Ubuntu
openvpn package

Merge ~sergiodj/ubuntu/+source/openvpn:merge-2.5.5-1-jammy into ubuntu/+source/openvpn:debian/sid

Proposed by Sergio Durigan Junior on 2022-02-23

Status:

Merged

Merge reported by:

Sergio Durigan Junior

Merged at revision:

ad4f944a8e98f11c467fe28ac394af352a951a02

Proposed branch:

~sergiodj/ubuntu/+source/openvpn:merge-2.5.5-1-jammy

Merge into:

ubuntu/+source/openvpn:debian/sid

Diff against target:

1237 lines (+910/-5)

6 files modified

debian/changelog (+743/-1)
debian/control (+4/-3)
debian/openvpn@.service (+1/-1)
debian/patches/OpenSSL3.patch (+70/-0)
debian/patches/openvpn-fips-2.4.patch (+90/-0)
debian/patches/series (+2/-0)

Related bugs:

Bug #1945980: openvpn: Fail to build against OpenSSL 3.0	Undecided	Fix Released
Bug #1946884: Merge openvpn from Debian unstable for 22.04	Undecided	Fix Released

Link a bug report

Reviewer	Date Requested	Status
Utkarsh Gupta (community)	2022-02-23	Approve on 2022-02-24
Andreas Hasenack	2022-02-23	Approve on 2022-02-24
Review via email: mp+415977@code.launchpad.net

Description of the change

This is the merge of openvpn 2.5.5-1 from Debian unstable.

The merge has been relatively trivial; aside from having to refresh d/p/OpenSSL3.patch, nothing else was dropped/added. We will eventually drop the OpenSSL3 patch once we go to the 2.6 version, but for now it is still required.

I checked upstream's Changes.rst file to make sure that nothing surprising was added. Everything seems OK there: the items listed as "New features" are either related to Windows-specific changes or small things that won't directly affect a user.

A bunch of Debian's delta has been dropped with 2.5.5; mostly CVE patches that are part of upstream now.

There is a PPA with the proposed changes here:

https://launchpad.net/~sergiodj/+archive/ubuntu/openvpn-merge/+packages

autopkgtest is still passing:

autopkgtest [15:55:01]: @@@@@@@@@@@@@@@@@@@@ summary
server-setup-with-ca PASS
server-setup-with-static-key PASS

Revision history for this message

Utkarsh Gupta (utkarsh) wrote on 2022-02-23:

I'll take a look at this one!

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2022-02-24:

Concurrently with utkarsh ;)

range-diff ok, tags ok, delta ok

Build log still has many openssl3 deprecation warnings, so upstream still has some way to go.

review: Approve

Revision history for this message

Utkarsh Gupta (utkarsh) wrote on 2022-02-24:

Hello,

This looks good, except for one thing - the missing "Origin" field in one of the patches. I did drop an inline comment for that.

Since we're almost reaching feature-freeze, I'll approve in the hope that you'll add the field or at least give us a reason to not to. :D

Thank you! \o/

review: Approve

Revision history for this message

Sergio Durigan Junior (sergiodj) on 2022-02-24:

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2022-02-24:

Thanks for the reviews.

Uploaded:

$ dput openvpn_2.5.5-1ubuntu1_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/openvpn/openvpn_2.5.5-1ubuntu1_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/openvpn/openvpn_2.5.5-1ubuntu1.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openvpn_2.5.5-1ubuntu1.dsc: done.
  Uploading openvpn_2.5.5.orig.tar.xz: done.
  Uploading openvpn_2.5.5-1ubuntu1.debian.tar.xz: done.
  Uploading openvpn_2.5.5-1ubuntu1_source.buildinfo: done.
  Uploading openvpn_2.5.5-1ubuntu1_source.changes: done.
Successfully uploaded packages.

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2022-02-25:

This has migrated.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Sergio Durigan Junior

