Ubuntu
openvpn package

Merge ~utkarsh/ubuntu/+source/openvpn:merge-openvpn-impish into ubuntu/+source/openvpn:debian/sid

Proposed by Utkarsh Gupta on 2021-05-17

Status:	Merged
Merge reported by:	Utkarsh Gupta
Merged at revision:	769fd64b627bdae3d18ca552a2b84988f290d33c
Proposed branch:	~utkarsh/ubuntu/+source/openvpn:merge-openvpn-impish
Merge into:	ubuntu/+source/openvpn:debian/sid
Diff against target:	1116 lines (+802/-5) 5 files modified debian/changelog (+706/-1) debian/control (+4/-3) debian/openvpn@.service (+1/-1) debian/patches/openvpn-fips-2.4.patch (+90/-0) debian/patches/series (+1/-0)
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Robie Basak	2021-05-17	Approve on 2021-05-18
Christian Ehrhardt  (community)	2021-05-17	Abstain on 2021-05-18
Canonical Server	2021-05-18	Pending
Canonical Server packageset reviewers	2021-05-17	Pending
git-ubuntu developers	2021-05-17	Pending
Review via email: mp+402809@code.launchpad.net

Description of the change

Hey,

Yet another merge -> bug fixes one though.
PPA at https://launchpad.net/~utkarsh/+archive/ubuntu/experimental-dump.

Build's good and autopkgtest passes:
```
autopkgtest [16:56:46]: @@@@@@@@@@@@@@@@@@@@ summary
server-setup-with-ca PASS
server-setup-with-static-key PASS
```

Requesting you to please review and sponsor the upload. TIA! \o/

[Assigning review to Robie]

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2021-05-18:

Really not meant to be free for all, so I consumed the Team review slot with this update

review: Abstain

Revision history for this message

Robie Basak (racb) wrote on 2021-05-18:

Looks good!

Although merge is correct, your logical tag is wrong. The tree of lp1917438/logical/2.5.0-1ubuntu1 should be identical to pkg/import/2.5.0-1ubuntu1 except for debian/changelog and update-maintainer. The idea is that it should reflect the _previous_ Ubuntu delta precisely, but broken down. Instead, it looks like you either already dropped the delta you were going to drop for this merge, or tagged it late. It doesn't matter this time, but it helps with the workflow and assists review if it is correct.

Uploaded.

review: Approve

Revision history for this message

Utkarsh Gupta (utkarsh) wrote on 2021-05-18:

Ooh yeah, I *did* drop the delta already and then tagged the logical tag. My bad. Thanks for the upload, though! \o/

