unstable; urgency=low |
850 | |
851 | * The 'happy birthday to me' release |
852 | @@ -790,6 +1415,24 @@ openvpn (2.1.0-3) unstable; urgency=low |
853 | |
854 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Jul 2010 12:22:09 +0200 |
855 | |
856 | +openvpn (2.1.0-2ubuntu2) maverick; urgency=low |
857 | + |
858 | + * debian/patches/client_hang_when_server_dont_push.patch: Fix client hanging |
859 | + on PUSH_REQUEST when server does not push any option (LP: #579737) |
860 | + |
861 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Mon, 28 Jun 2010 10:45:23 +0200 |
862 | + |
863 | +openvpn (2.1.0-2ubuntu1) maverick; urgency=low |
864 | + |
865 | + * Merge from debian unstable. Remaining changes: |
866 | + + debian/openvpn.init.d: |
867 | + - Do not use start-stop-daemon and use </dev/null to avoid blocking boot |
868 | + - Show per-VPN result messages |
869 | + - Add "--script-security 2" by default for backwards compatablitiy |
870 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
871 | + |
872 | + -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 03:06:19 +0100 |
873 | + |
874 | openvpn (2.1.0-2) unstable; urgency=low |
875 | |
876 | * Patched ssl.[ch] to fix integer overflow. (Closes: #576827) |
877 | @@ -802,6 +1445,17 @@ openvpn (2.1.0-2) unstable; urgency=low |
878 | |
879 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Sat, 10 Apr 2010 17:26:42 +0200 |
880 | |
881 | +openvpn (2.1.0-1ubuntu1) lucid; urgency=low |
882 | + |
883 | + * Merge from debian testing (LP: #509078), remaining changes: |
884 | + + debian/openvpn.init.d: |
885 | + - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot |
886 | + - Show per-VPN result messages |
887 | + - Add "--script-security 2" by default for backwards compatibility |
888 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
889 | + |
890 | + -- Jan Brinkmann <lucky@the-luckyduck.de> Fri, 22 Jan 2010 00:47:33 +0100 |
891 | + |
892 | openvpn (2.1.0-1) unstable; urgency=low |
893 | |
894 | * New upstream release |
895 | @@ -839,6 +1493,20 @@ openvpn (2.1~rc20-3) unstable; urgency=low |
896 | |
897 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 04 Nov 2009 17:18:03 +0100 |
898 | |
899 | +openvpn (2.1~rc20-2ubuntu1) lucid; urgency=low |
900 | + |
901 | + * Merge from debian testing, remaining changes: |
902 | + + debian/openvpn.init.d: |
903 | + - Do not use start-stop-daemon and use < /dev/null to avoid blocking |
904 | + boot. |
905 | + - show per-VPN result messages |
906 | + - add "--script-security 2" by default for backwards compatibility |
907 | + - Add lab-base >= 3.2-14 to allow status_of_proc() |
908 | + + Dropped debian/patches/redirect-gateway.patch: Already applied |
909 | + upstream. |
910 | + |
911 | + -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 01:36:35 +0000 |
912 | + |
913 | openvpn (2.1~rc20-2) unstable; urgency=low |
914 | |
915 | * init.d script: Added X-Interactive header. (Closes: #549424) |
916 | @@ -863,6 +1531,25 @@ openvpn (2.1~rc19-2) unstable; urgency=low |
917 | |
918 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Sun, 30 Aug 2009 20:20:11 +0200 |
919 | |
920 | +openvpn (2.1~rc19-1ubuntu2) karmic; urgency=low |
921 | + |
922 | + * debian/patches/redirect-gateway.patch: Fix regression introduced in |
923 | + 2.1rc17 that makes redirect-gateway (without options) to be ignored. |
924 | + Patch cherrypicked from upstream 2.1rc20 (SVN r5011), LP: #445695 |
925 | + |
926 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 13 Oct 2009 09:31:20 +0200 |
927 | + |
928 | +openvpn (2.1~rc19-1ubuntu1) karmic; urgency=low |
929 | + |
930 | + * Merge from debian unstable (LP: #404099), remaining changes: |
931 | + - debian/openvpn.init.d: |
932 | + - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot |
933 | + - show per-VPN result messages |
934 | + - add "--script-security 2" by default for backwards compatibility |
935 | + - Added lsb-base>=3.2-14 depend to allow status_of_proc() |
936 | + |
937 | + -- Bhavani Shankar <right2bhavi@gmail.com> Fri, 24 Jul 2009 19:22:13 +0530 |
938 | + |
939 | openvpn (2.1~rc19-1) unstable; urgency=low |
940 | |
941 | * New upstream version |
942 | @@ -872,6 +1559,17 @@ openvpn (2.1~rc19-1) unstable; urgency=low |
943 | |
944 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 21 Jul 2009 17:00:56 +0200 |
945 | |
946 | +openvpn (2.1~rc15-1ubuntu1) karmic; urgency=low |
947 | + |
948 | + * Merge from debian unstable (LP: #372358), remaining changes: |
949 | + - debian/openvpn.init.d: |
950 | + - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot |
951 | + - show per-VPN result messages |
952 | + - add "--script-security 2" by default for backwards compatibility |
953 | + - Added lsb-base>=3.2-14 depend to allow status_of_proc() |
954 | + |
955 | + -- Andres Rodriguez <andreserl@ubuntu.com> Tue, 05 May 2009 14:25:37 -0500 |
956 | + |
957 | openvpn (2.1~rc15-1) unstable; urgency=low |
958 | |
959 | * New upstream version (Closes: #515575) |
960 | @@ -891,6 +1589,33 @@ openvpn (2.1~rc15-1) unstable; urgency=low |
961 | |
962 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 30 Apr 2009 12:35:05 +0200 |
963 | |
964 | +openvpn (2.1~rc11-1ubuntu3) jaunty; urgency=low |
965 | + |
966 | + * debian/openvpn.init.d: |
967 | + - Fix unexpected operator on startup (LP: #340120) |
968 | + |
969 | + -- Michael Jeanson <mjeanson@revolutionlinux.com> Mon, 09 Mar 2009 16:02:50 -0400 |
970 | + |
971 | +openvpn (2.1~rc11-1ubuntu2) intrepid; urgency=low |
972 | + |
973 | + * debian/openvpn.init.d: |
974 | + - Revert fix from #454371 that was merged at 2.1~rc7-4 to prevent |
975 | + openvpn prompts from blocking the boot (LP: #280428) |
976 | + - Fix VPNs always reported started [ OK ] |
977 | + |
978 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Wed, 15 Oct 2008 17:12:54 +0200 |
979 | + |
980 | +openvpn (2.1~rc11-1ubuntu1) intrepid; urgency=low |
981 | + |
982 | + * Merge with Debian (LP: #279655), remaining diffs: |
983 | + - debian/openvpn.init.d: Added 'status' action to init script, show |
984 | + per-VPN result messages and add "--script-security 2" by default for |
985 | + backwards compatibility |
986 | + - debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc() |
987 | + * Fixes regression when calling commands with arguments (LP: #277447) |
988 | + |
989 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 07 Oct 2008 16:30:44 +0200 |
990 | + |
991 | openvpn (2.1~rc11-1) unstable; urgency=low |
992 | |
993 | * New upstream version |
994 | @@ -911,6 +1636,23 @@ openvpn (2.1~rc10-1) unstable; urgency=low |
995 | |
996 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 Sep 2008 16:58:37 +0200 |
997 | |
998 | +openvpn (2.1~rc9-3ubuntu2) intrepid; urgency=low |
999 | + |
1000 | + * debian/openvpn.init.d: |
1001 | + - Added 'status' action to init script (LP: #251641) |
1002 | + - Restored per-VPN result messages by using log_action_begin_msg and |
1003 | + one log_daemon_msg per VPN instead of log_progress_msg (LP: #264966) |
1004 | + * debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc() |
1005 | + |
1006 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 09 Sep 2008 10:45:45 +0200 |
1007 | + |
1008 | +openvpn (2.1~rc9-3ubuntu1) intrepid; urgency=low |
1009 | + |
1010 | + * debian/openvpn.init.d: Add "--script-security 2" by default for backwards compatibility |
1011 | + (LP: #260291) |
1012 | + |
1013 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 25 Aug 2008 10:20:31 -0400 |
1014 | + |
1015 | openvpn (2.1~rc9-3) unstable; urgency=low |
1016 | |
1017 | * debian/rules: run ./configure with path to 'route', for |
1018 | diff --git a/debian/control b/debian/control |
1019 | index e91334e..0784e91 100644 |
1020 | --- a/debian/control |
1021 | +++ b/debian/control |
1022 | @@ -1,7 +1,8 @@ |
1023 | Source: openvpn |
1024 | Section: net |
1025 | Priority: optional |
1026 | -Maintainer: Bernhard Schmidt <berni@debian.org> |
1027 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
1028 | +XSBC-Original-Maintainer: Bernhard Schmidt <berni@debian.org> |
1029 | Uploaders: Jörg Frings-Fürst <debian@jff.email> |
1030 | Build-Depends: |
1031 | debhelper-compat (= 12), |
1032 | @@ -35,8 +36,8 @@ Depends: |
1033 | Suggests: |
1034 | openssl, |
1035 | resolvconf, |
1036 | - openvpn-systemd-resolved |
1037 | -Recommends: easy-rsa |
1038 | + openvpn-systemd-resolved, |
1039 | + easy-rsa |
1040 | Description: virtual private network daemon |
1041 | OpenVPN is an application to securely tunnel IP networks over a |
1042 | single UDP or TCP port. It can be used to access remote sites, make |
1043 | diff --git a/debian/openvpn@.service b/debian/openvpn@.service |
1044 | index 945874b..6d59b13 100644 |
1045 | --- a/debian/openvpn@.service |
1046 | +++ b/debian/openvpn@.service |
1047 | @@ -12,7 +12,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO |
1048 | Type=notify |
1049 | PrivateTmp=true |
1050 | WorkingDirectory=/etc/openvpn |
1051 | -ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid |
1052 | +ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid |
1053 | PIDFile=/run/openvpn/%i.pid |
1054 | KillMode=process |
1055 | CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE |
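Review bot: the `--script-security 2` added to ExecStart is applied to every `openvpn@` instance, so running user-defined scripts becomes the default for all of them rather than something an administrator enables per tunnel. It sits before `--config /etc/openvpn/%i.conf`; please state in the unit or the package documentation whether a `script-security` line in the instance's own config is expected to override it. The reason for the default (backwards compatibility, per debian/changelog) should also be recorded next to the unit, since the changelog is the only place it appears.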
1056 | diff --git a/debian/patches/OpenSSL3.patch b/debian/patches/OpenSSL3.patch |
1057 | new file mode 100644 |
1058 | index 0000000..79f2bc3 |
1059 | --- /dev/null |
1060 | +++ b/debian/patches/OpenSSL3.patch |
1061 | @@ -0,0 +1,70 @@ |
1062 | +From eb450c8f99cc668ff7dd0139d31e139bd9621176 Mon Sep 17 00:00:00 2001 |
1063 | +From: Simon Chopin <simon.chopin@canonical.com> |
1064 | +Date: Thu, 18 Nov 2021 14:27:56 +0100 |
1065 | +Subject: [PATCH] OpenSSL3: load the legacy provider |
1066 | +Forwarded: not-needed |
1067 | +Origin: vendor |
1068 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1945980 |
1069 | + |
1070 | +Some algorithms still supported by the 2.5 branch of OpenVPN have been |
1071 | +moved to the "legacy" provider of OpenSSL 3.0. This temporary patch |
1072 | +explicitly loads said provider in order not to break OpenVPN. |
1073 | + |
1074 | +This patch can probably be dropped when we reach the 2.6 branch |
1075 | +upstream. |
1076 | + |
1077 | +--- |
1078 | + src/openvpn/crypto_openssl.c | 21 +++++++++++++++++++++ |
1079 | + 1 file changed, 21 insertions(+) |
1080 | + |
1081 | +Index: openvpn/src/openvpn/crypto_openssl.c |
1082 | +=================================================================== |
1083 | +--- openvpn.orig/src/openvpn/crypto_openssl.c 2022-02-23 10:19:00.283964587 -0500 |
1084 | ++++ openvpn/src/openvpn/crypto_openssl.c 2022-02-23 10:19:00.279964608 -0500 |
1085 | +@@ -55,6 +55,10 @@ |
1086 | + #error Windows build with OPENSSL_NO_EC: disabling EC key is not supported. |
1087 | + #endif |
1088 | + |
1089 | ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L |
1090 | ++#include <openssl/provider.h> |
1091 | ++#endif |
1092 | ++ |
1093 | + /* |
1094 | + * Check for key size creepage. |
1095 | + */ |
1096 | +@@ -151,6 +155,11 @@ |
1097 | + * |
1098 | + */ |
1099 | + |
1100 | ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L |
1101 | ++static OSSL_PROVIDER *legacy_provider; |
1102 | ++static OSSL_PROVIDER *deflt_provider; |
1103 | ++#endif |
1104 | ++ |
1105 | + void |
1106 | + crypto_init_lib(void) |
1107 | + { |
1108 | +@@ -168,11 +177,23 @@ |
1109 | + #ifdef CRYPTO_MDEBUG |
1110 | + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); |
1111 | + #endif |
1112 | ++ |
1113 | ++#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) |
1114 | ++ legacy_provider = OSSL_PROVIDER_load(NULL, "legacy"); |
1115 | ++ ASSERT(legacy_provider); |
1116 | ++ deflt_provider = OSSL_PROVIDER_load(NULL, "default"); |
1117 | ++ ASSERT(deflt_provider); |
1118 | ++#endif |
1119 | + } |
1120 | + |
1121 | + void |
1122 | + crypto_uninit_lib(void) |
1123 | + { |
1124 | ++#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) |
1125 | ++ OSSL_PROVIDER_unload(deflt_provider); |
1126 | ++ OSSL_PROVIDER_unload(legacy_provider); |
1127 | ++#endif |
1128 | ++ |
1129 | + #ifdef CRYPTO_MDEBUG |
1130 | + FILE *fp = fopen("sdlog", "w"); |
1131 | + ASSERT(fp); |
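Review bot: in crypto_init_lib(), `ASSERT(legacy_provider);` turns a missing or unloadable legacy provider into a startup abort for every configuration, including ones that use none of the algorithms moved to that provider. Consider logging a warning and continuing when only the legacy load fails, and keeping the hard failure for the default provider. The load is also unconditional, so the legacy algorithms become available to all tunnels; a comment saying this is deliberate until the 2.6 branch would help whoever later drops the patch.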
1132 | diff --git a/debian/patches/openvpn-fips-2.4.patch b/debian/patches/openvpn-fips-2.4.patch |
1133 | new file mode 100644 |
1134 | index 0000000..1c4f068 |
1135 | --- /dev/null |
1136 | +++ b/debian/patches/openvpn-fips-2.4.patch |
1137 | @@ -0,0 +1,90 @@ |
1138 | +Description: Use openssl FIPS flag to indicate MD5 use for PRF. |
1139 | + MD5 is not allowed in FIPS 140-2 except for PRF. OpenVPN needs |
1140 | + to send EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag to FIPS mode openssl |
1141 | + for PRF to indicate the exception. |
1142 | +Bug: https://community.openvpn.net/openvpn/ticket/725 |
1143 | +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1807439 |
1144 | +Author: Stephan Mueller <stephan.mueller@atsec.com> |
1145 | + |
1146 | +--- a/src/openvpn/crypto.c |
1147 | ++++ b/src/openvpn/crypto.c |
1148 | +@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const |
1149 | + if (kt->digest && kt->hmac_length > 0) |
1150 | + { |
1151 | + ctx->hmac = hmac_ctx_new(); |
1152 | +- hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest); |
1153 | ++ hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0); |
1154 | + |
1155 | + msg(D_HANDSHAKE, |
1156 | + "%s: Using %d bit message hash '%s' for HMAC authentication", |
1157 | +--- a/src/openvpn/crypto_backend.h |
1158 | ++++ b/src/openvpn/crypto_backend.h |
1159 | +@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx); |
1160 | + * @param key The key to use for the HMAC |
1161 | + * @param key_len The key length to use |
1162 | + * @param kt Static message digest parameters |
1163 | ++ * @param prf_use Intended use for PRF in TLS protocol |
1164 | + * |
1165 | + */ |
1166 | + void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length, |
1167 | +- const md_kt_t *kt); |
1168 | ++ const md_kt_t *kt, bool prf_use); |
1169 | + |
1170 | + /* |
1171 | + * Free the given HMAC context. |
1172 | +--- a/src/openvpn/crypto_mbedtls.c |
1173 | ++++ b/src/openvpn/crypto_mbedtls.c |
1174 | +@@ -919,7 +919,7 @@ hmac_ctx_free(mbedtls_md_context_t *ctx) |
1175 | + |
1176 | + void |
1177 | + hmac_ctx_init(mbedtls_md_context_t *ctx, const uint8_t *key, int key_len, |
1178 | +- const mbedtls_md_info_t *kt) |
1179 | ++ const mbedtls_md_info_t *kt, bool prf_use) |
1180 | + { |
1181 | + ASSERT(NULL != kt && NULL != ctx); |
1182 | + |
1183 | +--- a/src/openvpn/crypto_openssl.c |
1184 | ++++ b/src/openvpn/crypto_openssl.c |
1185 | +@@ -1006,11 +1006,17 @@ hmac_ctx_free(HMAC_CTX *ctx) |
1186 | + |
1187 | + void |
1188 | + hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, |
1189 | +- const EVP_MD *kt) |
1190 | ++ const EVP_MD *kt, bool prf_use) |
1191 | + { |
1192 | + ASSERT(NULL != kt && NULL != ctx); |
1193 | + |
1194 | + HMAC_CTX_reset(ctx); |
1195 | ++ |
1196 | ++ /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not |
1197 | ++ * to be used anywhere else */ |
1198 | ++ if(kt == EVP_md5() && prf_use) |
1199 | ++ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); |
1200 | ++ |
1201 | + HMAC_Init_ex(ctx, key, key_len, kt, NULL); |
1202 | + |
1203 | + /* make sure we used a big enough key */ |
1204 | +--- a/src/openvpn/ntlm.c |
1205 | ++++ b/src/openvpn/ntlm.c |
1206 | +@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da |
1207 | + const md_kt_t *md5_kt = md_kt_get("MD5"); |
1208 | + hmac_ctx_t *hmac_ctx = hmac_ctx_new(); |
1209 | + |
1210 | +- hmac_ctx_init(hmac_ctx, key, key_len, md5_kt); |
1211 | ++ hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0); |
1212 | + hmac_ctx_update(hmac_ctx, data, data_len); |
1213 | + hmac_ctx_final(hmac_ctx, result); |
1214 | + hmac_ctx_cleanup(hmac_ctx); |
1215 | +--- a/src/openvpn/ssl.c |
1216 | ++++ b/src/openvpn/ssl.c |
1217 | +@@ -1632,8 +1632,8 @@ tls1_P_hash(const md_kt_t *md_kt, |
1218 | + int chunk = md_kt_size(md_kt); |
1219 | + unsigned int A1_len = md_kt_size(md_kt); |
1220 | + |
1221 | +- hmac_ctx_init(ctx, sec, sec_len, md_kt); |
1222 | +- hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt); |
1223 | ++ hmac_ctx_init(ctx, sec, sec_len, md_kt, 1); |
1224 | ++ hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1); |
1225 | + |
1226 | + hmac_ctx_update(ctx,seed,seed_len); |
1227 | + hmac_ctx_final(ctx, A1); |
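Review bot: in the crypto_openssl.c hmac_ctx_init(), the FIPS exemption is guarded by `if(kt == EVP_md5() && prf_use)` with no braces, and the new `bool prf_use` parameter is passed as `0`/`1` at the call sites in crypto.c, ntlm.c and ssl.c; use `false`/`true` and brace the body so the exemption is easy to audit. The mbedtls variant accepts `prf_use` but nothing in the lines shown uses it, so a short comment there would make that intentional. The Description could also say that gen_hmac_md5() in ntlm.c passes 0, meaning HMAC-MD5 for NTLM gets no exemption in FIPS mode, and the `@param prf_use` text in crypto_backend.h should say what a true value changes.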
1228 | diff --git a/debian/patches/series b/debian/patches/series |
1229 | index f9b5e73..4c7ab6b 100644 |
1230 | --- a/debian/patches/series |
1231 | +++ b/debian/patches/series |
1232 | @@ -5,3 +5,5 @@ openvpn-pkcs11warn.patch |
1233 | #kfreebsd_support.patch |
1234 | match-manpage-and-command-help.patch |
1235 | systemd.patch |
1236 | +openvpn-fips-2.4.patch |
1237 | +OpenSSL3.patch |
I'll take a look at this one!