git-ubuntu developers

 diff --git a/debian/changelog b/debian/changelog
 index cabf0c0..16576c4 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,15 @@
++openvpn (2.5.5-1ubuntu1) jammy; urgency=medium
++
++  * Merge with Debian unstable (LP: #1946884). Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what
++      got added to debian/openvpn.init.d ages ago (LP #1454725)
++    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
++    - d/p/OpenSSL3.patch: work around the deprecated algorithm mismatch between
++      the OpenSSL3 branch and the OpenVPN 2.5 branch (LP #1945980)
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Wed, 23 Feb 2022 10:14:27 -0500
++
  openvpn (2.5.5-1) unstable; urgency=medium
    [ Jörg Frings-Fürst ]
@@ -13,6 +25,44 @@ openvpn (2.5.5-1) unstable; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Mon, 21 Feb 2022 12:05:55 +0100
++openvpn (2.5.1-3ubuntu5) jammy; urgency=medium
++
++  * No-change rebuild to update maintainer scripts, see LP: 1959054
++
++ -- Dave Jones <dave.jones@canonical.com>  Wed, 16 Feb 2022 17:16:30 +0000
++
++openvpn (2.5.1-3ubuntu4) jammy; urgency=medium
++
++  * d/p/OpenSSL3.patch: work around the deprecated algorithm mismatch between
++    the OpenSSL3 branch and the OpenVPN 2.5 branch (LP: #1945980)
++
++ -- Simon Chopin <simon.chopin@canonical.com>  Thu, 18 Nov 2021 15:05:21 +0100
++
++openvpn (2.5.1-3ubuntu3) jammy; urgency=medium
++
++  * No-change rebuild against openssl3
++
++ -- Simon Chopin <simon.chopin@canonical.com>  Wed, 01 Dec 2021 16:09:52 +0000
++
++openvpn (2.5.1-3ubuntu2) impish; urgency=medium
++
++  * No-change rebuild to build packages with zstd compression.
++
++ -- Matthias Klose <doko@ubuntu.com>  Thu, 07 Oct 2021 12:21:59 +0200
++
++openvpn (2.5.1-3ubuntu1) impish; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what
++      got added to debian/openvpn.init.d ages ago (LP #1454725)
++    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
++  * Dropped changes:
++    - d/t/server-setup-*: adapt tests to output of v2.5.0
++      [Included in 2.5.1-3]
++
++ -- Utkarsh Gupta <utkarsh.gupta@canonical.com>  Mon, 17 May 2021 14:38:17 +0530
++
  openvpn (2.5.1-3) unstable; urgency=medium
    * Fix autopkgtest (Closes: #983662)
@@ -22,6 +72,17 @@ openvpn (2.5.1-3) unstable; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Fri, 14 May 2021 09:40:04 +0200
++openvpn (2.5.1-2ubuntu1) impish; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what
++      got added to debian/openvpn.init.d ages ago (LP #1454725)
++    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
++    - d/t/server-setup-*: adapt tests to output of v2.5.0
++
++ -- Athos Ribeiro <athos.ribeiro@canonical.com>  Mon, 03 May 2021 17:56:39 -0300
++
  openvpn (2.5.1-2) unstable; urgency=high
    * Cherry-Pick 3 (+ 1 predependency) patches from upstream to fix
@@ -30,12 +91,47 @@ openvpn (2.5.1-2) unstable; urgency=high
   -- Bernhard Schmidt <berni@debian.org>  Wed, 28 Apr 2021 14:41:58 +0200
++openvpn (2.5.1-1ubuntu1) hirsute; urgency=medium
++
++  * Merge with Debian unstable (LP: #1917438). Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what
++      got added to debian/openvpn.init.d ages ago (LP #1454725)
++    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
++      + d/t/server-setup-*: adapt tests to output of v2.5.0
++
++ -- Utkarsh Gupta <utkarsh.gupta@canonical.com>  Tue, 02 Mar 2021 16:35:37 +0530
++
  openvpn (2.5.1-1) unstable; urgency=medium
    * New upstream version 2.5.1 (bugfix release)
   -- Bernhard Schmidt <berni@debian.org>  Wed, 24 Feb 2021 19:54:34 +0100
++openvpn (2.5.0-1ubuntu1) hirsute; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what
++      got added to debian/openvpn.init.d ages ago (LP #1454725)
++    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
++      [updated to match 2.5.0]
++  * Dropped changes [in Debian since 2.5~beta3-1]
++    - d/tests: add two DEP-8 test cases
++      + d/t/server-setup-with-static-key: test the OpenVPN server side setup
++        using a static key.
++      + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
++        CA built with easy-rsa.
++    - d/openvpn*.service: Drop reload support from systemd unit files
++      (LP #1868127).  The current reload implementation (sending a SIGHUP
++      signal to the process) fails, and the difference between reload and
++      restart is not clear. Systemd does not require an implementation for
++      reload.
++  * Added Changes:
++    - d/t/server-setup-*: adapt tests to output of v2.5.0
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 01 Dec 2020 16:15:12 +0100
++
  openvpn (2.5.0-1) unstable; urgency=medium
    * New upstream version 2.5.0 - final release
@@ -61,7 +157,7 @@ openvpn (2.5~beta3-1) unstable; urgency=medium
    [ Lucas Kanashiro ]
    * Add two DEP-8 test cases for the server side
--  * Drop reload support from systemd unit files (LP: #1868127)
++  * Drop reload support from systemd unit files (LP 1868127)
    [ Bernhard Schmidt ]
    * Revert "d/gbp.conf for experimental 2.5 branch"
@@ -91,6 +187,26 @@ openvpn (2.5~beta1-1) experimental; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Sat, 15 Aug 2020 21:32:49 +0200
++openvpn (2.4.9-3ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what
++      got added to debian/openvpn.init.d ages ago (LP #1454725)
++    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
++    - d/tests: add two DEP-8 test cases
++      + d/t/server-setup-with-static-key: test the OpenVPN server side setup
++        using a static key.
++      + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
++        CA built with easy-rsa.
++    - d/openvpn*.service: Drop reload support from systemd unit files
++      (LP #1868127).  The current reload implementation (sending a SIGHUP
++      signal to the process) fails, and the difference between reload and
++      restart is not clear. Systemd does not require an implementation for