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Utkarsh Gupta

git-ubuntu developers

 diff --git a/debian/changelog b/debian/changelog
 index f1c969f..a1eb824 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,16 @@
++openvpn (2.5.1-3ubuntu1) impish; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what
++      got added to debian/openvpn.init.d ages ago (LP #1454725)
++    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
++  * Dropped changes:
++    - d/t/server-setup-*: adapt tests to output of v2.5.0
++      [Included in 2.5.1-3]
++
++ -- Utkarsh Gupta <utkarsh.gupta@canonical.com>  Mon, 17 May 2021 14:38:17 +0530
++
  openvpn (2.5.1-3) unstable; urgency=medium
    * Fix autopkgtest (Closes: #983662)
@@ -7,6 +20,17 @@ openvpn (2.5.1-3) unstable; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Fri, 14 May 2021 09:40:04 +0200
++openvpn (2.5.1-2ubuntu1) impish; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what
++      got added to debian/openvpn.init.d ages ago (LP #1454725)
++    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
++    - d/t/server-setup-*: adapt tests to output of v2.5.0
++
++ -- Athos Ribeiro <athos.ribeiro@canonical.com>  Mon, 03 May 2021 17:56:39 -0300
++
  openvpn (2.5.1-2) unstable; urgency=high
    * Cherry-Pick 3 (+ 1 predependency) patches from upstream to fix
@@ -15,12 +39,47 @@ openvpn (2.5.1-2) unstable; urgency=high
   -- Bernhard Schmidt <berni@debian.org>  Wed, 28 Apr 2021 14:41:58 +0200
++openvpn (2.5.1-1ubuntu1) hirsute; urgency=medium
++
++  * Merge with Debian unstable (LP: #1917438). Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what
++      got added to debian/openvpn.init.d ages ago (LP #1454725)
++    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
++      + d/t/server-setup-*: adapt tests to output of v2.5.0
++
++ -- Utkarsh Gupta <utkarsh.gupta@canonical.com>  Tue, 02 Mar 2021 16:35:37 +0530
++
  openvpn (2.5.1-1) unstable; urgency=medium
    * New upstream version 2.5.1 (bugfix release)
   -- Bernhard Schmidt <berni@debian.org>  Wed, 24 Feb 2021 19:54:34 +0100
++openvpn (2.5.0-1ubuntu1) hirsute; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what
++      got added to debian/openvpn.init.d ages ago (LP #1454725)
++    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
++      [updated to match 2.5.0]
++  * Dropped changes [in Debian since 2.5~beta3-1]
++    - d/tests: add two DEP-8 test cases
++      + d/t/server-setup-with-static-key: test the OpenVPN server side setup
++        using a static key.
++      + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
++        CA built with easy-rsa.
++    - d/openvpn*.service: Drop reload support from systemd unit files
++      (LP #1868127).  The current reload implementation (sending a SIGHUP
++      signal to the process) fails, and the difference between reload and
++      restart is not clear. Systemd does not require an implementation for
++      reload.
++  * Added Changes:
++    - d/t/server-setup-*: adapt tests to output of v2.5.0
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 01 Dec 2020 16:15:12 +0100
++
  openvpn (2.5.0-1) unstable; urgency=medium
    * New upstream version 2.5.0 - final release
@@ -46,7 +105,7 @@ openvpn (2.5~beta3-1) unstable; urgency=medium
    [ Lucas Kanashiro ]
    * Add two DEP-8 test cases for the server side
--  * Drop reload support from systemd unit files (LP: #1868127)
++  * Drop reload support from systemd unit files (LP 1868127)
    [ Bernhard Schmidt ]
    * Revert "d/gbp.conf for experimental 2.5 branch"
@@ -76,6 +135,26 @@ openvpn (2.5~beta1-1) experimental; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Sat, 15 Aug 2020 21:32:49 +0200
++openvpn (2.4.9-3ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what
++      got added to debian/openvpn.init.d ages ago (LP #1454725)
++    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
++    - d/tests: add two DEP-8 test cases
++      + d/t/server-setup-with-static-key: test the OpenVPN server side setup
++        using a static key.
++      + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
++        CA built with easy-rsa.
++    - d/openvpn*.service: Drop reload support from systemd unit files
++      (LP #1868127).  The current reload implementation (sending a SIGHUP
++      signal to the process) fails, and the difference between reload and
++      restart is not clear. Systemd does not require an implementation for
++      reload.
++
++ -- Lucas Kanashiro <kanashiro@ubuntu.com>  Tue, 18 Aug 2020 08:42:11 -0300
++
  openvpn (2.4.9-3) unstable; urgency=medium
    [ Jörg Frings-Fürst ]
@@ -94,6 +173,28 @@ openvpn (2.4.9-3) unstable; urgency=medium
   -- Jörg Frings-Fürst <debian@jff.email>  Sat, 02 May 2020 18:14:36 +0200
++openvpn (2.4.9-2ubuntu2) groovy; urgency=medium
++
++  * Drop reload support from systemd unit files (LP: #1868127)
++
++ -- Lucas Kanashiro <kanashiro@ubuntu.com>  Tue, 26 May 2020 19:04:33 -0300
++
++openvpn (2.4.9-2ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what
++      got added to debian/openvpn.init.d ages ago (LP 1454725)
++    - Allow MD5 for PRF in FIPS mode openssl.
++  * Added changes:
++    - d/tests: add two DEP-8 test cases
++      + d/t/server-setup-with-static-key: test the OpenVPN server side setup
++        using a static key.
++      + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
++        CA built with easy-rsa.
++
++ -- Lucas Kanashiro <lucas.kanashiro@canonical.com>  Wed, 29 Apr 2020 15:35:56 -0300
++
