Merge ~utkarsh/ubuntu/+source/openvpn:merge-openvpn-impish into ubuntu/+source/openvpn:debian/sid
Status: | Merged |
---|---|
Merge reported by: | Utkarsh Gupta |
Merged at revision: | 769fd64b627bdae3d18ca552a2b84988f290d33c |
Proposed branch: | ~utkarsh/ubuntu/+source/openvpn:merge-openvpn-impish |
Merge into: | ubuntu/+source/openvpn:debian/sid |
Diff against target: | 1116 lines (+802/-5), 5 files modified: debian/changelog (+706/-1), debian/control (+4/-3), debian/openvpn@.service (+1/-1), debian/patches/openvpn-fips-2.4.patch (+90/-0), debian/patches/series (+1/-0) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Robie Basak | Approve | ||
Christian Ehrhardt (community) | Abstain | ||
Canonical Server | Pending | ||
Canonical Server packageset reviewers | Pending | ||
git-ubuntu developers | Pending | ||
Commit message
Description of the change
Hey,
Yet another merge -> bug fixes one though.
PPA at https:/
Build's good and autopkgtest passes:
```
autopkgtest [16:56:46]: @@@@@@@
server-
server-
```
Requesting you to please review and sponsor the upload. TIA! \o/
[Assigning review to Robie]

Robie Basak (racb) wrote:
Looks good!
Although merge is correct, your logical tag is wrong. The tree of lp1917438/
Uploaded.

Utkarsh Gupta (utkarsh) wrote:
Ooh yeah, I *did* drop the delta already and then tagged the logical tag. My bad. Thanks for the upload, though! \o/
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index f1c969f..a1eb824 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,16 @@ |
6 | +openvpn (2.5.1-3ubuntu1) impish; urgency=medium |
7 | + |
8 | + * Merge with Debian unstable. Remaining changes: |
9 | + - d/control: Demote easy-rsa to Suggests (universe package). |
10 | + - debian/openvpn@.service: Add '--script-security 2' similar to what |
11 | + got added to debian/openvpn.init.d ages ago (LP #1454725) |
12 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl. |
13 | + * Dropped changes: |
14 | + - d/t/server-setup-*: adapt tests to output of v2.5.0 |
15 | + [Included in 2.5.1-3] |
16 | + |
17 | + -- Utkarsh Gupta <utkarsh.gupta@canonical.com> Mon, 17 May 2021 14:38:17 +0530 |
18 | + |
19 | openvpn (2.5.1-3) unstable; urgency=medium |
20 | |
21 | * Fix autopkgtest (Closes: #983662) |
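Review bot: The d/p/openvpn-fips-2.4.patch line under "Remaining changes" in the new 2.5.1-3ubuntu1 entry carries no bug reference, while the 2.4.7-1ubuntu1 entry further down cites (LP 1807439) for the same patch. Because this delta relaxes a FIPS-mode restriction (MD5 for the PRF), keep the reference on the newest entry as well, in the colon-less form already used for the script-security item, e.g. "(LP #1807439)", so the justification for the exception stays traceable without reading years of history.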
22 | @@ -7,6 +20,17 @@ openvpn (2.5.1-3) unstable; urgency=medium |
23 | |
24 | -- Bernhard Schmidt <berni@debian.org> Fri, 14 May 2021 09:40:04 +0200 |
25 | |
26 | +openvpn (2.5.1-2ubuntu1) impish; urgency=medium |
27 | + |
28 | + * Merge with Debian unstable. Remaining changes: |
29 | + - d/control: Demote easy-rsa to Suggests (universe package). |
30 | + - debian/openvpn@.service: Add '--script-security 2' similar to what |
31 | + got added to debian/openvpn.init.d ages ago (LP #1454725) |
32 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl. |
33 | + - d/t/server-setup-*: adapt tests to output of v2.5.0 |
34 | + |
35 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 03 May 2021 17:56:39 -0300 |
36 | + |
37 | openvpn (2.5.1-2) unstable; urgency=high |
38 | |
39 | * Cherry-Pick 3 (+ 1 predependency) patches from upstream to fix |
40 | @@ -15,12 +39,47 @@ openvpn (2.5.1-2) unstable; urgency=high |
41 | |
42 | -- Bernhard Schmidt <berni@debian.org> Wed, 28 Apr 2021 14:41:58 +0200 |
43 | |
44 | +openvpn (2.5.1-1ubuntu1) hirsute; urgency=medium |
45 | + |
46 | + * Merge with Debian unstable (LP: #1917438). Remaining changes: |
47 | + - d/control: Demote easy-rsa to Suggests (universe package). |
48 | + - debian/openvpn@.service: Add '--script-security 2' similar to what |
49 | + got added to debian/openvpn.init.d ages ago (LP #1454725) |
50 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl. |
51 | + + d/t/server-setup-*: adapt tests to output of v2.5.0 |
52 | + |
53 | + -- Utkarsh Gupta <utkarsh.gupta@canonical.com> Tue, 02 Mar 2021 16:35:37 +0530 |
54 | + |
55 | openvpn (2.5.1-1) unstable; urgency=medium |
56 | |
57 | * New upstream version 2.5.1 (bugfix release) |
58 | |
59 | -- Bernhard Schmidt <berni@debian.org> Wed, 24 Feb 2021 19:54:34 +0100 |
60 | |
61 | +openvpn (2.5.0-1ubuntu1) hirsute; urgency=medium |
62 | + |
63 | + * Merge with Debian unstable. Remaining changes: |
64 | + - d/control: Demote easy-rsa to Suggests (universe package). |
65 | + - debian/openvpn@.service: Add '--script-security 2' similar to what |
66 | + got added to debian/openvpn.init.d ages ago (LP #1454725) |
67 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl. |
68 | + [updated to match 2.5.0] |
69 | + * Dropped changes [in Debian since 2.5~beta3-1] |
70 | + - d/tests: add two DEP-8 test cases |
71 | + + d/t/server-setup-with-static-key: test the OpenVPN server side setup |
72 | + using a static key. |
73 | + + d/t/server-setup-with-ca: test the OpenVPN server side setup using a |
74 | + CA built with easy-rsa. |
75 | + - d/openvpn*.service: Drop reload support from systemd unit files |
76 | + (LP #1868127). The current reload implementation (sending a SIGHUP |
77 | + signal to the process) fails, and the difference between reload and |
78 | + restart is not clear. Systemd does not require an implementation for |
79 | + reload. |
80 | + * Added Changes: |
81 | + - d/t/server-setup-*: adapt tests to output of v2.5.0 |
82 | + |
83 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 01 Dec 2020 16:15:12 +0100 |
84 | + |
85 | openvpn (2.5.0-1) unstable; urgency=medium |
86 | |
87 | * New upstream version 2.5.0 - final release |
88 | @@ -46,7 +105,7 @@ openvpn (2.5~beta3-1) unstable; urgency=medium |
89 | |
90 | [ Lucas Kanashiro ] |
91 | * Add two DEP-8 test cases for the server side |
92 | - * Drop reload support from systemd unit files (LP: #1868127) |
93 | + * Drop reload support from systemd unit files (LP 1868127) |
94 | |
95 | [ Bernhard Schmidt ] |
96 | * Revert "d/gbp.conf for experimental 2.5 branch" |
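Review bot: The change from "(LP: #1868127)" to "(LP 1868127)" in the 2.5~beta3-1 entry rewrites a line of Debian's own changelog and is not listed under "Remaining changes" in 2.5.1-3ubuntu1, so it is undocumented delta that every later merge has to notice and re-apply by hand. If the intent is to keep the upload from referencing that Launchpad bug again (an assumption, the hunk does not say), record that reason in the new entry; otherwise drop the edit and keep the Debian text unchanged.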
97 | @@ -76,6 +135,26 @@ openvpn (2.5~beta1-1) experimental; urgency=medium |
98 | |
99 | -- Bernhard Schmidt <berni@debian.org> Sat, 15 Aug 2020 21:32:49 +0200 |
100 | |
101 | +openvpn (2.4.9-3ubuntu1) groovy; urgency=medium |
102 | + |
103 | + * Merge with Debian unstable. Remaining changes: |
104 | + - d/control: Demote easy-rsa to Suggests (universe package). |
105 | + - debian/openvpn@.service: Add '--script-security 2' similar to what |
106 | + got added to debian/openvpn.init.d ages ago (LP #1454725) |
107 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl. |
108 | + - d/tests: add two DEP-8 test cases |
109 | + + d/t/server-setup-with-static-key: test the OpenVPN server side setup |
110 | + using a static key. |
111 | + + d/t/server-setup-with-ca: test the OpenVPN server side setup using a |
112 | + CA built with easy-rsa. |
113 | + - d/openvpn*.service: Drop reload support from systemd unit files |
114 | + (LP #1868127). The current reload implementation (sending a SIGHUP |
115 | + signal to the process) fails, and the difference between reload and |
116 | + restart is not clear. Systemd does not require an implementation for |
117 | + reload. |
118 | + |
119 | + -- Lucas Kanashiro <kanashiro@ubuntu.com> Tue, 18 Aug 2020 08:42:11 -0300 |
120 | + |
121 | openvpn (2.4.9-3) unstable; urgency=medium |
122 | |
123 | [ Jörg Frings-Fürst ] |
124 | @@ -94,6 +173,28 @@ openvpn (2.4.9-3) unstable; urgency=medium |
125 | |
126 | -- Jörg Frings-Fürst <debian@jff.email> Sat, 02 May 2020 18:14:36 +0200 |
127 | |
128 | +openvpn (2.4.9-2ubuntu2) groovy; urgency=medium |
129 | + |
130 | + * Drop reload support from systemd unit files (LP: #1868127) |
131 | + |
132 | + -- Lucas Kanashiro <kanashiro@ubuntu.com> Tue, 26 May 2020 19:04:33 -0300 |
133 | + |
134 | +openvpn (2.4.9-2ubuntu1) groovy; urgency=medium |
135 | + |
136 | + * Merge with Debian unstable. Remaining changes: |
137 | + - d/control: Demote easy-rsa to Suggests (universe package). |
138 | + - debian/openvpn@.service: Add '--script-security 2' similar to what |
139 | + got added to debian/openvpn.init.d ages ago (LP 1454725) |
140 | + - Allow MD5 for PRF in FIPS mode openssl. |
141 | + * Added changes: |
142 | + - d/tests: add two DEP-8 test cases |
143 | + + d/t/server-setup-with-static-key: test the OpenVPN server side setup |
144 | + using a static key. |
145 | + + d/t/server-setup-with-ca: test the OpenVPN server side setup using a |
146 | + CA built with easy-rsa. |
147 | + |
148 | + -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Wed, 29 Apr 2020 15:35:56 -0300 |
149 | + |
150 | openvpn (2.4.9-2) unstable; urgency=medium |
151 | |
152 | * Cherry-Pick upstream patch to fix ssl_do_config error with |
153 | @@ -129,6 +230,28 @@ openvpn (2.4.9-1) unstable; urgency=medium |
154 | |
155 | -- Bernhard Schmidt <berni@debian.org> Sun, 19 Apr 2020 15:52:57 +0200 |
156 | |
157 | +openvpn (2.4.7-1ubuntu2) eoan; urgency=medium |
158 | + |
159 | + * No-change upload with strops.h and sys/strops.h removed in glibc. |
160 | + |
161 | + -- Matthias Klose <doko@ubuntu.com> Thu, 05 Sep 2019 11:05:25 +0000 |
162 | + |
163 | +openvpn (2.4.7-1ubuntu1) eoan; urgency=medium |
164 | + |
165 | + * Merge with Debian unstable (LP: #1828771). Remaining changes: |
166 | + - d/control: Demote easy-rsa to Suggests (universe package). |
167 | + - debian/openvpn@.service: Add '--script-security 2' similar to what got |
168 | + added to debian/openvpn.init.d ages ago (LP 1454725) |
169 | + - d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF. |
170 | + (LP 1807439) |
171 | + * Dropped changes: |
172 | + - d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout |
173 | + scripts breaking due to sudo/pam being unable to audit the action. |
174 | + Fixed in upstream issue #918, suggested to Debian in #868806 (LP 1787208) |
175 | + [in Debian now] |
176 | + |
177 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 13 May 2019 15:55:22 +0200 |
178 | + |
179 | openvpn (2.4.7-1) unstable; urgency=medium |
180 | |
181 | [ Bernhard Schmidt ] |
182 | @@ -148,6 +271,30 @@ openvpn (2.4.7-1) unstable; urgency=medium |
183 | |
184 | -- Bernhard Schmidt <berni@debian.org> Wed, 20 Feb 2019 14:50:03 +0100 |
185 | |
186 | +openvpn (2.4.6-1ubuntu3) disco; urgency=medium |
187 | + |
188 | + * d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF. |
189 | + (LP: #1807439) |
190 | + |
191 | + -- Joy Latten <joy.latten@canonical.com> Wed, 09 Jan 2019 12:25:59 -0600 |
192 | + |
193 | +openvpn (2.4.6-1ubuntu2) cosmic; urgency=medium |
194 | + |
195 | + * d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout |
196 | + scripts breaking due to sudo/pam being unable to audit the action. |
197 | + Fixed in upstream issue #918, suggested to Debian in #868806 (LP: #1787208) |
198 | + |
199 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Sep 2018 10:57:35 +0200 |
200 | + |
201 | +openvpn (2.4.6-1ubuntu1) cosmic; urgency=medium |
202 | + |
203 | + * Merge with Debian unstable. Remaining changes: |
204 | + - d/control: Demote easy-rsa to Suggests (universe package). |
205 | + - debian/openvpn@.service: Add '--script-security 2' similar to what got |
206 | + added to debian/openvpn.init.d ages ago (LP 1454725) |
207 | + |
208 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 20 Aug 2018 13:30:20 +0200 |
209 | + |
210 | openvpn (2.4.6-1) unstable; urgency=medium |
211 | |
212 | [ Jörg Frings-Fürst ] |
213 | @@ -191,6 +338,15 @@ openvpn (2.4.5-1) unstable; urgency=medium |
214 | |
215 | -- Bernhard Schmidt <berni@debian.org> Sun, 04 Mar 2018 22:23:47 +0100 |
216 | |
217 | +openvpn (2.4.4-2ubuntu1) bionic; urgency=low |
218 | + |
219 | + * Sync with Debian. Remaining changes: |
220 | + - debian/openvpn@.service: Add "--script-security 2" similar to what got |
221 | + added to debian/openvpn.init.d ages ago (LP: #1454725) |
222 | + - Demote easy-rsa to Suggests (universe package). |
223 | + |
224 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 10 Feb 2018 20:27:56 +0000 |
225 | + |
226 | openvpn (2.4.4-2) unstable; urgency=medium |
227 | |
228 | * Build against OpenSSL 1.1.0 (Closes: #828477) |
229 | @@ -198,6 +354,15 @@ openvpn (2.4.4-2) unstable; urgency=medium |
230 | |
231 | -- Bernhard Schmidt <berni@debian.org> Mon, 11 Dec 2017 00:22:11 +0100 |
232 | |
233 | +openvpn (2.4.4-1ubuntu1) bionic; urgency=medium |
234 | + |
235 | + * Sync with Debian. Remaining changes: |
236 | + - debian/openvpn@.service: Add "--script-security 2" similar to what got |
237 | + added to debian/openvpn.init.d ages ago (LP: #1454725) |
238 | + - Demote easy-rsa to Suggests (universe package). |
239 | + |
240 | + -- Jeremy Bicha <jbicha@ubuntu.com> Sat, 28 Oct 2017 15:13:58 -0400 |
241 | + |
242 | openvpn (2.4.4-1) unstable; urgency=medium |
243 | |
244 | [ Jörg Frings-Fürst ] |
245 | @@ -319,6 +484,65 @@ openvpn (2.4.0-5) unstable; urgency=high |
246 | |
247 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 May 2017 14:15:21 +0200 |
248 | |
249 | +openvpn (2.4.0-4ubuntu1.3) zesty-security; urgency=medium |
250 | + |
251 | + * SECURITY UPDATE: Remotely-triggerable ASSERT() on malformed IPv6 packet |
252 | + - debian/patches/CVE-2017-7508.patch: remove assert in |
253 | + src/openvpn/mss.c. |
254 | + - CVE-2017-7508 |
255 | + * SECURITY UPDATE: Remote-triggerable memory leaks |
256 | + - debian/patches/CVE-2017-7512.patch: fix leaks in |
257 | + src/openvpn/ssl_verify_openssl.c. |
258 | + - CVE-2017-7512 |
259 | + * SECURITY UPDATE: Pre-authentication remote crash/information disclosure |
260 | + for clients |
261 | + - debian/patches/CVE-2017-7520.patch: prevent two kinds of stack buffer |
262 | + OOB reads and a crash for invalid input data in src/openvpn/ntlm.c. |
263 | + - CVE-2017-7520 |
264 | + * SECURITY UPDATE: Potential double-free in --x509-alt-username and |
265 | + memory leaks |
266 | + - debian/patches/CVE-2017-7521.patch: fix double-free in |
267 | + src/openvpn/ssl_verify_openssl.c. |
268 | + - CVE-2017-7521 |
269 | + * SECURITY UPDATE: DoS in establish_http_proxy_passthru() |
270 | + - debian/patches/establish_http_proxy_passthru_dos.patch: fix |
271 | + null-pointer dereference in src/openvpn/proxy.c. |
272 | + - No CVE number |
273 | + |
274 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 22 Jun 2017 08:37:49 -0400 |
275 | + |
276 | +openvpn (2.4.0-4ubuntu1.2) zesty-security; urgency=medium |
277 | + |
278 | + * SECURITY UPDATE: pre-authentication denial-of-service vulnerability |
279 | + (both client and server) from a too-large control packet. |
280 | + - debian/patches/CVE-2017-7478.patch: Do not assert on too-large |
281 | + control packet |
282 | + - CVE-2017-7478 |
283 | + * SECURITY UPDATE: authenticated remote DoS vulnerability due to |
284 | + packet ID rollover |
285 | + - debian/patches/CVE-2017-7479-prereq.patch: merge |
286 | + packet_id_alloc_outgoing() into packet_id_write() |
287 | + - debian/patches/CVE-2017-7478.patch: do not assert when packet ID |
288 | + rollover occurs |
289 | + - CVE-2017-7478 |
290 | + * SECURITY UPDATE: auth tokens left in memory after de-auth |
291 | + - debian/patches/wipe_tokens_on_de-auth.patch: always wipe token |
292 | + as soon as a TLS session is considered broken. |
293 | + |
294 | + -- Steve Beattie <sbeattie@ubuntu.com> Wed, 10 May 2017 15:21:05 -0700 |
295 | + |
296 | +openvpn (2.4.0-4ubuntu1) zesty; urgency=medium |
297 | + |
298 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
299 | + - debian/openvpn@.service: Add "--script-security 2" similar to what got |
300 | + added to debian/openvpn.init.d ages ago (LP: #1454725) |
301 | + - Demote easy-rsa to Suggests (universe package). |
302 | + * Drop: |
303 | + - debian/control: Actually drop the initscripts dependency. |
304 | + (Closes: #804968). Already in Debian |
305 | + |
306 | + -- Jon Grimm <jon.grimm@canonical.com> Fri, 10 Feb 2017 12:16:57 -0600 |
307 | + |
308 | openvpn (2.4.0-4) unstable; urgency=medium |
309 | |
310 | * Add NEWS entries on possible 2.4 migration issues. |
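Review bot: In the 2.4.0-4ubuntu1.2 entry the packet ID rollover item names debian/patches/CVE-2017-7478.patch and "- CVE-2017-7478", the same patch file and CVE id as the too-large control packet item above it, although its prerequisite is listed as CVE-2017-7479-prereq.patch. That looks like the first item's identifiers carried over. The text is a historical entry and should stay as imported, but check it against the zesty-security upload before relying on this changelog for CVE coverage, since a search for a second id will find nothing here. The third item (auth tokens left in memory) also has no CVE line, whereas the 1.3 entry writes "No CVE number" explicitly.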
311 | @@ -388,6 +612,24 @@ openvpn (2.3.11-2) unstable; urgency=medium |
312 | |
313 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 23 May 2016 09:55:30 +0200 |
314 | |
315 | +openvpn (2.3.11-1ubuntu2) yakkety; urgency=medium |
316 | + |
317 | + * debian/control: Actually drop the initscripts dependency. |
318 | + (Closes: #804968) |
319 | + |
320 | + -- Martin Pitt <martin.pitt@ubuntu.com> Wed, 22 Jun 2016 16:54:51 +0200 |
321 | + |
322 | +openvpn (2.3.11-1ubuntu1) yakkety; urgency=medium |
323 | + |
324 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
325 | + - debian/openvpn@.service: Add "--script-security 2" similar to what got |
326 | + added to debian/openvpn.init.d ages ago (see LP: #260291). |
327 | + - Demote easy-rsa to Suggests (universe package). |
328 | + * Drop intrusive changes (showing per-VPN result messages) from |
329 | + debian/openvpn.init.d. This isn't being used under systemd. |
330 | + |
331 | + -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 20 May 2016 17:30:27 +0200 |
332 | + |
333 | openvpn (2.3.11-1) unstable; urgency=medium |
334 | |
335 | * New upstream release. |
336 | @@ -399,6 +641,25 @@ openvpn (2.3.11-1) unstable; urgency=medium |
337 | |
338 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 10 May 2016 17:41:53 +0200 |
339 | |
340 | +openvpn (2.3.10-1ubuntu2) xenial; urgency=medium |
341 | + |
342 | + * debian/openvpn@.service: Add --script-security similar to what got added |
343 | + to debian/openvpn.init.d ages ago (see LP #260291). (LP: #1454725) |
344 | + |
345 | + -- Martin Pitt <martin.pitt@ubuntu.com> Tue, 02 Feb 2016 13:33:39 +0100 |
346 | + |
347 | +openvpn (2.3.10-1ubuntu1) xenial; urgency=medium |
348 | + |
349 | + * Merge with Debian unstable (LP: #1536568). Remaining Ubuntu changes: |
350 | + - debian/openvpn.init.d: |
351 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
352 | + + Show per-VPN result messages. |
353 | + + Add "--script-security 2" by default for backwards compatabliity. |
354 | + (LP #260291) |
355 | + - Demote easy-rsa to Suggests |
356 | + |
357 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Thu, 21 Jan 2016 11:37:08 +0100 |
358 | + |
359 | openvpn (2.3.10-1) unstable; urgency=medium |
360 | |
361 | * New upstream release. (Closes: #804368) |
362 | @@ -417,6 +678,21 @@ openvpn (2.3.10-1) unstable; urgency=medium |
363 | |
364 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 20 Jan 2016 12:01:36 +0100 |
365 | |
366 | +openvpn (2.3.8-1ubuntu1) xenial; urgency=medium |
367 | + |
368 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
369 | + - debian/openvpn.init.d: |
370 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
371 | + + Show per-VPN result messages. |
372 | + + Add "--script-security 2" by default for backwards compatabliity. |
373 | + - Demote easy-rsa to Suggests |
374 | + - Run openvpn@.service before systemd-user-sessions.service to avoid |
375 | + gettys and lightdm starting on top of possible password prompts. This |
376 | + provides the equivalent of the init.d script's X-Start-Before:. |
377 | + (Closes: #803032) |
378 | + |
379 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 04 Jan 2016 11:48:31 +0100 |
380 | + |
381 | openvpn (2.3.8-1) unstable; urgency=medium |
382 | |
383 | * New upstream release. Drop patch from 2.3.7-2. |
384 | @@ -430,6 +706,21 @@ openvpn (2.3.8-1) unstable; urgency=medium |
385 | |
386 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 28 Oct 2015 17:34:26 +0100 |
387 | |
388 | +openvpn (2.3.7-2ubuntu1) xenial; urgency=medium |
389 | + |
390 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
391 | + - debian/openvpn.init.d: |
392 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
393 | + + Show per-VPN result messages. |
394 | + + Add "--script-security 2" by default for backwards compatabliity. |
395 | + - Demote easy-rsa to Suggests |
396 | + - Run openvpn@.service before systemd-user-sessions.service to avoid |
397 | + gettys and lightdm starting on top of possible password prompts. This |
398 | + provides the equivalent of the init.d script's X-Start-Before:. |
399 | + (Closes: #803032) |
400 | + |
401 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 26 Oct 2015 09:32:31 +0100 |
402 | + |
403 | openvpn (2.3.7-2) unstable; urgency=medium |
404 | |
405 | * Move libsystemd-daemon-dev Build-Dep to libsystemd-dev. |
406 | @@ -440,6 +731,20 @@ openvpn (2.3.7-2) unstable; urgency=medium |
407 | |
408 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 08 Sep 2015 08:23:19 +0000 |
409 | |
410 | +openvpn (2.3.7-1ubuntu1) wily; urgency=medium |
411 | + |
412 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
413 | + - debian/openvpn.init.d: |
414 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
415 | + + Show per-VPN result messages. |
416 | + + Add "--script-security 2" by default for backwards compatabliity. |
417 | + - Demote easy-rsa to Suggests |
418 | + - Run openvpn@.service before systemd-user-sessions.service to avoid |
419 | + gettys and lightdm starting on top of possible password prompts. This |
420 | + provides the equivalent of the init.d script's X-Start-Before:. |
421 | + |
422 | + -- Martin Pitt <martin.pitt@ubuntu.com> Wed, 08 Jul 2015 12:28:54 +0200 |
423 | + |
424 | openvpn (2.3.7-1) unstable; urgency=medium |
425 | |
426 | * New upstream version |
427 | @@ -461,6 +766,20 @@ openvpn (2.3.5-1) unstable; urgency=medium |
428 | |
429 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Oct 2014 17:44:06 +0100 |
430 | |
431 | +openvpn (2.3.4-5ubuntu1) wily; urgency=medium |
432 | + |
433 | + * Merge with Debian unstable. Remaining Ubuntu changes: |
434 | + - debian/openvpn.init.d: |
435 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
436 | + + Show per-VPN result messages. |
437 | + + Add "--script-security 2" by default for backwards compatabliity. |
438 | + - Demote easy-rsa to Suggests |
439 | + - Run openvpn@.service before systemd-user-sessions.service to avoid |
440 | + gettys and lightdm starting on top of possible password prompts. This |
441 | + provides the equivalent of the init.d script's X-Start-Before:. |
442 | + |
443 | + -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 07 May 2015 15:35:52 +0200 |
444 | + |
445 | openvpn (2.3.4-5) unstable; urgency=high |
446 | |
447 | * Apply upstream patch that fixes possible DoS by authenticated |
448 | @@ -519,6 +838,52 @@ openvpn (2.3.3-1) experimental; urgency=medium |
449 | |
450 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 17 Mar 2014 19:40:12 +0100 |
451 | |
452 | +openvpn (2.3.2-9ubuntu4) vivid; urgency=medium |
453 | + |
454 | + * Run openvpn@.service before systemd-user-sessions.service to avoid gettys |
455 | + and lightdm starting on top of possible password prompts. This provides |
456 | + the equivalent of the init.d script's X-Start-Before:. |
457 | + |
458 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 13 Apr 2015 16:09:01 -0500 |
459 | + |
460 | +openvpn (2.3.2-9ubuntu3) vivid; urgency=medium |
461 | + |
462 | + * Add better_systemd_detection.patch to avoid calling systemd-ask-password |
463 | + under upstart. Backported from upstream. (Closes: #747265) |
464 | + * Add systemd unit and generator from current Debian package. This avoids |
465 | + using the init.d script, which unnecessarily blocks lightdm startup on the |
466 | + network becoming online even if there are no auto-start connections |
467 | + (LP: #1443489). |
468 | + |
469 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 13 Apr 2015 11:22:56 -0500 |
470 | + |
471 | +openvpn (2.3.2-9ubuntu2) vivid; urgency=medium |
472 | + |
473 | + * SECURITY UPDATE: server denial of service via too-short control channel |
474 | + packets |
475 | + - debian/patches/CVE-2014-8104.patch: drop too-short control channel |
476 | + packets instead of asserting out in src/openvpn/ssl.c. |
477 | + - CVE-2014-8104 |
478 | + * debian/patches/update_certs.patch: update test certs to fix FTBFS. |
479 | + |
480 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Dec 2014 15:26:58 -0500 |
481 | + |
482 | +openvpn (2.3.2-9ubuntu1) utopic; urgency=medium |
483 | + |
484 | + * Merge from Debian unstable. Remaining changes: |
485 | + - debian/openvpn.init.d: |
486 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
487 | + + Show per-VPN result messages. |
488 | + + Add "--script-security 2" by default for backwards compatabliity. |
489 | + - Demote easy-rsa to Suggests |
490 | + - Patch libtool.m4 and configure to support ppc64el. |
491 | + - Refresh delta with debian/openvpn.init.d: |
492 | + + Make stop action reliable by killing if needed |
493 | + (LP: #1274254, LP: #1200519) |
494 | + + Use new path for status file (LP: #1261088) |
495 | + |
496 | + -- Stéphane Graber <stgraber@ubuntu.com> Fri, 02 May 2014 16:00:55 -0400 |
497 | + |
498 | openvpn (2.3.2-9) unstable; urgency=medium |
499 | |
500 | * Create /run/openvpn in init script even if no VPN is |
501 | @@ -534,6 +899,33 @@ openvpn (2.3.2-8) unstable; urgency=medium |
502 | |
503 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 14 Mar 2014 12:59:57 +0100 |
504 | |
505 | +openvpn (2.3.2-7ubuntu3) trusty; urgency=medium |
506 | + |
507 | + [ Simon Deziel ] |
508 | + * Refresh delta with debian/openvpn.init.d: |
509 | + - Make stop action reliable by killing if needed |
510 | + (LP: #1274254, LP: #1200519) |
511 | + - Use new path for status file (LP: #1261088) |
512 | + |
513 | + -- Stéphane Graber <stgraber@ubuntu.com> Tue, 04 Feb 2014 09:31:39 -0500 |
514 | + |
515 | +openvpn (2.3.2-7ubuntu2) trusty; urgency=medium |
516 | + |
517 | + * Patch libtool.m4 and configure to support ppc64el. |
518 | + |
519 | + -- Matthias Klose <doko@ubuntu.com> Mon, 30 Dec 2013 12:32:35 +0100 |
520 | + |
521 | +openvpn (2.3.2-7ubuntu1) trusty; urgency=low |
522 | + |
523 | + * Merge from Debian unstable. Remaining changes: |
524 | + - debian/openvpn.init.d: |
525 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
526 | + + Show per-VPN result messages. |
527 | + + Add "--script-security 2" by default for backwards compatabliity. |
528 | + - Demote easy-rsa to Suggests |
529 | + |
530 | + -- Stéphane Graber <stgraber@ubuntu.com> Mon, 02 Dec 2013 18:14:42 -0500 |
531 | + |
532 | openvpn (2.3.2-7) unstable; urgency=low |
533 | |
534 | * Fix postinst when no *.pid files exist in /run/sendsigs.omit.d/. |
535 | @@ -550,6 +942,17 @@ openvpn (2.3.2-6) unstable; urgency=low |
536 | |
537 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 27 Nov 2013 13:58:33 +0100 |
538 | |
539 | +openvpn (2.3.2-5ubuntu1) trusty; urgency=low |
540 | + |
541 | + * Merge from Debian unstable. Remaining changes: |
542 | + - debian/openvpn.init.d: |
543 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
544 | + + Show per-VPN result messages. |
545 | + + Add "--script-security 2" by default for backwards compatabliity. |
546 | + - Demote easy-rsa to Suggests |
547 | + |
548 | + -- Stéphane Graber <stgraber@ubuntu.com> Mon, 21 Oct 2013 13:07:37 -0400 |
549 | + |
550 | openvpn (2.3.2-5) unstable; urgency=low |
551 | |
552 | * Patch init script to fix race conditions on restarts. |
553 | @@ -559,6 +962,16 @@ openvpn (2.3.2-5) unstable; urgency=low |
554 | |
555 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 15 Jul 2013 16:10:59 +0200 |
556 | |
557 | +openvpn (2.3.2-4ubuntu1) saucy; urgency=low |
558 | + |
559 | + * Merge from Debian unstable. Remaining changes: |
560 | + - debian/openvpn.init.d: |
561 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
562 | + + Show per-VPN result messages. |
563 | + + Add "--script-security 2" by default for backwards compatabliity. |
564 | + |
565 | + -- Stéphane Graber <stgraber@ubuntu.com> Tue, 09 Jul 2013 17:20:31 -0400 |
566 | + |
567 | openvpn (2.3.2-4) unstable; urgency=low |
568 | |
569 | * Fix depends on iproute to iproute2. |
570 | @@ -591,6 +1004,23 @@ openvpn (2.3.2-1) unstable; urgency=low |
571 | |
572 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 03 Jun 2013 18:48:44 +0200 |
573 | |
574 | +openvpn (2.3.1-2ubuntu2) saucy; urgency=low |
575 | + |
576 | + * Move easy-rsa from Recommends to Suggests as it's not in main and isn't |
577 | + actually required to operate an openvpn server. |
578 | + |
579 | + -- Stéphane Graber <stgraber@ubuntu.com> Wed, 19 Jun 2013 14:37:54 -0400 |
580 | + |
581 | +openvpn (2.3.1-2ubuntu1) saucy; urgency=low |
582 | + |
583 | + * Merge from Debian unstable. Remaining changes: |
584 | + - debian/openvpn.init.d: |
585 | + + Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
586 | + + Show per-VPN result messages. |
587 | + + Add "--script-security 2" by default for backwards compatabliity. |
588 | + |
589 | + -- Stéphane Graber <stgraber@ubuntu.com> Fri, 24 May 2013 17:42:45 -0400 |
590 | + |
591 | openvpn (2.3.1-2) unstable; urgency=low |
592 | |
593 | * Add net-tools to Build-Depends. (Closes: #709108) |
594 | @@ -618,6 +1048,32 @@ openvpn (2.3~rc1-1) experimental; urgency=low |
595 | |
596 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 05 Nov 2012 16:31:15 +0100 |
597 | |
598 | +openvpn (2.2.1-8ubuntu3) raring; urgency=low |
599 | + |
600 | + [ Marc Gariépy ] |
601 | + * Add --script-security to the init.d script (was generated but not passed |
602 | + to openvpn). (LP: #1124398) |
603 | + |
604 | + -- Stéphane Graber <stgraber@ubuntu.com> Wed, 13 Feb 2013 16:10:48 -0500 |
605 | + |
606 | +openvpn (2.2.1-8ubuntu2) quantal; urgency=low |
607 | + |
608 | + * Rebuild for new armel compiler default of ARMv5t. |
609 | + |
610 | + -- Colin Watson <cjwatson@ubuntu.com> Mon, 08 Oct 2012 08:36:47 +0100 |
611 | + |
612 | +openvpn (2.2.1-8ubuntu1) precise; urgency=low |
613 | + |
614 | + * Merge at Simon Deziel's request to build with PIE. |
615 | + * Merge from Debian unstable. Remaining changes: |
616 | + + debian/openvpn.init.d: |
617 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
618 | + - Show per-VPN result messages. |
619 | + - Add "--script-security 2" by default for backwards compatabliity. |
620 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
621 | + |
622 | + -- Stéphane Graber <stgraber@ubuntu.com> Fri, 30 Mar 2012 13:19:09 -0400 |
623 | + |
624 | openvpn (2.2.1-8) unstable; urgency=low |
625 | |
626 | * Enable "PIE" and "BINDOW" hardening flags. |
627 | @@ -642,6 +1098,17 @@ openvpn (2.2.1-6) unstable; urgency=low |
628 | |
629 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Mar 2012 13:44:50 +0100 |
630 | |
631 | +openvpn (2.2.1-5ubuntu1) precise; urgency=low |
632 | + |
633 | + * Merge from Debian unstable. Remaining changes: (LP: #907828) |
634 | + + debian/openvpn.init.d: |
635 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
636 | + - Show per-VPN result messages. |
637 | + - Add "--script-security 2" by default for backwards compatabliity. |
638 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
639 | + |
640 | + -- Stéphane Graber <stgraber@ubuntu.com> Sat, 25 Feb 2012 21:08:48 -0500 |
641 | + |
642 | openvpn (2.2.1-5) unstable; urgency=low |
643 | |
644 | * Avoid sending ICMP redirects when using tun devices and "subnet" |
645 | @@ -664,6 +1131,20 @@ openvpn (2.2.1-4) unstable; urgency=low |
646 | |
647 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 08 Feb 2012 16:31:32 +0100 |
648 | |
649 | +openvpn (2.2.1-3ubuntu1) precise; urgency=low |
650 | + |
651 | + * Merge from Debian testing. Remaining changes: |
652 | + + debian/openvpn.init.d: |
653 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
654 | + - Show per-VPN result messages. |
655 | + - Add "--script-security 2" by default for backwards compatabliity. |
656 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
657 | + + debian/update-resolv-conf: Support multiple domains. |
658 | + + fix bug where '--script-security 2' would be passed for all |
659 | + daemons after the first. (LP: #794916) |
660 | + |
661 | + -- Chuck Short <zulcss@ubuntu.com> Sat, 31 Dec 2011 04:55:56 +0000 |
662 | + |
663 | openvpn (2.2.1-3) unstable; urgency=low |
664 | |
665 | * The iproute fiasco release. |
666 | @@ -692,6 +1173,20 @@ openvpn (2.2.1-1) unstable; urgency=low |
667 | |
668 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 13 Dec 2011 11:04:22 +0100 |
669 | |
670 | +openvpn (2.2.0-2ubuntu1) oneiric; urgency=low |
671 | + |
672 | + * Merge from debian unstable. Remaining changes: |
673 | + + debian/openvpn.init.d: |
674 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
675 | + - Show per-VPN result messages. |
676 | + - Add "--script-security 2" by default for backwards compatabliity. |
677 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
678 | + + debian/update-resolv-conf: Support multiple domains. |
679 | + + fix bug where '--script-security 2' would be passed for all |
680 | + daemons after the first. (LP: #794916 |
681 | + |
682 | + -- Chuck Short <zulcss@ubuntu.com> Thu, 16 Jun 2011 18:33:37 +0100 |
683 | + |
684 | openvpn (2.2.0-2) unstable; urgency=low |
685 | |
686 | * Upload to unstable |
687 | @@ -726,6 +1221,45 @@ openvpn (2.1.3-5) experimental; urgency=low |
688 | |
689 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 22 Mar 2011 10:57:18 +0100 |
690 | |
691 | +openvpn (2.1.3-4.1ubuntu2) oneiric; urgency=low |
692 | + |
693 | + [Alexander Zielke] |
694 | + * fix bug where '--script-security 2' would be passed for all |
695 | + daemons after the first. (LP: #794916) |
696 | + |
697 | + -- Scott Moser <smoser@ubuntu.com> Thu, 09 Jun 2011 13:59:08 -0400 |
698 | + |
699 | +openvpn (2.1.3-4.1ubuntu1) oneiric; urgency=low |
700 | + |
701 | + * Merge from debian unstable. Remaining changes: |
702 | + + debian/openvpn.init.d: |
703 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
704 | + - Show per-VPN result messages. |
705 | + - Add "--script-security 2" by default for backwards compatabliity. |
706 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
707 | + + debian/update-resolv-conf: Support multiple domains. |
708 | + |
709 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 17 May 2011 02:14:39 +0100 |
710 | + |
711 | +openvpn (2.1.3-4.1) unstable; urgency=low |
712 | + |
713 | + * Non-maintainer upload. |
714 | + * Drop hard-coded dependency on libssl0.9.8. (Closes: #623503) |
715 | + |
716 | + -- Philipp Kern <pkern@debian.org> Mon, 09 May 2011 23:20:03 +0200 |
717 | + |
718 | +openvpn (2.1.3-4ubuntu1) oneiric; urgency=low |
719 | + |
720 | + * Merge from debian unstable. Remaining changes: |
721 | + + debian/openvpn.init.d: |
722 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
723 | + - Show per-VPN result messages. |
724 | + - Add "--script-security 2" by default for backwards compatabliity. |
725 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
726 | + + debian/update-resolv-conf: Support multiple domains. |
727 | + |
728 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Mar 2011 23:28:26 +0000 |
729 | + |
730 | openvpn (2.1.3-4) unstable; urgency=low |
731 | |
732 | * Updated JuanJo's IPv6 patch. Now really fixes use from xinetd. |
733 | @@ -748,6 +1282,31 @@ openvpn (2.1.3-3) unstable; urgency=low |
734 | |
735 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 11 Mar 2011 13:08:12 +0100 |
736 | |
737 | +openvpn (2.1.3-2ubuntu3) natty; urgency=low |
738 | + |
739 | + * update-resolv-conf: Correctly handle multiple dns search domains, |
740 | + using the same logic as nameservers. Patch courtesy of Jeremy |
741 | + Zawodny. (LP: #662847) |
742 | + |
743 | + -- Dave Walker (Daviey) <DaveWalker@ubuntu.com> Fri, 11 Mar 2011 00:23:59 +0000 |
744 | + |
745 | +openvpn (2.1.3-2ubuntu2) natty; urgency=low |
746 | + |
747 | + * update-resolv-conf: Support mulitple domains (LP: #714358) |
748 | + |
749 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 14 Feb 2011 15:21:46 -0500 |
750 | + |
751 | +openvpn (2.1.3-2ubuntu1) natty; urgency=low |
752 | + |
753 | + * Merge from debian unstable. Remaining changes: |
754 | + + debian/openvpn.init.d: |
755 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
756 | + - Show per-VPN result messages. |
757 | + - Add "--script-security 2" by default for backwards compatabliity. |
758 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
759 | + |
760 | + -- Chuck Short <zulcss@ubuntu.com> Sat, 23 Oct 2010 01:59:28 +0100 |
761 | + |
762 | openvpn (2.1.3-2) unstable; urgency=low |
763 | |
764 | * Applied upstream patch to solve random routes added when using |
765 | @@ -755,6 +1314,24 @@ openvpn (2.1.3-2) unstable; urgency=low |
766 | |
767 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 21 Oct 2010 12:21:33 +0200 |
768 | |
769 | +openvpn (2.1.3-1ubuntu2) natty; urgency=low |
770 | + |
771 | + * Fix jjo-ipv6-support.patch to avoid assertion failure at socket.c:629 in |
772 | + corner cases where ! host && addr (LP: #627973) |
773 | + |
774 | + -- Thierry Carrez (ttx) <thierry.carrez@ubuntu.com> Wed, 20 Oct 2010 16:22:25 +0200 |
775 | + |
776 | +openvpn (2.1.3-1ubuntu1) natty; urgency=low |
777 | + |
778 | + * Merge from debian unstable. Remaining changes: |
779 | + + debian/openvpn.init.d: |
780 | + - Do not use start-stop-daemon and </dev/null to avoid blocking boot. |
781 | + - Show per-VPN result messages. |
782 | + - Add "--script-security 2" by default for backwards compatablitiy |
783 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
784 | + |
785 | + -- Chuck Short <zulcss@ubuntu.com> Tue, 05 Oct 2010 06:21:14 +0100 |
786 | + |
787 | openvpn (2.1.3-1) unstable; urgency=low |
788 | |
789 | * New upstream release (Closes: #595684) |
790 | @@ -766,6 +1343,17 @@ openvpn (2.1.3-1) unstable; urgency=low |
791 | |
792 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Sep 2010 13:07:37 +0200 |
793 | |
794 | +openvpn (2.1.0-3ubuntu1) maverick; urgency=low |
795 | + |
796 | + * Merge from debian unstable. Remaining changes: |
797 | + + debian/openvpn.init.d: |
798 | + - Do not use start-stop-daemon and use </dev/null to avoid blocking boot |
799 | + - Show per-VPN result messages |
800 | + - Add "--script-security 2" by default for backwards compatablitiy |
801 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
802 | + |
803 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 12 Jul 2010 09:39:43 -0400 |
804 | + |
805 | openvpn (2.1.0-3) unstable; urgency=low |
806 | |
807 | * The 'happy birthday to me' release |
808 | @@ -775,6 +1363,24 @@ openvpn (2.1.0-3) unstable; urgency=low |
809 | |
810 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Jul 2010 12:22:09 +0200 |
811 | |
812 | +openvpn (2.1.0-2ubuntu2) maverick; urgency=low |
813 | + |
814 | + * debian/patches/client_hang_when_server_dont_push.patch: Fix client hanging |
815 | + on PUSH_REQUEST when server does not push any option (LP: #579737) |
816 | + |
817 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Mon, 28 Jun 2010 10:45:23 +0200 |
818 | + |
819 | +openvpn (2.1.0-2ubuntu1) maverick; urgency=low |
820 | + |
821 | + * Merge from debian unstable. Remaining changes: |
822 | + + debian/openvpn.init.d: |
823 | + - Do not use start-stop-daemon and use </dev/null to avoid blocking boot |
824 | + - Show per-VPN result messages |
825 | + - Add "--script-security 2" by default for backwards compatablitiy |
826 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
827 | + |
828 | + -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 03:06:19 +0100 |
829 | + |
830 | openvpn (2.1.0-2) unstable; urgency=low |
831 | |
832 | * Patched ssl.[ch] to fix integer overflow. (Closes: #576827) |
833 | @@ -787,6 +1393,17 @@ openvpn (2.1.0-2) unstable; urgency=low |
834 | |
835 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Sat, 10 Apr 2010 17:26:42 +0200 |
836 | |
837 | +openvpn (2.1.0-1ubuntu1) lucid; urgency=low |
838 | + |
839 | + * Merge from debian testing (LP: #509078), remaining changes: |
840 | + + debian/openvpn.init.d: |
841 | + - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot |
842 | + - Show per-VPN result messages |
843 | + - Add "--script-security 2" by default for backwards compatibility |
844 | + + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() |
845 | + |
846 | + -- Jan Brinkmann <lucky@the-luckyduck.de> Fri, 22 Jan 2010 00:47:33 +0100 |
847 | + |
848 | openvpn (2.1.0-1) unstable; urgency=low |
849 | |
850 | * New upstream release |
851 | @@ -824,6 +1441,20 @@ openvpn (2.1~rc20-3) unstable; urgency=low |
852 | |
853 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 04 Nov 2009 17:18:03 +0100 |
854 | |
855 | +openvpn (2.1~rc20-2ubuntu1) lucid; urgency=low |
856 | + |
857 | + * Merge from debian testing, remaining changes: |
858 | + + debian/openvpn.init.d: |
859 | + - Do not use start-stop-daemon and use < /dev/null to avoid blocking |
860 | + boot. |
861 | + - show per-VPN result messages |
862 | + - add "--script-security 2" by default for backwards compatibility |
863 | + - Add lab-base >= 3.2-14 to allow status_of_proc() |
864 | + + Dropped debian/patches/redirect-gateway.patch: Already applied |
865 | + upstream. |
866 | + |
867 | + -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 01:36:35 +0000 |
868 | + |
869 | openvpn (2.1~rc20-2) unstable; urgency=low |
870 | |
871 | * init.d script: Added X-Interactive header. (Closes: #549424) |
872 | @@ -848,6 +1479,25 @@ openvpn (2.1~rc19-2) unstable; urgency=low |
873 | |
874 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Sun, 30 Aug 2009 20:20:11 +0200 |
875 | |
876 | +openvpn (2.1~rc19-1ubuntu2) karmic; urgency=low |
877 | + |
878 | + * debian/patches/redirect-gateway.patch: Fix regression introduced in |
879 | + 2.1rc17 that makes redirect-gateway (without options) to be ignored. |
880 | + Patch cherrypicked from upstream 2.1rc20 (SVN r5011), LP: #445695 |
881 | + |
882 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 13 Oct 2009 09:31:20 +0200 |
883 | + |
884 | +openvpn (2.1~rc19-1ubuntu1) karmic; urgency=low |
885 | + |
886 | + * Merge from debian unstable (LP: #404099), remaining changes: |
887 | + - debian/openvpn.init.d: |
888 | + - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot |
889 | + - show per-VPN result messages |
890 | + - add "--script-security 2" by default for backwards compatibility |
891 | + - Added lsb-base>=3.2-14 depend to allow status_of_proc() |
892 | + |
893 | + -- Bhavani Shankar <right2bhavi@gmail.com> Fri, 24 Jul 2009 19:22:13 +0530 |
894 | + |
895 | openvpn (2.1~rc19-1) unstable; urgency=low |
896 | |
897 | * New upstream version |
898 | @@ -857,6 +1507,17 @@ openvpn (2.1~rc19-1) unstable; urgency=low |
899 | |
900 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 21 Jul 2009 17:00:56 +0200 |
901 | |
902 | +openvpn (2.1~rc15-1ubuntu1) karmic; urgency=low |
903 | + |
904 | + * Merge from debian unstable (LP: #372358), remaining changes: |
905 | + - debian/openvpn.init.d: |
906 | + - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot |
907 | + - show per-VPN result messages |
908 | + - add "--script-security 2" by default for backwards compatibility |
909 | + - Added lsb-base>=3.2-14 depend to allow status_of_proc() |
910 | + |
911 | + -- Andres Rodriguez <andreserl@ubuntu.com> Tue, 05 May 2009 14:25:37 -0500 |
912 | + |
913 | openvpn (2.1~rc15-1) unstable; urgency=low |
914 | |
915 | * New upstream version (Closes: #515575) |
916 | @@ -876,6 +1537,33 @@ openvpn (2.1~rc15-1) unstable; urgency=low |
917 | |
918 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 30 Apr 2009 12:35:05 +0200 |
919 | |
920 | +openvpn (2.1~rc11-1ubuntu3) jaunty; urgency=low |
921 | + |
922 | + * debian/openvpn.init.d: |
923 | + - Fix unexpected operator on startup (LP: #340120) |
924 | + |
925 | + -- Michael Jeanson <mjeanson@revolutionlinux.com> Mon, 09 Mar 2009 16:02:50 -0400 |
926 | + |
927 | +openvpn (2.1~rc11-1ubuntu2) intrepid; urgency=low |
928 | + |
929 | + * debian/openvpn.init.d: |
930 | + - Revert fix from #454371 that was merged at 2.1~rc7-4 to prevent |
931 | + openvpn prompts from blocking the boot (LP: #280428) |
932 | + - Fix VPNs always reported started [ OK ] |
933 | + |
934 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Wed, 15 Oct 2008 17:12:54 +0200 |
935 | + |
936 | +openvpn (2.1~rc11-1ubuntu1) intrepid; urgency=low |
937 | + |
938 | + * Merge with Debian (LP: #279655), remaining diffs: |
939 | + - debian/openvpn.init.d: Added 'status' action to init script, show |
940 | + per-VPN result messages and add "--script-security 2" by default for |
941 | + backwards compatibility |
942 | + - debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc() |
943 | + * Fixes regression when calling commands with arguments (LP: #277447) |
944 | + |
945 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 07 Oct 2008 16:30:44 +0200 |
946 | + |
947 | openvpn (2.1~rc11-1) unstable; urgency=low |
948 | |
949 | * New upstream version |
950 | @@ -896,6 +1584,23 @@ openvpn (2.1~rc10-1) unstable; urgency=low |
951 | |
952 | -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 Sep 2008 16:58:37 +0200 |
953 | |
954 | +openvpn (2.1~rc9-3ubuntu2) intrepid; urgency=low |
955 | + |
956 | + * debian/openvpn.init.d: |
957 | + - Added 'status' action to init script (LP: #251641) |
958 | + - Restored per-VPN result messages by using log_action_begin_msg and |
959 | + one log_daemon_msg per VPN instead of log_progress_msg (LP: #264966) |
960 | + * debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc() |
961 | + |
962 | + -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 09 Sep 2008 10:45:45 +0200 |
963 | + |
964 | +openvpn (2.1~rc9-3ubuntu1) intrepid; urgency=low |
965 | + |
966 | + * debian/openvpn.init.d: Add "--script-security 2" by default for backwards compatibility |
967 | + (LP: #260291) |
968 | + |
969 | + -- Chuck Short <zulcss@ubuntu.com> Mon, 25 Aug 2008 10:20:31 -0400 |
970 | + |
971 | openvpn (2.1~rc9-3) unstable; urgency=low |
972 | |
973 | * debian/rules: run ./configure with path to 'route', for |
974 | diff --git a/debian/control b/debian/control |
975 | index 63a8262..40ed491 100644 |
976 | --- a/debian/control |
977 | +++ b/debian/control |
978 | @@ -1,7 +1,8 @@ |
979 | Source: openvpn |
980 | Section: net |
981 | Priority: optional |
982 | -Maintainer: Bernhard Schmidt <berni@debian.org> |
983 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
984 | +XSBC-Original-Maintainer: Bernhard Schmidt <berni@debian.org> |
985 | Uploaders: Jörg Frings-Fürst <debian@jff.email> |
986 | Build-Depends: |
987 | debhelper-compat (= 12), |
988 | @@ -39,8 +40,8 @@ Depends: |
989 | Suggests: |
990 | openssl, |
991 | resolvconf, |
992 | - openvpn-systemd-resolved |
993 | -Recommends: easy-rsa |
994 | + openvpn-systemd-resolved, |
995 | + easy-rsa |
996 | Description: virtual private network daemon |
997 | OpenVPN is an application to securely tunnel IP networks over a |
998 | single UDP or TCP port. It can be used to access remote sites, make |
999 | diff --git a/debian/openvpn@.service b/debian/openvpn@.service |
1000 | index 945874b..6d59b13 100644 |
1001 | --- a/debian/openvpn@.service |
1002 | +++ b/debian/openvpn@.service |
1003 | @@ -12,7 +12,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO |
1004 | Type=notify |
1005 | PrivateTmp=true |
1006 | WorkingDirectory=/etc/openvpn |
1007 | -ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid |
1008 | +ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid |
1009 | PIDFile=/run/openvpn/%i.pid |
1010 | KillMode=process |
1011 | CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE |
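Review bot: The `--script-security 2` added to ExecStart has no comment in the unit explaining it, and it raises the default for every `openvpn@` instance to a level at which user-defined scripts may be executed, in a service whose CapabilityBoundingSet keeps CAP_SETUID, CAP_SETGID and CAP_DAC_OVERRIDE. Placing it ahead of `--config /etc/openvpn/%i.conf` is the right order, because a `script-security` line in the instance config is parsed afterwards and can lower the level again. Please state that in a comment above ExecStart, together with the LP bug named in the changelog entry, so administrators who do not use up/down scripts know they can set a stricter value per instance.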
1012 | diff --git a/debian/patches/openvpn-fips-2.4.patch b/debian/patches/openvpn-fips-2.4.patch |
1013 | new file mode 100644 |
1014 | index 0000000..1c4f068 |
1015 | --- /dev/null |
1016 | +++ b/debian/patches/openvpn-fips-2.4.patch |
1017 | @@ -0,0 +1,90 @@ |
1018 | +Description: Use openssl FIPS flag to indicate MD5 use for PRF. |
1019 | + MD5 is not allowed in FIPS 140-2 except for PRF. OpenVPN needs |
1020 | + to send EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag to FIPS mode openssl |
1021 | + for PRF to indicate the exception. |
1022 | +Bug: https://community.openvpn.net/openvpn/ticket/725 |
1023 | +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1807439 |
1024 | +Author: Stephan Mueller <stephan.mueller@atsec.com> |
1025 | + |
1026 | +--- a/src/openvpn/crypto.c |
1027 | ++++ b/src/openvpn/crypto.c |
1028 | +@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const |
1029 | + if (kt->digest && kt->hmac_length > 0) |
1030 | + { |
1031 | + ctx->hmac = hmac_ctx_new(); |
1032 | +- hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest); |
1033 | ++ hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0); |
1034 | + |
1035 | + msg(D_HANDSHAKE, |
1036 | + "%s: Using %d bit message hash '%s' for HMAC authentication", |
1037 | +--- a/src/openvpn/crypto_backend.h |
1038 | ++++ b/src/openvpn/crypto_backend.h |
1039 | +@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx); |
1040 | + * @param key The key to use for the HMAC |
1041 | + * @param key_len The key length to use |
1042 | + * @param kt Static message digest parameters |
1043 | ++ * @param prf_use Intended use for PRF in TLS protocol |
1044 | + * |
1045 | + */ |
1046 | + void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length, |
1047 | +- const md_kt_t *kt); |
1048 | ++ const md_kt_t *kt, bool prf_use); |
1049 | + |
1050 | + /* |
1051 | + * Free the given HMAC context. |
1052 | +--- a/src/openvpn/crypto_mbedtls.c |
1053 | ++++ b/src/openvpn/crypto_mbedtls.c |
1054 | +@@ -919,7 +919,7 @@ hmac_ctx_free(mbedtls_md_context_t *ctx) |
1055 | + |
1056 | + void |
1057 | + hmac_ctx_init(mbedtls_md_context_t *ctx, const uint8_t *key, int key_len, |
1058 | +- const mbedtls_md_info_t *kt) |
1059 | ++ const mbedtls_md_info_t *kt, bool prf_use) |
1060 | + { |
1061 | + ASSERT(NULL != kt && NULL != ctx); |
1062 | + |
1063 | +--- a/src/openvpn/crypto_openssl.c |
1064 | ++++ b/src/openvpn/crypto_openssl.c |
1065 | +@@ -1006,11 +1006,17 @@ hmac_ctx_free(HMAC_CTX *ctx) |
1066 | + |
1067 | + void |
1068 | + hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, |
1069 | +- const EVP_MD *kt) |
1070 | ++ const EVP_MD *kt, bool prf_use) |
1071 | + { |
1072 | + ASSERT(NULL != kt && NULL != ctx); |
1073 | + |
1074 | + HMAC_CTX_reset(ctx); |
1075 | ++ |
1076 | ++ /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not |
1077 | ++ * to be used anywhere else */ |
1078 | ++ if(kt == EVP_md5() && prf_use) |
1079 | ++ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); |
1080 | ++ |
1081 | + HMAC_Init_ex(ctx, key, key_len, kt, NULL); |
1082 | + |
1083 | + /* make sure we used a big enough key */ |
1084 | +--- a/src/openvpn/ntlm.c |
1085 | ++++ b/src/openvpn/ntlm.c |
1086 | +@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da |
1087 | + const md_kt_t *md5_kt = md_kt_get("MD5"); |
1088 | + hmac_ctx_t *hmac_ctx = hmac_ctx_new(); |
1089 | + |
1090 | +- hmac_ctx_init(hmac_ctx, key, key_len, md5_kt); |
1091 | ++ hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0); |
1092 | + hmac_ctx_update(hmac_ctx, data, data_len); |
1093 | + hmac_ctx_final(hmac_ctx, result); |
1094 | + hmac_ctx_cleanup(hmac_ctx); |
1095 | +--- a/src/openvpn/ssl.c |
1096 | ++++ b/src/openvpn/ssl.c |
1097 | +@@ -1632,8 +1632,8 @@ tls1_P_hash(const md_kt_t *md_kt, |
1098 | + int chunk = md_kt_size(md_kt); |
1099 | + unsigned int A1_len = md_kt_size(md_kt); |
1100 | + |
1101 | +- hmac_ctx_init(ctx, sec, sec_len, md_kt); |
1102 | +- hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt); |
1103 | ++ hmac_ctx_init(ctx, sec, sec_len, md_kt, 1); |
1104 | ++ hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1); |
1105 | + |
1106 | + hmac_ctx_update(ctx,seed,seed_len); |
1107 | + hmac_ctx_final(ctx, A1); |
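Review bot: In the crypto_openssl.c part of this patch the FIPS exemption is gated on `kt == EVP_md5() && prf_use`, which is a pointer-identity check. If MD5 ever reaches hmac_ctx_init() as a different EVP_MD object, the flag is silently not set and the PRF fails under FIPS mode, so comparing the digest type (for example `EVP_MD_type(kt) == NID_md5`) would be more robust. The same statement is written as `if(` without braces, unlike the braced `if (kt->digest && kt->hmac_length > 0)` visible in the crypto.c context. The callers pass `0` and `1` for a `bool prf_use` parameter, where `false` and `true` would read better. The crypto_mbedtls.c change shown only widens the signature, so a one-line comment there saying `prf_use` is intentionally unused would help. The ntlm.c call passes `0`, which keeps NTLM's HMAC-MD5 outside the exemption and matches the Description. The DEP-3 header also has no Forwarded or Last-Update field, and the file is still named for 2.4 while being added to a 2.5.1 package.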
1108 | diff --git a/debian/patches/series b/debian/patches/series |
1109 | index 6bb0685..3d2c83a 100644 |
1110 | --- a/debian/patches/series |
1111 | +++ b/debian/patches/series |
1112 | @@ -10,3 +10,4 @@ CVE-2020-15078-1.patch |
1113 | CVE-2020-15078-2.patch |
1114 | CVE-2020-15078-3.patch |
1115 | Fix-condition-to-generate-session-keys.patch |
1116 | +openvpn-fips-2.4.patch |
Really not meant to be free for all, so I consumed the Team review slot with this update