Ubuntu
openvpn package

Merge ~utkarsh/ubuntu/+source/openvpn:merge-lp1917438-hirsute into ubuntu/+source/openvpn:debian/sid

Proposed by Utkarsh Gupta on 2021-03-02

Status:	Merged
Approved by:	Lucas Kanashiro on 2021-03-03
Approved revision:	36550535eb0463f8b89e93144386c8a11333090e
Merge reported by:	Bryce Harrington
Merged at revision:	36550535eb0463f8b89e93144386c8a11333090e
Proposed branch:	~utkarsh/ubuntu/+source/openvpn:merge-lp1917438-hirsute
Merge into:	ubuntu/+source/openvpn:debian/sid
Diff against target:	1112 lines (+782/-9) 7 files modified debian/changelog (+682/-1) debian/control (+4/-3) debian/openvpn@.service (+1/-1) debian/patches/openvpn-fips-2.4.patch (+90/-0) debian/patches/series (+1/-0) debian/tests/server-setup-with-ca (+2/-2) debian/tests/server-setup-with-static-key (+2/-2)
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Lucas Kanashiro (community)	2021-03-02	Approve on 2021-03-03
Canonical Server packageset reviewers	2021-03-02	Pending
Canonical Server	2021-03-02	Pending
Review via email: mp+398987@code.launchpad.net

Description of the change

Hey,

This MP is a merge with what's in Debian sid (which is a bux fix release from upstream),

PPA could be found at: https://launchpad.net/~utkarsh/+archive/ubuntu/openvpn-merge-1917438

Tests passing:
```
autopkgtest [19:48:45]: test server-setup-with-static-key: -----------------------]
autopkgtest [19:48:46]: test server-setup-with-static-key: - - - - - - - - - - results - - - - - - - - - -
server-setup-with-static-key PASS
autopkgtest [19:48:46]: @@@@@@@@@@@@@@@@@@@@ summary
server-setup-with-ca PASS
server-setup-with-static-key PASS
```

Requesting you to review and upload the same. TIA! :)

Revision history for this message

Lucas Kanashiro (lucaskanashiro) wrote on 2021-03-03:

* Changelog:
  - [√] old content and logical tag match as expected
  - [√] changelog entry correct version and targeted codename
  - [√] changelog entries correct
  - [√] update-maintainer has been run

* Actual changes:
  - [√] no upstream changes to consider
  - [√] no further upstream version to consider
  - [√] debian changes look safe

* Old Delta:
  - [-] dropped changes are ok to be dropped
  - [√] nothing else to drop
  - [√] changes forwarded upstream/debian (if appropriate)

* New Delta:
  - [√] no new patches added
  - [-] patches match what was proposed upstream
  - [-] patches correctly included in debian/patches/series
  - [-] patches have correct DEP3 metadata

* Build/Test:
  - [√] build is ok
  - [√] verified PPA package installs/uninstalls
  - [√] autopkgtest against the PPA package passes
  - [√] sanity checks test fine

LGTM, +1.

I am going to sponsor this upload for you, please track its migration to the release pocket.

review: Approve

Revision history for this message

Lucas Kanashiro (lucaskanashiro) wrote on 2021-03-03:

Uploaded:

$ git push pkg upload/2.5.1-1ubuntu1
Enumerating objects: 43, done.
Counting objects: 100% (43/43), done.
Delta compression using up to 8 threads
Compressing objects: 100% (28/28), done.
Writing objects: 100% (33/33), 10.41 KiB | 1.49 MiB/s, done.
Total 33 (delta 23), reused 6 (delta 5), pack-reused 0
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/openvpn
* [new tag] upload/2.5.1-1ubuntu1 -> upload/2.5.1-1ubuntu1
$ dput ubuntu ../openvpn_2.5.1-1ubuntu1_source.changes
D: Setting host argument.
Checking signature on .changes
gpg: ../openvpn_2.5.1-1ubuntu1_source.changes: Valid signature from F823A2729883C97C
Checking signature on .dsc
gpg: ../openvpn_2.5.1-1ubuntu1.dsc: Valid signature from F823A2729883C97C
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openvpn_2.5.1-1ubuntu1.dsc: done.
  Uploading openvpn_2.5.1-1ubuntu1.debian.tar.xz: done.
  Uploading openvpn_2.5.1-1ubuntu1_source.changes: done.
Successfully uploaded packages.

Revision history for this message

Bryce Harrington (bryce) wrote on 2021-03-08:

This has migrated

* openvpn: merge-lp1917438-hirsute -> debian/sid
  - Source Package: openvpn
  - Current Version: 2.5.1-1ubuntu1
  - Debian Version: 2.5.1-1
  - New Version: 2.5.1-1ubuntu1