++      reload.
++
++ -- Lucas Kanashiro <kanashiro@ubuntu.com>  Tue, 18 Aug 2020 08:42:11 -0300
++
  openvpn (2.4.9-3) unstable; urgency=medium
    [ Jörg Frings-Fürst ]
@@ -109,6 +225,28 @@ openvpn (2.4.9-3) unstable; urgency=medium
   -- Jörg Frings-Fürst <debian@jff.email>  Sat, 02 May 2020 18:14:36 +0200
++openvpn (2.4.9-2ubuntu2) groovy; urgency=medium
++
++  * Drop reload support from systemd unit files (LP: #1868127)
++
++ -- Lucas Kanashiro <kanashiro@ubuntu.com>  Tue, 26 May 2020 19:04:33 -0300
++
++openvpn (2.4.9-2ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what
++      got added to debian/openvpn.init.d ages ago (LP 1454725)
++    - Allow MD5 for PRF in FIPS mode openssl.
++  * Added changes:
++    - d/tests: add two DEP-8 test cases
++      + d/t/server-setup-with-static-key: test the OpenVPN server side setup
++        using a static key.
++      + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
++        CA built with easy-rsa.
++
++ -- Lucas Kanashiro <lucas.kanashiro@canonical.com>  Wed, 29 Apr 2020 15:35:56 -0300
++
  openvpn (2.4.9-2) unstable; urgency=medium
    * Cherry-Pick upstream patch to fix ssl_do_config error with
@@ -144,6 +282,28 @@ openvpn (2.4.9-1) unstable; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Sun, 19 Apr 2020 15:52:57 +0200
++openvpn (2.4.7-1ubuntu2) eoan; urgency=medium
++
++  * No-change upload with strops.h and sys/strops.h removed in glibc.
++
++ -- Matthias Klose <doko@ubuntu.com>  Thu, 05 Sep 2019 11:05:25 +0000
++
++openvpn (2.4.7-1ubuntu1) eoan; urgency=medium
++
++  * Merge with Debian unstable (LP: #1828771). Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what got
++      added to debian/openvpn.init.d ages ago (LP 1454725)
++    - d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
++      (LP 1807439)
++  * Dropped changes:
++    - d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout
++      scripts breaking due to sudo/pam being unable to audit the action.
++      Fixed in upstream issue #918, suggested to Debian in #868806 (LP 1787208)
++      [in Debian now]
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 13 May 2019 15:55:22 +0200
++
  openvpn (2.4.7-1) unstable; urgency=medium
    [ Bernhard Schmidt ]
@@ -163,6 +323,30 @@ openvpn (2.4.7-1) unstable; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Wed, 20 Feb 2019 14:50:03 +0100
++openvpn (2.4.6-1ubuntu3) disco; urgency=medium
++
++  * d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
++    (LP: #1807439)
++
++ -- Joy Latten <joy.latten@canonical.com>  Wed, 09 Jan 2019 12:25:59 -0600
++
++openvpn (2.4.6-1ubuntu2) cosmic; urgency=medium
++
++  * d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout
++    scripts breaking due to sudo/pam being unable to audit the action.
++    Fixed in upstream issue #918, suggested to Debian in #868806 (LP: #1787208)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 03 Sep 2018 10:57:35 +0200
++
++openvpn (2.4.6-1ubuntu1) cosmic; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what got
++      added to debian/openvpn.init.d ages ago (LP 1454725)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 20 Aug 2018 13:30:20 +0200
++
  openvpn (2.4.6-1) unstable; urgency=medium
    [ Jörg Frings-Fürst ]
@@ -206,6 +390,15 @@ openvpn (2.4.5-1) unstable; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Sun, 04 Mar 2018 22:23:47 +0100
++openvpn (2.4.4-2ubuntu1) bionic; urgency=low
++
++  * Sync with Debian. Remaining changes:
++    - debian/openvpn@.service: Add "--script-security 2" similar to what got
++      added to debian/openvpn.init.d ages ago (LP: #1454725)
++    - Demote easy-rsa to Suggests (universe package).
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Sat, 10 Feb 2018 20:27:56 +0000
++
  openvpn (2.4.4-2) unstable; urgency=medium
    * Build against OpenSSL 1.1.0 (Closes: #828477)
@@ -213,6 +406,15 @@ openvpn (2.4.4-2) unstable; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Mon, 11 Dec 2017 00:22:11 +0100
++openvpn (2.4.4-1ubuntu1) bionic; urgency=medium
++
++  * Sync with Debian. Remaining changes:
++    - debian/openvpn@.service: Add "--script-security 2" similar to what got
++      added to debian/openvpn.init.d ages ago (LP: #1454725)
++    - Demote easy-rsa to Suggests (universe package).
++
++ -- Jeremy Bicha <jbicha@ubuntu.com>  Sat, 28 Oct 2017 15:13:58 -0400
++
  openvpn (2.4.4-1) unstable; urgency=medium
    [ Jörg Frings-Fürst ]
@@ -334,6 +536,65 @@ openvpn (2.4.0-5) unstable; urgency=high
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Thu, 11 May 2017 14:15:21 +0200
++openvpn (2.4.0-4ubuntu1.3) zesty-security; urgency=medium
++
++  * SECURITY UPDATE: Remotely-triggerable ASSERT() on malformed IPv6 packet
++    - debian/patches/CVE-2017-7508.patch: remove assert in
++      src/openvpn/mss.c.
++    - CVE-2017-7508
++  * SECURITY UPDATE: Remote-triggerable memory leaks
++    - debian/patches/CVE-2017-7512.patch: fix leaks in
++      src/openvpn/ssl_verify_openssl.c.
++    - CVE-2017-7512
++  * SECURITY UPDATE: Pre-authentication remote crash/information disclosure
++    for clients
++    - debian/patches/CVE-2017-7520.patch: prevent two kinds of stack buffer
++      OOB reads and a crash for invalid input data in src/openvpn/ntlm.c.
++    - CVE-2017-7520
++  * SECURITY UPDATE: Potential double-free in --x509-alt-username and
++    memory leaks
++    - debian/patches/CVE-2017-7521.patch: fix double-free in
++      src/openvpn/ssl_verify_openssl.c.
++    - CVE-2017-7521
++  * SECURITY UPDATE: DoS in establish_http_proxy_passthru()
++    - debian/patches/establish_http_proxy_passthru_dos.patch: fix
++      null-pointer dereference in src/openvpn/proxy.c.
++    - No CVE number
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 22 Jun 2017 08:37:49 -0400
++
++openvpn (2.4.0-4ubuntu1.2) zesty-security; urgency=medium
++
++  * SECURITY UPDATE: pre-authentication denial-of-service vulnerability