  openvpn (2.4.9-2) unstable; urgency=medium
    * Cherry-Pick upstream patch to fix ssl_do_config error with
@@ -129,6 +230,28 @@ openvpn (2.4.9-1) unstable; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Sun, 19 Apr 2020 15:52:57 +0200
++openvpn (2.4.7-1ubuntu2) eoan; urgency=medium
++
++  * No-change upload with strops.h and sys/strops.h removed in glibc.
++
++ -- Matthias Klose <doko@ubuntu.com>  Thu, 05 Sep 2019 11:05:25 +0000
++
++openvpn (2.4.7-1ubuntu1) eoan; urgency=medium
++
++  * Merge with Debian unstable (LP: #1828771). Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what got
++      added to debian/openvpn.init.d ages ago (LP 1454725)
++    - d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
++      (LP 1807439)
++  * Dropped changes:
++    - d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout
++      scripts breaking due to sudo/pam being unable to audit the action.
++      Fixed in upstream issue #918, suggested to Debian in #868806 (LP 1787208)
++      [in Debian now]
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 13 May 2019 15:55:22 +0200
++
  openvpn (2.4.7-1) unstable; urgency=medium
    [ Bernhard Schmidt ]
@@ -148,6 +271,30 @@ openvpn (2.4.7-1) unstable; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Wed, 20 Feb 2019 14:50:03 +0100
++openvpn (2.4.6-1ubuntu3) disco; urgency=medium
++
++  * d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
++    (LP: #1807439)
++
++ -- Joy Latten <joy.latten@canonical.com>  Wed, 09 Jan 2019 12:25:59 -0600
++
++openvpn (2.4.6-1ubuntu2) cosmic; urgency=medium
++
++  * d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout
++    scripts breaking due to sudo/pam being unable to audit the action.
++    Fixed in upstream issue #918, suggested to Debian in #868806 (LP: #1787208)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 03 Sep 2018 10:57:35 +0200
++
++openvpn (2.4.6-1ubuntu1) cosmic; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: Demote easy-rsa to Suggests (universe package).
++    - debian/openvpn@.service: Add '--script-security 2' similar to what got
++      added to debian/openvpn.init.d ages ago (LP 1454725)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 20 Aug 2018 13:30:20 +0200
++
  openvpn (2.4.6-1) unstable; urgency=medium
    [ Jörg Frings-Fürst ]
@@ -191,6 +338,15 @@ openvpn (2.4.5-1) unstable; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Sun, 04 Mar 2018 22:23:47 +0100
++openvpn (2.4.4-2ubuntu1) bionic; urgency=low
++
++  * Sync with Debian. Remaining changes:
++    - debian/openvpn@.service: Add "--script-security 2" similar to what got
++      added to debian/openvpn.init.d ages ago (LP: #1454725)
++    - Demote easy-rsa to Suggests (universe package).
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Sat, 10 Feb 2018 20:27:56 +0000
++
  openvpn (2.4.4-2) unstable; urgency=medium
    * Build against OpenSSL 1.1.0 (Closes: #828477)
@@ -198,6 +354,15 @@ openvpn (2.4.4-2) unstable; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Mon, 11 Dec 2017 00:22:11 +0100
++openvpn (2.4.4-1ubuntu1) bionic; urgency=medium
++
++  * Sync with Debian. Remaining changes:
++    - debian/openvpn@.service: Add "--script-security 2" similar to what got
++      added to debian/openvpn.init.d ages ago (LP: #1454725)
++    - Demote easy-rsa to Suggests (universe package).
++
++ -- Jeremy Bicha <jbicha@ubuntu.com>  Sat, 28 Oct 2017 15:13:58 -0400
++
  openvpn (2.4.4-1) unstable; urgency=medium
    [ Jörg Frings-Fürst ]
@@ -319,6 +484,65 @@ openvpn (2.4.0-5) unstable; urgency=high
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Thu, 11 May 2017 14:15:21 +0200
++openvpn (2.4.0-4ubuntu1.3) zesty-security; urgency=medium
++
++  * SECURITY UPDATE: Remotely-triggerable ASSERT() on malformed IPv6 packet
++    - debian/patches/CVE-2017-7508.patch: remove assert in
++      src/openvpn/mss.c.
++    - CVE-2017-7508
++  * SECURITY UPDATE: Remote-triggerable memory leaks
++    - debian/patches/CVE-2017-7512.patch: fix leaks in
++      src/openvpn/ssl_verify_openssl.c.
++    - CVE-2017-7512
++  * SECURITY UPDATE: Pre-authentication remote crash/information disclosure
++    for clients
++    - debian/patches/CVE-2017-7520.patch: prevent two kinds of stack buffer
++      OOB reads and a crash for invalid input data in src/openvpn/ntlm.c.
++    - CVE-2017-7520
++  * SECURITY UPDATE: Potential double-free in --x509-alt-username and
++    memory leaks
++    - debian/patches/CVE-2017-7521.patch: fix double-free in
++      src/openvpn/ssl_verify_openssl.c.
++    - CVE-2017-7521
++  * SECURITY UPDATE: DoS in establish_http_proxy_passthru()
++    - debian/patches/establish_http_proxy_passthru_dos.patch: fix
++      null-pointer dereference in src/openvpn/proxy.c.
++    - No CVE number
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 22 Jun 2017 08:37:49 -0400
++
++openvpn (2.4.0-4ubuntu1.2) zesty-security; urgency=medium
++
++  * SECURITY UPDATE: pre-authentication denial-of-service vulnerability
++    (both client and server) from a too-large control packet.
++    - debian/patches/CVE-2017-7478.patch: Do not assert on too-large
++      control packet
++    - CVE-2017-7478
++  * SECURITY UPDATE: authenticated remote DoS vulnerability due to
++    packet ID rollover
++    - debian/patches/CVE-2017-7479-prereq.patch: merge
++      packet_id_alloc_outgoing() into packet_id_write()
++    - debian/patches/CVE-2017-7478.patch: do not assert when packet ID
++      rollover occurs
++    - CVE-2017-7478