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Utkarsh Gupta

git-ubuntu developers

 diff --git a/debian/changelog b/debian/changelog
 index 0636869..845db0b 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,9 +1,44 @@
++openvpn (2.5.1-1ubuntu1) hirsute; urgency=medium
++
++  * Merge with Debian unstable (LP: #1917438). Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what
++      got added to debian/openvpn.init.d ages ago (LP #1454725)
++    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
++      + d/t/server-setup-*: adapt tests to output of v2.5.0
++
++ -- Utkarsh Gupta <utkarsh.gupta@canonical.com>  Tue, 02 Mar 2021 16:35:37 +0530
++
  openvpn (2.5.1-1) unstable; urgency=medium
    * New upstream version 2.5.1 (bugfix release)
   -- Bernhard Schmidt <berni@debian.org>  Wed, 24 Feb 2021 19:54:34 +0100
++openvpn (2.5.0-1ubuntu1) hirsute; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what
++      got added to debian/openvpn.init.d ages ago (LP #1454725)
++    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
++      [updated to match 2.5.0]
++  * Dropped changes [in Debian since 2.5~beta3-1]
++    - d/tests: add two DEP-8 test cases
++      + d/t/server-setup-with-static-key: test the OpenVPN server side setup
++        using a static key.
++      + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
++        CA built with easy-rsa.
++    - d/openvpn*.service: Drop reload support from systemd unit files
++      (LP #1868127).  The current reload implementation (sending a SIGHUP
++      signal to the process) fails, and the difference between reload and
++      restart is not clear. Systemd does not require an implementation for
++      reload.
++  * Added Changes:
++    - d/t/server-setup-*: adapt tests to output of v2.5.0
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 01 Dec 2020 16:15:12 +0100
++
  openvpn (2.5.0-1) unstable; urgency=medium
    * New upstream version 2.5.0 - final release
@@ -29,7 +64,7 @@ openvpn (2.5~beta3-1) unstable; urgency=medium
    [ Lucas Kanashiro ]
    * Add two DEP-8 test cases for the server side
--  * Drop reload support from systemd unit files (LP: #1868127)
++  * Drop reload support from systemd unit files (LP 1868127)
    [ Bernhard Schmidt ]
    * Revert "d/gbp.conf for experimental 2.5 branch"
@@ -59,6 +94,26 @@ openvpn (2.5~beta1-1) experimental; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Sat, 15 Aug 2020 21:32:49 +0200
++openvpn (2.4.9-3ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what
++      got added to debian/openvpn.init.d ages ago (LP #1454725)
++    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
++    - d/tests: add two DEP-8 test cases
++      + d/t/server-setup-with-static-key: test the OpenVPN server side setup
++        using a static key.
++      + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
++        CA built with easy-rsa.
++    - d/openvpn*.service: Drop reload support from systemd unit files
++      (LP #1868127).  The current reload implementation (sending a SIGHUP
++      signal to the process) fails, and the difference between reload and
++      restart is not clear. Systemd does not require an implementation for
++      reload.
++
++ -- Lucas Kanashiro <kanashiro@ubuntu.com>  Tue, 18 Aug 2020 08:42:11 -0300
++
  openvpn (2.4.9-3) unstable; urgency=medium
    [ Jörg Frings-Fürst ]
@@ -77,6 +132,28 @@ openvpn (2.4.9-3) unstable; urgency=medium
   -- Jörg Frings-Fürst <debian@jff.email>  Sat, 02 May 2020 18:14:36 +0200
++openvpn (2.4.9-2ubuntu2) groovy; urgency=medium
++
++  * Drop reload support from systemd unit files (LP: #1868127)
++
++ -- Lucas Kanashiro <kanashiro@ubuntu.com>  Tue, 26 May 2020 19:04:33 -0300
++
++openvpn (2.4.9-2ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what
++      got added to debian/openvpn.init.d ages ago (LP 1454725)
++    - Allow MD5 for PRF in FIPS mode openssl.
++  * Added changes:
++    - d/tests: add two DEP-8 test cases
++      + d/t/server-setup-with-static-key: test the OpenVPN server side setup
++        using a static key.
++      + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
++        CA built with easy-rsa.
++
++ -- Lucas Kanashiro <lucas.kanashiro@canonical.com>  Wed, 29 Apr 2020 15:35:56 -0300
++
  openvpn (2.4.9-2) unstable; urgency=medium
    * Cherry-Pick upstream patch to fix ssl_do_config error with
@@ -112,6 +189,28 @@ openvpn (2.4.9-1) unstable; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Sun, 19 Apr 2020 15:52:57 +0200
++openvpn (2.4.7-1ubuntu2) eoan; urgency=medium
++
++  * No-change upload with strops.h and sys/strops.h removed in glibc.
++
++ -- Matthias Klose <doko@ubuntu.com>  Thu, 05 Sep 2019 11:05:25 +0000
++
++openvpn (2.4.7-1ubuntu1) eoan; urgency=medium
++
++  * Merge with Debian unstable (LP: #1828771). Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what got
++      added to debian/openvpn.init.d ages ago (LP 1454725)
++    - d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
++      (LP 1807439)
++  * Dropped changes:
++    - d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout
++      scripts breaking due to sudo/pam being unable to audit the action.
++      Fixed in upstream issue #918, suggested to Debian in #868806 (LP 1787208)
++      [in Debian now]
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 13 May 2019 15:55:22 +0200
++
  openvpn (2.4.7-1) unstable; urgency=medium
    [ Bernhard Schmidt ]