++    (both client and server) from a too-large control packet.
++    - debian/patches/CVE-2017-7478.patch: Do not assert on too-large
++      control packet
++    - CVE-2017-7478
++  * SECURITY UPDATE: authenticated remote DoS vulnerability due to
++    packet ID rollover
++    - debian/patches/CVE-2017-7479-prereq.patch: merge
++      packet_id_alloc_outgoing() into packet_id_write()
++    - debian/patches/CVE-2017-7478.patch: do not assert when packet ID
++      rollover occurs
++    - CVE-2017-7478
++  * SECURITY UPDATE: auth tokens left in memory after de-auth
++    - debian/patches/wipe_tokens_on_de-auth.patch: always wipe token
++      as soon as a TLS session is considered broken.
++
++ -- Steve Beattie <sbeattie@ubuntu.com>  Wed, 10 May 2017 15:21:05 -0700
++
++openvpn (2.4.0-4ubuntu1) zesty; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn@.service: Add "--script-security 2" similar to what got
++      added to debian/openvpn.init.d ages ago (LP: #1454725)
++    - Demote easy-rsa to Suggests (universe package).
++  * Drop:
++    - debian/control: Actually drop the initscripts dependency.
++      (Closes: #804968). Already in Debian
++
++ -- Jon Grimm <jon.grimm@canonical.com>  Fri, 10 Feb 2017 12:16:57 -0600
++
  openvpn (2.4.0-4) unstable; urgency=medium
    * Add NEWS entries on possible 2.4 migration issues.
@@ -403,6 +664,24 @@ openvpn (2.3.11-2) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 23 May 2016 09:55:30 +0200
++openvpn (2.3.11-1ubuntu2) yakkety; urgency=medium
++
++  * debian/control: Actually drop the initscripts dependency.
++    (Closes: #804968)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Wed, 22 Jun 2016 16:54:51 +0200
++
++openvpn (2.3.11-1ubuntu1) yakkety; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn@.service: Add "--script-security 2" similar to what got
++      added to debian/openvpn.init.d ages ago (see LP: #260291).
++    - Demote easy-rsa to Suggests (universe package).
++  * Drop intrusive changes (showing per-VPN result messages) from
++    debian/openvpn.init.d. This isn't being used under systemd.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Fri, 20 May 2016 17:30:27 +0200
++
  openvpn (2.3.11-1) unstable; urgency=medium
    * New upstream release.
@@ -414,6 +693,25 @@ openvpn (2.3.11-1) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 10 May 2016 17:41:53 +0200
++openvpn (2.3.10-1ubuntu2) xenial; urgency=medium
++
++  * debian/openvpn@.service: Add --script-security similar to what got added
++    to debian/openvpn.init.d ages ago (see LP #260291). (LP: #1454725)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Tue, 02 Feb 2016 13:33:39 +0100
++
++openvpn (2.3.10-1ubuntu1) xenial; urgency=medium
++
++  * Merge with Debian unstable (LP: #1536568). Remaining Ubuntu changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++        (LP #260291)
++    - Demote easy-rsa to Suggests
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Thu, 21 Jan 2016 11:37:08 +0100
++
  openvpn (2.3.10-1) unstable; urgency=medium
    * New upstream release. (Closes: #804368)
@@ -432,6 +730,21 @@ openvpn (2.3.10-1) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 20 Jan 2016 12:01:36 +0100
++openvpn (2.3.8-1ubuntu1) xenial; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++    - Run openvpn@.service before systemd-user-sessions.service to avoid
++      gettys and lightdm starting on top of possible password prompts. This
++      provides the equivalent of the init.d script's X-Start-Before:.
++      (Closes: #803032)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 04 Jan 2016 11:48:31 +0100
++
  openvpn (2.3.8-1) unstable; urgency=medium
    * New upstream release. Drop patch from 2.3.7-2.
@@ -445,6 +758,21 @@ openvpn (2.3.8-1) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 28 Oct 2015 17:34:26 +0100
++openvpn (2.3.7-2ubuntu1) xenial; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++    - Run openvpn@.service before systemd-user-sessions.service to avoid
++      gettys and lightdm starting on top of possible password prompts. This
++      provides the equivalent of the init.d script's X-Start-Before:.
++      (Closes: #803032)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 26 Oct 2015 09:32:31 +0100
++
  openvpn (2.3.7-2) unstable; urgency=medium
    * Move libsystemd-daemon-dev Build-Dep to libsystemd-dev.
@@ -455,6 +783,20 @@ openvpn (2.3.7-2) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 08 Sep 2015 08:23:19 +0000
++openvpn (2.3.7-1ubuntu1) wily; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++    - Run openvpn@.service before systemd-user-sessions.service to avoid
++      gettys and lightdm starting on top of possible password prompts. This
++      provides the equivalent of the init.d script's X-Start-Before:.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Wed, 08 Jul 2015 12:28:54 +0200
++
  openvpn (2.3.7-1) unstable; urgency=medium
    * New upstream version
@@ -476,6 +818,20 @@ openvpn (2.3.5-1) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 29 Oct 2014 17:44:06 +0100
++openvpn (2.3.4-5ubuntu1) wily; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++    - Run openvpn@.service before systemd-user-sessions.service to avoid
++      gettys and lightdm starting on top of possible password prompts. This
++      provides the equivalent of the init.d script's X-Start-Before:.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Thu, 07 May 2015 15:35:52 +0200
++
  openvpn (2.3.4-5) unstable; urgency=high
    * Apply upstream patch that fixes possible DoS by authenticated
@@ -534,6 +890,52 @@ openvpn (2.3.3-1) experimental; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 17 Mar 2014 19:40:12 +0100
++openvpn (2.3.2-9ubuntu4) vivid; urgency=medium
++
++  * Run openvpn@.service before systemd-user-sessions.service to avoid gettys
++    and lightdm starting on top of possible password prompts. This provides
