Merge ~utkarsh/ubuntu/+source/openvpn:merge-openvpn-impish into ubuntu/+source/openvpn:debian/sid

Proposed by Utkarsh Gupta
Status: Merged
Merge reported by: Utkarsh Gupta
Merged at revision: 769fd64b627bdae3d18ca552a2b84988f290d33c
Proposed branch: ~utkarsh/ubuntu/+source/openvpn:merge-openvpn-impish
Merge into: ubuntu/+source/openvpn:debian/sid
Diff against target: 1116 lines (+802/-5)
5 files modified
debian/changelog (+706/-1)
debian/control (+4/-3)
debian/openvpn@.service (+1/-1)
debian/patches/openvpn-fips-2.4.patch (+90/-0)
debian/patches/series (+1/-0)
Reviewers and status:
Robie Basak: Approve
Christian Ehrhardt: Abstain
Canonical Server Team: Pending
Canonical Server packageset reviewers: Pending
Ubuntu Server Dev import team: Pending
Review via email: mp+402809@code.launchpad.net

Description of the change

Hey,

Yet another merge -> bug fixes one though.
PPA at https://launchpad.net/~utkarsh/+archive/ubuntu/experimental-dump.

Build's good and autopkgtest passes:
```
autopkgtest [16:56:46]: @@@@@@@@@@@@@@@@@@@@ summary
server-setup-with-ca PASS
server-setup-with-static-key PASS
```

Requesting you to please review and sponsor the upload. TIA! \o/

[Assigning review to Robie]

Christian Ehrhardt (paelzer) wrote :

Really not meant to be free for all, so I consumed the Team review slot with this update

review: Abstain
Robie Basak (racb) wrote :

Looks good!

Although merge is correct, your logical tag is wrong. The tree of lp1917438/logical/2.5.0-1ubuntu1 should be identical to pkg/import/2.5.0-1ubuntu1 except for debian/changelog and update-maintainer. The idea is that it should reflect the _previous_ Ubuntu delta precisely, but broken down. Instead, it looks like you either already dropped the delta you were going to drop for this merge, or tagged it late. It doesn't matter this time, but it helps with the workflow and assists review if it is correct.

Uploaded.

review: Approve
Utkarsh Gupta (utkarsh) wrote :

Ooh yeah, I *did* drop the delta already and then tagged the logical tag. My bad. Thanks for the upload, though! \o/

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index f1c969f..a1eb824 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,16 @@
6+openvpn (2.5.1-3ubuntu1) impish; urgency=medium
7+
8+ * Merge with Debian unstable. Remaining changes:
9+ - d/control: Demote easy-rsa to Suggests (universe package).
10+ - debian/openvpn@.service: Add '--script-security 2' similar to what
11+ got added to debian/openvpn.init.d ages ago (LP #1454725)
12+ - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
13+ * Dropped changes:
14+ - d/t/server-setup-*: adapt tests to output of v2.5.0
15+ [Included in 2.5.1-3]
16+
17+ -- Utkarsh Gupta <utkarsh.gupta@canonical.com> Mon, 17 May 2021 14:38:17 +0530
18+
19 openvpn (2.5.1-3) unstable; urgency=medium
20
21 * Fix autopkgtest (Closes: #983662)
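Review bot: The d/p/openvpn-fips-2.4.patch line in the new 2.5.1-3ubuntu1 entry ("Allow MD5 for PRF in FIPS mode openssl.") has no bug reference, while the 2.4.7-1ubuntu1 entry further down cites LP 1807439 for the same patch. Because this delta relaxes a restriction that FIPS mode would otherwise apply, consider keeping "(LP 1807439)" on that line so the justification stays one lookup away each time the delta is re-evaluated in a merge.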
22@@ -7,6 +20,17 @@ openvpn (2.5.1-3) unstable; urgency=medium
23
24 -- Bernhard Schmidt <berni@debian.org> Fri, 14 May 2021 09:40:04 +0200
25
26+openvpn (2.5.1-2ubuntu1) impish; urgency=medium
27+
28+ * Merge with Debian unstable. Remaining changes:
29+ - d/control: Demote easy-rsa to Suggests (universe package).
30+ - debian/openvpn@.service: Add '--script-security 2' similar to what
31+ got added to debian/openvpn.init.d ages ago (LP #1454725)
32+ - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
33+ - d/t/server-setup-*: adapt tests to output of v2.5.0
34+
35+ -- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 03 May 2021 17:56:39 -0300
36+
37 openvpn (2.5.1-2) unstable; urgency=high
38
39 * Cherry-Pick 3 (+ 1 predependency) patches from upstream to fix
40@@ -15,12 +39,47 @@ openvpn (2.5.1-2) unstable; urgency=high
41
42 -- Bernhard Schmidt <berni@debian.org> Wed, 28 Apr 2021 14:41:58 +0200
43
44+openvpn (2.5.1-1ubuntu1) hirsute; urgency=medium
45+
46+ * Merge with Debian unstable (LP: #1917438). Remaining changes:
47+ - d/control: Demote easy-rsa to Suggests (universe package).
48+ - debian/openvpn@.service: Add '--script-security 2' similar to what
49+ got added to debian/openvpn.init.d ages ago (LP #1454725)
50+ - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
51+ + d/t/server-setup-*: adapt tests to output of v2.5.0
52+
53+ -- Utkarsh Gupta <utkarsh.gupta@canonical.com> Tue, 02 Mar 2021 16:35:37 +0530
54+
55 openvpn (2.5.1-1) unstable; urgency=medium
56
57 * New upstream version 2.5.1 (bugfix release)
58
59 -- Bernhard Schmidt <berni@debian.org> Wed, 24 Feb 2021 19:54:34 +0100
60
61+openvpn (2.5.0-1ubuntu1) hirsute; urgency=medium
62+
63+ * Merge with Debian unstable. Remaining changes:
64+ - d/control: Demote easy-rsa to Suggests (universe package).
65+ - debian/openvpn@.service: Add '--script-security 2' similar to what
66+ got added to debian/openvpn.init.d ages ago (LP #1454725)
67+ - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
68+ [updated to match 2.5.0]
69+ * Dropped changes [in Debian since 2.5~beta3-1]
70+ - d/tests: add two DEP-8 test cases
71+ + d/t/server-setup-with-static-key: test the OpenVPN server side setup
72+ using a static key.
73+ + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
74+ CA built with easy-rsa.
75+ - d/openvpn*.service: Drop reload support from systemd unit files
76+ (LP #1868127). The current reload implementation (sending a SIGHUP
77+ signal to the process) fails, and the difference between reload and
78+ restart is not clear. Systemd does not require an implementation for
79+ reload.
80+ * Added Changes:
81+ - d/t/server-setup-*: adapt tests to output of v2.5.0
82+
83+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 01 Dec 2020 16:15:12 +0100
84+
85 openvpn (2.5.0-1) unstable; urgency=medium
86
87 * New upstream version 2.5.0 - final release
88@@ -46,7 +105,7 @@ openvpn (2.5~beta3-1) unstable; urgency=medium
89
90 [ Lucas Kanashiro ]
91 * Add two DEP-8 test cases for the server side
92- * Drop reload support from systemd unit files (LP: #1868127)
93+ * Drop reload support from systemd unit files (LP 1868127)
94
95 [ Bernhard Schmidt ]
96 * Revert "d/gbp.conf for experimental 2.5 branch"
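Review bot: Editing Debian's own 2.5~beta3-1 entry adds a delta that no "Remaining changes" list mentions: the line "(LP: #1868127)" becomes "(LP 1868127)", so debian/changelog no longer matches Debian at this point. If the goal is to stop the upload from acting on that bug reference again, say so in the merge description, and settle on one neutralized spelling, since the same bug is written "(LP #1868127)" in the 2.5.0-1ubuntu1 entry and "(LP 1868127)" here.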
97@@ -76,6 +135,26 @@ openvpn (2.5~beta1-1) experimental; urgency=medium
98
99 -- Bernhard Schmidt <berni@debian.org> Sat, 15 Aug 2020 21:32:49 +0200
100
101+openvpn (2.4.9-3ubuntu1) groovy; urgency=medium
102+
103+ * Merge with Debian unstable. Remaining changes:
104+ - d/control: Demote easy-rsa to Suggests (universe package).
105+ - debian/openvpn@.service: Add '--script-security 2' similar to what
106+ got added to debian/openvpn.init.d ages ago (LP #1454725)
107+ - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
108+ - d/tests: add two DEP-8 test cases
109+ + d/t/server-setup-with-static-key: test the OpenVPN server side setup
110+ using a static key.
111+ + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
112+ CA built with easy-rsa.
113+ - d/openvpn*.service: Drop reload support from systemd unit files
114+ (LP #1868127). The current reload implementation (sending a SIGHUP
115+ signal to the process) fails, and the difference between reload and
116+ restart is not clear. Systemd does not require an implementation for
117+ reload.
118+
119+ -- Lucas Kanashiro <kanashiro@ubuntu.com> Tue, 18 Aug 2020 08:42:11 -0300
120+
121 openvpn (2.4.9-3) unstable; urgency=medium
122
123 [ Jörg Frings-Fürst ]
124@@ -94,6 +173,28 @@ openvpn (2.4.9-3) unstable; urgency=medium
125
126 -- Jörg Frings-Fürst <debian@jff.email> Sat, 02 May 2020 18:14:36 +0200
127
128+openvpn (2.4.9-2ubuntu2) groovy; urgency=medium
129+
130+ * Drop reload support from systemd unit files (LP: #1868127)
131+
132+ -- Lucas Kanashiro <kanashiro@ubuntu.com> Tue, 26 May 2020 19:04:33 -0300
133+
134+openvpn (2.4.9-2ubuntu1) groovy; urgency=medium
135+
136+ * Merge with Debian unstable. Remaining changes:
137+ - d/control: Demote easy-rsa to Suggests (universe package).
138+ - debian/openvpn@.service: Add '--script-security 2' similar to what
139+ got added to debian/openvpn.init.d ages ago (LP 1454725)
140+ - Allow MD5 for PRF in FIPS mode openssl.
141+ * Added changes:
142+ - d/tests: add two DEP-8 test cases
143+ + d/t/server-setup-with-static-key: test the OpenVPN server side setup
144+ using a static key.
145+ + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
146+ CA built with easy-rsa.
147+
148+ -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Wed, 29 Apr 2020 15:35:56 -0300
149+
150 openvpn (2.4.9-2) unstable; urgency=medium
151
152 * Cherry-Pick upstream patch to fix ssl_do_config error with
153@@ -129,6 +230,28 @@ openvpn (2.4.9-1) unstable; urgency=medium
154
155 -- Bernhard Schmidt <berni@debian.org> Sun, 19 Apr 2020 15:52:57 +0200
156
157+openvpn (2.4.7-1ubuntu2) eoan; urgency=medium
158+
159+ * No-change upload with strops.h and sys/strops.h removed in glibc.
160+
161+ -- Matthias Klose <doko@ubuntu.com> Thu, 05 Sep 2019 11:05:25 +0000
162+
163+openvpn (2.4.7-1ubuntu1) eoan; urgency=medium
164+
165+ * Merge with Debian unstable (LP: #1828771). Remaining changes:
166+ - d/control: Demote easy-rsa to Suggests (universe package).
167+ - debian/openvpn@.service: Add '--script-security 2' similar to what got
168+ added to debian/openvpn.init.d ages ago (LP 1454725)
169+ - d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
170+ (LP 1807439)
171+ * Dropped changes:
172+ - d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout
173+ scripts breaking due to sudo/pam being unable to audit the action.
174+ Fixed in upstream issue #918, suggested to Debian in #868806 (LP 1787208)
175+ [in Debian now]
176+
177+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 13 May 2019 15:55:22 +0200
178+
179 openvpn (2.4.7-1) unstable; urgency=medium
180
181 [ Bernhard Schmidt ]
182@@ -148,6 +271,30 @@ openvpn (2.4.7-1) unstable; urgency=medium
183
184 -- Bernhard Schmidt <berni@debian.org> Wed, 20 Feb 2019 14:50:03 +0100
185
186+openvpn (2.4.6-1ubuntu3) disco; urgency=medium
187+
188+ * d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
189+ (LP: #1807439)
190+
191+ -- Joy Latten <joy.latten@canonical.com> Wed, 09 Jan 2019 12:25:59 -0600
192+
193+openvpn (2.4.6-1ubuntu2) cosmic; urgency=medium
194+
195+ * d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout
196+ scripts breaking due to sudo/pam being unable to audit the action.
197+ Fixed in upstream issue #918, suggested to Debian in #868806 (LP: #1787208)
198+
199+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Sep 2018 10:57:35 +0200
200+
201+openvpn (2.4.6-1ubuntu1) cosmic; urgency=medium
202+
203+ * Merge with Debian unstable. Remaining changes:
204+ - d/control: Demote easy-rsa to Suggests (universe package).
205+ - debian/openvpn@.service: Add '--script-security 2' similar to what got
206+ added to debian/openvpn.init.d ages ago (LP 1454725)
207+
208+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 20 Aug 2018 13:30:20 +0200
209+
210 openvpn (2.4.6-1) unstable; urgency=medium
211
212 [ Jörg Frings-Fürst ]
213@@ -191,6 +338,15 @@ openvpn (2.4.5-1) unstable; urgency=medium
214
215 -- Bernhard Schmidt <berni@debian.org> Sun, 04 Mar 2018 22:23:47 +0100
216
217+openvpn (2.4.4-2ubuntu1) bionic; urgency=low
218+
219+ * Sync with Debian. Remaining changes:
220+ - debian/openvpn@.service: Add "--script-security 2" similar to what got
221+ added to debian/openvpn.init.d ages ago (LP: #1454725)
222+ - Demote easy-rsa to Suggests (universe package).
223+
224+ -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 10 Feb 2018 20:27:56 +0000
225+
226 openvpn (2.4.4-2) unstable; urgency=medium
227
228 * Build against OpenSSL 1.1.0 (Closes: #828477)
229@@ -198,6 +354,15 @@ openvpn (2.4.4-2) unstable; urgency=medium
230
231 -- Bernhard Schmidt <berni@debian.org> Mon, 11 Dec 2017 00:22:11 +0100
232
233+openvpn (2.4.4-1ubuntu1) bionic; urgency=medium
234+
235+ * Sync with Debian. Remaining changes:
236+ - debian/openvpn@.service: Add "--script-security 2" similar to what got
237+ added to debian/openvpn.init.d ages ago (LP: #1454725)
238+ - Demote easy-rsa to Suggests (universe package).
239+
240+ -- Jeremy Bicha <jbicha@ubuntu.com> Sat, 28 Oct 2017 15:13:58 -0400
241+
242 openvpn (2.4.4-1) unstable; urgency=medium
243
244 [ Jörg Frings-Fürst ]
245@@ -319,6 +484,65 @@ openvpn (2.4.0-5) unstable; urgency=high
246
247 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 May 2017 14:15:21 +0200
248
249+openvpn (2.4.0-4ubuntu1.3) zesty-security; urgency=medium
250+
251+ * SECURITY UPDATE: Remotely-triggerable ASSERT() on malformed IPv6 packet
252+ - debian/patches/CVE-2017-7508.patch: remove assert in
253+ src/openvpn/mss.c.
254+ - CVE-2017-7508
255+ * SECURITY UPDATE: Remote-triggerable memory leaks
256+ - debian/patches/CVE-2017-7512.patch: fix leaks in
257+ src/openvpn/ssl_verify_openssl.c.
258+ - CVE-2017-7512
259+ * SECURITY UPDATE: Pre-authentication remote crash/information disclosure
260+ for clients
261+ - debian/patches/CVE-2017-7520.patch: prevent two kinds of stack buffer
262+ OOB reads and a crash for invalid input data in src/openvpn/ntlm.c.
263+ - CVE-2017-7520
264+ * SECURITY UPDATE: Potential double-free in --x509-alt-username and
265+ memory leaks
266+ - debian/patches/CVE-2017-7521.patch: fix double-free in
267+ src/openvpn/ssl_verify_openssl.c.
268+ - CVE-2017-7521
269+ * SECURITY UPDATE: DoS in establish_http_proxy_passthru()
270+ - debian/patches/establish_http_proxy_passthru_dos.patch: fix
271+ null-pointer dereference in src/openvpn/proxy.c.
272+ - No CVE number
273+
274+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 22 Jun 2017 08:37:49 -0400
275+
276+openvpn (2.4.0-4ubuntu1.2) zesty-security; urgency=medium
277+
278+ * SECURITY UPDATE: pre-authentication denial-of-service vulnerability
279+ (both client and server) from a too-large control packet.
280+ - debian/patches/CVE-2017-7478.patch: Do not assert on too-large
281+ control packet
282+ - CVE-2017-7478
283+ * SECURITY UPDATE: authenticated remote DoS vulnerability due to
284+ packet ID rollover
285+ - debian/patches/CVE-2017-7479-prereq.patch: merge
286+ packet_id_alloc_outgoing() into packet_id_write()
287+ - debian/patches/CVE-2017-7478.patch: do not assert when packet ID
288+ rollover occurs
289+ - CVE-2017-7478
290+ * SECURITY UPDATE: auth tokens left in memory after de-auth
291+ - debian/patches/wipe_tokens_on_de-auth.patch: always wipe token
292+ as soon as a TLS session is considered broken.
293+
294+ -- Steve Beattie <sbeattie@ubuntu.com> Wed, 10 May 2017 15:21:05 -0700
295+
296+openvpn (2.4.0-4ubuntu1) zesty; urgency=medium
297+
298+ * Merge with Debian unstable. Remaining Ubuntu changes:
299+ - debian/openvpn@.service: Add "--script-security 2" similar to what got
300+ added to debian/openvpn.init.d ages ago (LP: #1454725)
301+ - Demote easy-rsa to Suggests (universe package).
302+ * Drop:
303+ - debian/control: Actually drop the initscripts dependency.
304+ (Closes: #804968). Already in Debian
305+
306+ -- Jon Grimm <jon.grimm@canonical.com> Fri, 10 Feb 2017 12:16:57 -0600
307+
308 openvpn (2.4.0-4) unstable; urgency=medium
309
310 * Add NEWS entries on possible 2.4 migration issues.
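Review bot: In the 2.4.0-4ubuntu1.2 entry, the packet ID rollover item names its prerequisite patch CVE-2017-7479-prereq.patch but then lists debian/patches/CVE-2017-7478.patch and "- CVE-2017-7478", the same patch and identifier already given for the too-large control packet item above it. That reads like a mislabelled CVE-2017-7479. As imported zesty-security history it is reasonable to leave the text untouched, but anyone auditing CVE coverage from this changelog should check the applied patches rather than search for the identifier. The "auth tokens left in memory after de-auth" item in the same entry has no identifier line at all.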
311@@ -388,6 +612,24 @@ openvpn (2.3.11-2) unstable; urgency=medium
312
313 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 23 May 2016 09:55:30 +0200
314
315+openvpn (2.3.11-1ubuntu2) yakkety; urgency=medium
316+
317+ * debian/control: Actually drop the initscripts dependency.
318+ (Closes: #804968)
319+
320+ -- Martin Pitt <martin.pitt@ubuntu.com> Wed, 22 Jun 2016 16:54:51 +0200
321+
322+openvpn (2.3.11-1ubuntu1) yakkety; urgency=medium
323+
324+ * Merge with Debian unstable. Remaining Ubuntu changes:
325+ - debian/openvpn@.service: Add "--script-security 2" similar to what got
326+ added to debian/openvpn.init.d ages ago (see LP: #260291).
327+ - Demote easy-rsa to Suggests (universe package).
328+ * Drop intrusive changes (showing per-VPN result messages) from
329+ debian/openvpn.init.d. This isn't being used under systemd.
330+
331+ -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 20 May 2016 17:30:27 +0200
332+
333 openvpn (2.3.11-1) unstable; urgency=medium
334
335 * New upstream release.
336@@ -399,6 +641,25 @@ openvpn (2.3.11-1) unstable; urgency=medium
337
338 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 10 May 2016 17:41:53 +0200
339
340+openvpn (2.3.10-1ubuntu2) xenial; urgency=medium
341+
342+ * debian/openvpn@.service: Add --script-security similar to what got added
343+ to debian/openvpn.init.d ages ago (see LP #260291). (LP: #1454725)
344+
345+ -- Martin Pitt <martin.pitt@ubuntu.com> Tue, 02 Feb 2016 13:33:39 +0100
346+
347+openvpn (2.3.10-1ubuntu1) xenial; urgency=medium
348+
349+ * Merge with Debian unstable (LP: #1536568). Remaining Ubuntu changes:
350+ - debian/openvpn.init.d:
351+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
352+ + Show per-VPN result messages.
353+ + Add "--script-security 2" by default for backwards compatabliity.
354+ (LP #260291)
355+ - Demote easy-rsa to Suggests
356+
357+ -- Gianfranco Costamagna <locutusofborg@debian.org> Thu, 21 Jan 2016 11:37:08 +0100
358+
359 openvpn (2.3.10-1) unstable; urgency=medium
360
361 * New upstream release. (Closes: #804368)
362@@ -417,6 +678,21 @@ openvpn (2.3.10-1) unstable; urgency=medium
363
364 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 20 Jan 2016 12:01:36 +0100
365
366+openvpn (2.3.8-1ubuntu1) xenial; urgency=medium
367+
368+ * Merge with Debian unstable. Remaining Ubuntu changes:
369+ - debian/openvpn.init.d:
370+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
371+ + Show per-VPN result messages.
372+ + Add "--script-security 2" by default for backwards compatabliity.
373+ - Demote easy-rsa to Suggests
374+ - Run openvpn@.service before systemd-user-sessions.service to avoid
375+ gettys and lightdm starting on top of possible password prompts. This
376+ provides the equivalent of the init.d script's X-Start-Before:.
377+ (Closes: #803032)
378+
379+ -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 04 Jan 2016 11:48:31 +0100
380+
381 openvpn (2.3.8-1) unstable; urgency=medium
382
383 * New upstream release. Drop patch from 2.3.7-2.
384@@ -430,6 +706,21 @@ openvpn (2.3.8-1) unstable; urgency=medium
385
386 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 28 Oct 2015 17:34:26 +0100
387
388+openvpn (2.3.7-2ubuntu1) xenial; urgency=medium
389+
390+ * Merge with Debian unstable. Remaining Ubuntu changes:
391+ - debian/openvpn.init.d:
392+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
393+ + Show per-VPN result messages.
394+ + Add "--script-security 2" by default for backwards compatabliity.
395+ - Demote easy-rsa to Suggests
396+ - Run openvpn@.service before systemd-user-sessions.service to avoid
397+ gettys and lightdm starting on top of possible password prompts. This
398+ provides the equivalent of the init.d script's X-Start-Before:.
399+ (Closes: #803032)
400+
401+ -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 26 Oct 2015 09:32:31 +0100
402+
403 openvpn (2.3.7-2) unstable; urgency=medium
404
405 * Move libsystemd-daemon-dev Build-Dep to libsystemd-dev.
406@@ -440,6 +731,20 @@ openvpn (2.3.7-2) unstable; urgency=medium
407
408 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 08 Sep 2015 08:23:19 +0000
409
410+openvpn (2.3.7-1ubuntu1) wily; urgency=medium
411+
412+ * Merge with Debian unstable. Remaining Ubuntu changes:
413+ - debian/openvpn.init.d:
414+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
415+ + Show per-VPN result messages.
416+ + Add "--script-security 2" by default for backwards compatabliity.
417+ - Demote easy-rsa to Suggests
418+ - Run openvpn@.service before systemd-user-sessions.service to avoid
419+ gettys and lightdm starting on top of possible password prompts. This
420+ provides the equivalent of the init.d script's X-Start-Before:.
421+
422+ -- Martin Pitt <martin.pitt@ubuntu.com> Wed, 08 Jul 2015 12:28:54 +0200
423+
424 openvpn (2.3.7-1) unstable; urgency=medium
425
426 * New upstream version
427@@ -461,6 +766,20 @@ openvpn (2.3.5-1) unstable; urgency=medium
428
429 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Oct 2014 17:44:06 +0100
430
431+openvpn (2.3.4-5ubuntu1) wily; urgency=medium
432+
433+ * Merge with Debian unstable. Remaining Ubuntu changes:
434+ - debian/openvpn.init.d:
435+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
436+ + Show per-VPN result messages.
437+ + Add "--script-security 2" by default for backwards compatabliity.
438+ - Demote easy-rsa to Suggests
439+ - Run openvpn@.service before systemd-user-sessions.service to avoid
440+ gettys and lightdm starting on top of possible password prompts. This
441+ provides the equivalent of the init.d script's X-Start-Before:.
442+
443+ -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 07 May 2015 15:35:52 +0200
444+
445 openvpn (2.3.4-5) unstable; urgency=high
446
447 * Apply upstream patch that fixes possible DoS by authenticated
448@@ -519,6 +838,52 @@ openvpn (2.3.3-1) experimental; urgency=medium
449
450 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 17 Mar 2014 19:40:12 +0100
451
452+openvpn (2.3.2-9ubuntu4) vivid; urgency=medium
453+
454+ * Run openvpn@.service before systemd-user-sessions.service to avoid gettys
455+ and lightdm starting on top of possible password prompts. This provides
456+ the equivalent of the init.d script's X-Start-Before:.
457+
458+ -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 13 Apr 2015 16:09:01 -0500
459+
460+openvpn (2.3.2-9ubuntu3) vivid; urgency=medium
461+
462+ * Add better_systemd_detection.patch to avoid calling systemd-ask-password
463+ under upstart. Backported from upstream. (Closes: #747265)
464+ * Add systemd unit and generator from current Debian package. This avoids
465+ using the init.d script, which unnecessarily blocks lightdm startup on the
466+ network becoming online even if there are no auto-start connections
467+ (LP: #1443489).
468+
469+ -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 13 Apr 2015 11:22:56 -0500
470+
471+openvpn (2.3.2-9ubuntu2) vivid; urgency=medium
472+
473+ * SECURITY UPDATE: server denial of service via too-short control channel
474+ packets
475+ - debian/patches/CVE-2014-8104.patch: drop too-short control channel
476+ packets instead of asserting out in src/openvpn/ssl.c.
477+ - CVE-2014-8104
478+ * debian/patches/update_certs.patch: update test certs to fix FTBFS.
479+
480+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Dec 2014 15:26:58 -0500
481+
482+openvpn (2.3.2-9ubuntu1) utopic; urgency=medium
483+
484+ * Merge from Debian unstable. Remaining changes:
485+ - debian/openvpn.init.d:
486+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
487+ + Show per-VPN result messages.
488+ + Add "--script-security 2" by default for backwards compatabliity.
489+ - Demote easy-rsa to Suggests
490+ - Patch libtool.m4 and configure to support ppc64el.
491+ - Refresh delta with debian/openvpn.init.d:
492+ + Make stop action reliable by killing if needed
493+ (LP: #1274254, LP: #1200519)
494+ + Use new path for status file (LP: #1261088)
495+
496+ -- Stéphane Graber <stgraber@ubuntu.com> Fri, 02 May 2014 16:00:55 -0400
497+
498 openvpn (2.3.2-9) unstable; urgency=medium
499
500 * Create /run/openvpn in init script even if no VPN is
501@@ -534,6 +899,33 @@ openvpn (2.3.2-8) unstable; urgency=medium
502
503 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 14 Mar 2014 12:59:57 +0100
504
505+openvpn (2.3.2-7ubuntu3) trusty; urgency=medium
506+
507+ [ Simon Deziel ]
508+ * Refresh delta with debian/openvpn.init.d:
509+ - Make stop action reliable by killing if needed
510+ (LP: #1274254, LP: #1200519)
511+ - Use new path for status file (LP: #1261088)
512+
513+ -- Stéphane Graber <stgraber@ubuntu.com> Tue, 04 Feb 2014 09:31:39 -0500
514+
515+openvpn (2.3.2-7ubuntu2) trusty; urgency=medium
516+
517+ * Patch libtool.m4 and configure to support ppc64el.
518+
519+ -- Matthias Klose <doko@ubuntu.com> Mon, 30 Dec 2013 12:32:35 +0100
520+
521+openvpn (2.3.2-7ubuntu1) trusty; urgency=low
522+
523+ * Merge from Debian unstable. Remaining changes:
524+ - debian/openvpn.init.d:
525+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
526+ + Show per-VPN result messages.
527+ + Add "--script-security 2" by default for backwards compatabliity.
528+ - Demote easy-rsa to Suggests
529+
530+ -- Stéphane Graber <stgraber@ubuntu.com> Mon, 02 Dec 2013 18:14:42 -0500
531+
532 openvpn (2.3.2-7) unstable; urgency=low
533
534 * Fix postinst when no *.pid files exist in /run/sendsigs.omit.d/.
535@@ -550,6 +942,17 @@ openvpn (2.3.2-6) unstable; urgency=low
536
537 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 27 Nov 2013 13:58:33 +0100
538
539+openvpn (2.3.2-5ubuntu1) trusty; urgency=low
540+
541+ * Merge from Debian unstable. Remaining changes:
542+ - debian/openvpn.init.d:
543+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
544+ + Show per-VPN result messages.
545+ + Add "--script-security 2" by default for backwards compatabliity.
546+ - Demote easy-rsa to Suggests
547+
548+ -- Stéphane Graber <stgraber@ubuntu.com> Mon, 21 Oct 2013 13:07:37 -0400
549+
550 openvpn (2.3.2-5) unstable; urgency=low
551
552 * Patch init script to fix race conditions on restarts.
553@@ -559,6 +962,16 @@ openvpn (2.3.2-5) unstable; urgency=low
554
555 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 15 Jul 2013 16:10:59 +0200
556
557+openvpn (2.3.2-4ubuntu1) saucy; urgency=low
558+
559+ * Merge from Debian unstable. Remaining changes:
560+ - debian/openvpn.init.d:
561+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
562+ + Show per-VPN result messages.
563+ + Add "--script-security 2" by default for backwards compatabliity.
564+
565+ -- Stéphane Graber <stgraber@ubuntu.com> Tue, 09 Jul 2013 17:20:31 -0400
566+
567 openvpn (2.3.2-4) unstable; urgency=low
568
569 * Fix depends on iproute to iproute2.
570@@ -591,6 +1004,23 @@ openvpn (2.3.2-1) unstable; urgency=low
571
572 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 03 Jun 2013 18:48:44 +0200
573
574+openvpn (2.3.1-2ubuntu2) saucy; urgency=low
575+
576+ * Move easy-rsa from Recommends to Suggests as it's not in main and isn't
577+ actually required to operate an openvpn server.
578+
579+ -- Stéphane Graber <stgraber@ubuntu.com> Wed, 19 Jun 2013 14:37:54 -0400
580+
581+openvpn (2.3.1-2ubuntu1) saucy; urgency=low
582+
583+ * Merge from Debian unstable. Remaining changes:
584+ - debian/openvpn.init.d:
585+ + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
586+ + Show per-VPN result messages.
587+ + Add "--script-security 2" by default for backwards compatabliity.
588+
589+ -- Stéphane Graber <stgraber@ubuntu.com> Fri, 24 May 2013 17:42:45 -0400
590+
591 openvpn (2.3.1-2) unstable; urgency=low
592
593 * Add net-tools to Build-Depends. (Closes: #709108)
594@@ -618,6 +1048,32 @@ openvpn (2.3~rc1-1) experimental; urgency=low
595
596 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 05 Nov 2012 16:31:15 +0100
597
598+openvpn (2.2.1-8ubuntu3) raring; urgency=low
599+
600+ [ Marc Gariépy ]
601+ * Add --script-security to the init.d script (was generated but not passed
602+ to openvpn). (LP: #1124398)
603+
604+ -- Stéphane Graber <stgraber@ubuntu.com> Wed, 13 Feb 2013 16:10:48 -0500
605+
606+openvpn (2.2.1-8ubuntu2) quantal; urgency=low
607+
608+ * Rebuild for new armel compiler default of ARMv5t.
609+
610+ -- Colin Watson <cjwatson@ubuntu.com> Mon, 08 Oct 2012 08:36:47 +0100
611+
612+openvpn (2.2.1-8ubuntu1) precise; urgency=low
613+
614+ * Merge at Simon Deziel's request to build with PIE.
615+ * Merge from Debian unstable. Remaining changes:
616+ + debian/openvpn.init.d:
617+ - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
618+ - Show per-VPN result messages.
619+ - Add "--script-security 2" by default for backwards compatabliity.
620+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
621+
622+ -- Stéphane Graber <stgraber@ubuntu.com> Fri, 30 Mar 2012 13:19:09 -0400
623+
624 openvpn (2.2.1-8) unstable; urgency=low
625
626 * Enable "PIE" and "BINDOW" hardening flags.
627@@ -642,6 +1098,17 @@ openvpn (2.2.1-6) unstable; urgency=low
628
629 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Mar 2012 13:44:50 +0100
630
631+openvpn (2.2.1-5ubuntu1) precise; urgency=low
632+
633+ * Merge from Debian unstable. Remaining changes: (LP: #907828)
634+ + debian/openvpn.init.d:
635+ - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
636+ - Show per-VPN result messages.
637+ - Add "--script-security 2" by default for backwards compatabliity.
638+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
639+
640+ -- Stéphane Graber <stgraber@ubuntu.com> Sat, 25 Feb 2012 21:08:48 -0500
641+
642 openvpn (2.2.1-5) unstable; urgency=low
643
644 * Avoid sending ICMP redirects when using tun devices and "subnet"
645@@ -664,6 +1131,20 @@ openvpn (2.2.1-4) unstable; urgency=low
646
647 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 08 Feb 2012 16:31:32 +0100
648
649+openvpn (2.2.1-3ubuntu1) precise; urgency=low
650+
651+ * Merge from Debian testing. Remaining changes:
652+ + debian/openvpn.init.d:
653+ - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
654+ - Show per-VPN result messages.
655+ - Add "--script-security 2" by default for backwards compatabliity.
656+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
657+ + debian/update-resolv-conf: Support multiple domains.
658+ + fix bug where '--script-security 2' would be passed for all
659+ daemons after the first. (LP: #794916)
660+
661+ -- Chuck Short <zulcss@ubuntu.com> Sat, 31 Dec 2011 04:55:56 +0000
662+
663 openvpn (2.2.1-3) unstable; urgency=low
664
665 * The iproute fiasco release.
666@@ -692,6 +1173,20 @@ openvpn (2.2.1-1) unstable; urgency=low
667
668 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 13 Dec 2011 11:04:22 +0100
669
670+openvpn (2.2.0-2ubuntu1) oneiric; urgency=low
671+
672+ * Merge from debian unstable. Remaining changes:
673+ + debian/openvpn.init.d:
674+ - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
675+ - Show per-VPN result messages.
676+ - Add "--script-security 2" by default for backwards compatabliity.
677+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
678+ + debian/update-resolv-conf: Support multiple domains.
679+ + fix bug where '--script-security 2' would be passed for all
680+ daemons after the first. (LP: #794916
681+
682+ -- Chuck Short <zulcss@ubuntu.com> Thu, 16 Jun 2011 18:33:37 +0100
683+
684 openvpn (2.2.0-2) unstable; urgency=low
685
686 * Upload to unstable
687@@ -726,6 +1221,45 @@ openvpn (2.1.3-5) experimental; urgency=low
688
689 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 22 Mar 2011 10:57:18 +0100
690
691+openvpn (2.1.3-4.1ubuntu2) oneiric; urgency=low
692+
693+ [Alexander Zielke]
694+ * fix bug where '--script-security 2' would be passed for all
695+ daemons after the first. (LP: #794916)
696+
697+ -- Scott Moser <smoser@ubuntu.com> Thu, 09 Jun 2011 13:59:08 -0400
698+
699+openvpn (2.1.3-4.1ubuntu1) oneiric; urgency=low
700+
701+ * Merge from debian unstable. Remaining changes:
702+ + debian/openvpn.init.d:
703+ - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
704+ - Show per-VPN result messages.
705+ - Add "--script-security 2" by default for backwards compatabliity.
706+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
707+ + debian/update-resolv-conf: Support multiple domains.
708+
709+ -- Chuck Short <zulcss@ubuntu.com> Tue, 17 May 2011 02:14:39 +0100
710+
711+openvpn (2.1.3-4.1) unstable; urgency=low
712+
713+ * Non-maintainer upload.
714+ * Drop hard-coded dependency on libssl0.9.8. (Closes: #623503)
715+
716+ -- Philipp Kern <pkern@debian.org> Mon, 09 May 2011 23:20:03 +0200
717+
718+openvpn (2.1.3-4ubuntu1) oneiric; urgency=low
719+
720+ * Merge from debian unstable. Remaining changes:
721+ + debian/openvpn.init.d:
722+ - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
723+ - Show per-VPN result messages.
724+ - Add "--script-security 2" by default for backwards compatabliity.
725+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
726+ + debian/update-resolv-conf: Support multiple domains.
727+
728+ -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Mar 2011 23:28:26 +0000
729+
730 openvpn (2.1.3-4) unstable; urgency=low
731
732 * Updated JuanJo's IPv6 patch. Now really fixes use from xinetd.
733@@ -748,6 +1282,31 @@ openvpn (2.1.3-3) unstable; urgency=low
734
735 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 11 Mar 2011 13:08:12 +0100
736
737+openvpn (2.1.3-2ubuntu3) natty; urgency=low
738+
739+ * update-resolv-conf: Correctly handle multiple dns search domains,
740+ using the same logic as nameservers. Patch courtesy of Jeremy
741+ Zawodny. (LP: #662847)
742+
743+ -- Dave Walker (Daviey) <DaveWalker@ubuntu.com> Fri, 11 Mar 2011 00:23:59 +0000
744+
745+openvpn (2.1.3-2ubuntu2) natty; urgency=low
746+
747+ * update-resolv-conf: Support mulitple domains (LP: #714358)
748+
749+ -- Chuck Short <zulcss@ubuntu.com> Mon, 14 Feb 2011 15:21:46 -0500
750+
751+openvpn (2.1.3-2ubuntu1) natty; urgency=low
752+
753+ * Merge from debian unstable. Remaining changes:
754+ + debian/openvpn.init.d:
755+ - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
756+ - Show per-VPN result messages.
757+ - Add "--script-security 2" by default for backwards compatabliity.
758+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
759+
760+ -- Chuck Short <zulcss@ubuntu.com> Sat, 23 Oct 2010 01:59:28 +0100
761+
762 openvpn (2.1.3-2) unstable; urgency=low
763
764 * Applied upstream patch to solve random routes added when using
765@@ -755,6 +1314,24 @@ openvpn (2.1.3-2) unstable; urgency=low
766
767 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 21 Oct 2010 12:21:33 +0200
768
769+openvpn (2.1.3-1ubuntu2) natty; urgency=low
770+
771+ * Fix jjo-ipv6-support.patch to avoid assertion failure at socket.c:629 in
772+ corner cases where ! host && addr (LP: #627973)
773+
774+ -- Thierry Carrez (ttx) <thierry.carrez@ubuntu.com> Wed, 20 Oct 2010 16:22:25 +0200
775+
776+openvpn (2.1.3-1ubuntu1) natty; urgency=low
777+
778+ * Merge from debian unstable. Remaining changes:
779+ + debian/openvpn.init.d:
780+ - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
781+ - Show per-VPN result messages.
782+ - Add "--script-security 2" by default for backwards compatablitiy
783+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
784+
785+ -- Chuck Short <zulcss@ubuntu.com> Tue, 05 Oct 2010 06:21:14 +0100
786+
787 openvpn (2.1.3-1) unstable; urgency=low
788
789 * New upstream release (Closes: #595684)
790@@ -766,6 +1343,17 @@ openvpn (2.1.3-1) unstable; urgency=low
791
792 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Sep 2010 13:07:37 +0200
793
794+openvpn (2.1.0-3ubuntu1) maverick; urgency=low
795+
796+ * Merge from debian unstable. Remaining changes:
797+ + debian/openvpn.init.d:
798+ - Do not use start-stop-daemon and use </dev/null to avoid blocking boot
799+ - Show per-VPN result messages
800+ - Add "--script-security 2" by default for backwards compatablitiy
801+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
802+
803+ -- Chuck Short <zulcss@ubuntu.com> Mon, 12 Jul 2010 09:39:43 -0400
804+
805 openvpn (2.1.0-3) unstable; urgency=low
806
807 * The 'happy birthday to me' release
808@@ -775,6 +1363,24 @@ openvpn (2.1.0-3) unstable; urgency=low
809
810 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Jul 2010 12:22:09 +0200
811
812+openvpn (2.1.0-2ubuntu2) maverick; urgency=low
813+
814+ * debian/patches/client_hang_when_server_dont_push.patch: Fix client hanging
815+ on PUSH_REQUEST when server does not push any option (LP: #579737)
816+
817+ -- Thierry Carrez <thierry.carrez@ubuntu.com> Mon, 28 Jun 2010 10:45:23 +0200
818+
819+openvpn (2.1.0-2ubuntu1) maverick; urgency=low
820+
821+ * Merge from debian unstable. Remaining changes:
822+ + debian/openvpn.init.d:
823+ - Do not use start-stop-daemon and use </dev/null to avoid blocking boot
824+ - Show per-VPN result messages
825+ - Add "--script-security 2" by default for backwards compatablitiy
826+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
827+
828+ -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 03:06:19 +0100
829+
830 openvpn (2.1.0-2) unstable; urgency=low
831
832 * Patched ssl.[ch] to fix integer overflow. (Closes: #576827)
833@@ -787,6 +1393,17 @@ openvpn (2.1.0-2) unstable; urgency=low
834
835 -- Alberto Gonzalez Iniesta <agi@inittab.org> Sat, 10 Apr 2010 17:26:42 +0200
836
837+openvpn (2.1.0-1ubuntu1) lucid; urgency=low
838+
839+ * Merge from debian testing (LP: #509078), remaining changes:
840+ + debian/openvpn.init.d:
841+ - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
842+ - Show per-VPN result messages
843+ - Add "--script-security 2" by default for backwards compatibility
844+ + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
845+
846+ -- Jan Brinkmann <lucky@the-luckyduck.de> Fri, 22 Jan 2010 00:47:33 +0100
847+
848 openvpn (2.1.0-1) unstable; urgency=low
849
850 * New upstream release
851@@ -824,6 +1441,20 @@ openvpn (2.1~rc20-3) unstable; urgency=low
852
853 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 04 Nov 2009 17:18:03 +0100
854
855+openvpn (2.1~rc20-2ubuntu1) lucid; urgency=low
856+
857+ * Merge from debian testing, remaining changes:
858+ + debian/openvpn.init.d:
859+ - Do not use start-stop-daemon and use < /dev/null to avoid blocking
860+ boot.
861+ - show per-VPN result messages
862+ - add "--script-security 2" by default for backwards compatibility
863+ - Add lab-base >= 3.2-14 to allow status_of_proc()
864+ + Dropped debian/patches/redirect-gateway.patch: Already applied
865+ upstream.
866+
867+ -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 01:36:35 +0000
868+
869 openvpn (2.1~rc20-2) unstable; urgency=low
870
871 * init.d script: Added X-Interactive header. (Closes: #549424)
872@@ -848,6 +1479,25 @@ openvpn (2.1~rc19-2) unstable; urgency=low
873
874 -- Alberto Gonzalez Iniesta <agi@inittab.org> Sun, 30 Aug 2009 20:20:11 +0200
875
876+openvpn (2.1~rc19-1ubuntu2) karmic; urgency=low
877+
878+ * debian/patches/redirect-gateway.patch: Fix regression introduced in
879+ 2.1rc17 that makes redirect-gateway (without options) to be ignored.
880+ Patch cherrypicked from upstream 2.1rc20 (SVN r5011), LP: #445695
881+
882+ -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 13 Oct 2009 09:31:20 +0200
883+
884+openvpn (2.1~rc19-1ubuntu1) karmic; urgency=low
885+
886+ * Merge from debian unstable (LP: #404099), remaining changes:
887+ - debian/openvpn.init.d:
888+ - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
889+ - show per-VPN result messages
890+ - add "--script-security 2" by default for backwards compatibility
891+ - Added lsb-base>=3.2-14 depend to allow status_of_proc()
892+
893+ -- Bhavani Shankar <right2bhavi@gmail.com> Fri, 24 Jul 2009 19:22:13 +0530
894+
895 openvpn (2.1~rc19-1) unstable; urgency=low
896
897 * New upstream version
898@@ -857,6 +1507,17 @@ openvpn (2.1~rc19-1) unstable; urgency=low
899
900 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 21 Jul 2009 17:00:56 +0200
901
902+openvpn (2.1~rc15-1ubuntu1) karmic; urgency=low
903+
904+ * Merge from debian unstable (LP: #372358), remaining changes:
905+ - debian/openvpn.init.d:
906+ - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
907+ - show per-VPN result messages
908+ - add "--script-security 2" by default for backwards compatibility
909+ - Added lsb-base>=3.2-14 depend to allow status_of_proc()
910+
911+ -- Andres Rodriguez <andreserl@ubuntu.com> Tue, 05 May 2009 14:25:37 -0500
912+
913 openvpn (2.1~rc15-1) unstable; urgency=low
914
915 * New upstream version (Closes: #515575)
916@@ -876,6 +1537,33 @@ openvpn (2.1~rc15-1) unstable; urgency=low
917
918 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 30 Apr 2009 12:35:05 +0200
919
920+openvpn (2.1~rc11-1ubuntu3) jaunty; urgency=low
921+
922+ * debian/openvpn.init.d:
923+ - Fix unexpected operator on startup (LP: #340120)
924+
925+ -- Michael Jeanson <mjeanson@revolutionlinux.com> Mon, 09 Mar 2009 16:02:50 -0400
926+
927+openvpn (2.1~rc11-1ubuntu2) intrepid; urgency=low
928+
929+ * debian/openvpn.init.d:
930+ - Revert fix from #454371 that was merged at 2.1~rc7-4 to prevent
931+ openvpn prompts from blocking the boot (LP: #280428)
932+ - Fix VPNs always reported started [ OK ]
933+
934+ -- Thierry Carrez <thierry.carrez@ubuntu.com> Wed, 15 Oct 2008 17:12:54 +0200
935+
936+openvpn (2.1~rc11-1ubuntu1) intrepid; urgency=low
937+
938+ * Merge with Debian (LP: #279655), remaining diffs:
939+ - debian/openvpn.init.d: Added 'status' action to init script, show
940+ per-VPN result messages and add "--script-security 2" by default for
941+ backwards compatibility
942+ - debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
943+ * Fixes regression when calling commands with arguments (LP: #277447)
944+
945+ -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 07 Oct 2008 16:30:44 +0200
946+
947 openvpn (2.1~rc11-1) unstable; urgency=low
948
949 * New upstream version
950@@ -896,6 +1584,23 @@ openvpn (2.1~rc10-1) unstable; urgency=low
951
952 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 Sep 2008 16:58:37 +0200
953
954+openvpn (2.1~rc9-3ubuntu2) intrepid; urgency=low
955+
956+ * debian/openvpn.init.d:
957+ - Added 'status' action to init script (LP: #251641)
958+ - Restored per-VPN result messages by using log_action_begin_msg and
959+ one log_daemon_msg per VPN instead of log_progress_msg (LP: #264966)
960+ * debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
961+
962+ -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 09 Sep 2008 10:45:45 +0200
963+
964+openvpn (2.1~rc9-3ubuntu1) intrepid; urgency=low
965+
966+ * debian/openvpn.init.d: Add "--script-security 2" by default for backwards compatibility
967+ (LP: #260291)
968+
969+ -- Chuck Short <zulcss@ubuntu.com> Mon, 25 Aug 2008 10:20:31 -0400
970+
971 openvpn (2.1~rc9-3) unstable; urgency=low
972
973 * debian/rules: run ./configure with path to 'route', for
974diff --git a/debian/control b/debian/control
975index 63a8262..40ed491 100644
976--- a/debian/control
977+++ b/debian/control
978@@ -1,7 +1,8 @@
979 Source: openvpn
980 Section: net
981 Priority: optional
982-Maintainer: Bernhard Schmidt <berni@debian.org>
983+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
984+XSBC-Original-Maintainer: Bernhard Schmidt <berni@debian.org>
985 Uploaders: Jörg Frings-Fürst <debian@jff.email>
986 Build-Depends:
987 debhelper-compat (= 12),
988@@ -39,8 +40,8 @@ Depends:
989 Suggests:
990 openssl,
991 resolvconf,
992- openvpn-systemd-resolved
993-Recommends: easy-rsa
994+ openvpn-systemd-resolved,
995+ easy-rsa
996 Description: virtual private network daemon
997 OpenVPN is an application to securely tunnel IP networks over a
998 single UDP or TCP port. It can be used to access remote sites, make
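Review bot: moving easy-rsa from Recommends to Suggests (the last two + lines) changes what a default install pulls in, because Recommends are installed by default and Suggests are not, yet nothing in this hunk says why. Please make sure the remaining-changes list in the new changelog entry names this delta and its reason, so the next merger can tell whether it is still needed or can be dropped.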
999diff --git a/debian/openvpn@.service b/debian/openvpn@.service
1000index 945874b..6d59b13 100644
1001--- a/debian/openvpn@.service
1002+++ b/debian/openvpn@.service
1003@@ -12,7 +12,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
1004 Type=notify
1005 PrivateTmp=true
1006 WorkingDirectory=/etc/openvpn
1007-ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
1008+ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
1009 PIDFile=/run/openvpn/%i.pid
1010 KillMode=process
1011 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
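Review bot: the added "--script-security 2" in ExecStart raises the default for every openvpn@ instance to the level that permits user-defined scripts, and those scripts run inside a unit whose CapabilityBoundingSet still lists CAP_DAC_OVERRIDE, CAP_SETUID, CAP_SETGID and CAP_NET_ADMIN. The flag sits before "--config /etc/openvpn/%i.conf", so a script-security line in the instance's .conf is parsed after it. Please confirm that ordering is intentional so a per-instance config can lower the level, and say so in the changelog, which only describes this delta as being "for backwards compatibility".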
1012diff --git a/debian/patches/openvpn-fips-2.4.patch b/debian/patches/openvpn-fips-2.4.patch
1013new file mode 100644
1014index 0000000..1c4f068
1015--- /dev/null
1016+++ b/debian/patches/openvpn-fips-2.4.patch
1017@@ -0,0 +1,90 @@
1018+Description: Use openssl FIPS flag to indicate MD5 use for PRF.
1019+ MD5 is not allowed in FIPS 140-2 except for PRF. OpenVPN needs
1020+ to send EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag to FIPS mode openssl
1021+ for PRF to indicate the exception.
1022+Bug: https://community.openvpn.net/openvpn/ticket/725
1023+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1807439
1024+Author: Stephan Mueller <stephan.mueller@atsec.com>
1025+
1026+--- a/src/openvpn/crypto.c
1027++++ b/src/openvpn/crypto.c
1028+@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const
1029+ if (kt->digest && kt->hmac_length > 0)
1030+ {
1031+ ctx->hmac = hmac_ctx_new();
1032+- hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
1033++ hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0);
1034+
1035+ msg(D_HANDSHAKE,
1036+ "%s: Using %d bit message hash '%s' for HMAC authentication",
1037+--- a/src/openvpn/crypto_backend.h
1038++++ b/src/openvpn/crypto_backend.h
1039+@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx);
1040+ * @param key The key to use for the HMAC
1041+ * @param key_len The key length to use
1042+ * @param kt Static message digest parameters
1043++ * @param prf_use Intended use for PRF in TLS protocol
1044+ *
1045+ */
1046+ void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length,
1047+- const md_kt_t *kt);
1048++ const md_kt_t *kt, bool prf_use);
1049+
1050+ /*
1051+ * Free the given HMAC context.
1052+--- a/src/openvpn/crypto_mbedtls.c
1053++++ b/src/openvpn/crypto_mbedtls.c
1054+@@ -919,7 +919,7 @@ hmac_ctx_free(mbedtls_md_context_t *ctx)
1055+
1056+ void
1057+ hmac_ctx_init(mbedtls_md_context_t *ctx, const uint8_t *key, int key_len,
1058+- const mbedtls_md_info_t *kt)
1059++ const mbedtls_md_info_t *kt, bool prf_use)
1060+ {
1061+ ASSERT(NULL != kt && NULL != ctx);
1062+
1063+--- a/src/openvpn/crypto_openssl.c
1064++++ b/src/openvpn/crypto_openssl.c
1065+@@ -1006,11 +1006,17 @@ hmac_ctx_free(HMAC_CTX *ctx)
1066+
1067+ void
1068+ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
1069+- const EVP_MD *kt)
1070++ const EVP_MD *kt, bool prf_use)
1071+ {
1072+ ASSERT(NULL != kt && NULL != ctx);
1073+
1074+ HMAC_CTX_reset(ctx);
1075++
1076++ /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
1077++ * to be used anywhere else */
1078++ if(kt == EVP_md5() && prf_use)
1079++ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1080++
1081+ HMAC_Init_ex(ctx, key, key_len, kt, NULL);
1082+
1083+ /* make sure we used a big enough key */
1084+--- a/src/openvpn/ntlm.c
1085++++ b/src/openvpn/ntlm.c
1086+@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da
1087+ const md_kt_t *md5_kt = md_kt_get("MD5");
1088+ hmac_ctx_t *hmac_ctx = hmac_ctx_new();
1089+
1090+- hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
1091++ hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0);
1092+ hmac_ctx_update(hmac_ctx, data, data_len);
1093+ hmac_ctx_final(hmac_ctx, result);
1094+ hmac_ctx_cleanup(hmac_ctx);
1095+--- a/src/openvpn/ssl.c
1096++++ b/src/openvpn/ssl.c
1097+@@ -1632,8 +1632,8 @@ tls1_P_hash(const md_kt_t *md_kt,
1098+ int chunk = md_kt_size(md_kt);
1099+ unsigned int A1_len = md_kt_size(md_kt);
1100+
1101+- hmac_ctx_init(ctx, sec, sec_len, md_kt);
1102+- hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
1103++ hmac_ctx_init(ctx, sec, sec_len, md_kt, 1);
1104++ hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1);
1105+
1106+ hmac_ctx_update(ctx,seed,seed_len);
1107+ hmac_ctx_final(ctx, A1);
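Review bot: in the crypto_openssl.c part, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW is set only when "kt == EVP_md5() && prf_use" holds, and only tls1_P_hash() in ssl.c passes 1, so gen_hmac_md5() in ntlm.c (which passes 0) stays subject to the FIPS restriction on MD5. The Description should state that the NTLM HMAC-MD5 path is left unexempted, so it is not later mistaken for an oversight. Smaller points: the callers pass 0 and 1 for a parameter the prototype in crypto_backend.h declares as bool, where false and true would read better; the crypto_mbedtls.c signature gains prf_use with no use of it in the lines shown, which deserves a comment or a (void)prf_use; the new "if(kt == EVP_md5() && prf_use)" has no braces; and the DEP-3 header carries no Forwarded or Last-Update field.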
1108diff --git a/debian/patches/series b/debian/patches/series
1109index 6bb0685..3d2c83a 100644
1110--- a/debian/patches/series
1111+++ b/debian/patches/series
1112@@ -10,3 +10,4 @@ CVE-2020-15078-1.patch
1113 CVE-2020-15078-2.patch
1114 CVE-2020-15078-3.patch
1115 Fix-condition-to-generate-session-keys.patch
1116+openvpn-fips-2.4.patch