@@ -131,6 +230,30 @@ openvpn (2.4.7-1) unstable; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Wed, 20 Feb 2019 14:50:03 +0100
++openvpn (2.4.6-1ubuntu3) disco; urgency=medium
++
++  * d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
++    (LP: #1807439)
++
++ -- Joy Latten <joy.latten@canonical.com>  Wed, 09 Jan 2019 12:25:59 -0600
++
++openvpn (2.4.6-1ubuntu2) cosmic; urgency=medium
++
++  * d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout
++    scripts breaking due to sudo/pam being unable to audit the action.
++    Fixed in upstream issue #918, suggested to Debian in #868806 (LP: #1787208)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 03 Sep 2018 10:57:35 +0200
++
++openvpn (2.4.6-1ubuntu1) cosmic; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what got
++      added to debian/openvpn.init.d ages ago (LP 1454725)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 20 Aug 2018 13:30:20 +0200
++
  openvpn (2.4.6-1) unstable; urgency=medium
    [ Jörg Frings-Fürst ]
@@ -174,6 +297,15 @@ openvpn (2.4.5-1) unstable; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Sun, 04 Mar 2018 22:23:47 +0100
++openvpn (2.4.4-2ubuntu1) bionic; urgency=low
++
++  * Sync with Debian. Remaining changes:
++    - debian/openvpn@.service: Add "--script-security 2" similar to what got
++      added to debian/openvpn.init.d ages ago (LP: #1454725)
++    - Demote easy-rsa to Suggests (universe package).
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Sat, 10 Feb 2018 20:27:56 +0000
++
  openvpn (2.4.4-2) unstable; urgency=medium
    * Build against OpenSSL 1.1.0 (Closes: #828477)
@@ -181,6 +313,15 @@ openvpn (2.4.4-2) unstable; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Mon, 11 Dec 2017 00:22:11 +0100
++openvpn (2.4.4-1ubuntu1) bionic; urgency=medium
++
++  * Sync with Debian. Remaining changes:
++    - debian/openvpn@.service: Add "--script-security 2" similar to what got
++      added to debian/openvpn.init.d ages ago (LP: #1454725)
++    - Demote easy-rsa to Suggests (universe package).
++
++ -- Jeremy Bicha <jbicha@ubuntu.com>  Sat, 28 Oct 2017 15:13:58 -0400
++
  openvpn (2.4.4-1) unstable; urgency=medium
    [ Jörg Frings-Fürst ]
@@ -302,6 +443,65 @@ openvpn (2.4.0-5) unstable; urgency=high
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Thu, 11 May 2017 14:15:21 +0200
++openvpn (2.4.0-4ubuntu1.3) zesty-security; urgency=medium
++
++  * SECURITY UPDATE: Remotely-triggerable ASSERT() on malformed IPv6 packet
++    - debian/patches/CVE-2017-7508.patch: remove assert in
++      src/openvpn/mss.c.
++    - CVE-2017-7508
++  * SECURITY UPDATE: Remote-triggerable memory leaks
++    - debian/patches/CVE-2017-7512.patch: fix leaks in
++      src/openvpn/ssl_verify_openssl.c.
++    - CVE-2017-7512
++  * SECURITY UPDATE: Pre-authentication remote crash/information disclosure
++    for clients
++    - debian/patches/CVE-2017-7520.patch: prevent two kinds of stack buffer
++      OOB reads and a crash for invalid input data in src/openvpn/ntlm.c.
++    - CVE-2017-7520
++  * SECURITY UPDATE: Potential double-free in --x509-alt-username and
++    memory leaks
++    - debian/patches/CVE-2017-7521.patch: fix double-free in
++      src/openvpn/ssl_verify_openssl.c.
++    - CVE-2017-7521
++  * SECURITY UPDATE: DoS in establish_http_proxy_passthru()
++    - debian/patches/establish_http_proxy_passthru_dos.patch: fix
++      null-pointer dereference in src/openvpn/proxy.c.
++    - No CVE number
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 22 Jun 2017 08:37:49 -0400
++
++openvpn (2.4.0-4ubuntu1.2) zesty-security; urgency=medium
++
++  * SECURITY UPDATE: pre-authentication denial-of-service vulnerability
++    (both client and server) from a too-large control packet.
++    - debian/patches/CVE-2017-7478.patch: Do not assert on too-large
++      control packet
++    - CVE-2017-7478
++  * SECURITY UPDATE: authenticated remote DoS vulnerability due to
++    packet ID rollover
++    - debian/patches/CVE-2017-7479-prereq.patch: merge
++      packet_id_alloc_outgoing() into packet_id_write()
++    - debian/patches/CVE-2017-7478.patch: do not assert when packet ID
++      rollover occurs
++    - CVE-2017-7478
++  * SECURITY UPDATE: auth tokens left in memory after de-auth
++    - debian/patches/wipe_tokens_on_de-auth.patch: always wipe token
++      as soon as a TLS session is considered broken.
++
++ -- Steve Beattie <sbeattie@ubuntu.com>  Wed, 10 May 2017 15:21:05 -0700
++
++openvpn (2.4.0-4ubuntu1) zesty; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn@.service: Add "--script-security 2" similar to what got
++      added to debian/openvpn.init.d ages ago (LP: #1454725)
++    - Demote easy-rsa to Suggests (universe package).
++  * Drop:
++    - debian/control: Actually drop the initscripts dependency.
++      (Closes: #804968). Already in Debian
++
++ -- Jon Grimm <jon.grimm@canonical.com>  Fri, 10 Feb 2017 12:16:57 -0600
++
  openvpn (2.4.0-4) unstable; urgency=medium
    * Add NEWS entries on possible 2.4 migration issues.
@@ -371,6 +571,24 @@ openvpn (2.3.11-2) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 23 May 2016 09:55:30 +0200
++openvpn (2.3.11-1ubuntu2) yakkety; urgency=medium
++
++  * debian/control: Actually drop the initscripts dependency.
++    (Closes: #804968)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Wed, 22 Jun 2016 16:54:51 +0200
++