++    the equivalent of the init.d script's X-Start-Before:.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 13 Apr 2015 16:09:01 -0500
++
++openvpn (2.3.2-9ubuntu3) vivid; urgency=medium
++
++  * Add better_systemd_detection.patch to avoid calling systemd-ask-password
++    under upstart. Backported from upstream. (Closes: #747265)
++  * Add systemd unit and generator from current Debian package. This avoids
++    using the init.d script, which unnecessarily blocks lightdm startup on the
++    network becoming online even if there are no auto-start connections
++    (LP: #1443489).
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 13 Apr 2015 11:22:56 -0500
++
++openvpn (2.3.2-9ubuntu2) vivid; urgency=medium
++
++  * SECURITY UPDATE: server denial of service via too-short control channel
++    packets
++    - debian/patches/CVE-2014-8104.patch: drop too-short control channel
++      packets instead of asserting out in src/openvpn/ssl.c.
++    - CVE-2014-8104
++  * debian/patches/update_certs.patch: update test certs to fix FTBFS.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 01 Dec 2014 15:26:58 -0500
++
++openvpn (2.3.2-9ubuntu1) utopic; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++    - Patch libtool.m4 and configure to support ppc64el.
++    - Refresh delta with debian/openvpn.init.d:
++      + Make stop action reliable by killing if needed
++        (LP: #1274254, LP: #1200519)
++      + Use new path for status file (LP: #1261088)
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Fri, 02 May 2014 16:00:55 -0400
++
  openvpn (2.3.2-9) unstable; urgency=medium
    * Create /run/openvpn in init script even if no VPN is
@@ -549,6 +951,33 @@ openvpn (2.3.2-8) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Fri, 14 Mar 2014 12:59:57 +0100
++openvpn (2.3.2-7ubuntu3) trusty; urgency=medium
++
++  [ Simon Deziel ]
++  * Refresh delta with debian/openvpn.init.d:
++   - Make stop action reliable by killing if needed
++     (LP: #1274254, LP: #1200519)
++   - Use new path for status file (LP: #1261088)
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Tue, 04 Feb 2014 09:31:39 -0500
++
++openvpn (2.3.2-7ubuntu2) trusty; urgency=medium
++
++  * Patch libtool.m4 and configure to support ppc64el.
++
++ -- Matthias Klose <doko@ubuntu.com>  Mon, 30 Dec 2013 12:32:35 +0100
++
++openvpn (2.3.2-7ubuntu1) trusty; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Mon, 02 Dec 2013 18:14:42 -0500
++
  openvpn (2.3.2-7) unstable; urgency=low
    * Fix postinst when no *.pid files exist in /run/sendsigs.omit.d/.
@@ -565,6 +994,17 @@ openvpn (2.3.2-6) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 27 Nov 2013 13:58:33 +0100
++openvpn (2.3.2-5ubuntu1) trusty; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Mon, 21 Oct 2013 13:07:37 -0400
++
  openvpn (2.3.2-5) unstable; urgency=low
    * Patch init script to fix race conditions on restarts.
@@ -574,6 +1014,16 @@ openvpn (2.3.2-5) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 15 Jul 2013 16:10:59 +0200
++openvpn (2.3.2-4ubuntu1) saucy; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Tue, 09 Jul 2013 17:20:31 -0400
++
  openvpn (2.3.2-4) unstable; urgency=low
    * Fix depends on iproute to iproute2.
@@ -606,6 +1056,23 @@ openvpn (2.3.2-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 03 Jun 2013 18:48:44 +0200
++openvpn (2.3.1-2ubuntu2) saucy; urgency=low
++
++  * Move easy-rsa from Recommends to Suggests as it's not in main and isn't
++    actually required to operate an openvpn server.
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Wed, 19 Jun 2013 14:37:54 -0400
++
++openvpn (2.3.1-2ubuntu1) saucy; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Fri, 24 May 2013 17:42:45 -0400
++
  openvpn (2.3.1-2) unstable; urgency=low
    * Add net-tools to Build-Depends. (Closes: #709108)
@@ -633,6 +1100,32 @@ openvpn (2.3~rc1-1) experimental; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 05 Nov 2012 16:31:15 +0100
++openvpn (2.2.1-8ubuntu3) raring; urgency=low
++
++  [ Marc Gariépy ]
++  * Add --script-security to the init.d script (was generated but not passed
++    to openvpn). (LP: #1124398)
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Wed, 13 Feb 2013 16:10:48 -0500
++
++openvpn (2.2.1-8ubuntu2) quantal; urgency=low
++
++  * Rebuild for new armel compiler default of ARMv5t.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Mon, 08 Oct 2012 08:36:47 +0100
++
++openvpn (2.2.1-8ubuntu1) precise; urgency=low
++
++  * Merge at Simon Deziel's request to build with PIE.
++  * Merge from Debian unstable. Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Fri, 30 Mar 2012 13:19:09 -0400
++
  openvpn (2.2.1-8) unstable; urgency=low
    * Enable "PIE" and "BINDOW" hardening flags.
@@ -657,6 +1150,17 @@ openvpn (2.2.1-6) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Fri, 09 Mar 2012 13:44:50 +0100
++openvpn (2.2.1-5ubuntu1) precise; urgency=low
++
++  * Merge from Debian unstable. Remaining changes: (LP: #907828)
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Sat, 25 Feb 2012 21:08:48 -0500
++
  openvpn (2.2.1-5) unstable; urgency=low
    * Avoid sending ICMP redirects when using tun devices and "subnet"
@@ -679,6 +1183,20 @@ openvpn (2.2.1-4) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 08 Feb 2012 16:31:32 +0100
++openvpn (2.2.1-3ubuntu1) precise; urgency=low
++
++  * Merge from Debian testing.  Remaining changes:
++   + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++    + debian/update-resolv-conf: Support multiple domains.
++    + fix bug where '--script-security 2' would be passed for all
++      daemons after the first. (LP: #794916)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Sat, 31 Dec 2011 04:55:56 +0000
++
  openvpn (2.2.1-3) unstable; urgency=low
    * The iproute fiasco release.
@@ -707,6 +1225,20 @@ openvpn (2.2.1-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 13 Dec 2011 11:04:22 +0100
