ubuntu/+source/openvpn:ubuntu/yakkety-security

Last commit made on 2017-06-22
Get this branch:
git clone -b ubuntu/yakkety-security https://git.launchpad.net/ubuntu/+source/openvpn
Members of the Ubuntu Server Dev import team can upload to this branch.

Branch information

Name:
ubuntu/yakkety-security
Repository:
lp:ubuntu/+source/openvpn

Recent commits

2384735... by Marc Deslauriers on 2017-06-22

Import patches-unapplied version 2.3.11-1ubuntu2.1 to ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: 89b23bcfd9f2ee51a3185553385ce6f10d08245b

New changelog entries:
  * SECURITY UPDATE: birthday attack when using 64-bit block cipher
    - debian/patches/CVE-2016-6329.patch: print warning if 64-bit cipher is
      selected in src/openvpn/crypto.c, src/openvpn/crypto_openssl.c,
      src/openvpn/crypto_polarssl.c, tests/t_lpback.sh.
    - CVE-2016-6329
  * SECURITY UPDATE: DoS due to Exhaustion of Packet-ID counter
    - debian/patches/CVE-2017-7479-pre.patch: merge
      packet_id_alloc_outgoing() into packet_id_write() in
      src/openvpn/crypto.c, src/openvpn/packet_id.c,
      src/openvpn/packet_id.h.
    - debian/patches/CVE-2017-7479.patch: drop packets instead of assert
      out if packet id rolls over in src/openvpn/crypto.c,
      src/openvpn/packet_id.c, src/openvpn/packet_id.h.
    - CVE-2017-7479
  * SECURITY UPDATE: Remotely-triggerable ASSERT() on malformed IPv6 packet
    - debian/patches/CVE-2017-7508.patch: remove assert in
      src/openvpn/mss.c.
    - CVE-2017-7508
  * SECURITY UPDATE: Remote-triggerable memory leaks
    - debian/patches/CVE-2017-7512.patch: fix leaks in
      src/openvpn/ssl_verify_openssl.c.
    - CVE-2017-7512
  * SECURITY UPDATE: Pre-authentication remote crash/information disclosure
    for clients
    - debian/patches/CVE-2017-7520.patch: prevent two kinds of stack buffer
      OOB reads and a crash for invalid input data in src/openvpn/ntlm.c.
    - CVE-2017-7520
  * SECURITY UPDATE: Potential double-free in --x509-alt-username and
    memory leaks
    - debian/patches/CVE-2017-7521.patch: fix double-free in
      src/openvpn/ssl_verify_openssl.c.
    - CVE-2017-7521
  * SECURITY UPDATE: DoS in establish_http_proxy_passthru()
    - debian/patches/establish_http_proxy_passthru_dos.patch: fix
      null-pointer dereference in src/openvpn/proxy.c.
    - No CVE number

89b23bc... by Martin Pitt on 2016-06-22

Import patches-unapplied version 2.3.11-1ubuntu2 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: 25f623d0e017be0574a0318a4a81292d06edcece

New changelog entries:
  * debian/control: Actually drop the initscripts dependency.
    (Closes: #804968)

25f623d... by Martin Pitt on 2016-05-20

Import patches-unapplied version 2.3.11-1ubuntu1 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: 8eb37bbaa2a08b219d3313dfb22687e41c2badb8

New changelog entries:
  * Merge with Debian unstable. Remaining Ubuntu changes:
    - debian/openvpn@.service: Add "--script-security 2" similar to what got
      added to debian/openvpn.init.d ages ago (see LP: #260291).
    - Demote easy-rsa to Suggests (universe package).
  * Drop intrusive changes (showing per-VPN result messages) from
    debian/openvpn.init.d. This isn't being used under systemd.