++openvpn (2.3.11-1ubuntu1) yakkety; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn@.service: Add "--script-security 2" similar to what got
++      added to debian/openvpn.init.d ages ago (see LP: #260291).
++    - Demote easy-rsa to Suggests (universe package).
++  * Drop intrusive changes (showing per-VPN result messages) from
++    debian/openvpn.init.d. This isn't being used under systemd.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Fri, 20 May 2016 17:30:27 +0200
++
  openvpn (2.3.11-1) unstable; urgency=medium
    * New upstream release.
@@ -382,6 +600,25 @@ openvpn (2.3.11-1) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 10 May 2016 17:41:53 +0200
++openvpn (2.3.10-1ubuntu2) xenial; urgency=medium
++
++  * debian/openvpn@.service: Add --script-security similar to what got added
++    to debian/openvpn.init.d ages ago (see LP #260291). (LP: #1454725)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Tue, 02 Feb 2016 13:33:39 +0100
++
++openvpn (2.3.10-1ubuntu1) xenial; urgency=medium
++
++  * Merge with Debian unstable (LP: #1536568). Remaining Ubuntu changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++        (LP #260291)
++    - Demote easy-rsa to Suggests
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Thu, 21 Jan 2016 11:37:08 +0100
++
  openvpn (2.3.10-1) unstable; urgency=medium
    * New upstream release. (Closes: #804368)
@@ -400,6 +637,21 @@ openvpn (2.3.10-1) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 20 Jan 2016 12:01:36 +0100
++openvpn (2.3.8-1ubuntu1) xenial; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++    - Run openvpn@.service before systemd-user-sessions.service to avoid
++      gettys and lightdm starting on top of possible password prompts. This
++      provides the equivalent of the init.d script's X-Start-Before:.
++      (Closes: #803032)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 04 Jan 2016 11:48:31 +0100
++
  openvpn (2.3.8-1) unstable; urgency=medium
    * New upstream release. Drop patch from 2.3.7-2.
@@ -413,6 +665,21 @@ openvpn (2.3.8-1) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 28 Oct 2015 17:34:26 +0100
++openvpn (2.3.7-2ubuntu1) xenial; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++    - Run openvpn@.service before systemd-user-sessions.service to avoid
++      gettys and lightdm starting on top of possible password prompts. This
++      provides the equivalent of the init.d script's X-Start-Before:.
++      (Closes: #803032)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 26 Oct 2015 09:32:31 +0100
++
  openvpn (2.3.7-2) unstable; urgency=medium
    * Move libsystemd-daemon-dev Build-Dep to libsystemd-dev.
@@ -423,6 +690,20 @@ openvpn (2.3.7-2) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 08 Sep 2015 08:23:19 +0000
++openvpn (2.3.7-1ubuntu1) wily; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++    - Run openvpn@.service before systemd-user-sessions.service to avoid
++      gettys and lightdm starting on top of possible password prompts. This
++      provides the equivalent of the init.d script's X-Start-Before:.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Wed, 08 Jul 2015 12:28:54 +0200
++
  openvpn (2.3.7-1) unstable; urgency=medium
    * New upstream version
@@ -444,6 +725,20 @@ openvpn (2.3.5-1) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 29 Oct 2014 17:44:06 +0100
++openvpn (2.3.4-5ubuntu1) wily; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++    - Run openvpn@.service before systemd-user-sessions.service to avoid
++      gettys and lightdm starting on top of possible password prompts. This
++      provides the equivalent of the init.d script's X-Start-Before:.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Thu, 07 May 2015 15:35:52 +0200
++
  openvpn (2.3.4-5) unstable; urgency=high
    * Apply upstream patch that fixes possible DoS by authenticated
@@ -502,6 +797,52 @@ openvpn (2.3.3-1) experimental; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 17 Mar 2014 19:40:12 +0100
++openvpn (2.3.2-9ubuntu4) vivid; urgency=medium
++
++  * Run openvpn@.service before systemd-user-sessions.service to avoid gettys
++    and lightdm starting on top of possible password prompts. This provides
++    the equivalent of the init.d script's X-Start-Before:.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 13 Apr 2015 16:09:01 -0500
++
++openvpn (2.3.2-9ubuntu3) vivid; urgency=medium
++
++  * Add better_systemd_detection.patch to avoid calling systemd-ask-password
++    under upstart. Backported from upstream. (Closes: #747265)
++  * Add systemd unit and generator from current Debian package. This avoids
++    using the init.d script, which unnecessarily blocks lightdm startup on the
++    network becoming online even if there are no auto-start connections
++    (LP: #1443489).
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 13 Apr 2015 11:22:56 -0500
++
++openvpn (2.3.2-9ubuntu2) vivid; urgency=medium
++
++  * SECURITY UPDATE: server denial of service via too-short control channel
++    packets
++    - debian/patches/CVE-2014-8104.patch: drop too-short control channel
++      packets instead of asserting out in src/openvpn/ssl.c.
++    - CVE-2014-8104
++  * debian/patches/update_certs.patch: update test certs to fix FTBFS.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 01 Dec 2014 15:26:58 -0500
++
++openvpn (2.3.2-9ubuntu1) utopic; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++    - Patch libtool.m4 and configure to support ppc64el.