++  * SECURITY UPDATE: auth tokens left in memory after de-auth
++    - debian/patches/wipe_tokens_on_de-auth.patch: always wipe token
++      as soon as a TLS session is considered broken.
++
++ -- Steve Beattie <sbeattie@ubuntu.com>  Wed, 10 May 2017 15:21:05 -0700
++
++openvpn (2.4.0-4ubuntu1) zesty; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn@.service: Add "--script-security 2" similar to what got
++      added to debian/openvpn.init.d ages ago (LP: #1454725)
++    - Demote easy-rsa to Suggests (universe package).
++  * Drop:
++    - debian/control: Actually drop the initscripts dependency.
++      (Closes: #804968). Already in Debian
++
++ -- Jon Grimm <jon.grimm@canonical.com>  Fri, 10 Feb 2017 12:16:57 -0600
++
  openvpn (2.4.0-4) unstable; urgency=medium
    * Add NEWS entries on possible 2.4 migration issues.
@@ -388,6 +612,24 @@ openvpn (2.3.11-2) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 23 May 2016 09:55:30 +0200
++openvpn (2.3.11-1ubuntu2) yakkety; urgency=medium
++
++  * debian/control: Actually drop the initscripts dependency.
++    (Closes: #804968)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Wed, 22 Jun 2016 16:54:51 +0200
++
++openvpn (2.3.11-1ubuntu1) yakkety; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn@.service: Add "--script-security 2" similar to what got
++      added to debian/openvpn.init.d ages ago (see LP: #260291).
++    - Demote easy-rsa to Suggests (universe package).
++  * Drop intrusive changes (showing per-VPN result messages) from
++    debian/openvpn.init.d. This isn't being used under systemd.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Fri, 20 May 2016 17:30:27 +0200
++
  openvpn (2.3.11-1) unstable; urgency=medium
    * New upstream release.
@@ -399,6 +641,25 @@ openvpn (2.3.11-1) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 10 May 2016 17:41:53 +0200
++openvpn (2.3.10-1ubuntu2) xenial; urgency=medium
++
++  * debian/openvpn@.service: Add --script-security similar to what got added
++    to debian/openvpn.init.d ages ago (see LP #260291). (LP: #1454725)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Tue, 02 Feb 2016 13:33:39 +0100
++
++openvpn (2.3.10-1ubuntu1) xenial; urgency=medium
++
++  * Merge with Debian unstable (LP: #1536568). Remaining Ubuntu changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++        (LP #260291)
++    - Demote easy-rsa to Suggests
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Thu, 21 Jan 2016 11:37:08 +0100
++
  openvpn (2.3.10-1) unstable; urgency=medium
    * New upstream release. (Closes: #804368)
@@ -417,6 +678,21 @@ openvpn (2.3.10-1) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 20 Jan 2016 12:01:36 +0100
++openvpn (2.3.8-1ubuntu1) xenial; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++    - Run openvpn@.service before systemd-user-sessions.service to avoid
++      gettys and lightdm starting on top of possible password prompts. This
++      provides the equivalent of the init.d script's X-Start-Before:.
++      (Closes: #803032)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 04 Jan 2016 11:48:31 +0100
++
  openvpn (2.3.8-1) unstable; urgency=medium
    * New upstream release. Drop patch from 2.3.7-2.
@@ -430,6 +706,21 @@ openvpn (2.3.8-1) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 28 Oct 2015 17:34:26 +0100
++openvpn (2.3.7-2ubuntu1) xenial; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++    - Run openvpn@.service before systemd-user-sessions.service to avoid
++      gettys and lightdm starting on top of possible password prompts. This
++      provides the equivalent of the init.d script's X-Start-Before:.
++      (Closes: #803032)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 26 Oct 2015 09:32:31 +0100
++
  openvpn (2.3.7-2) unstable; urgency=medium
    * Move libsystemd-daemon-dev Build-Dep to libsystemd-dev.
@@ -440,6 +731,20 @@ openvpn (2.3.7-2) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 08 Sep 2015 08:23:19 +0000
++openvpn (2.3.7-1ubuntu1) wily; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++    - Run openvpn@.service before systemd-user-sessions.service to avoid
++      gettys and lightdm starting on top of possible password prompts. This
++      provides the equivalent of the init.d script's X-Start-Before:.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Wed, 08 Jul 2015 12:28:54 +0200
++
  openvpn (2.3.7-1) unstable; urgency=medium
    * New upstream version
@@ -461,6 +766,20 @@ openvpn (2.3.5-1) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 29 Oct 2014 17:44:06 +0100
++openvpn (2.3.4-5ubuntu1) wily; urgency=medium
++
++  * Merge with Debian unstable. Remaining Ubuntu changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++    - Run openvpn@.service before systemd-user-sessions.service to avoid
++      gettys and lightdm starting on top of possible password prompts. This
++      provides the equivalent of the init.d script's X-Start-Before:.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Thu, 07 May 2015 15:35:52 +0200
++
  openvpn (2.3.4-5) unstable; urgency=high
    * Apply upstream patch that fixes possible DoS by authenticated
@@ -519,6 +838,52 @@ openvpn (2.3.3-1) experimental; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 17 Mar 2014 19:40:12 +0100
++openvpn (2.3.2-9ubuntu4) vivid; urgency=medium
++
++  * Run openvpn@.service before systemd-user-sessions.service to avoid gettys
++    and lightdm starting on top of possible password prompts. This provides