++openvpn (2.2.0-2ubuntu1) oneiric; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++   + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++    + debian/update-resolv-conf: Support multiple domains.
++    + fix bug where '--script-security 2' would be passed for all
++      daemons after the first. (LP: #794916
++
++ -- Chuck Short <zulcss@ubuntu.com>  Thu, 16 Jun 2011 18:33:37 +0100
++
  openvpn (2.2.0-2) unstable; urgency=low
    * Upload to unstable
@@ -741,6 +1273,45 @@ openvpn (2.1.3-5) experimental; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 22 Mar 2011 10:57:18 +0100
++openvpn (2.1.3-4.1ubuntu2) oneiric; urgency=low
++
++  [Alexander Zielke]
++  * fix bug where '--script-security 2' would be passed for all
++    daemons after the first. (LP: #794916)
++
++ -- Scott Moser <smoser@ubuntu.com>  Thu, 09 Jun 2011 13:59:08 -0400
++
++openvpn (2.1.3-4.1ubuntu1) oneiric; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++   + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++    + debian/update-resolv-conf: Support multiple domains.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 17 May 2011 02:14:39 +0100
++
++openvpn (2.1.3-4.1) unstable; urgency=low
++
++  * Non-maintainer upload.
++  * Drop hard-coded dependency on libssl0.9.8.  (Closes: #623503)
++
++ -- Philipp Kern <pkern@debian.org>  Mon, 09 May 2011 23:20:03 +0200
++
++openvpn (2.1.3-4ubuntu1) oneiric; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++    + debian/update-resolv-conf: Support multiple domains.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 22 Mar 2011 23:28:26 +0000
++
  openvpn (2.1.3-4) unstable; urgency=low
    * Updated JuanJo's IPv6 patch. Now really fixes use from xinetd.
@@ -763,6 +1334,31 @@ openvpn (2.1.3-3) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Fri, 11 Mar 2011 13:08:12 +0100
++openvpn (2.1.3-2ubuntu3) natty; urgency=low
++
++  * update-resolv-conf: Correctly handle multiple dns search domains,
++    using the same logic as nameservers.  Patch courtesy of Jeremy
++    Zawodny. (LP: #662847)
++
++ -- Dave Walker (Daviey) <DaveWalker@ubuntu.com>  Fri, 11 Mar 2011 00:23:59 +0000
++
++openvpn (2.1.3-2ubuntu2) natty; urgency=low
++
++  * update-resolv-conf: Support mulitple domains (LP: #714358)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 14 Feb 2011 15:21:46 -0500
++
++openvpn (2.1.3-2ubuntu1) natty; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    +  debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Chuck Short <zulcss@ubuntu.com>  Sat, 23 Oct 2010 01:59:28 +0100
++
  openvpn (2.1.3-2) unstable; urgency=low
    * Applied upstream patch to solve random routes added when using
@@ -770,6 +1366,24 @@ openvpn (2.1.3-2) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Thu, 21 Oct 2010 12:21:33 +0200
++openvpn (2.1.3-1ubuntu2) natty; urgency=low
++
++  * Fix jjo-ipv6-support.patch to avoid assertion failure at socket.c:629 in
++    corner cases where ! host && addr (LP: #627973)
++
++ -- Thierry Carrez (ttx) <thierry.carrez@ubuntu.com>  Wed, 20 Oct 2010 16:22:25 +0200
++
++openvpn (2.1.3-1ubuntu1) natty; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatablitiy
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 05 Oct 2010 06:21:14 +0100
++
  openvpn (2.1.3-1) unstable; urgency=low
    * New upstream release (Closes: #595684)
@@ -781,6 +1395,17 @@ openvpn (2.1.3-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 29 Sep 2010 13:07:37 +0200
++openvpn (2.1.0-3ubuntu1) maverick; urgency=low
++
++  * Merge from debian unstable. Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use </dev/null to avoid blocking boot
++      - Show per-VPN result messages
++      - Add "--script-security 2" by default for backwards compatablitiy
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 12 Jul 2010 09:39:43 -0400
++
  openvpn (2.1.0-3) unstable; urgency=low
    * The 'happy birthday to me' release
@@ -790,6 +1415,24 @@ openvpn (2.1.0-3) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Fri, 09 Jul 2010 12:22:09 +0200
++openvpn (2.1.0-2ubuntu2) maverick; urgency=low
++
++  * debian/patches/client_hang_when_server_dont_push.patch: Fix client hanging
++    on PUSH_REQUEST when server does not push any option (LP: #579737)
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Mon, 28 Jun 2010 10:45:23 +0200
++
++openvpn (2.1.0-2ubuntu1) maverick; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use </dev/null to avoid blocking boot
++      - Show per-VPN result messages
++      - Add "--script-security 2" by default for backwards compatablitiy
++     + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 05 May 2010 03:06:19 +0100
++
  openvpn (2.1.0-2) unstable; urgency=low
    * Patched ssl.[ch] to fix integer overflow. (Closes: #576827)
@@ -802,6 +1445,17 @@ openvpn (2.1.0-2) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Sat, 10 Apr 2010 17:26:42 +0200
++openvpn (2.1.0-1ubuntu1) lucid; urgency=low
++
++  * Merge from debian testing (LP: #509078), remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
++      - Show per-VPN result messages
++      - Add "--script-security 2" by default for backwards compatibility
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Jan Brinkmann <lucky@the-luckyduck.de>  Fri, 22 Jan 2010 00:47:33 +0100
++
  openvpn (2.1.0-1) unstable; urgency=low
    * New upstream release
@@ -839,6 +1493,20 @@ openvpn (2.1~rc20-3) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 04 Nov 2009 17:18:03 +0100
++openvpn (2.1~rc20-2ubuntu1) lucid; urgency=low
++
++  * Merge from debian testing, remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use < /dev/null to avoid blocking
++        boot.
++      - show per-VPN result messages
++      - add "--script-security 2" by default for backwards compatibility
++      - Add lab-base >= 3.2-14 to allow status_of_proc()
++     + Dropped debian/patches/redirect-gateway.patch: Already applied