++    - Refresh delta with debian/openvpn.init.d:
++      + Make stop action reliable by killing if needed
++        (LP: #1274254, LP: #1200519)
++      + Use new path for status file (LP: #1261088)
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Fri, 02 May 2014 16:00:55 -0400
++
  openvpn (2.3.2-9) unstable; urgency=medium
    * Create /run/openvpn in init script even if no VPN is
@@ -517,6 +858,33 @@ openvpn (2.3.2-8) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Fri, 14 Mar 2014 12:59:57 +0100
++openvpn (2.3.2-7ubuntu3) trusty; urgency=medium
++
++  [ Simon Deziel ]
++  * Refresh delta with debian/openvpn.init.d:
++   - Make stop action reliable by killing if needed
++     (LP: #1274254, LP: #1200519)
++   - Use new path for status file (LP: #1261088)
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Tue, 04 Feb 2014 09:31:39 -0500
++
++openvpn (2.3.2-7ubuntu2) trusty; urgency=medium
++
++  * Patch libtool.m4 and configure to support ppc64el.
++
++ -- Matthias Klose <doko@ubuntu.com>  Mon, 30 Dec 2013 12:32:35 +0100
++
++openvpn (2.3.2-7ubuntu1) trusty; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Mon, 02 Dec 2013 18:14:42 -0500
++
  openvpn (2.3.2-7) unstable; urgency=low
    * Fix postinst when no *.pid files exist in /run/sendsigs.omit.d/.
@@ -533,6 +901,17 @@ openvpn (2.3.2-6) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 27 Nov 2013 13:58:33 +0100
++openvpn (2.3.2-5ubuntu1) trusty; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Mon, 21 Oct 2013 13:07:37 -0400
++
  openvpn (2.3.2-5) unstable; urgency=low
    * Patch init script to fix race conditions on restarts.
@@ -542,6 +921,16 @@ openvpn (2.3.2-5) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 15 Jul 2013 16:10:59 +0200
++openvpn (2.3.2-4ubuntu1) saucy; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Tue, 09 Jul 2013 17:20:31 -0400
++
  openvpn (2.3.2-4) unstable; urgency=low
    * Fix depends on iproute to iproute2.
@@ -574,6 +963,23 @@ openvpn (2.3.2-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 03 Jun 2013 18:48:44 +0200
++openvpn (2.3.1-2ubuntu2) saucy; urgency=low
++
++  * Move easy-rsa from Recommends to Suggests as it's not in main and isn't
++    actually required to operate an openvpn server.
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Wed, 19 Jun 2013 14:37:54 -0400
++
++openvpn (2.3.1-2ubuntu1) saucy; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Fri, 24 May 2013 17:42:45 -0400
++
  openvpn (2.3.1-2) unstable; urgency=low
    * Add net-tools to Build-Depends. (Closes: #709108)
@@ -601,6 +1007,32 @@ openvpn (2.3~rc1-1) experimental; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 05 Nov 2012 16:31:15 +0100
++openvpn (2.2.1-8ubuntu3) raring; urgency=low
++
++  [ Marc Gariépy ]
++  * Add --script-security to the init.d script (was generated but not passed
++    to openvpn). (LP: #1124398)
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Wed, 13 Feb 2013 16:10:48 -0500
++
++openvpn (2.2.1-8ubuntu2) quantal; urgency=low
++
++  * Rebuild for new armel compiler default of ARMv5t.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Mon, 08 Oct 2012 08:36:47 +0100
++
++openvpn (2.2.1-8ubuntu1) precise; urgency=low
++
++  * Merge at Simon Deziel's request to build with PIE.
++  * Merge from Debian unstable. Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Fri, 30 Mar 2012 13:19:09 -0400
++
  openvpn (2.2.1-8) unstable; urgency=low
    * Enable "PIE" and "BINDOW" hardening flags.
@@ -625,6 +1057,17 @@ openvpn (2.2.1-6) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Fri, 09 Mar 2012 13:44:50 +0100
++openvpn (2.2.1-5ubuntu1) precise; urgency=low
++
++  * Merge from Debian unstable. Remaining changes: (LP: #907828)
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Sat, 25 Feb 2012 21:08:48 -0500
++
  openvpn (2.2.1-5) unstable; urgency=low
    * Avoid sending ICMP redirects when using tun devices and "subnet"
@@ -647,6 +1090,20 @@ openvpn (2.2.1-4) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 08 Feb 2012 16:31:32 +0100
++openvpn (2.2.1-3ubuntu1) precise; urgency=low
++
++  * Merge from Debian testing.  Remaining changes:
++   + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++    + debian/update-resolv-conf: Support multiple domains.
++    + fix bug where '--script-security 2' would be passed for all
++      daemons after the first. (LP: #794916)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Sat, 31 Dec 2011 04:55:56 +0000
++
  openvpn (2.2.1-3) unstable; urgency=low
    * The iproute fiasco release.
@@ -675,6 +1132,20 @@ openvpn (2.2.1-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 13 Dec 2011 11:04:22 +0100
++openvpn (2.2.0-2ubuntu1) oneiric; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++   + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++    + debian/update-resolv-conf: Support multiple domains.
++    + fix bug where '--script-security 2' would be passed for all
++      daemons after the first. (LP: #794916
++
++ -- Chuck Short <zulcss@ubuntu.com>  Thu, 16 Jun 2011 18:33:37 +0100
++
  openvpn (2.2.0-2) unstable; urgency=low
    * Upload to unstable
@@ -709,6 +1180,45 @@ openvpn (2.1.3-5) experimental; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 22 Mar 2011 10:57:18 +0100
++openvpn (2.1.3-4.1ubuntu2) oneiric; urgency=low
++
++  [Alexander Zielke]
++  * fix bug where '--script-security 2' would be passed for all