++    the equivalent of the init.d script's X-Start-Before:.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 13 Apr 2015 16:09:01 -0500
++
++openvpn (2.3.2-9ubuntu3) vivid; urgency=medium
++
++  * Add better_systemd_detection.patch to avoid calling systemd-ask-password
++    under upstart. Backported from upstream. (Closes: #747265)
++  * Add systemd unit and generator from current Debian package. This avoids
++    using the init.d script, which unnecessarily blocks lightdm startup on the
++    network becoming online even if there are no auto-start connections
++    (LP: #1443489).
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 13 Apr 2015 11:22:56 -0500
++
++openvpn (2.3.2-9ubuntu2) vivid; urgency=medium
++
++  * SECURITY UPDATE: server denial of service via too-short control channel
++    packets
++    - debian/patches/CVE-2014-8104.patch: drop too-short control channel
++      packets instead of asserting out in src/openvpn/ssl.c.
++    - CVE-2014-8104
++  * debian/patches/update_certs.patch: update test certs to fix FTBFS.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 01 Dec 2014 15:26:58 -0500
++
++openvpn (2.3.2-9ubuntu1) utopic; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++    - Patch libtool.m4 and configure to support ppc64el.
++    - Refresh delta with debian/openvpn.init.d:
++      + Make stop action reliable by killing if needed
++        (LP: #1274254, LP: #1200519)
++      + Use new path for status file (LP: #1261088)
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Fri, 02 May 2014 16:00:55 -0400
++
  openvpn (2.3.2-9) unstable; urgency=medium
    * Create /run/openvpn in init script even if no VPN is
@@ -534,6 +899,33 @@ openvpn (2.3.2-8) unstable; urgency=medium
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Fri, 14 Mar 2014 12:59:57 +0100
++openvpn (2.3.2-7ubuntu3) trusty; urgency=medium
++
++  [ Simon Deziel ]
++  * Refresh delta with debian/openvpn.init.d:
++   - Make stop action reliable by killing if needed
++     (LP: #1274254, LP: #1200519)
++   - Use new path for status file (LP: #1261088)
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Tue, 04 Feb 2014 09:31:39 -0500
++
++openvpn (2.3.2-7ubuntu2) trusty; urgency=medium
++
++  * Patch libtool.m4 and configure to support ppc64el.
++
++ -- Matthias Klose <doko@ubuntu.com>  Mon, 30 Dec 2013 12:32:35 +0100
++
++openvpn (2.3.2-7ubuntu1) trusty; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Mon, 02 Dec 2013 18:14:42 -0500
++
  openvpn (2.3.2-7) unstable; urgency=low
    * Fix postinst when no *.pid files exist in /run/sendsigs.omit.d/.
@@ -550,6 +942,17 @@ openvpn (2.3.2-6) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 27 Nov 2013 13:58:33 +0100
++openvpn (2.3.2-5ubuntu1) trusty; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++    - Demote easy-rsa to Suggests
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Mon, 21 Oct 2013 13:07:37 -0400
++
  openvpn (2.3.2-5) unstable; urgency=low
    * Patch init script to fix race conditions on restarts.
@@ -559,6 +962,16 @@ openvpn (2.3.2-5) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 15 Jul 2013 16:10:59 +0200
++openvpn (2.3.2-4ubuntu1) saucy; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Tue, 09 Jul 2013 17:20:31 -0400
++
  openvpn (2.3.2-4) unstable; urgency=low
    * Fix depends on iproute to iproute2.
@@ -591,6 +1004,23 @@ openvpn (2.3.2-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 03 Jun 2013 18:48:44 +0200
++openvpn (2.3.1-2ubuntu2) saucy; urgency=low
++
++  * Move easy-rsa from Recommends to Suggests as it's not in main and isn't
++    actually required to operate an openvpn server.
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Wed, 19 Jun 2013 14:37:54 -0400
++
++openvpn (2.3.1-2ubuntu1) saucy; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/openvpn.init.d:
++      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      + Show per-VPN result messages.
++      + Add "--script-security 2" by default for backwards compatabliity.
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Fri, 24 May 2013 17:42:45 -0400
++
  openvpn (2.3.1-2) unstable; urgency=low
    * Add net-tools to Build-Depends. (Closes: #709108)
@@ -618,6 +1048,32 @@ openvpn (2.3~rc1-1) experimental; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 05 Nov 2012 16:31:15 +0100
++openvpn (2.2.1-8ubuntu3) raring; urgency=low
++
++  [ Marc Gariépy ]
++  * Add --script-security to the init.d script (was generated but not passed
++    to openvpn). (LP: #1124398)
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Wed, 13 Feb 2013 16:10:48 -0500
++
++openvpn (2.2.1-8ubuntu2) quantal; urgency=low
++
++  * Rebuild for new armel compiler default of ARMv5t.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Mon, 08 Oct 2012 08:36:47 +0100
++
++openvpn (2.2.1-8ubuntu1) precise; urgency=low
++
++  * Merge at Simon Deziel's request to build with PIE.
++  * Merge from Debian unstable. Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Fri, 30 Mar 2012 13:19:09 -0400
++
  openvpn (2.2.1-8) unstable; urgency=low
    * Enable "PIE" and "BINDOW" hardening flags.
@@ -642,6 +1098,17 @@ openvpn (2.2.1-6) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Fri, 09 Mar 2012 13:44:50 +0100
++openvpn (2.2.1-5ubuntu1) precise; urgency=low
++
++  * Merge from Debian unstable. Remaining changes: (LP: #907828)
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Sat, 25 Feb 2012 21:08:48 -0500
++
  openvpn (2.2.1-5) unstable; urgency=low
    * Avoid sending ICMP redirects when using tun devices and "subnet"
