Merge ~utkarsh/ubuntu/+source/openvpn:merge-lp1917438-hirsute into ubuntu/+source/openvpn:debian/sid
Status: | Merged |
---|---|
Approved by: | Lucas Kanashiro |
Approved revision: | 36550535eb0463f8b89e93144386c8a11333090e |
Merge reported by: | Bryce Harrington |
Merged at revision: | 36550535eb0463f8b89e93144386c8a11333090e |
Proposed branch: | ~utkarsh/ubuntu/+source/openvpn:merge-lp1917438-hirsute |
Merge into: | ubuntu/+source/openvpn:debian/sid |
Diff against target: | 1112 lines (+782/-9), 7 files modified: debian/changelog (+682/-1), debian/control (+4/-3), debian/openvpn@.service (+1/-1), debian/patches/openvpn-fips-2.4.patch (+90/-0), debian/patches/series (+1/-0), debian/tests/server-setup-with-ca (+2/-2), debian/tests/server-setup-with-static-key (+2/-2) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Lucas Kanashiro (community) | Approve | ||
Canonical Server packageset reviewers | Pending | ||
Canonical Server | Pending | ||
Review via email: mp+398987@code.launchpad.net |
Commit message
Description of the change
Hey,
This MP is a merge with what's in Debian sid (which is a bug fix release from upstream),
PPA could be found at: https:/
Tests passing:
```
autopkgtest [19:48:45]: test server-
autopkgtest [19:48:46]: test server-
server-
autopkgtest [19:48:46]: @@@@@@@
server-
server-
```
Requesting you to review and upload the same. TIA! :)
Lucas Kanashiro (lucaskanashiro) wrote:
Uploaded:
```
$ git push pkg upload/
Enumerating objects: 43, done.
Counting objects: 100% (43/43), done.
Delta compression using up to 8 threads
Compressing objects: 100% (28/28), done.
Writing objects: 100% (33/33), 10.41 KiB | 1.49 MiB/s, done.
Total 33 (delta 23), reused 6 (delta 5), pack-reused 0
To ssh://git.
* [new tag] upload/
$ dput ubuntu ../openvpn_
D: Setting host argument.
Checking signature on .changes
gpg: ../openvpn_
Checking signature on .dsc
gpg: ../openvpn_
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading openvpn_
Uploading openvpn_
Uploading openvpn_
Successfully uploaded packages.
```
Bryce Harrington (bryce) wrote:
This has migrated
* openvpn: merge-lp1917438
- Source Package: openvpn
- Current Version: 2.5.1-1ubuntu1
- Debian Version: 2.5.1-1
- New Version: 2.5.1-1ubuntu1
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index 0636869..845db0b 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,9 +1,44 @@ |
6 | +openvpn (2.5.1-1ubuntu1) hirsute; urgency=medium |
7 | + |
8 | + * Merge with Debian unstable (LP: #1917438). Remaining changes: |
9 | + - d/control: Demote easy-rsa to Suggests (universe package). |
10 | + - debian/openvpn@.service: Add '--script-security 2' similar to what |
11 | + got added to debian/openvpn.init.d ages ago (LP #1454725) |
12 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl. |
13 | + + d/t/server-setup-*: adapt tests to output of v2.5.0 |
14 | + |
15 | + -- Utkarsh Gupta <utkarsh.gupta@canonical.com> Tue, 02 Mar 2021 16:35:37 +0530 |
16 | + |
17 | openvpn (2.5.1-1) unstable; urgency=medium |
18 | |
19 | * New upstream version 2.5.1 (bugfix release) |
20 | |
21 | -- Bernhard Schmidt <berni@debian.org> Wed, 24 Feb 2021 19:54:34 +0100 |
22 | |
23 | +openvpn (2.5.0-1ubuntu1) hirsute; urgency=medium |
24 | + |
25 | + * Merge with Debian unstable. Remaining changes: |
26 | + - d/control: Demote easy-rsa to Suggests (universe package). |
27 | + - debian/openvpn@.service: Add '--script-security 2' similar to what |
28 | + got added to debian/openvpn.init.d ages ago (LP #1454725) |
29 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl. |
30 | + [updated to match 2.5.0] |
31 | + * Dropped changes [in Debian since 2.5~beta3-1] |
32 | + - d/tests: add two DEP-8 test cases |
33 | + + d/t/server-setup-with-static-key: test the OpenVPN server side setup |
34 | + using a static key. |
35 | + + d/t/server-setup-with-ca: test the OpenVPN server side setup using a |
36 | + CA built with easy-rsa. |
37 | + - d/openvpn*.service: Drop reload support from systemd unit files |
38 | + (LP #1868127). The current reload implementation (sending a SIGHUP |
39 | + signal to the process) fails, and the difference between reload and |
40 | + restart is not clear. Systemd does not require an implementation for |
41 | + reload. |
42 | + * Added Changes: |
43 | + - d/t/server-setup-*: adapt tests to output of v2.5.0 |
44 | + |
45 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 01 Dec 2020 16:15:12 +0100 |
46 | + |
47 | openvpn (2.5.0-1) unstable; urgency=medium |
48 | |
49 | * New upstream version 2.5.0 - final release |
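Review bot: In the new 2.5.1-1ubuntu1 entry, "+ d/t/server-setup-*: adapt tests to output of v2.5.0" is written with a "+" marker at sub-item depth, so it reads as a detail of the d/p/openvpn-fips-2.4.patch bullet although it is an unrelated change to the DEP-8 tests. The 2.5.0-1ubuntu1 entry in the same hunk lists the identical change as a "-" item under "Added Changes"; write it here as "- d/t/server-setup-*: adapt tests to output of v2.5.0" at the same indentation as the other remaining changes, so the carried delta (easy-rsa demotion, '--script-security 2', the FIPS MD5 patch, the test adaptation) reads as four separate items.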
50 | @@ -29,7 +64,7 @@ openvpn (2.5~beta3-1) unstable; urgency=medium |
51 | |
52 | [ Lucas Kanashiro ] |
53 | * Add two DEP-8 test cases for the server side |
54 | - * Drop reload support from systemd unit files (LP: #1868127) |
55 | + * Drop reload support from systemd unit files (LP 1868127) |
56 | |
57 | [ Bernhard Schmidt ] |
58 | * Revert "d/gbp.conf for experimental 2.5 branch" |
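Review bot: The -/+ pair on "Drop reload support from systemd unit files" rewrites "(LP: #1868127)" to "(LP 1868127)" inside the 2.5~beta3-1 entry, which is an already released Debian entry and not part of this upload, so the edit becomes extra delta against Debian's changelog that every later merge has to carry. If the aim is to stop Launchpad from acting on the bug reference again, state that in the commit message and settle on one neutralised spelling: the entries added at the top of this diff write the same bug as "(LP #1868127)", with the hash, while this line drops it.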
59 | @@ -59,6 +94,26 @@ openvpn (2.5~beta1-1) experimental; urgency=medium |
60 | |
61 | -- Bernhard Schmidt <berni@debian.org> Sat, 15 Aug 2020 21:32:49 +0200 |
62 | |
63 | +openvpn (2.4.9-3ubuntu1) groovy; urgency=medium |
64 | + |
65 | + * Merge with Debian unstable. Remaining changes: |
66 | + - d/control: Demote easy-rsa to Suggests (universe package). |
67 | + - debian/openvpn@.service: Add '--script-security 2' similar to what |
68 | + got added to debian/openvpn.init.d ages ago (LP #1454725) |
69 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl. |
70 | + - d/tests: add two DEP-8 test cases |
71 | + + d/t/server-setup-with-static-key: test the OpenVPN server side setup |
72 | + using a static key. |
73 | + + d/t/server-setup-with-ca: test the OpenVPN server side setup using a |
74 | + CA built with easy-rsa. |
75 | + - d/openvpn*.service: Drop reload support from systemd unit files |
76 | + (LP #1868127). The current reload implementation (sending a SIGHUP |
77 | + signal to the process) fails, and the difference between reload and |
78 | + restart is not clear. Systemd does not require an implementation for |
79 | + reload. |
80 | + |
81 | + -- Lucas Kanashiro <kanashiro@ubuntu.com> Tue, 18 Aug 2020 08:42:11 -0300 |
82 | + |
83 | openvpn (2.4.9-3) unstable; urgency=medium |
84 | |
85 | [ Jörg Frings-Fürst ] |
86 | @@ -77,6 +132,28 @@ openvpn (2.4.9-3) unstable; urgency=medium |
87 | |
88 | -- Jörg Frings-Fürst <debian@jff.email> Sat, 02 May 2020 18:14:36 +0200 |
89 | |
90 | +openvpn (2.4.9-2ubuntu2) groovy; urgency=medium |
91 | + |
92 | + * Drop reload support from systemd unit files (LP: #1868127) |
93 | + |
94 | + -- Lucas Kanashiro <kanashiro@ubuntu.com> Tue, 26 May 2020 19:04:33 -0300 |
95 | + |
96 | +openvpn (2.4.9-2ubuntu1) groovy; urgency=medium |
97 | + |
98 | + * Merge with Debian unstable. Remaining changes: |
99 | + - d/control: Demote easy-rsa to Suggests (universe package). |
100 | + - debian/openvpn@.service: Add '--script-security 2' similar to what |
101 | + got added to debian/openvpn.init.d ages ago (LP 1454725) |
102 | + - Allow MD5 for PRF in FIPS mode openssl. |
103 | + * Added changes: |
104 | + - d/tests: add two DEP-8 test cases |
105 | + + d/t/server-setup-with-static-key: test the OpenVPN server side setup |
106 | + using a static key. |
107 | + + d/t/server-setup-with-ca: test the OpenVPN server side setup using a |
108 | + CA built with easy-rsa. |
109 | + |
110 | + -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Wed, 29 Apr 2020 15:35:56 -0300 |
111 | + |
112 | openvpn (2.4.9-2) unstable; urgency=medium |
113 | |
114 | * Cherry-Pick upstream patch to fix ssl_do_config error with |
115 | @@ -112,6 +189,28 @@ openvpn (2.4.9-1) unstable; urgency=medium |
116 | |
117 | -- Bernhard Schmidt <berni@debian.org> Sun, 19 Apr 2020 15:52:57 +0200 |
118 | |
119 | +openvpn (2.4.7-1ubuntu2) eoan; urgency=medium |
120 | + |
121 | + * No-change upload with strops.h and sys/strops.h removed in glibc. |
122 | + |
123 | + -- Matthias Klose <doko@ubuntu.com> Thu, 05 Sep 2019 11:05:25 +0000 |
124 | + |
125 | +openvpn (2.4.7-1ubuntu1) eoan; urgency=medium |
126 | + |
127 | + * Merge with Debian unstable (LP: #1828771). Remaining changes: |
128 | + - d/control: Demote easy-rsa to Suggests (universe package). |
129 | + - debian/openvpn@.service: Add '--script-security 2' similar to what got |
130 | + added to debian/openvpn.init.d ages ago (LP 1454725) |
131 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF. |
132 | + (LP 1807439) |
133 | + * Dropped changes: |
134 | + - d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout |
135 | + scripts breaking due to sudo/pam being unable to audit the action. |
136 | + Fixed in upstream issue #918, suggested to Debian in #868806 (LP 1787208) |
137 | + [in Debian now] |
138 | + |
139 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 13 May 2019 15:55:22 +0200 |
140 | + |
141 | openvpn (2.4.7-1) unstable; urgency=medium |
142 | |
143 | [ Bernhard Schmidt ] |
144 | @@ -131,6 +230,30 @@ openvpn (2.4.7-1) unstable; urgency=medium |
145 | |
146 | -- Bernhard Schmidt <berni@debian.org> Wed, 20 Feb 2019 14:50:03 +0100 |
147 | |
148 | +openvpn (2.4.6-1ubuntu3) disco; urgency=medium |
149 | + |
150 | + * d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF. |
151 | + (LP: #1807439) |
152 | + |
153 | + -- Joy Latten <joy.latten@canonical.com> Wed, 09 Jan 2019 12:25:59 -0600 |
154 | + |
155 | +openvpn (2.4.6-1ubuntu2) cosmic; urgency=medium |
156 | + |
157 | + * d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout |
158 | + scripts breaking due to sudo/pam being unable to audit the action. |
159 | + Fixed in upstream issue #918, suggested to Debian in #868806 (LP: #1787208) |
160 | + |
161 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Sep 2018 10:57:35 +0200 |
162 | + |
163 | +openvpn (2.4.6-1ubuntu1) cosmic; urgency=medium |
164 | + |
165 | + * Merge with Debian unstable. Remaining changes: |
166 | + - d/control: Demote easy-rsa to Suggests (universe package). |
167 | + - debian/openvpn@.service: Add '--script-security 2' similar to what got |
168 | + added to debian/openvpn.init.d ages ago (LP 1454725) |
169 | + |
170 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 20 Aug 2018 13:30:20 +0200 |
171 | + |
172 | openvpn (2.4.6-1) unstable; urgency=medium |
173 | |
174 | [ Jörg Frings-Fürst ] |
175 | @@ -174,6 +297,15 @@ openvpn (2.4.5-1) unstable; urgency=medium |
176 | |
177 | -- Bernhard Schmidt <berni@debian.org> Sun, 04 Mar 2018 22:23:47 +0100 |
178 | |
179 | +openvpn (2.4.4-2ubuntu1) bionic; urgency=low |
180 | + |
181 | + * Sync with Debian. Remaining changes: |
182 | + - debian/openvpn@.service: Add "--script-security 2" similar to what got |
183 | + added to debian/openvpn.init.d ages ago (LP: #1454725) |
184 | + - Demote easy-rsa to Suggests (universe package). |
185 | + |
186 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 10 Feb 2018 20:27:56 +0000 |
187 | + |
188 | openvpn (2.4.4-2) unstable; urgency=medium |
189 | |
190 | * Build against OpenSSL 1.1.0 (Closes: #828477) |
191 | @@ -181,6 +313,15 @@ openvpn (2.4.4-2) unstable; urgency=medium |
192 | |
193 | -- Bernhard Schmidt <berni@debian.org> Mon, 11 Dec 2017 00:22:11 +0100 |
194 | |
195 | +openvpn (2.4.4-1ubuntu1) bionic; urgency=medium |
196 | + |
197 | + * Sync with Debian. Remaining changes: |
198 | + - debian/openvpn@.service: Add "--script-security 2" similar to what got |
199 | + added to debian/openvpn.init.d ages ago (LP: #1454725) |
200 | + - Demote easy-rsa to Suggests (universe package). |
201 | + |
202 | + -- Jeremy Bicha <jbicha@ubuntu.com> Sat, 28 Oct 2017 15:13:58 -0400 |
203 | + |
204 | openvpn (2.4.4-1) unstable; urgency=medium |
205 | |
206 | [ Jörg Frings-Fürst ] |
207 | @@ -302,6 +443,65 @@ openvpn (2.4.0-5) unstable; urgency=high |
208 | |
209 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 May 2017 14:15:21 +0200 |
210 | |
211 | +openvpn (2.4.0-4ubuntu1.3) zesty-security; urgency=medium |
212 | + |
213 | + * SECURITY UPDATE: Remotely-triggerable ASSERT() on malformed IPv6 packet |
214 | + - debian/patches/CVE-2017-7508.patch: remove assert in |
215 | + src/openvpn/mss.c. |
216 | + - CVE-2017-7508 |
217 | + * SECURITY UPDATE: Remote-triggerable memory leaks |
218 | + - debian/patches/CVE-2017-7512.patch: fix leaks in |
219 | + src/openvpn/ssl_verify_openssl.c. |
220 | + - CVE-2017-7512 |
221 | + * SECURITY UPDATE: Pre-authentication remote crash/information disclosure |
222 | + for clients |
223 | + - debian/patches/CVE-2017-7520.patch: prevent two kinds of stack buffer |
224 | + OOB reads and a crash for invalid input data in src/openvpn/ntlm.c. |
225 | + - CVE-2017-7520 |
226 | + * SECURITY UPDATE: Potential double-free in --x509-alt-username and |
227 | + memory leaks |
228 | + - debian/patches/CVE-2017-7521.patch: fix double-free in |
229 | + src/openvpn/ssl_verify_openssl.c. |
230 | + - CVE-2017-7521 |
231 | + * SECURITY UPDATE: DoS in establish_http_proxy_passthru() |
232 | + - debian/patches/establish_http_proxy_passthru_dos.patch: fix |
233 | + null-pointer dereference in src/openvpn/proxy.c. |
234 | + - No CVE number |
235 | + |
236 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 22 Jun 2017 08:37:49 -0400 |
237 | + |
238 | +openvpn (2.4.0-4ubuntu1.2) zesty-security; urgency=medium |
239 | + |
240 | + * SECURITY UPDATE: pre-authentication denial-of-service vulnerability |
241 | + (both client and server) from a too-large control packet. |
242 | + - debian/patches/CVE-2017-7478.patch: Do not assert on too-large |
243 | + control packet |
244 | + - CVE-2017-7478 |
245 | + * SECURITY UPDATE: authenticated remote DoS vulnerability due to |
246 | + packet ID rollover |
247 | + - debian/patches/CVE-2017-7479-prereq.patch: merge |
248 | + packet_id_alloc_outgoing() into packet_id_write() |
249 | + - debian/patches/CVE-2017-7478.patch: do not assert when packet ID |
250 | + rollover occurs |
251 | + - CVE-2017-7478 |
252 | + * SECURITY UPDATE: auth tokens left in memory after de-auth |
253 | + - debian/patches/wipe_tokens_on_de-auth.patch: always wipe token |
254 | + as soon as a TLS session is considered broken. |
255 | + |
256 | + -- Steve Beattie <sbeattie@ubuntu.com> Wed, 10 May 2017 15:21:05 -0700 |
257 | + |
258 | +openvpn (2.4.0-4ubuntu1) zesty; urgency=medium |
259 | + |
260 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
261 | + - debian/openvpn@.service: Add "--script-security 2" similar to what got |
262 | + added to debian/openvpn.init.d ages ago (LP: #1454725) |
263 | + - Demote easy-rsa to Suggests (universe package). |
264 | + * Drop: |
265 | + - debian/control: Actually drop the initscripts dependency. |
266 | + (Closes: #804968). Already in Debian |
267 | + |
268 | + -- Jon Grimm <jon.grimm@canonical.com> Fri, 10 Feb 2017 12:16:57 -0600 |
269 | + |
270 | openvpn (2.4.0-4) unstable; urgency=medium |
271 | |
272 | * Add NEWS entries on possible 2.4 migration issues. |
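Review bot: In the restored 2.4.0-4ubuntu1.2 entry, the "packet ID rollover" item lists debian/patches/CVE-2017-7478.patch and "- CVE-2017-7478", the same patch name and CVE as the too-large control packet item directly above it, while its prerequisite patch is named CVE-2017-7479-prereq.patch. That looks like a copy-paste slip for CVE-2017-7479 in the original upload. Since this is a released entry being carried forward, the text should stay as it was published, but anyone auditing CVE coverage from this changelog will not find the CVE-2017-7479 string for that fix. The third item (auth tokens left in memory) also carries no CVE line, where the 2.4.0-4ubuntu1.3 entry in the same hunk writes "No CVE number" explicitly.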
273 | @@ -371,6 +571,24 @@ openvpn (2.3.11-2) unstable; urgency=medium |
274 | |
275 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 23 May 2016 09:55:30 +0200 |
276 | |
277 | +openvpn (2.3.11-1ubuntu2) yakkety; urgency=medium |
278 | + |
279 | + * debian/control: Actually drop the initscripts dependency. |
280 | + (Closes: #804968) |
281 | + |
282 | + -- Martin Pitt <martin.pitt@ubuntu.com> Wed, 22 Jun 2016 16:54:51 +0200 |
283 | + |
284 | +openvpn (2.3.11-1ubuntu1) yakkety; urgency=medium |
285 | + |
286 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
287 | + - debian/openvpn@.service: Add "--script-security 2" similar to what got |
288 | + added to debian/openvpn.init.d ages ago (see LP: #260291). |
289 | + - Demote easy-rsa to Suggests (universe package). |
290 | + * Drop intrusive changes (showing per-VPN result messages) from |
291 | + debian/openvpn.init.d. This isn't being used under systemd. |
292 | + |
293 | + -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 20 May 2016 17:30:27 +0200 |
294 | + |
295 | openvpn (2.3.11-1) unstable; urgency=medium |
296 | |
297 | * New upstream release. |
298 | @@ -382,6 +600,25 @@ openvpn (2.3.11-1) unstable; urgency=medium |
299 | |
300 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 10 May 2016 17:41:53 +0200 |
301 | |
302 | +openvpn (2.3.10-1ubuntu2) xenial; urgency=medium |
303 | + |
304 | + * debian/openvpn@.service: Add --script-security similar to what got added |
305 | + to debian/openvpn.init.d ages ago (see LP #260291). (LP: #1454725) |
306 | + |
307 | + -- Martin Pitt <martin.pitt@ubuntu.com> Tue, 02 Feb 2016 13:33:39 +0100 |
308 | + |
309 | +openvpn (2.3.10-1ubuntu1) xenial; urgency=medium |
310 | + |
311 | + * Merge with Debian unstable (LP: #1536568). Remaining Ubuntu changes: |
312 | + - debian/openvpn.init.d: |
313 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
314 | + + Show per-VPN result messages. |
315 | + + Add "--script-security 2" by default for backwards compatabliity. |
316 | + (LP #260291) |
317 | + - Demote easy-rsa to Suggests |
318 | + |
319 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Thu, 21 Jan 2016 11:37:08 +0100 |
320 | + |
321 | openvpn (2.3.10-1) unstable; urgency=medium |
322 | |
323 | * New upstream release. (Closes: #804368) |
324 | @@ -400,6 +637,21 @@ openvpn (2.3.10-1) unstable; urgency=medium |
325 | |
326 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 20 Jan 2016 12:01:36 +0100 |
327 | |
328 | +openvpn (2.3.8-1ubuntu1) xenial; urgency=medium |
329 | + |
330 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
331 | + - debian/openvpn.init.d: |
332 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
333 | + + Show per-VPN result messages. |
334 | + + Add "--script-security 2" by default for backwards compatabliity. |
335 | + - Demote easy-rsa to Suggests |
336 | + - Run openvpn@.service before systemd-user-sessions.service to avoid |
337 | + gettys and lightdm starting on top of possible password prompts. This |
338 | + provides the equivalent of the init.d script's X-Start-Before:. |
339 | + (Closes: #803032) |
340 | + |
341 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 04 Jan 2016 11:48:31 +0100 |
342 | + |
343 | openvpn (2.3.8-1) unstable; urgency=medium |
344 | |
345 | * New upstream release. Drop patch from 2.3.7-2. |
346 | @@ -413,6 +665,21 @@ openvpn (2.3.8-1) unstable; urgency=medium |
347 | |
348 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 28 Oct 2015 17:34:26 +0100 |
349 | |
350 | +openvpn (2.3.7-2ubuntu1) xenial; urgency=medium |
351 | + |
352 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
353 | + - debian/openvpn.init.d: |
354 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
355 | + + Show per-VPN result messages. |
356 | + + Add "--script-security 2" by default for backwards compatabliity. |
357 | + - Demote easy-rsa to Suggests |
358 | + - Run openvpn@.service before systemd-user-sessions.service to avoid |
359 | + gettys and lightdm starting on top of possible password prompts. This |
360 | + provides the equivalent of the init.d script's X-Start-Before:. |
361 | + (Closes: #803032) |
362 | + |
363 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 26 Oct 2015 09:32:31 +0100 |
364 | + |
365 | openvpn (2.3.7-2) unstable; urgency=medium |
366 | |
367 | * Move libsystemd-daemon-dev Build-Dep to libsystemd-dev. |
368 | @@ -423,6 +690,20 @@ openvpn (2.3.7-2) unstable; urgency=medium |
369 | |
370 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 08 Sep 2015 08:23:19 +0000 |
371 | |
372 | +openvpn (2.3.7-1ubuntu1) wily; urgency=medium |
373 | + |
374 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
375 | + - debian/openvpn.init.d: |
376 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
377 | + + Show per-VPN result messages. |
378 | + + Add "--script-security 2" by default for backwards compatabliity. |
379 | + - Demote easy-rsa to Suggests |
380 | + - Run openvpn@.service before systemd-user-sessions.service to avoid |
381 | + gettys and lightdm starting on top of possible password prompts. This |
382 | + provides the equivalent of the init.d script's X-Start-Before:. |
383 | + |
384 | + -- Martin Pitt <martin.pitt@ubuntu.com> Wed, 08 Jul 2015 12:28:54 +0200 |
385 | + |
386 | openvpn (2.3.7-1) unstable; urgency=medium |
387 | |
388 | * New upstream version |
389 | @@ -444,6 +725,20 @@ openvpn (2.3.5-1) unstable; urgency=medium |
390 | |
391 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Oct 2014 17:44:06 +0100 |
392 | |
393 | +openvpn (2.3.4-5ubuntu1) wily; urgency=medium |
394 | + |
395 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
396 | + - debian/openvpn.init.d: |
397 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
398 | + + Show per-VPN result messages. |
399 | + + Add "--script-security 2" by default for backwards compatabliity. |
400 | + - Demote easy-rsa to Suggests |
401 | + - Run openvpn@.service before systemd-user-sessions.service to avoid |
402 | + gettys and lightdm starting on top of possible password prompts. This |
403 | + provides the equivalent of the init.d script's X-Start-Before:. |
404 | + |
405 | + -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 07 May 2015 15:35:52 +0200 |
406 | + |
407 | openvpn (2.3.4-5) unstable; urgency=high |
408 | |
409 | * Apply upstream patch that fixes possible DoS by authenticated |
410 | @@ -502,6 +797,52 @@ openvpn (2.3.3-1) experimental; urgency=medium |
411 | |
412 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 17 Mar 2014 19:40:12 +0100 |
413 | |
414 | +openvpn (2.3.2-9ubuntu4) vivid; urgency=medium |
415 | + |
416 | + * Run openvpn@.service before systemd-user-sessions.service to avoid gettys |
417 | + and lightdm starting on top of possible password prompts. This provides |
418 | + the equivalent of the init.d script's X-Start-Before:. |
419 | + |
420 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 13 Apr 2015 16:09:01 -0500 |
421 | + |
422 | +openvpn (2.3.2-9ubuntu3) vivid; urgency=medium |
423 | + |
424 | + * Add better_systemd_detection.patch to avoid calling systemd-ask-password |
425 | + under upstart. Backported from upstream. (Closes: #747265) |
426 | + * Add systemd unit and generator from current Debian package. This avoids |
427 | + using the init.d script, which unnecessarily blocks lightdm startup on the |
428 | + network becoming online even if there are no auto-start connections |
429 | + (LP: #1443489). |
430 | + |
431 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 13 Apr 2015 11:22:56 -0500 |
432 | + |
433 | +openvpn (2.3.2-9ubuntu2) vivid; urgency=medium |
434 | + |
435 | + * SECURITY UPDATE: server denial of service via too-short control channel |
436 | + packets |
437 | + - debian/patches/CVE-2014-8104.patch: drop too-short control channel |
438 | + packets instead of asserting out in src/openvpn/ssl.c. |
439 | + - CVE-2014-8104 |
440 | + * debian/patches/update_certs.patch: update test certs to fix FTBFS. |
441 | + |
442 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Dec 2014 15:26:58 -0500 |
443 | + |
444 | +openvpn (2.3.2-9ubuntu1) utopic; urgency=medium |
445 | + |
446 | + * Merge from Debian unstable. Remaining changes: |
447 | + - debian/openvpn.init.d: |
448 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
449 | + + Show per-VPN result messages. |
450 | + + Add "--script-security 2" by default for backwards compatabliity. |
451 | + - Demote easy-rsa to Suggests |
452 | + - Patch libtool.m4 and configure to support ppc64el. |
453 | + - Refresh delta with debian/openvpn.init.d: |
454 | + + Make stop action reliable by killing if needed |
455 | + (LP: #1274254, LP: #1200519) |
456 | + + Use new path for status file (LP: #1261088) |
457 | + |
458 | + -- Stéphane Graber <stgraber@ubuntu.com> Fri, 02 May 2014 16:00:55 -0400 |
459 | + |
460 | openvpn (2.3.2-9) unstable; urgency=medium |
461 | |
462 | * Create /run/openvpn in init script even if no VPN is |
463 | @@ -517,6 +858,33 @@ openvpn (2.3.2-8) unstable; urgency=medium |
464 | |
465 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 14 Mar 2014 12:59:57 +0100 |
466 | |
467 | +openvpn (2.3.2-7ubuntu3) trusty; urgency=medium |
468 | + |
469 | + [ Simon Deziel ] |
470 | + * Refresh delta with debian/openvpn.init.d: |
471 | + - Make stop action reliable by killing if needed |
472 | + (LP: #1274254, LP: #1200519) |
473 | + - Use new path for status file (LP: #1261088) |
474 | + |
475 | + -- Stéphane Graber <stgraber@ubuntu.com> Tue, 04 Feb 2014 09:31:39 -0500 |
476 | + |
477 | +openvpn (2.3.2-7ubuntu2) trusty; urgency=medium |
478 | + |
479 | + * Patch libtool.m4 and configure to support ppc64el. |
480 | + |
481 | + -- Matthias Klose <doko@ubuntu.com> Mon, 30 Dec 2013 12:32:35 +0100 |
482 | + |
483 | +openvpn (2.3.2-7ubuntu1) trusty; urgency=low |
484 | + |
485 | + * Merge from Debian unstable. Remaining changes: |
486 | + - debian/openvpn.init.d: |
487 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
488 | + + Show per-VPN result messages. |
489 | + + Add "--script-security 2" by default for backwards compatabliity. |
490 | + - Demote easy-rsa to Suggests |
491 | + |
492 | + -- Stéphane Graber <stgraber@ubuntu.com> Mon, 02 Dec 2013 18:14:42 -0500 |
493 | + |
494 | openvpn (2.3.2-7) unstable; urgency=low |
495 | |
496 | * Fix postinst when no *.pid files exist in /run/sendsigs.omit.d/. |
497 | @@ -533,6 +901,17 @@ openvpn (2.3.2-6) unstable; urgency=low |
498 | |
499 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 27 Nov 2013 13:58:33 +0100 |
500 | |
501 | +openvpn (2.3.2-5ubuntu1) trusty; urgency=low |
502 | + |
503 | + * Merge from Debian unstable. Remaining changes: |
504 | + - debian/openvpn.init.d: |
505 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
506 | + + Show per-VPN result messages. |
507 | + + Add "--script-security 2" by default for backwards compatabliity. |
508 | + - Demote easy-rsa to Suggests |
509 | + |
510 | + -- Stéphane Graber <stgraber@ubuntu.com> Mon, 21 Oct 2013 13:07:37 -0400 |
511 | + |
512 | openvpn (2.3.2-5) unstable; urgency=low |
513 | |
514 | * Patch init script to fix race conditions on restarts. |
515 | @@ -542,6 +921,16 @@ openvpn (2.3.2-5) unstable; urgency=low |
516 | |
517 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 15 Jul 2013 16:10:59 +0200 |
518 | |
519 | +openvpn (2.3.2-4ubuntu1) saucy; urgency=low |
520 | + |
521 | + * Merge from Debian unstable. Remaining changes: |
522 | + - debian/openvpn.init.d: |
523 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
524 | + + Show per-VPN result messages. |
525 | + + Add "--script-security 2" by default for backwards compatabliity. |
526 | + |
527 | + -- Stéphane Graber <stgraber@ubuntu.com> Tue, 09 Jul 2013 17:20:31 -0400 |
528 | + |
529 | openvpn (2.3.2-4) unstable; urgency=low |
530 | |
531 | * Fix depends on iproute to iproute2. |
532 | @@ -574,6 +963,23 @@ openvpn (2.3.2-1) unstable; urgency=low |
533 | |
534 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 03 Jun 2013 18:48:44 +0200 |
535 | |
536 | +openvpn (2.3.1-2ubuntu2) saucy; urgency=low |
537 | + |
538 | + * Move easy-rsa from Recommends to Suggests as it's not in main and isn't |
539 | + actually required to operate an openvpn server. |
540 | + |
541 | + -- Stéphane Graber <stgraber@ubuntu.com> Wed, 19 Jun 2013 14:37:54 -0400 |
542 | + |
543 | +openvpn (2.3.1-2ubuntu1) saucy; urgency=low |
544 | + |
545 | + * Merge from Debian unstable. Remaining changes: |
546 | + - debian/openvpn.init.d: |
547 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
548 | + + Show per-VPN result messages. |
549 | + + Add "--script-security 2" by default for backwards compatabliity. |
550 | + |
551 | + -- Stéphane Graber <stgraber@ubuntu.com> Fri, 24 May 2013 17:42:45 -0400 |
552 | + |
553 | openvpn (2.3.1-2) unstable; urgency=low |
554 | |
555 | * Add net-tools to Build-Depends. (Closes: #709108) |
556 | @@ -601,6 +1007,32 @@ openvpn (2.3~rc1-1) experimental; urgency=low |
557 | |
558 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 05 Nov 2012 16:31:15 +0100 |
559 | |
560 | +openvpn (2.2.1-8ubuntu3) raring; urgency=low |
561 | + |
562 | + [ Marc Gariépy ] |
563 | + * Add --script-security to the init.d script (was generated but not passed |
564 | + to openvpn). (LP: #1124398) |
565 | + |
566 | + -- Stéphane Graber <stgraber@ubuntu.com> Wed, 13 Feb 2013 16:10:48 -0500 |
567 | + |
568 | +openvpn (2.2.1-8ubuntu2) quantal; urgency=low |
569 | + |
570 | + * Rebuild for new armel compiler default of ARMv5t. |
571 | + |
572 | + -- Colin Watson <cjwatson@ubuntu.com> Mon, 08 Oct 2012 08:36:47 +0100 |
573 | + |
574 | +openvpn (2.2.1-8ubuntu1) precise; urgency=low |
575 | + |
576 | + * Merge at Simon Deziel's request to build with PIE. |
577 | + * Merge from Debian unstable. Remaining changes: |
578 | + + debian/openvpn.init.d: |
579 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
580 | + - Show per-VPN result messages. |
581 | + - Add "--script-security 2" by default for backwards compatabliity. |
582 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
583 | + |
584 | + -- Stéphane Graber <stgraber@ubuntu.com> Fri, 30 Mar 2012 13:19:09 -0400 |
585 | + |
586 | openvpn (2.2.1-8) unstable; urgency=low |
587 | |
588 | * Enable "PIE" and "BINDOW" hardening flags. |
589 | @@ -625,6 +1057,17 @@ openvpn (2.2.1-6) unstable; urgency=low |
590 | |
591 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Mar 2012 13:44:50 +0100 |
592 | |
593 | +openvpn (2.2.1-5ubuntu1) precise; urgency=low |
594 | + |
595 | + * Merge from Debian unstable. Remaining changes: (LP: #907828) |
596 | + + debian/openvpn.init.d: |
597 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
598 | + - Show per-VPN result messages. |
599 | + - Add "--script-security 2" by default for backwards compatabliity. |
600 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
601 | + |
602 | + -- Stéphane Graber <stgraber@ubuntu.com> Sat, 25 Feb 2012 21:08:48 -0500 |
603 | + |
604 | openvpn (2.2.1-5) unstable; urgency=low |
605 | |
606 | * Avoid sending ICMP redirects when using tun devices and "subnet" |
607 | @@ -647,6 +1090,20 @@ openvpn (2.2.1-4) unstable; urgency=low |
608 | |
609 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 08 Feb 2012 16:31:32 +0100 |
610 | |
611 | +openvpn (2.2.1-3ubuntu1) precise; urgency=low |
612 | + |
613 | + * Merge from Debian testing. Remaining changes: |
614 | + + debian/openvpn.init.d: |
615 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
616 | + - Show per-VPN result messages. |
617 | + - Add "--script-security 2" by default for backwards compatabliity. |
618 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
619 | + + debian/update-resolv-conf: Support multiple domains. |
620 | + + fix bug where '--script-security 2' would be passed for all |
621 | + daemons after the first. (LP: #794916) |
622 | + |
623 | + -- Chuck Short <zulcss@ubuntu.com> Sat, 31 Dec 2011 04:55:56 +0000 |
624 | + |
625 | openvpn (2.2.1-3) unstable; urgency=low |
626 | |
627 | * The iproute fiasco release. |
628 | @@ -675,6 +1132,20 @@ openvpn (2.2.1-1) unstable; urgency=low |
629 | |
630 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 13 Dec 2011 11:04:22 +0100 |
631 | |
632 | +openvpn (2.2.0-2ubuntu1) oneiric; urgency=low |
633 | + |
634 | + * Merge from debian unstable. Remaining changes: |
635 | + + debian/openvpn.init.d: |
636 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
637 | + - Show per-VPN result messages. |
638 | + - Add "--script-security 2" by default for backwards compatabliity. |
639 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
640 | + + debian/update-resolv-conf: Support multiple domains. |
641 | + + fix bug where '--script-security 2' would be passed for all |
642 | + daemons after the first. (LP: #794916 |
643 | + |
644 | + -- Chuck Short <zulcss@ubuntu.com> Thu, 16 Jun 2011 18:33:37 +0100 |
645 | + |
646 | openvpn (2.2.0-2) unstable; urgency=low |
647 | |
648 | * Upload to unstable |
649 | @@ -709,6 +1180,45 @@ openvpn (2.1.3-5) experimental; urgency=low |
650 | |
651 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 22 Mar 2011 10:57:18 +0100 |
652 | |
653 | +openvpn (2.1.3-4.1ubuntu2) oneiric; urgency=low |
654 | + |
655 | + [Alexander Zielke] |
656 | + * fix bug where '--script-security 2' would be passed for all |
657 | + daemons after the first. (LP: #794916) |
658 | + |
659 | + -- Scott Moser <smoser@ubuntu.com> Thu, 09 Jun 2011 13:59:08 -0400 |
660 | + |
661 | +openvpn (2.1.3-4.1ubuntu1) oneiric; urgency=low |
662 | + |
663 | + * Merge from debian unstable. Remaining changes: |
664 | + + debian/openvpn.init.d: |
665 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
666 | + - Show per-VPN result messages. |
667 | + - Add "--script-security 2" by default for backwards compatabliity. |
668 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
669 | + + debian/update-resolv-conf: Support multiple domains. |
670 | + |
671 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 17 May 2011 02:14:39 +0100 |
672 | + |
673 | +openvpn (2.1.3-4.1) unstable; urgency=low |
674 | + |
675 | + * Non-maintainer upload. |
676 | + * Drop hard-coded dependency on libssl0.9.8. (Closes: #623503) |
677 | + |
678 | + -- Philipp Kern <pkern@debian.org> Mon, 09 May 2011 23:20:03 +0200 |
679 | + |
680 | +openvpn (2.1.3-4ubuntu1) oneiric; urgency=low |
681 | + |
682 | + * Merge from debian unstable. Remaining changes: |
683 | + + debian/openvpn.init.d: |
684 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
685 | + - Show per-VPN result messages. |
686 | + - Add "--script-security 2" by default for backwards compatabliity. |
687 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
688 | + + debian/update-resolv-conf: Support multiple domains. |
689 | + |
690 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Mar 2011 23:28:26 +0000 |
691 | + |
692 | openvpn (2.1.3-4) unstable; urgency=low |
693 | |
694 | * Updated JuanJo's IPv6 patch. Now really fixes use from xinetd. |
695 | @@ -731,6 +1241,31 @@ openvpn (2.1.3-3) unstable; urgency=low |
696 | |
697 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 11 Mar 2011 13:08:12 +0100 |
698 | |
699 | +openvpn (2.1.3-2ubuntu3) natty; urgency=low |
700 | + |
701 | + * update-resolv-conf: Correctly handle multiple dns search domains, |
702 | + using the same logic as nameservers. Patch courtesy of Jeremy |
703 | + Zawodny. (LP: #662847) |
704 | + |
705 | + -- Dave Walker (Daviey) <DaveWalker@ubuntu.com> Fri, 11 Mar 2011 00:23:59 +0000 |
706 | + |
707 | +openvpn (2.1.3-2ubuntu2) natty; urgency=low |
708 | + |
709 | + * update-resolv-conf: Support mulitple domains (LP: #714358) |
710 | + |
711 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 14 Feb 2011 15:21:46 -0500 |
712 | + |
713 | +openvpn (2.1.3-2ubuntu1) natty; urgency=low |
714 | + |
715 | + * Merge from debian unstable. Remaining changes: |
716 | + + debian/openvpn.init.d: |
717 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
718 | + - Show per-VPN result messages. |
719 | + - Add "--script-security 2" by default for backwards compatabliity. |
720 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
721 | + |
722 | + -- Chuck Short <zulcss@ubuntu.com> Sat, 23 Oct 2010 01:59:28 +0100 |
723 | + |
724 | openvpn (2.1.3-2) unstable; urgency=low |
725 | |
726 | * Applied upstream patch to solve random routes added when using |
727 | @@ -738,6 +1273,24 @@ openvpn (2.1.3-2) unstable; urgency=low |
728 | |
729 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 21 Oct 2010 12:21:33 +0200 |
730 | |
731 | +openvpn (2.1.3-1ubuntu2) natty; urgency=low |
732 | + |
733 | + * Fix jjo-ipv6-support.patch to avoid assertion failure at socket.c:629 in |
734 | + corner cases where ! host && addr (LP: #627973) |
735 | + |
736 | + -- Thierry Carrez (ttx) <thierry.carrez@ubuntu.com> Wed, 20 Oct 2010 16:22:25 +0200 |
737 | + |
738 | +openvpn (2.1.3-1ubuntu1) natty; urgency=low |
739 | + |
740 | + * Merge from debian unstable. Remaining changes: |
741 | + + debian/openvpn.init.d: |
742 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
743 | + - Show per-VPN result messages. |
744 | + - Add "--script-security 2" by default for backwards compatablitiy |
745 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
746 | + |
747 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 05 Oct 2010 06:21:14 +0100 |
748 | + |
749 | openvpn (2.1.3-1) unstable; urgency=low |
750 | |
751 | * New upstream release (Closes: #595684) |
752 | @@ -749,6 +1302,17 @@ openvpn (2.1.3-1) unstable; urgency=low |
753 | |
754 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Sep 2010 13:07:37 +0200 |
755 | |
756 | +openvpn (2.1.0-3ubuntu1) maverick; urgency=low |
757 | + |
758 | + * Merge from debian unstable. Remaining changes: |
759 | + + debian/openvpn.init.d: |
760 | + - Do not use start-stop-daemon and use </dev/null to avoid blocking boot |
761 | + - Show per-VPN result messages |
762 | + - Add "--script-security 2" by default for backwards compatablitiy |
763 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
764 | + |
765 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 12 Jul 2010 09:39:43 -0400 |
766 | + |
767 | openvpn (2.1.0-3) unstable; urgency=low |
768 | |
769 | * The 'happy birthday to me' release |
770 | @@ -758,6 +1322,24 @@ openvpn (2.1.0-3) unstable; urgency=low |
771 | |
772 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Jul 2010 12:22:09 +0200 |
773 | |
774 | +openvpn (2.1.0-2ubuntu2) maverick; urgency=low |
775 | + |
776 | + * debian/patches/client_hang_when_server_dont_push.patch: Fix client hanging |
777 | + on PUSH_REQUEST when server does not push any option (LP: #579737) |
778 | + |
779 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Mon, 28 Jun 2010 10:45:23 +0200 |
780 | + |
781 | +openvpn (2.1.0-2ubuntu1) maverick; urgency=low |
782 | + |
783 | + * Merge from debian unstable. Remaining changes: |
784 | + + debian/openvpn.init.d: |
785 | + - Do not use start-stop-daemon and use </dev/null to avoid blocking boot |
786 | + - Show per-VPN result messages |
787 | + - Add "--script-security 2" by default for backwards compatablitiy |
788 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
789 | + |
790 | + -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 03:06:19 +0100 |
791 | + |
792 | openvpn (2.1.0-2) unstable; urgency=low |
793 | |
794 | * Patched ssl.[ch] to fix integer overflow. (Closes: #576827) |
795 | @@ -770,6 +1352,17 @@ openvpn (2.1.0-2) unstable; urgency=low |
796 | |
797 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Sat, 10 Apr 2010 17:26:42 +0200 |
798 | |
799 | +openvpn (2.1.0-1ubuntu1) lucid; urgency=low |
800 | + |
801 | + * Merge from debian testing (LP: #509078), remaining changes: |
802 | + + debian/openvpn.init.d: |
803 | + - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot |
804 | + - Show per-VPN result messages |
805 | + - Add "--script-security 2" by default for backwards compatibility |
806 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
807 | + |
808 | + -- Jan Brinkmann <lucky@the-luckyduck.de> Fri, 22 Jan 2010 00:47:33 +0100 |
809 | + |
810 | openvpn (2.1.0-1) unstable; urgency=low |
811 | |
812 | * New upstream release |
813 | @@ -807,6 +1400,20 @@ openvpn (2.1~rc20-3) unstable; urgency=low |
814 | |
815 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 04 Nov 2009 17:18:03 +0100 |
816 | |
817 | +openvpn (2.1~rc20-2ubuntu1) lucid; urgency=low |
818 | + |
819 | + * Merge from debian testing, remaining changes: |
820 | + + debian/openvpn.init.d: |
821 | + - Do not use start-stop-daemon and use < /dev/null to avoid blocking |
822 | + boot. |
823 | + - show per-VPN result messages |
824 | + - add "--script-security 2" by default for backwards compatibility |
825 | + - Add lab-base >= 3.2-14 to allow status_of_proc() |
826 | + + Dropped debian/patches/redirect-gateway.patch: Already applied |
827 | + upstream. |
828 | + |
829 | + -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 01:36:35 +0000 |
830 | + |
831 | openvpn (2.1~rc20-2) unstable; urgency=low |
832 | |
833 | * init.d script: Added X-Interactive header. (Closes: #549424) |
834 | @@ -831,6 +1438,25 @@ openvpn (2.1~rc19-2) unstable; urgency=low |
835 | |
836 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Sun, 30 Aug 2009 20:20:11 +0200 |
837 | |
838 | +openvpn (2.1~rc19-1ubuntu2) karmic; urgency=low |
839 | + |
840 | + * debian/patches/redirect-gateway.patch: Fix regression introduced in |
841 | + 2.1rc17 that makes redirect-gateway (without options) to be ignored. |
842 | + Patch cherrypicked from upstream 2.1rc20 (SVN r5011), LP: #445695 |
843 | + |
844 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 13 Oct 2009 09:31:20 +0200 |
845 | + |
846 | +openvpn (2.1~rc19-1ubuntu1) karmic; urgency=low |
847 | + |
848 | + * Merge from debian unstable (LP: #404099), remaining changes: |
849 | + - debian/openvpn.init.d: |
850 | + - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot |
851 | + - show per-VPN result messages |
852 | + - add "--script-security 2" by default for backwards compatibility |
853 | + - Added lsb-base>=3.2-14 depend to allow status_of_proc() |
854 | + |
855 | + -- Bhavani Shankar <right2bhavi@gmail.com> Fri, 24 Jul 2009 19:22:13 +0530 |
856 | + |
857 | openvpn (2.1~rc19-1) unstable; urgency=low |
858 | |
859 | * New upstream version |
860 | @@ -840,6 +1466,17 @@ openvpn (2.1~rc19-1) unstable; urgency=low |
861 | |
862 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 21 Jul 2009 17:00:56 +0200 |
863 | |
864 | +openvpn (2.1~rc15-1ubuntu1) karmic; urgency=low |
865 | + |
866 | + * Merge from debian unstable (LP: #372358), remaining changes: |
867 | + - debian/openvpn.init.d: |
868 | + - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot |
869 | + - show per-VPN result messages |
870 | + - add "--script-security 2" by default for backwards compatibility |
871 | + - Added lsb-base>=3.2-14 depend to allow status_of_proc() |
872 | + |
873 | + -- Andres Rodriguez <andreserl@ubuntu.com> Tue, 05 May 2009 14:25:37 -0500 |
874 | + |
875 | openvpn (2.1~rc15-1) unstable; urgency=low |
876 | |
877 | * New upstream version (Closes: #515575) |
878 | @@ -859,6 +1496,33 @@ openvpn (2.1~rc15-1) unstable; urgency=low |
879 | |
880 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 30 Apr 2009 12:35:05 +0200 |
881 | |
882 | +openvpn (2.1~rc11-1ubuntu3) jaunty; urgency=low |
883 | + |
884 | + * debian/openvpn.init.d: |
885 | + - Fix unexpected operator on startup (LP: #340120) |
886 | + |
887 | + -- Michael Jeanson <mjeanson@revolutionlinux.com> Mon, 09 Mar 2009 16:02:50 -0400 |
888 | + |
889 | +openvpn (2.1~rc11-1ubuntu2) intrepid; urgency=low |
890 | + |
891 | + * debian/openvpn.init.d: |
892 | + - Revert fix from #454371 that was merged at 2.1~rc7-4 to prevent |
893 | + openvpn prompts from blocking the boot (LP: #280428) |
894 | + - Fix VPNs always reported started [ OK ] |
895 | + |
896 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Wed, 15 Oct 2008 17:12:54 +0200 |
897 | + |
898 | +openvpn (2.1~rc11-1ubuntu1) intrepid; urgency=low |
899 | + |
900 | + * Merge with Debian (LP: #279655), remaining diffs: |
901 | + - debian/openvpn.init.d: Added 'status' action to init script, show |
902 | + per-VPN result messages and add "--script-security 2" by default for |
903 | + backwards compatibility |
904 | + - debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc() |
905 | + * Fixes regression when calling commands with arguments (LP: #277447) |
906 | + |
907 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 07 Oct 2008 16:30:44 +0200 |
908 | + |
909 | openvpn (2.1~rc11-1) unstable; urgency=low |
910 | |
911 | * New upstream version |
912 | @@ -879,6 +1543,23 @@ openvpn (2.1~rc10-1) unstable; urgency=low |
913 | |
914 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 Sep 2008 16:58:37 +0200 |
915 | |
916 | +openvpn (2.1~rc9-3ubuntu2) intrepid; urgency=low |
917 | + |
918 | + * debian/openvpn.init.d: |
919 | + - Added 'status' action to init script (LP: #251641) |
920 | + - Restored per-VPN result messages by using log_action_begin_msg and |
921 | + one log_daemon_msg per VPN instead of log_progress_msg (LP: #264966) |
922 | + * debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc() |
923 | + |
924 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 09 Sep 2008 10:45:45 +0200 |
925 | + |
926 | +openvpn (2.1~rc9-3ubuntu1) intrepid; urgency=low |
927 | + |
928 | + * debian/openvpn.init.d: Add "--script-security 2" by default for backwards compatibility |
929 | + (LP: #260291) |
930 | + |
931 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 25 Aug 2008 10:20:31 -0400 |
932 | + |
933 | openvpn (2.1~rc9-3) unstable; urgency=low |
934 | |
935 | * debian/rules: run ./configure with path to 'route', for |
936 | diff --git a/debian/control b/debian/control |
937 | index 63a8262..40ed491 100644 |
938 | --- a/debian/control |
939 | +++ b/debian/control |
940 | @@ -1,7 +1,8 @@ |
941 | Source: openvpn |
942 | Section: net |
943 | Priority: optional |
944 | -Maintainer: Bernhard Schmidt <berni@debian.org> |
945 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
946 | +XSBC-Original-Maintainer: Bernhard Schmidt <berni@debian.org> |
947 | Uploaders: Jörg Frings-Fürst <debian@jff.email> |
948 | Build-Depends: |
949 | debhelper-compat (= 12), |
950 | @@ -39,8 +40,8 @@ Depends: |
951 | Suggests: |
952 | openssl, |
953 | resolvconf, |
954 | - openvpn-systemd-resolved |
955 | -Recommends: easy-rsa |
956 | + openvpn-systemd-resolved, |
957 | + easy-rsa |
958 | Description: virtual private network daemon |
959 | OpenVPN is an application to securely tunnel IP networks over a |
960 | single UDP or TCP port. It can be used to access remote sites, make |
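Review bot: the second debian/control hunk removes the `Recommends:` field and moves easy-rsa to the end of `Suggests:`, so a default install no longer pulls in easy-rsa, and nothing in the hunk says why. The rationale should be stated in the changelog's list of remaining changes for debian/control. It is also worth checking that no shipped documentation or example still assumes easy-rsa is present after a plain install of openvpn.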
961 | diff --git a/debian/openvpn@.service b/debian/openvpn@.service |
962 | index 945874b..6d59b13 100644 |
963 | --- a/debian/openvpn@.service |
964 | +++ b/debian/openvpn@.service |
965 | @@ -12,7 +12,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO |
966 | Type=notify |
967 | PrivateTmp=true |
968 | WorkingDirectory=/etc/openvpn |
969 | -ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid |
970 | +ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid |
971 | PIDFile=/run/openvpn/%i.pid |
972 | KillMode=process |
973 | CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE |
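Review bot: the added `--script-security 2` on the ExecStart line lets every `openvpn@` instance run user-defined scripts by default, and the unit file carries no comment saying so or explaining why. Those scripts run under the same unit, whose CapabilityBoundingSet still includes CAP_DAC_OVERRIDE, CAP_SETUID and CAP_SETGID, so the default deserves to be visible to administrators. Since the flag is placed before `--config`, a per-instance configuration should still be able to set its own `script-security` level. Suggest a short comment above ExecStart stating that this is a backwards-compatibility default and that a config file can set a stricter level.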
974 | diff --git a/debian/patches/openvpn-fips-2.4.patch b/debian/patches/openvpn-fips-2.4.patch |
975 | new file mode 100644 |
976 | index 0000000..1c4f068 |
977 | --- /dev/null |
978 | +++ b/debian/patches/openvpn-fips-2.4.patch |
979 | @@ -0,0 +1,90 @@ |
980 | +Description: Use openssl FIPS flag to indicate MD5 use for PRF. |
981 | + MD5 is not allowed in FIPS 140-2 except for PRF. OpenVPN needs |
982 | + to send EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag to FIPS mode openssl |
983 | + for PRF to indicate the exception. |
984 | +Bug: https://community.openvpn.net/openvpn/ticket/725 |
985 | +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1807439 |
986 | +Author: Stephan Mueller <stephan.mueller@atsec.com> |
987 | + |
988 | +--- a/src/openvpn/crypto.c |
989 | ++++ b/src/openvpn/crypto.c |
990 | +@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const |
991 | + if (kt->digest && kt->hmac_length > 0) |
992 | + { |
993 | + ctx->hmac = hmac_ctx_new(); |
994 | +- hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest); |
995 | ++ hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0); |
996 | + |
997 | + msg(D_HANDSHAKE, |
998 | + "%s: Using %d bit message hash '%s' for HMAC authentication", |
999 | +--- a/src/openvpn/crypto_backend.h |
1000 | ++++ b/src/openvpn/crypto_backend.h |
1001 | +@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx); |
1002 | + * @param key The key to use for the HMAC |
1003 | + * @param key_len The key length to use |
1004 | + * @param kt Static message digest parameters |
1005 | ++ * @param prf_use Intended use for PRF in TLS protocol |
1006 | + * |
1007 | + */ |
1008 | + void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length, |
1009 | +- const md_kt_t *kt); |
1010 | ++ const md_kt_t *kt, bool prf_use); |
1011 | + |
1012 | + /* |
1013 | + * Free the given HMAC context. |
1014 | +--- a/src/openvpn/crypto_mbedtls.c |
1015 | ++++ b/src/openvpn/crypto_mbedtls.c |
1016 | +@@ -919,7 +919,7 @@ hmac_ctx_free(mbedtls_md_context_t *ctx) |
1017 | + |
1018 | + void |
1019 | + hmac_ctx_init(mbedtls_md_context_t *ctx, const uint8_t *key, int key_len, |
1020 | +- const mbedtls_md_info_t *kt) |
1021 | ++ const mbedtls_md_info_t *kt, bool prf_use) |
1022 | + { |
1023 | + ASSERT(NULL != kt && NULL != ctx); |
1024 | + |
1025 | +--- a/src/openvpn/crypto_openssl.c |
1026 | ++++ b/src/openvpn/crypto_openssl.c |
1027 | +@@ -1006,11 +1006,17 @@ hmac_ctx_free(HMAC_CTX *ctx) |
1028 | + |
1029 | + void |
1030 | + hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, |
1031 | +- const EVP_MD *kt) |
1032 | ++ const EVP_MD *kt, bool prf_use) |
1033 | + { |
1034 | + ASSERT(NULL != kt && NULL != ctx); |
1035 | + |
1036 | + HMAC_CTX_reset(ctx); |
1037 | ++ |
1038 | ++ /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not |
1039 | ++ * to be used anywhere else */ |
1040 | ++ if(kt == EVP_md5() && prf_use) |
1041 | ++ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); |
1042 | ++ |
1043 | + HMAC_Init_ex(ctx, key, key_len, kt, NULL); |
1044 | + |
1045 | + /* make sure we used a big enough key */ |
1046 | +--- a/src/openvpn/ntlm.c |
1047 | ++++ b/src/openvpn/ntlm.c |
1048 | +@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da |
1049 | + const md_kt_t *md5_kt = md_kt_get("MD5"); |
1050 | + hmac_ctx_t *hmac_ctx = hmac_ctx_new(); |
1051 | + |
1052 | +- hmac_ctx_init(hmac_ctx, key, key_len, md5_kt); |
1053 | ++ hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0); |
1054 | + hmac_ctx_update(hmac_ctx, data, data_len); |
1055 | + hmac_ctx_final(hmac_ctx, result); |
1056 | + hmac_ctx_cleanup(hmac_ctx); |
1057 | +--- a/src/openvpn/ssl.c |
1058 | ++++ b/src/openvpn/ssl.c |
1059 | +@@ -1632,8 +1632,8 @@ tls1_P_hash(const md_kt_t *md_kt, |
1060 | + int chunk = md_kt_size(md_kt); |
1061 | + unsigned int A1_len = md_kt_size(md_kt); |
1062 | + |
1063 | +- hmac_ctx_init(ctx, sec, sec_len, md_kt); |
1064 | +- hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt); |
1065 | ++ hmac_ctx_init(ctx, sec, sec_len, md_kt, 1); |
1066 | ++ hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1); |
1067 | + |
1068 | + hmac_ctx_update(ctx,seed,seed_len); |
1069 | + hmac_ctx_final(ctx, A1); |
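Review bot: in the crypto_openssl.c part of this patch the return value of `HMAC_Init_ex(ctx, key, key_len, kt, NULL)` is still ignored. When a FIPS-mode OpenSSL refuses MD5 for a caller that passes `prf_use` as 0, as `gen_hmac_md5()` in ntlm.c now does, nothing reports the failure at the point where it happens. Suggest checking the result and failing with a clear message there, so that a rejected non-PRF MD5 use shows up as an explicit error rather than as a later symptom.

Smaller points:

- Callers pass `0` and `1` for a `bool` parameter; `false` and `true` would read better.
- The mbedtls `hmac_ctx_init()` accepts `prf_use` but the hunk shows no use of it; a `(void)prf_use;` or a one-line comment would make the intent clear.
- `if(kt == EVP_md5() && prf_use)` compares digest pointers; comparing the digest type is less fragile if `kt` ever comes from a different lookup path.
- The DEP-3 header has no `Forwarded:` or `Last-Update:` field.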
1070 | diff --git a/debian/patches/series b/debian/patches/series |
1071 | index 55bae8e..12d3a83 100644 |
1072 | --- a/debian/patches/series |
1073 | +++ b/debian/patches/series |
1074 | @@ -5,3 +5,4 @@ openvpn-pkcs11warn.patch |
1075 | #kfreebsd_support.patch |
1076 | match-manpage-and-command-help.patch |
1077 | systemd.patch |
1078 | +openvpn-fips-2.4.patch |
1079 | diff --git a/debian/tests/server-setup-with-ca b/debian/tests/server-setup-with-ca |
1080 | index 58df2e9..08a879e 100755 |
1081 | --- a/debian/tests/server-setup-with-ca |
1082 | +++ b/debian/tests/server-setup-with-ca |
1083 | @@ -75,10 +75,10 @@ info "Check if Diffie-Hellman was initialized" |
1084 | cat $LOG_FILE | grep 'Diffie-Hellman initialized' |
1085 | |
1086 | info "Check if the $DEVICE is linked" |
1087 | -cat $LOG_FILE | grep "/sbin/ip link set dev $DEVICE up" |
1088 | +cat $LOG_FILE | grep "net_iface_up: set $DEVICE up" |
1089 | |
1090 | info "Check if the network route was correctly configured" |
1091 | -cat $LOG_FILE | grep "/sbin/ip route add $IP_NETWORK/24" |
1092 | +cat $LOG_FILE | grep "net_route_v4_add: $IP_NETWORK/24 via" |
1093 | |
1094 | info "Check if the Initialization Sequence completed" |
1095 | cat $LOG_FILE | grep 'Initialization Sequence Completed' |
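Review bot: the new route check passes `"net_route_v4_add: $IP_NETWORK/24 via"` to grep as a regular expression, so the dots of the interpolated address match any character, and `$LOG_FILE` is unquoted on both changed lines. Suggest fixed-string matching without the extra cat, for example `grep -F -- "net_route_v4_add: $IP_NETWORK/24 via" "$LOG_FILE"`. Both checks now depend on the exact wording of OpenVPN's `net_iface_up:` and `net_route_v4_add:` log messages, so a comment saying where those strings come from would help the next person who has to update them, as this change had to for the old `/sbin/ip` strings.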
1096 | diff --git a/debian/tests/server-setup-with-static-key b/debian/tests/server-setup-with-static-key |
1097 | index 9ddaecd..8c0addf 100755 |
1098 | --- a/debian/tests/server-setup-with-static-key |
1099 | +++ b/debian/tests/server-setup-with-static-key |
1100 | @@ -50,10 +50,10 @@ info "Check if the $STATIC_KEY is used by OpenVPN" |
1101 | cat $LOG_FILE | grep "shared_secret_file = '$CONFIG_DIR/$STATIC_KEY'" |
1102 | |
1103 | info "Check if the $DEVICE is linked" |
1104 | -cat $LOG_FILE | grep "/sbin/ip link set dev $DEVICE up" |
1105 | +cat $LOG_FILE | grep "net_iface_up: set $DEVICE up" |
1106 | |
1107 | info "Check if the specified IP addresses were configured" |
1108 | -cat $LOG_FILE | grep "/sbin/ip addr add dev tun0 local $IP_SERVER peer $IP_CLIENT" |
1109 | +cat $LOG_FILE | grep "net_addr_ptp_v4_add: $IP_SERVER peer $IP_CLIENT dev tun0" |
1110 | |
1111 | # Clean up: kill tha OpenVPN process, remove the $DEVICE created and $STATIC_KEY |
1112 | cleanup() { |
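Review bot: the new address check hard-codes `tun0` in `"net_addr_ptp_v4_add: $IP_SERVER peer $IP_CLIENT dev tun0"` while the link check two lines above it uses `$DEVICE`. If `$DEVICE` is ever changed the two checks will disagree. Suggest `dev $DEVICE` in the pattern. As in the other test, `grep -F` with a quoted `"$LOG_FILE"` would stop the dots in `$IP_SERVER` and `$IP_CLIENT` from acting as regex wildcards.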
* Changelog:
- [√] old content and logical tag match as expected
- [√] changelog entry correct version and targeted codename
- [√] changelog entries correct
- [√] update-maintainer has been run
* Actual changes:
- [√] no upstream changes to consider
- [√] no further upstream version to consider
- [√] debian changes look safe
* Old Delta:
- [-] dropped changes are ok to be dropped
- [√] nothing else to drop
- [√] changes forwarded upstream/debian (if appropriate)
* New Delta: patches/ series
- [√] no new patches added
- [-] patches match what was proposed upstream
- [-] patches correctly included in debian/
- [-] patches have correct DEP3 metadata
* Build/Test:
- [√] build is ok
- [√] verified PPA package installs/uninstalls
- [√] autopkgtest against the PPA package passes
- [√] sanity checks test fine
LGTM, +1.
I am going to sponsor this upload for you, please track its migration to the release pocket.