++    daemons after the first. (LP: #794916)
++
++ -- Scott Moser <smoser@ubuntu.com>  Thu, 09 Jun 2011 13:59:08 -0400
++
++openvpn (2.1.3-4.1ubuntu1) oneiric; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++   + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++    + debian/update-resolv-conf: Support multiple domains.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 17 May 2011 02:14:39 +0100
++
++openvpn (2.1.3-4.1) unstable; urgency=low
++
++  * Non-maintainer upload.
++  * Drop hard-coded dependency on libssl0.9.8.  (Closes: #623503)
++
++ -- Philipp Kern <pkern@debian.org>  Mon, 09 May 2011 23:20:03 +0200
++
++openvpn (2.1.3-4ubuntu1) oneiric; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++    + debian/update-resolv-conf: Support multiple domains.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 22 Mar 2011 23:28:26 +0000
++
  openvpn (2.1.3-4) unstable; urgency=low
    * Updated JuanJo's IPv6 patch. Now really fixes use from xinetd.
@@ -731,6 +1241,31 @@ openvpn (2.1.3-3) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Fri, 11 Mar 2011 13:08:12 +0100
++openvpn (2.1.3-2ubuntu3) natty; urgency=low
++
++  * update-resolv-conf: Correctly handle multiple dns search domains,
++    using the same logic as nameservers.  Patch courtesy of Jeremy
++    Zawodny. (LP: #662847)
++
++ -- Dave Walker (Daviey) <DaveWalker@ubuntu.com>  Fri, 11 Mar 2011 00:23:59 +0000
++
++openvpn (2.1.3-2ubuntu2) natty; urgency=low
++
++  * update-resolv-conf: Support mulitple domains (LP: #714358)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 14 Feb 2011 15:21:46 -0500
++
++openvpn (2.1.3-2ubuntu1) natty; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    +  debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Chuck Short <zulcss@ubuntu.com>  Sat, 23 Oct 2010 01:59:28 +0100
++
  openvpn (2.1.3-2) unstable; urgency=low
    * Applied upstream patch to solve random routes added when using
@@ -738,6 +1273,24 @@ openvpn (2.1.3-2) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Thu, 21 Oct 2010 12:21:33 +0200
++openvpn (2.1.3-1ubuntu2) natty; urgency=low
++
++  * Fix jjo-ipv6-support.patch to avoid assertion failure at socket.c:629 in
++    corner cases where ! host && addr (LP: #627973)
++
++ -- Thierry Carrez (ttx) <thierry.carrez@ubuntu.com>  Wed, 20 Oct 2010 16:22:25 +0200
++
++openvpn (2.1.3-1ubuntu1) natty; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatablitiy
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 05 Oct 2010 06:21:14 +0100
++
  openvpn (2.1.3-1) unstable; urgency=low
    * New upstream release (Closes: #595684)
@@ -749,6 +1302,17 @@ openvpn (2.1.3-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 29 Sep 2010 13:07:37 +0200
++openvpn (2.1.0-3ubuntu1) maverick; urgency=low
++
++  * Merge from debian unstable. Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use </dev/null to avoid blocking boot
++      - Show per-VPN result messages
++      - Add "--script-security 2" by default for backwards compatablitiy
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 12 Jul 2010 09:39:43 -0400
++
  openvpn (2.1.0-3) unstable; urgency=low
    * The 'happy birthday to me' release
@@ -758,6 +1322,24 @@ openvpn (2.1.0-3) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Fri, 09 Jul 2010 12:22:09 +0200
++openvpn (2.1.0-2ubuntu2) maverick; urgency=low
++
++  * debian/patches/client_hang_when_server_dont_push.patch: Fix client hanging
++    on PUSH_REQUEST when server does not push any option (LP: #579737)
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Mon, 28 Jun 2010 10:45:23 +0200
++
++openvpn (2.1.0-2ubuntu1) maverick; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use </dev/null to avoid blocking boot
++      - Show per-VPN result messages
++      - Add "--script-security 2" by default for backwards compatablitiy
++     + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 05 May 2010 03:06:19 +0100
++
  openvpn (2.1.0-2) unstable; urgency=low
    * Patched ssl.[ch] to fix integer overflow. (Closes: #576827)
@@ -770,6 +1352,17 @@ openvpn (2.1.0-2) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Sat, 10 Apr 2010 17:26:42 +0200
++openvpn (2.1.0-1ubuntu1) lucid; urgency=low
++
++  * Merge from debian testing (LP: #509078), remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
++      - Show per-VPN result messages
++      - Add "--script-security 2" by default for backwards compatibility
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Jan Brinkmann <lucky@the-luckyduck.de>  Fri, 22 Jan 2010 00:47:33 +0100
++
  openvpn (2.1.0-1) unstable; urgency=low
    * New upstream release
@@ -807,6 +1400,20 @@ openvpn (2.1~rc20-3) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 04 Nov 2009 17:18:03 +0100
++openvpn (2.1~rc20-2ubuntu1) lucid; urgency=low
++
++  * Merge from debian testing, remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use < /dev/null to avoid blocking
++        boot.
++      - show per-VPN result messages
++      - add "--script-security 2" by default for backwards compatibility
++      - Add lab-base >= 3.2-14 to allow status_of_proc()
++     + Dropped debian/patches/redirect-gateway.patch: Already applied
++       upstream.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Fri, 06 Nov 2009 01:36:35 +0000
++
  openvpn (2.1~rc20-2) unstable; urgency=low
    * init.d script: Added X-Interactive header. (Closes: #549424)