@@ -664,6 +1131,20 @@ openvpn (2.2.1-4) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 08 Feb 2012 16:31:32 +0100
++openvpn (2.2.1-3ubuntu1) precise; urgency=low
++
++  * Merge from Debian testing.  Remaining changes:
++   + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++    + debian/update-resolv-conf: Support multiple domains.
++    + fix bug where '--script-security 2' would be passed for all
++      daemons after the first. (LP: #794916)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Sat, 31 Dec 2011 04:55:56 +0000
++
  openvpn (2.2.1-3) unstable; urgency=low
    * The iproute fiasco release.
@@ -692,6 +1173,20 @@ openvpn (2.2.1-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 13 Dec 2011 11:04:22 +0100
++openvpn (2.2.0-2ubuntu1) oneiric; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++   + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++    + debian/update-resolv-conf: Support multiple domains.
++    + fix bug where '--script-security 2' would be passed for all
++      daemons after the first. (LP: #794916
++
++ -- Chuck Short <zulcss@ubuntu.com>  Thu, 16 Jun 2011 18:33:37 +0100
++
  openvpn (2.2.0-2) unstable; urgency=low
    * Upload to unstable
@@ -726,6 +1221,45 @@ openvpn (2.1.3-5) experimental; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 22 Mar 2011 10:57:18 +0100
++openvpn (2.1.3-4.1ubuntu2) oneiric; urgency=low
++
++  [Alexander Zielke]
++  * fix bug where '--script-security 2' would be passed for all
++    daemons after the first. (LP: #794916)
++
++ -- Scott Moser <smoser@ubuntu.com>  Thu, 09 Jun 2011 13:59:08 -0400
++
++openvpn (2.1.3-4.1ubuntu1) oneiric; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++   + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++    + debian/update-resolv-conf: Support multiple domains.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 17 May 2011 02:14:39 +0100
++
++openvpn (2.1.3-4.1) unstable; urgency=low
++
++  * Non-maintainer upload.
++  * Drop hard-coded dependency on libssl0.9.8.  (Closes: #623503)
++
++ -- Philipp Kern <pkern@debian.org>  Mon, 09 May 2011 23:20:03 +0200
++
++openvpn (2.1.3-4ubuntu1) oneiric; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++    + debian/update-resolv-conf: Support multiple domains.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 22 Mar 2011 23:28:26 +0000
++
  openvpn (2.1.3-4) unstable; urgency=low
    * Updated JuanJo's IPv6 patch. Now really fixes use from xinetd.
@@ -748,6 +1282,31 @@ openvpn (2.1.3-3) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Fri, 11 Mar 2011 13:08:12 +0100
++openvpn (2.1.3-2ubuntu3) natty; urgency=low
++
++  * update-resolv-conf: Correctly handle multiple dns search domains,
++    using the same logic as nameservers.  Patch courtesy of Jeremy
++    Zawodny. (LP: #662847)
++
++ -- Dave Walker (Daviey) <DaveWalker@ubuntu.com>  Fri, 11 Mar 2011 00:23:59 +0000
++
++openvpn (2.1.3-2ubuntu2) natty; urgency=low
++
++  * update-resolv-conf: Support mulitple domains (LP: #714358)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 14 Feb 2011 15:21:46 -0500
++
++openvpn (2.1.3-2ubuntu1) natty; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatabliity.
++    +  debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Chuck Short <zulcss@ubuntu.com>  Sat, 23 Oct 2010 01:59:28 +0100
++
  openvpn (2.1.3-2) unstable; urgency=low
    * Applied upstream patch to solve random routes added when using
@@ -755,6 +1314,24 @@ openvpn (2.1.3-2) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Thu, 21 Oct 2010 12:21:33 +0200
++openvpn (2.1.3-1ubuntu2) natty; urgency=low
++
++  * Fix jjo-ipv6-support.patch to avoid assertion failure at socket.c:629 in
++    corner cases where ! host && addr (LP: #627973)
++
++ -- Thierry Carrez (ttx) <thierry.carrez@ubuntu.com>  Wed, 20 Oct 2010 16:22:25 +0200
++
++openvpn (2.1.3-1ubuntu1) natty; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
++      - Show per-VPN result messages.
++      - Add "--script-security 2" by default for backwards compatablitiy
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Chuck Short <zulcss@ubuntu.com>  Tue, 05 Oct 2010 06:21:14 +0100
++
  openvpn (2.1.3-1) unstable; urgency=low
    * New upstream release (Closes: #595684)
@@ -766,6 +1343,17 @@ openvpn (2.1.3-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 29 Sep 2010 13:07:37 +0200
++openvpn (2.1.0-3ubuntu1) maverick; urgency=low
++
++  * Merge from debian unstable. Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use </dev/null to avoid blocking boot
++      - Show per-VPN result messages
++      - Add "--script-security 2" by default for backwards compatablitiy
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 12 Jul 2010 09:39:43 -0400
++
  openvpn (2.1.0-3) unstable; urgency=low
    * The 'happy birthday to me' release
@@ -775,6 +1363,24 @@ openvpn (2.1.0-3) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Fri, 09 Jul 2010 12:22:09 +0200
++openvpn (2.1.0-2ubuntu2) maverick; urgency=low
++
++  * debian/patches/client_hang_when_server_dont_push.patch: Fix client hanging
++    on PUSH_REQUEST when server does not push any option (LP: #579737)
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Mon, 28 Jun 2010 10:45:23 +0200
++
++openvpn (2.1.0-2ubuntu1) maverick; urgency=low
++
++  * Merge from debian unstable.  Remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use </dev/null to avoid blocking boot
++      - Show per-VPN result messages
++      - Add "--script-security 2" by default for backwards compatablitiy