8eb37bb... by Alberto Gonzalez Iniesta on 2016-05-10

Import patches-unapplied version 2.3.11-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: c07fed5ec9e72ca6d6e579115ae009ffd3e4aaed

New changelog entries:
  * New upstream release.
  * tun.c: patch to fix FTBFS in kfreebsd. (Closes: #815283)
    Thanks Steven Chamberlain for the patch.
  * README.Debian: Document limits in the service file.
    (Closes: #819919, #823621)
  * Removed versioned dependency on initscripts. (Closes: #804968)

c07fed5... by Alberto Gonzalez Iniesta on 2016-01-20

Import patches-unapplied version 2.3.10-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 30470c8603ba5b41192d7be2408be40c58d7b1ec

New changelog entries:
  * New upstream release. (Closes: #804368)
    Drop password_prompt_in_systemd.patch. Applied upstream.
  * Unify pidfile path on systemd and sysV. (Closes: #811010)
    Thanks Guillem Jover for noticing.
  * Increase start-stop-daemon timeout on stop to let openvpn
    tear down the connection properly in some cases.
    (Closes: #799592, #796914)
  * Add CAP_AUDIT_WRITE to openvpn@.service CapabilityBoundingSet
    to fix auth-pam plugin. (Closes: #795313)
  * Patch from Martin Pitt to start OpenVPN before user sessions
    to avoid hiding possible password prompts. (Closes: #803032)
  * Make another copy of t_client.sh to help keeping the build
    environment clean. (Closes: #765447)

30470c8... by Alberto Gonzalez Iniesta on 2015-10-28

Import patches-unapplied version 2.3.8-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ab67501a9fdcebc65b782cdcf011fb3bb03e1e9b

New changelog entries:
  * New upstream release. Drop patch from 2.3.7-2.
    Hopefully (Closes: #791829)
  * Apply upstream fix for systemd password prompt that
    delayed this upload. Sorry SysV users.
  * debian/rules: remove obsolete options (*-path) to configure
  * openvpn@.service: Use KillMode=mixed to fix signaling of some plugins.
    (Closes: #792907). Also add PrivateTmp & LimitNPROC options.
    Thanks Daniel Hahler for the patch.

ab67501... by Alberto Gonzalez Iniesta on 2015-09-08

Import patches-unapplied version 2.3.7-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 242defcf6824e354ecbfb1ecb3dfc4b1b5abe5bd

New changelog entries:
  * Move libsystemd-daemon-dev Build-Dep to libsystemd-dev.
    Add Build-Dep on systemd. (Closes: #791904)
  * Bumped Standards-Version to 3.9.6
  * Apply upstream patch to fix stdin password prompt.
    (Closes: #791829)

242defc... by Alberto Gonzalez Iniesta on 2015-07-01

Import patches-unapplied version 2.3.7-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 21f9de4acb15a9c34f52c182b5646cfc24297e9c

New changelog entries:
  * New upstream version
  * Add --no-block to if-up.d script to avoid hanging boot on
    interfaces with openvpn instances. (Closes: #787090, #785200)
  * Add ProtectSystem=yes to systemd's service file. (Closes: #771626)
  * Removed upstream applied patches:
     - 0001-Drop-too-short-control-channel-packets-instead-of-as.patch
     - update_sample_certs.patch
  * New upstream release. Removed patches applied upstream:
    client_connect_tmp_files.patch
    better_systemd_detection.patch
  * Add Build-Depends on libsystemd-daemon-dev.

21f9de4... by Alberto Gonzalez Iniesta on 2014-12-01

Import patches-unapplied version 2.3.4-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 756bb50645d989618ee879048dd7774f183fd08c

New changelog entries:
  * Apply upstream patch that fixes possible DoS by authenticated
    clients. CVE-2014-8104
  * Patch sample certs since they were expired and made the package
    build fail. (Closes: #770835)

756bb50... by Alberto Gonzalez Iniesta on 2014-11-07

Import patches-unapplied version 2.3.4-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 8b97a9e6866146eaafede96791a5323774621068

New changelog entries:
  * Use dh-systemd in order to enable the service unit.
    (Closes: #768411)
  * Add comment on /etc/default/openvpn file about options
    not supported on systemd. (Closes: #768384)