@@ -831,6 +1438,25 @@ openvpn (2.1~rc19-2) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Sun, 30 Aug 2009 20:20:11 +0200
++openvpn (2.1~rc19-1ubuntu2) karmic; urgency=low
++
++  * debian/patches/redirect-gateway.patch: Fix regression introduced in
++    2.1rc17 that makes redirect-gateway (without options) to be ignored.
++    Patch cherrypicked from upstream 2.1rc20 (SVN r5011), LP: #445695
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Tue, 13 Oct 2009 09:31:20 +0200
++
++openvpn (2.1~rc19-1ubuntu1) karmic; urgency=low
++
++  * Merge from debian unstable (LP: #404099), remaining changes:
++    - debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
++      - show per-VPN result messages
++      - add "--script-security 2" by default for backwards compatibility
++      - Added lsb-base>=3.2-14 depend to allow status_of_proc()
++
++ -- Bhavani Shankar <right2bhavi@gmail.com>  Fri, 24 Jul 2009 19:22:13 +0530
++
  openvpn (2.1~rc19-1) unstable; urgency=low
    * New upstream version
@@ -840,6 +1466,17 @@ openvpn (2.1~rc19-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 21 Jul 2009 17:00:56 +0200
++openvpn (2.1~rc15-1ubuntu1) karmic; urgency=low
++
++  * Merge from debian unstable (LP: #372358), remaining changes:
++    - debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
++      - show per-VPN result messages
++      - add "--script-security 2" by default for backwards compatibility
++      - Added lsb-base>=3.2-14 depend to allow status_of_proc()
++
++ -- Andres Rodriguez <andreserl@ubuntu.com>  Tue, 05 May 2009 14:25:37 -0500
++
  openvpn (2.1~rc15-1) unstable; urgency=low
    * New upstream version (Closes: #515575)
@@ -859,6 +1496,33 @@ openvpn (2.1~rc15-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Thu, 30 Apr 2009 12:35:05 +0200
++openvpn (2.1~rc11-1ubuntu3) jaunty; urgency=low
++
++  * debian/openvpn.init.d:
++    - Fix unexpected operator on startup (LP: #340120)
++
++ -- Michael Jeanson <mjeanson@revolutionlinux.com>  Mon, 09 Mar 2009 16:02:50 -0400
++
++openvpn (2.1~rc11-1ubuntu2) intrepid; urgency=low
++
++  * debian/openvpn.init.d:
++    - Revert fix from #454371 that was merged at 2.1~rc7-4 to prevent
++      openvpn prompts from blocking the boot (LP: #280428)
++    - Fix VPNs always reported started [ OK ]
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Wed, 15 Oct 2008 17:12:54 +0200
++
++openvpn (2.1~rc11-1ubuntu1) intrepid; urgency=low
++
++  * Merge with Debian (LP: #279655), remaining diffs:
++    - debian/openvpn.init.d: Added 'status' action to init script, show
++      per-VPN result messages and add "--script-security 2" by default for
++      backwards compatibility
++    - debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
++  * Fixes regression when calling commands with arguments (LP: #277447)
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Tue, 07 Oct 2008 16:30:44 +0200
++
  openvpn (2.1~rc11-1) unstable; urgency=low
    * New upstream version
@@ -879,6 +1543,23 @@ openvpn (2.1~rc10-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Thu, 11 Sep 2008 16:58:37 +0200
++openvpn (2.1~rc9-3ubuntu2) intrepid; urgency=low
++
++  * debian/openvpn.init.d:
++    - Added 'status' action to init script (LP: #251641)
++    - Restored per-VPN result messages by using log_action_begin_msg and
++      one log_daemon_msg per VPN instead of log_progress_msg (LP: #264966)
++  * debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Tue, 09 Sep 2008 10:45:45 +0200
++
++openvpn (2.1~rc9-3ubuntu1) intrepid; urgency=low
++
++  * debian/openvpn.init.d: Add "--script-security 2" by default for backwards compatibility
++    (LP: #260291)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 25 Aug 2008 10:20:31 -0400
++
  openvpn (2.1~rc9-3) unstable; urgency=low
    * debian/rules: run ./configure with path to 'route', for
 diff --git a/debian/control b/debian/control
 index 63a8262..40ed491 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,7 +1,8 @@
  Source: openvpn
  Section: net
  Priority: optional
--Maintainer: Bernhard Schmidt <berni@debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Bernhard Schmidt <berni@debian.org>
  Uploaders: Jörg Frings-Fürst <debian@jff.email>
  Build-Depends:
   debhelper-compat (= 12),
@@ -39,8 +40,8 @@ Depends:
  Suggests:
   openssl,
   resolvconf,
-- openvpn-systemd-resolved
--Recommends: easy-rsa
++ openvpn-systemd-resolved,
++ easy-rsa
  Description: virtual private network daemon
   OpenVPN is an application to securely tunnel IP networks over a
   single UDP or TCP port. It can be used to access remote sites, make
 diff --git a/debian/openvpn@.service b/debian/openvpn@.service
 index 945874b..6d59b13 100644
 --- a/debian/openvpn@.service
 +++ b/debian/openvpn@.service
@@ -12,7 +12,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
  Type=notify
  PrivateTmp=true
  WorkingDirectory=/etc/openvpn
--ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
++ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
  PIDFile=/run/openvpn/%i.pid
  KillMode=process
  CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
 diff --git a/debian/patches/openvpn-fips-2.4.patch b/debian/patches/openvpn-fips-2.4.patch
 new file mode 100644
 index 0000000..1c4f068
 --- /dev/null
 +++ b/debian/patches/openvpn-fips-2.4.patch
@@ -0,0 +1,90 @@
++Description:  Use openssl FIPS flag to indicate MD5 use for PRF.
++ MD5 is not allowed in FIPS 140-2 except for PRF. OpenVPN needs