++     + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 05 May 2010 03:06:19 +0100
++
  openvpn (2.1.0-2) unstable; urgency=low
    * Patched ssl.[ch] to fix integer overflow. (Closes: #576827)
@@ -787,6 +1393,17 @@ openvpn (2.1.0-2) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Sat, 10 Apr 2010 17:26:42 +0200
++openvpn (2.1.0-1ubuntu1) lucid; urgency=low
++
++  * Merge from debian testing (LP: #509078), remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
++      - Show per-VPN result messages
++      - Add "--script-security 2" by default for backwards compatibility
++    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
++
++ -- Jan Brinkmann <lucky@the-luckyduck.de>  Fri, 22 Jan 2010 00:47:33 +0100
++
  openvpn (2.1.0-1) unstable; urgency=low
    * New upstream release
@@ -824,6 +1441,20 @@ openvpn (2.1~rc20-3) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 04 Nov 2009 17:18:03 +0100
++openvpn (2.1~rc20-2ubuntu1) lucid; urgency=low
++
++  * Merge from debian testing, remaining changes:
++    + debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use < /dev/null to avoid blocking
++        boot.
++      - show per-VPN result messages
++      - add "--script-security 2" by default for backwards compatibility
++      - Add lab-base >= 3.2-14 to allow status_of_proc()
++     + Dropped debian/patches/redirect-gateway.patch: Already applied
++       upstream.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Fri, 06 Nov 2009 01:36:35 +0000
++
  openvpn (2.1~rc20-2) unstable; urgency=low
    * init.d script: Added X-Interactive header. (Closes: #549424)
@@ -848,6 +1479,25 @@ openvpn (2.1~rc19-2) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Sun, 30 Aug 2009 20:20:11 +0200
++openvpn (2.1~rc19-1ubuntu2) karmic; urgency=low
++
++  * debian/patches/redirect-gateway.patch: Fix regression introduced in
++    2.1rc17 that makes redirect-gateway (without options) to be ignored.
++    Patch cherrypicked from upstream 2.1rc20 (SVN r5011), LP: #445695
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Tue, 13 Oct 2009 09:31:20 +0200
++
++openvpn (2.1~rc19-1ubuntu1) karmic; urgency=low
++
++  * Merge from debian unstable (LP: #404099), remaining changes:
++    - debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
++      - show per-VPN result messages
++      - add "--script-security 2" by default for backwards compatibility
++      - Added lsb-base>=3.2-14 depend to allow status_of_proc()
++
++ -- Bhavani Shankar <right2bhavi@gmail.com>  Fri, 24 Jul 2009 19:22:13 +0530
++
  openvpn (2.1~rc19-1) unstable; urgency=low
    * New upstream version
@@ -857,6 +1507,17 @@ openvpn (2.1~rc19-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 21 Jul 2009 17:00:56 +0200
++openvpn (2.1~rc15-1ubuntu1) karmic; urgency=low
++
++  * Merge from debian unstable (LP: #372358), remaining changes:
++    - debian/openvpn.init.d:
++      - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
++      - show per-VPN result messages
++      - add "--script-security 2" by default for backwards compatibility
++      - Added lsb-base>=3.2-14 depend to allow status_of_proc()
++
++ -- Andres Rodriguez <andreserl@ubuntu.com>  Tue, 05 May 2009 14:25:37 -0500
++
  openvpn (2.1~rc15-1) unstable; urgency=low
    * New upstream version (Closes: #515575)
@@ -876,6 +1537,33 @@ openvpn (2.1~rc15-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Thu, 30 Apr 2009 12:35:05 +0200
++openvpn (2.1~rc11-1ubuntu3) jaunty; urgency=low
++
++  * debian/openvpn.init.d:
++    - Fix unexpected operator on startup (LP: #340120)
++
++ -- Michael Jeanson <mjeanson@revolutionlinux.com>  Mon, 09 Mar 2009 16:02:50 -0400
++
++openvpn (2.1~rc11-1ubuntu2) intrepid; urgency=low
++
++  * debian/openvpn.init.d:
++    - Revert fix from #454371 that was merged at 2.1~rc7-4 to prevent
++      openvpn prompts from blocking the boot (LP: #280428)
++    - Fix VPNs always reported started [ OK ]
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Wed, 15 Oct 2008 17:12:54 +0200
++
++openvpn (2.1~rc11-1ubuntu1) intrepid; urgency=low
++
++  * Merge with Debian (LP: #279655), remaining diffs:
++    - debian/openvpn.init.d: Added 'status' action to init script, show
++      per-VPN result messages and add "--script-security 2" by default for
++      backwards compatibility
++    - debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
++  * Fixes regression when calling commands with arguments (LP: #277447)
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Tue, 07 Oct 2008 16:30:44 +0200
++
  openvpn (2.1~rc11-1) unstable; urgency=low
    * New upstream version
@@ -896,6 +1584,23 @@ openvpn (2.1~rc10-1) unstable; urgency=low
   -- Alberto Gonzalez Iniesta <agi@inittab.org>  Thu, 11 Sep 2008 16:58:37 +0200
++openvpn (2.1~rc9-3ubuntu2) intrepid; urgency=low
++
++  * debian/openvpn.init.d:
++    - Added 'status' action to init script (LP: #251641)
++    - Restored per-VPN result messages by using log_action_begin_msg and
++      one log_daemon_msg per VPN instead of log_progress_msg (LP: #264966)
++  * debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
++
++ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Tue, 09 Sep 2008 10:45:45 +0200
++
++openvpn (2.1~rc9-3ubuntu1) intrepid; urgency=low
++
++  * debian/openvpn.init.d: Add "--script-security 2" by default for backwards compatibility
++    (LP: #260291)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 25 Aug 2008 10:20:31 -0400
++
  openvpn (2.1~rc9-3) unstable; urgency=low