++       upstream.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Fri, 06 Nov 2009 01:36:35 +0000
++
  openvpn (2.1~rc20-2) unstable; urgency=low
    * init.d script: Added X-Interactive header. (Closes: #549424)
@@ -863,6 +1531,25 @@ openvpn (2.1~rc19-2) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Sun, 30 Aug 2009 20:20:11 +0200
++openvpn (2.1~rc19-1ubuntu2) karmic; urgency=low
++
++  * debian/patches/redirect-gateway.patch: Fix regression introduced in
++    2.1rc17 that makes redirect-gateway (without options) to be ignored.
++    Patch cherrypicked from upstream 2.1rc20 (SVN r5011), LP: #445695
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Tue, 13 Oct 2009 09:31:20 +0200
++
++openvpn (2.1~rc19-1ubuntu1) karmic; urgency=low
++
++  * Merge from debian unstable (LP: #404099), remaining changes:
++    - debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
++      - show per-VPN result messages
++      - add "--script-security 2" by default for backwards compatibility
++      - Added lsb-base>=3.2-14 depend to allow status_of_proc()
++
++ -- Bhavani Shankar <right2bhavi@gmail.com>  Fri, 24 Jul 2009 19:22:13 +0530
++
  openvpn (2.1~rc19-1) unstable; urgency=low
    * New upstream version
@@ -872,6 +1559,17 @@ openvpn (2.1~rc19-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 21 Jul 2009 17:00:56 +0200
++openvpn (2.1~rc15-1ubuntu1) karmic; urgency=low
++
++  * Merge from debian unstable (LP: #372358), remaining changes:
++    - debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
++      - show per-VPN result messages
++      - add "--script-security 2" by default for backwards compatibility
++      - Added lsb-base>=3.2-14 depend to allow status_of_proc()
++
++ -- Andres Rodriguez <andreserl@ubuntu.com>  Tue, 05 May 2009 14:25:37 -0500
++
  openvpn (2.1~rc15-1) unstable; urgency=low
    * New upstream version (Closes: #515575)
@@ -891,6 +1589,33 @@ openvpn (2.1~rc15-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Thu, 30 Apr 2009 12:35:05 +0200
++openvpn (2.1~rc11-1ubuntu3) jaunty; urgency=low
++
++  * debian/openvpn.init.d:
++    - Fix unexpected operator on startup (LP: #340120)
++
++ -- Michael Jeanson <mjeanson@revolutionlinux.com>  Mon, 09 Mar 2009 16:02:50 -0400
++
++openvpn (2.1~rc11-1ubuntu2) intrepid; urgency=low
++
++  * debian/openvpn.init.d:
++    - Revert fix from #454371 that was merged at 2.1~rc7-4 to prevent
++      openvpn prompts from blocking the boot (LP: #280428)
++    - Fix VPNs always reported started [ OK ]
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Wed, 15 Oct 2008 17:12:54 +0200
++
++openvpn (2.1~rc11-1ubuntu1) intrepid; urgency=low
++
++  * Merge with Debian (LP: #279655), remaining diffs:
++    - debian/openvpn.init.d: Added 'status' action to init script, show
++      per-VPN result messages and add "--script-security 2" by default for
++      backwards compatibility
++    - debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
++  * Fixes regression when calling commands with arguments (LP: #277447)
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Tue, 07 Oct 2008 16:30:44 +0200
++
  openvpn (2.1~rc11-1) unstable; urgency=low
    * New upstream version
@@ -911,6 +1636,23 @@ openvpn (2.1~rc10-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Thu, 11 Sep 2008 16:58:37 +0200
++openvpn (2.1~rc9-3ubuntu2) intrepid; urgency=low
++
++  * debian/openvpn.init.d:
++    - Added 'status' action to init script (LP: #251641)
++    - Restored per-VPN result messages by using log_action_begin_msg and
++      one log_daemon_msg per VPN instead of log_progress_msg (LP: #264966)
++  * debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Tue, 09 Sep 2008 10:45:45 +0200
++
++openvpn (2.1~rc9-3ubuntu1) intrepid; urgency=low
++
++  * debian/openvpn.init.d: Add "--script-security 2" by default for backwards compatibility
++    (LP: #260291)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 25 Aug 2008 10:20:31 -0400
++
  openvpn (2.1~rc9-3) unstable; urgency=low
    * debian/rules: run ./configure with path to 'route', for
 diff --git a/debian/control b/debian/control
 index e91334e..0784e91 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,7 +1,8 @@
  Source: openvpn
  Section: net
  Priority: optional
--Maintainer: Bernhard Schmidt <berni@debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Bernhard Schmidt <berni@debian.org>
  Uploaders: Jörg Frings-Fürst <debian@jff.email>
  Build-Depends:
   debhelper-compat (= 12),
@@ -35,8 +36,8 @@ Depends:
  Suggests:
   openssl,
   resolvconf,
-- openvpn-systemd-resolved
--Recommends: easy-rsa
++ openvpn-systemd-resolved,
++ easy-rsa
  Description: virtual private network daemon
   OpenVPN is an application to securely tunnel IP networks over a
   single UDP or TCP port. It can be used to access remote sites, make
 diff --git a/debian/openvpn@.service b/debian/openvpn@.service
 index 945874b..6d59b13 100644
 --- a/debian/openvpn@.service
 +++ b/debian/openvpn@.service
@@ -12,7 +12,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
  Type=notify
  PrivateTmp=true
  WorkingDirectory=/etc/openvpn
--ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
++ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
  PIDFile=/run/openvpn/%i.pid
  KillMode=process
  CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
 diff --git a/debian/patches/OpenSSL3.patch b/debian/patches/OpenSSL3.patch
 new file mode 100644
 index 0000000..79f2bc3
 --- /dev/null
 +++ b/debian/patches/OpenSSL3.patch
@@ -0,0 +1,70 @@
++From eb450c8f99cc668ff7dd0139d31e139bd9621176 Mon Sep 17 00:00:00 2001
++From: Simon Chopin <simon.chopin@canonical.com>
++Date: Thu, 18 Nov 2021 14:27:56 +0100
++Subject: [PATCH] OpenSSL3: load the legacy provider
++Forwarded: not-needed
++Origin: vendor
++Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1945980
++
++Some algorithms still supported by the 2.5 branch of OpenVPN have been