++ to send EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag to FIPS mode openssl
++ for PRF to indicate the exception.
++Bug: https://community.openvpn.net/openvpn/ticket/725
++Bug-Ubuntu: https://bugs.launchpad.net/bugs/1807439
++Author: Stephan Mueller <stephan.mueller@atsec.com>
++
++--- a/src/openvpn/crypto.c
+++++ b/src/openvpn/crypto.c
++@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const
++     if (kt->digest && kt->hmac_length > 0)
++     {
++         ctx->hmac = hmac_ctx_new();
++-        hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
+++        hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0);
++
++         msg(D_HANDSHAKE,
++             "%s: Using %d bit message hash '%s' for HMAC authentication",
++--- a/src/openvpn/crypto_backend.h
+++++ b/src/openvpn/crypto_backend.h
++@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx);
++  * @param key           The key to use for the HMAC
++  * @param key_len       The key length to use
++  * @param kt            Static message digest parameters
+++ * @param prf_use       Intended use for PRF in TLS protocol
++  *
++  */
++ void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length,
++-                   const md_kt_t *kt);
+++                   const md_kt_t *kt, bool prf_use);
++
++ /*
++  * Free the given HMAC context.
++--- a/src/openvpn/crypto_mbedtls.c
+++++ b/src/openvpn/crypto_mbedtls.c
++@@ -919,7 +919,7 @@ hmac_ctx_free(mbedtls_md_context_t *ctx)
++
++ void
++ hmac_ctx_init(mbedtls_md_context_t *ctx, const uint8_t *key, int key_len,
++-              const mbedtls_md_info_t *kt)
+++              const mbedtls_md_info_t *kt, bool prf_use)
++ {
++     ASSERT(NULL != kt && NULL != ctx);
++
++--- a/src/openvpn/crypto_openssl.c
+++++ b/src/openvpn/crypto_openssl.c
++@@ -1006,11 +1006,17 @@ hmac_ctx_free(HMAC_CTX *ctx)
++
++ void
++ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
++-              const EVP_MD *kt)
+++              const EVP_MD *kt, bool prf_use)
++ {
++     ASSERT(NULL != kt && NULL != ctx);
++
++     HMAC_CTX_reset(ctx);
+++
+++   /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
+++    * to be used anywhere else */
+++    if(kt == EVP_md5() && prf_use)
+++       HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+++
++     HMAC_Init_ex(ctx, key, key_len, kt, NULL);
++
++     /* make sure we used a big enough key */
++--- a/src/openvpn/ntlm.c
+++++ b/src/openvpn/ntlm.c
++@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da
++     const md_kt_t *md5_kt = md_kt_get("MD5");
++     hmac_ctx_t *hmac_ctx = hmac_ctx_new();
++
++-    hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
+++    hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0);
++     hmac_ctx_update(hmac_ctx, data, data_len);
++     hmac_ctx_final(hmac_ctx, result);
++     hmac_ctx_cleanup(hmac_ctx);
++--- a/src/openvpn/ssl.c
+++++ b/src/openvpn/ssl.c
++@@ -1632,8 +1632,8 @@ tls1_P_hash(const md_kt_t *md_kt,
++     int chunk = md_kt_size(md_kt);
++     unsigned int A1_len = md_kt_size(md_kt);
++
++-    hmac_ctx_init(ctx, sec, sec_len, md_kt);
++-    hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
+++    hmac_ctx_init(ctx, sec, sec_len, md_kt, 1);
+++    hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1);
++
++     hmac_ctx_update(ctx,seed,seed_len);
++     hmac_ctx_final(ctx, A1);
 diff --git a/debian/patches/series b/debian/patches/series
 index 55bae8e..12d3a83 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -5,3 +5,4 @@ openvpn-pkcs11warn.patch
  #kfreebsd_support.patch
  match-manpage-and-command-help.patch
  systemd.patch
++openvpn-fips-2.4.patch
 diff --git a/debian/tests/server-setup-with-ca b/debian/tests/server-setup-with-ca
 index 58df2e9..08a879e 100755
 --- a/debian/tests/server-setup-with-ca
 +++ b/debian/tests/server-setup-with-ca
@@ -75,10 +75,10 @@ info "Check if Diffie-Hellman was initialized"
  cat $LOG_FILE | grep 'Diffie-Hellman initialized'
  info "Check if the $DEVICE is linked"
--cat $LOG_FILE | grep "/sbin/ip link set dev $DEVICE up"
++cat $LOG_FILE | grep "net_iface_up: set $DEVICE up"
  info "Check if the network route was correctly configured"
--cat $LOG_FILE | grep "/sbin/ip route add $IP_NETWORK/24"
++cat $LOG_FILE | grep "net_route_v4_add: $IP_NETWORK/24 via"
  info "Check if the Initialization Sequence completed"
  cat $LOG_FILE | grep 'Initialization Sequence Completed'
 diff --git a/debian/tests/server-setup-with-static-key b/debian/tests/server-setup-with-static-key
 index 9ddaecd..8c0addf 100755
 --- a/debian/tests/server-setup-with-static-key
 +++ b/debian/tests/server-setup-with-static-key
@@ -50,10 +50,10 @@ info "Check if the $STATIC_KEY is used by OpenVPN"
  cat $LOG_FILE | grep "shared_secret_file = '$CONFIG_DIR/$STATIC_KEY'"
  info "Check if the $DEVICE is linked"
--cat $LOG_FILE | grep "/sbin/ip link set dev $DEVICE up"
++cat $LOG_FILE | grep "net_iface_up: set $DEVICE up"
  info "Check if the specified IP addresses were configured"
--cat $LOG_FILE | grep "/sbin/ip addr add dev tun0 local $IP_SERVER peer $IP_CLIENT"
++cat $LOG_FILE | grep "net_addr_ptp_v4_add: $IP_SERVER peer $IP_CLIENT dev tun0"
  # Clean up: kill tha OpenVPN process, remove the $DEVICE created and $STATIC_KEY
  cleanup() {

Ubuntuopenvpn package

Merge ~utkarsh/ubuntu/+source/openvpn:merge-lp1917438-hirsute into ubuntu/+source/openvpn:debian/sid

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
openvpn package