    * debian/rules: run ./configure with path to 'route', for
 diff --git a/debian/control b/debian/control
 index 63a8262..40ed491 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,7 +1,8 @@
  Source: openvpn
  Section: net
  Priority: optional
--Maintainer: Bernhard Schmidt <berni@debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Bernhard Schmidt <berni@debian.org>
  Uploaders: Jörg Frings-Fürst <debian@jff.email>
  Build-Depends:
   debhelper-compat (= 12),
@@ -39,8 +40,8 @@ Depends:
  Suggests:
   openssl,
   resolvconf,
-- openvpn-systemd-resolved
--Recommends: easy-rsa
++ openvpn-systemd-resolved,
++ easy-rsa
  Description: virtual private network daemon
   OpenVPN is an application to securely tunnel IP networks over a
   single UDP or TCP port. It can be used to access remote sites, make
 diff --git a/debian/openvpn@.service b/debian/openvpn@.service
 index 945874b..6d59b13 100644
 --- a/debian/openvpn@.service
 +++ b/debian/openvpn@.service
@@ -12,7 +12,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
  Type=notify
  PrivateTmp=true
  WorkingDirectory=/etc/openvpn
--ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
++ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
  PIDFile=/run/openvpn/%i.pid
  KillMode=process
  CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
 diff --git a/debian/patches/openvpn-fips-2.4.patch b/debian/patches/openvpn-fips-2.4.patch
 new file mode 100644
 index 0000000..1c4f068
 --- /dev/null
 +++ b/debian/patches/openvpn-fips-2.4.patch
@@ -0,0 +1,90 @@
++Description:  Use openssl FIPS flag to indicate MD5 use for PRF.
++ MD5 is not allowed in FIPS 140-2 except for PRF. OpenVPN needs
++ to send EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag to FIPS mode openssl
++ for PRF to indicate the exception.
++Bug: https://community.openvpn.net/openvpn/ticket/725
++Bug-Ubuntu: https://bugs.launchpad.net/bugs/1807439
++Author: Stephan Mueller <stephan.mueller@atsec.com>
++
++--- a/src/openvpn/crypto.c
+++++ b/src/openvpn/crypto.c
++@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const
++     if (kt->digest && kt->hmac_length > 0)
++     {
++         ctx->hmac = hmac_ctx_new();
++-        hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
+++        hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0);
++
++         msg(D_HANDSHAKE,
++             "%s: Using %d bit message hash '%s' for HMAC authentication",
++--- a/src/openvpn/crypto_backend.h
+++++ b/src/openvpn/crypto_backend.h
++@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx);
++  * @param key           The key to use for the HMAC
++  * @param key_len       The key length to use
++  * @param kt            Static message digest parameters
+++ * @param prf_use       Intended use for PRF in TLS protocol
++  *
++  */
++ void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length,
++-                   const md_kt_t *kt);
+++                   const md_kt_t *kt, bool prf_use);
++
++ /*
++  * Free the given HMAC context.
++--- a/src/openvpn/crypto_mbedtls.c
+++++ b/src/openvpn/crypto_mbedtls.c
++@@ -919,7 +919,7 @@ hmac_ctx_free(mbedtls_md_context_t *ctx)
++
++ void
++ hmac_ctx_init(mbedtls_md_context_t *ctx, const uint8_t *key, int key_len,
++-              const mbedtls_md_info_t *kt)
+++              const mbedtls_md_info_t *kt, bool prf_use)
++ {
++     ASSERT(NULL != kt && NULL != ctx);
++
++--- a/src/openvpn/crypto_openssl.c
+++++ b/src/openvpn/crypto_openssl.c
++@@ -1006,11 +1006,17 @@ hmac_ctx_free(HMAC_CTX *ctx)
++
++ void
++ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
++-              const EVP_MD *kt)
+++              const EVP_MD *kt, bool prf_use)
++ {
++     ASSERT(NULL != kt && NULL != ctx);
++
++     HMAC_CTX_reset(ctx);
+++
+++   /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
+++    * to be used anywhere else */
+++    if(kt == EVP_md5() && prf_use)
+++       HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+++
++     HMAC_Init_ex(ctx, key, key_len, kt, NULL);
++
++     /* make sure we used a big enough key */
++--- a/src/openvpn/ntlm.c
+++++ b/src/openvpn/ntlm.c
++@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da
++     const md_kt_t *md5_kt = md_kt_get("MD5");
++     hmac_ctx_t *hmac_ctx = hmac_ctx_new();
++
++-    hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
+++    hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0);
++     hmac_ctx_update(hmac_ctx, data, data_len);
++     hmac_ctx_final(hmac_ctx, result);
++     hmac_ctx_cleanup(hmac_ctx);
++--- a/src/openvpn/ssl.c
+++++ b/src/openvpn/ssl.c
++@@ -1632,8 +1632,8 @@ tls1_P_hash(const md_kt_t *md_kt,
++     int chunk = md_kt_size(md_kt);
++     unsigned int A1_len = md_kt_size(md_kt);
++
++-    hmac_ctx_init(ctx, sec, sec_len, md_kt);
++-    hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
+++    hmac_ctx_init(ctx, sec, sec_len, md_kt, 1);
+++    hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1);
++
++     hmac_ctx_update(ctx,seed,seed_len);
++     hmac_ctx_final(ctx, A1);
 diff --git a/debian/patches/series b/debian/patches/series
 index 6bb0685..3d2c83a 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -10,3 +10,4 @@ CVE-2020-15078-1.patch
  CVE-2020-15078-2.patch
  CVE-2020-15078-3.patch
  Fix-condition-to-generate-session-keys.patch
++openvpn-fips-2.4.patch

Ubuntuopenvpn package

Merge ~utkarsh/ubuntu/+source/openvpn:merge-openvpn-impish into ubuntu/+source/openvpn:debian/sid

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
openvpn package