++moved to the "legacy" provider of OpenSSL 3.0. This temporary patch
++explicitly loads said provider in order not to break OpenVPN.
++
++This patch can probably be dropped when we reach the 2.6 branch
++upstream.
++
++---
++ src/openvpn/crypto_openssl.c | 21 +++++++++++++++++++++
++ 1 file changed, 21 insertions(+)
++
++Index: openvpn/src/openvpn/crypto_openssl.c
++===================================================================
++--- openvpn.orig/src/openvpn/crypto_openssl.c	2022-02-23 10:19:00.283964587 -0500
+++++ openvpn/src/openvpn/crypto_openssl.c	2022-02-23 10:19:00.279964608 -0500
++@@ -55,6 +55,10 @@
++ #error Windows build with OPENSSL_NO_EC: disabling EC key is not supported.
++ #endif
++
+++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+++#include <openssl/provider.h>
+++#endif
+++
++ /*
++  * Check for key size creepage.
++  */
++@@ -151,6 +155,11 @@
++  *
++  */
++
+++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+++static OSSL_PROVIDER *legacy_provider;
+++static OSSL_PROVIDER *deflt_provider;
+++#endif
+++
++ void
++ crypto_init_lib(void)
++ {
++@@ -168,11 +177,23 @@
++ #ifdef CRYPTO_MDEBUG
++     CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
++ #endif
+++
+++#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+++    legacy_provider = OSSL_PROVIDER_load(NULL, "legacy");
+++    ASSERT(legacy_provider);
+++    deflt_provider = OSSL_PROVIDER_load(NULL, "default");
+++    ASSERT(deflt_provider);
+++#endif
++ }
++
++ void
++ crypto_uninit_lib(void)
++ {
+++#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+++    OSSL_PROVIDER_unload(deflt_provider);
+++    OSSL_PROVIDER_unload(legacy_provider);
+++#endif
+++
++ #ifdef CRYPTO_MDEBUG
++     FILE *fp = fopen("sdlog", "w");
++     ASSERT(fp);
 diff --git a/debian/patches/openvpn-fips-2.4.patch b/debian/patches/openvpn-fips-2.4.patch
 new file mode 100644
 index 0000000..1c4f068
 --- /dev/null
 +++ b/debian/patches/openvpn-fips-2.4.patch
@@ -0,0 +1,90 @@
++Description:  Use openssl FIPS flag to indicate MD5 use for PRF.
++ MD5 is not allowed in FIPS 140-2 except for PRF. OpenVPN needs
++ to send EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag to FIPS mode openssl
++ for PRF to indicate the exception.
++Bug: https://community.openvpn.net/openvpn/ticket/725
++Bug-Ubuntu: https://bugs.launchpad.net/bugs/1807439
++Author: Stephan Mueller <stephan.mueller@atsec.com>
++
++--- a/src/openvpn/crypto.c
+++++ b/src/openvpn/crypto.c
++@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const
++     if (kt->digest && kt->hmac_length > 0)
++     {
++         ctx->hmac = hmac_ctx_new();
++-        hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
+++        hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0);
++
++         msg(D_HANDSHAKE,
++             "%s: Using %d bit message hash '%s' for HMAC authentication",
++--- a/src/openvpn/crypto_backend.h
+++++ b/src/openvpn/crypto_backend.h
++@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx);
++  * @param key           The key to use for the HMAC
++  * @param key_len       The key length to use
++  * @param kt            Static message digest parameters
+++ * @param prf_use       Intended use for PRF in TLS protocol
++  *
++  */
++ void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length,
++-                   const md_kt_t *kt);
+++                   const md_kt_t *kt, bool prf_use);
++
++ /*
++  * Free the given HMAC context.
++--- a/src/openvpn/crypto_mbedtls.c
+++++ b/src/openvpn/crypto_mbedtls.c
++@@ -919,7 +919,7 @@ hmac_ctx_free(mbedtls_md_context_t *ctx)
++
++ void
++ hmac_ctx_init(mbedtls_md_context_t *ctx, const uint8_t *key, int key_len,
++-              const mbedtls_md_info_t *kt)
+++              const mbedtls_md_info_t *kt, bool prf_use)
++ {
++     ASSERT(NULL != kt && NULL != ctx);
++
++--- a/src/openvpn/crypto_openssl.c
+++++ b/src/openvpn/crypto_openssl.c
++@@ -1006,11 +1006,17 @@ hmac_ctx_free(HMAC_CTX *ctx)
++
++ void
++ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
++-              const EVP_MD *kt)
+++              const EVP_MD *kt, bool prf_use)
++ {
++     ASSERT(NULL != kt && NULL != ctx);
++
++     HMAC_CTX_reset(ctx);
+++
+++   /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
+++    * to be used anywhere else */
+++    if(kt == EVP_md5() && prf_use)
+++       HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+++
++     HMAC_Init_ex(ctx, key, key_len, kt, NULL);
++
++     /* make sure we used a big enough key */
++--- a/src/openvpn/ntlm.c
+++++ b/src/openvpn/ntlm.c
++@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da
++     const md_kt_t *md5_kt = md_kt_get("MD5");
++     hmac_ctx_t *hmac_ctx = hmac_ctx_new();
++
++-    hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
+++    hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0);
++     hmac_ctx_update(hmac_ctx, data, data_len);
++     hmac_ctx_final(hmac_ctx, result);
++     hmac_ctx_cleanup(hmac_ctx);
++--- a/src/openvpn/ssl.c
+++++ b/src/openvpn/ssl.c
++@@ -1632,8 +1632,8 @@ tls1_P_hash(const md_kt_t *md_kt,
++     int chunk = md_kt_size(md_kt);
++     unsigned int A1_len = md_kt_size(md_kt);
++
++-    hmac_ctx_init(ctx, sec, sec_len, md_kt);
++-    hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
+++    hmac_ctx_init(ctx, sec, sec_len, md_kt, 1);
+++    hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1);
++
++     hmac_ctx_update(ctx,seed,seed_len);
++     hmac_ctx_final(ctx, A1);
 diff --git a/debian/patches/series b/debian/patches/series
 index f9b5e73..4c7ab6b 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -5,3 +5,5 @@ openvpn-pkcs11warn.patch
  #kfreebsd_support.patch
  match-manpage-and-command-help.patch
  systemd.patch
++openvpn-fips-2.4.patch
++OpenSSL3.patch

Ubuntuopenvpn package

Merge ~sergiodj/ubuntu/+source/openvpn:merge-2.5.5-1-jammy into ubuntu/+source/openvpn:debian/sid

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
openvpn package