Merge ~utkarsh/ubuntu/+source/openvpn:merge-openvpn-impish into ubuntu/+source/openvpn:debian/sid

Proposed by Utkarsh Gupta
Status: Merged
Merge reported by: Utkarsh Gupta
Merged at revision: 769fd64b627bdae3d18ca552a2b84988f290d33c
Proposed branch: ~utkarsh/ubuntu/+source/openvpn:merge-openvpn-impish
Merge into: ubuntu/+source/openvpn:debian/sid
Diff against target: 1116 lines (+802/-5)
5 files modified
debian/changelog (+706/-1)
debian/control (+4/-3)
debian/openvpn@.service (+1/-1)
debian/patches/openvpn-fips-2.4.patch (+90/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Robie Basak Approve
Christian Ehrhardt  (community) Abstain
Canonical Server Pending
Canonical Server packageset reviewers Pending
git-ubuntu developers Pending
Review via email: mp+402809@code.launchpad.net

Description of the change

Hey,

Yet another merge -> bug fixes one though.
PPA at https://launchpad.net/~utkarsh/+archive/ubuntu/experimental-dump.

Build's good and autopkgtest passes:
```
autopkgtest [16:56:46]: @@@@@@@@@@@@@@@@@@@@ summary
server-setup-with-ca PASS
server-setup-with-static-key PASS
```

Requesting you to please review and sponsor the upload. TIA! \o/

[Assigning review to Robie]

Christian Ehrhardt  (paelzer) wrote :

Really not meant to be free for all, so I consumed the Team review slot with this update

review: Abstain
Robie Basak (racb) wrote :

Looks good!

Although merge is correct, your logical tag is wrong. The tree of lp1917438/logical/2.5.0-1ubuntu1 should be identical to pkg/import/2.5.0-1ubuntu1 except for debian/changelog and update-maintainer. The idea is that it should reflect the _previous_ Ubuntu delta precisely, but broken down. Instead, it looks like you either already dropped the delta you were going to drop for this merge, or tagged it late. It doesn't matter this time, but it helps with the workflow and assists review if it is correct.

Uploaded.

review: Approve
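
The invariant described in the review above (the logical tag's tree matches the import tag's tree except for debian/changelog and what update-maintainer rewrites) can be checked mechanically before asking for review. This is an added example, not part of the original thread or of git-ubuntu; the function name `logical_tag_drift` is hypothetical, and it assumes update-maintainer touches only the `Maintainer` and `XSBC-Original-Maintainer` fields of debian/control.

```shell
#!/bin/sh
# logical_tag_drift IMPORT_REF LOGICAL_REF   (hypothetical helper name)
#
# Run from the top of the packaging repository. Prints every path whose
# content differs between the two trees, ignoring the two differences the
# review allows:
#   * debian/changelog
#   * the maintainer fields in debian/control (assumption: update-maintainer
#     only rewrites Maintainer and adds XSBC-Original-Maintainer)
# Returns 0 if nothing else differs, 1 if there is drift, 2 on a git error.
logical_tag_drift() {
    import_ref=$1
    logical_ref=$2
    drift=0
    maint_re='^(Maintainer|XSBC-Original-Maintainer):'

    # Every differing path except debian/changelog.
    paths=$(git diff --name-only "$import_ref" "$logical_ref" -- \
                . ':(exclude)debian/changelog') || return 2

    old_ifs=$IFS
    IFS='
'
    for path in $paths; do
        if [ "$path" = "debian/control" ]; then
            # Compare debian/control with the maintainer fields filtered out,
            # so a real change (e.g. a Suggests: edit) is still reported.
            a=$(git show "$import_ref:$path" 2>/dev/null | grep -v -E "$maint_re" || true)
            b=$(git show "$logical_ref:$path" 2>/dev/null | grep -v -E "$maint_re" || true)
            [ "$a" = "$b" ] && continue
        fi
        printf '%s\n' "$path"
        drift=1
    done
    IFS=$old_ifs
    return "$drift"
}
```

With the tags named in the review, the call would be `logical_tag_drift pkg/import/2.5.0-1ubuntu1 lp1917438/logical/2.5.0-1ubuntu1`; any path it prints is delta that was dropped or added before the logical tag was placed.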
Utkarsh Gupta (utkarsh) wrote :

Ooh yeah, I *did* drop the delta already and then tagged the logical tag. My bad. Thanks for the upload, though! \o/

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index f1c969f..a1eb824 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
1openvpn (2.5.1-3ubuntu1) impish; urgency=medium
2
3 * Merge with Debian unstable. Remaining changes:
4 - d/control: Demote easy-rsa to Suggests (universe package).
5 - debian/openvpn@.service: Add '--script-security 2' similar to what
6 got added to debian/openvpn.init.d ages ago (LP #1454725)
7 - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
8 * Dropped changes:
9 - d/t/server-setup-*: adapt tests to output of v2.5.0
10 [Included in 2.5.1-3]
11
12 -- Utkarsh Gupta <utkarsh.gupta@canonical.com> Mon, 17 May 2021 14:38:17 +0530
13
1openvpn (2.5.1-3) unstable; urgency=medium14openvpn (2.5.1-3) unstable; urgency=medium
215
3 * Fix autopkgtest (Closes: #983662)16 * Fix autopkgtest (Closes: #983662)
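Review bot: In the new 2.5.1-3ubuntu1 entry, the remaining-change line for d/p/openvpn-fips-2.4.patch ("Allow MD5 for PRF in FIPS mode openssl.") carries no bug reference, while the '--script-security 2' item beside it cites LP #1454725 and older entries in this same changelog tie the FIPS patch to LP 1807439. This item relaxes a FIPS restriction, so it is the one a later auditor most needs to trace; suggest appending "(LP 1807439)" in the colon-less form those older entries already use, so the rationale stays attached to the delta.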
@@ -7,6 +20,17 @@ openvpn (2.5.1-3) unstable; urgency=medium
720
8 -- Bernhard Schmidt <berni@debian.org> Fri, 14 May 2021 09:40:04 +020021 -- Bernhard Schmidt <berni@debian.org> Fri, 14 May 2021 09:40:04 +0200
922
23openvpn (2.5.1-2ubuntu1) impish; urgency=medium
24
25 * Merge with Debian unstable. Remaining changes:
26 - d/control: Demote easy-rsa to Suggests (universe package).
27 - debian/openvpn@.service: Add '--script-security 2' similar to what
28 got added to debian/openvpn.init.d ages ago (LP #1454725)
29 - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
30 - d/t/server-setup-*: adapt tests to output of v2.5.0
31
32 -- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 03 May 2021 17:56:39 -0300
33
10openvpn (2.5.1-2) unstable; urgency=high34openvpn (2.5.1-2) unstable; urgency=high
1135
12 * Cherry-Pick 3 (+ 1 predependency) patches from upstream to fix36 * Cherry-Pick 3 (+ 1 predependency) patches from upstream to fix
@@ -15,12 +39,47 @@ openvpn (2.5.1-2) unstable; urgency=high
1539
16 -- Bernhard Schmidt <berni@debian.org> Wed, 28 Apr 2021 14:41:58 +020040 -- Bernhard Schmidt <berni@debian.org> Wed, 28 Apr 2021 14:41:58 +0200
1741
42openvpn (2.5.1-1ubuntu1) hirsute; urgency=medium
43
44 * Merge with Debian unstable (LP: #1917438). Remaining changes:
45 - d/control: Demote easy-rsa to Suggests (universe package).
46 - debian/openvpn@.service: Add '--script-security 2' similar to what
47 got added to debian/openvpn.init.d ages ago (LP #1454725)
48 - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
49 + d/t/server-setup-*: adapt tests to output of v2.5.0
50
51 -- Utkarsh Gupta <utkarsh.gupta@canonical.com> Tue, 02 Mar 2021 16:35:37 +0530
52
18openvpn (2.5.1-1) unstable; urgency=medium53openvpn (2.5.1-1) unstable; urgency=medium
1954
20 * New upstream version 2.5.1 (bugfix release)55 * New upstream version 2.5.1 (bugfix release)
2156
22 -- Bernhard Schmidt <berni@debian.org> Wed, 24 Feb 2021 19:54:34 +010057 -- Bernhard Schmidt <berni@debian.org> Wed, 24 Feb 2021 19:54:34 +0100
2358
59openvpn (2.5.0-1ubuntu1) hirsute; urgency=medium
60
61 * Merge with Debian unstable. Remaining changes:
62 - d/control: Demote easy-rsa to Suggests (universe package).
63 - debian/openvpn@.service: Add '--script-security 2' similar to what
64 got added to debian/openvpn.init.d ages ago (LP #1454725)
65 - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
66 [updated to match 2.5.0]
67 * Dropped changes [in Debian since 2.5~beta3-1]
68 - d/tests: add two DEP-8 test cases
69 + d/t/server-setup-with-static-key: test the OpenVPN server side setup
70 using a static key.
71 + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
72 CA built with easy-rsa.
73 - d/openvpn*.service: Drop reload support from systemd unit files
74 (LP #1868127). The current reload implementation (sending a SIGHUP
75 signal to the process) fails, and the difference between reload and
76 restart is not clear. Systemd does not require an implementation for
77 reload.
78 * Added Changes:
79 - d/t/server-setup-*: adapt tests to output of v2.5.0
80
81 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 01 Dec 2020 16:15:12 +0100
82
24openvpn (2.5.0-1) unstable; urgency=medium83openvpn (2.5.0-1) unstable; urgency=medium
2584
26 * New upstream version 2.5.0 - final release85 * New upstream version 2.5.0 - final release
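Review bot: At new-file line 49, in the 2.5.1-1ubuntu1 entry, "+ d/t/server-setup-*: adapt tests to output of v2.5.0" uses the sub-item marker "+" directly under "- d/p/openvpn-fips-2.4.patch", so it reads as part of the FIPS patch rather than as a separate remaining change. The 2.5.1-2ubuntu1 entry lists the same item with "-"; suggest using "-" here as well so the list of carried delta is unambiguous.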
@@ -46,7 +105,7 @@ openvpn (2.5~beta3-1) unstable; urgency=medium
46105
47 [ Lucas Kanashiro ]106 [ Lucas Kanashiro ]
48 * Add two DEP-8 test cases for the server side107 * Add two DEP-8 test cases for the server side
49 * Drop reload support from systemd unit files (LP: #1868127)108 * Drop reload support from systemd unit files (LP 1868127)
50109
51 [ Bernhard Schmidt ]110 [ Bernhard Schmidt ]
52 * Revert "d/gbp.conf for experimental 2.5 branch"111 * Revert "d/gbp.conf for experimental 2.5 branch"
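Review bot: The only change in this hunk is to a Debian-authored entry (the Lucas Kanashiro section of 2.5~beta3-1): "(LP: #1868127)" becomes "(LP 1868127)". That edit is not listed under "Remaining changes" in the new 2.5.1-3ubuntu1 entry, so it is an undocumented piece of Ubuntu delta that each future merge has to re-apply by hand. Suggest either restoring Debian's text or recording the rewrite, with its reason, in the changelog.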
@@ -76,6 +135,26 @@ openvpn (2.5~beta1-1) experimental; urgency=medium
76135
77 -- Bernhard Schmidt <berni@debian.org> Sat, 15 Aug 2020 21:32:49 +0200136 -- Bernhard Schmidt <berni@debian.org> Sat, 15 Aug 2020 21:32:49 +0200
78137
138openvpn (2.4.9-3ubuntu1) groovy; urgency=medium
139
140 * Merge with Debian unstable. Remaining changes:
141 - d/control: Demote easy-rsa to Suggests (universe package).
142 - debian/openvpn@.service: Add '--script-security 2' similar to what
143 got added to debian/openvpn.init.d ages ago (LP #1454725)
144 - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
145 - d/tests: add two DEP-8 test cases
146 + d/t/server-setup-with-static-key: test the OpenVPN server side setup
147 using a static key.
148 + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
149 CA built with easy-rsa.
150 - d/openvpn*.service: Drop reload support from systemd unit files
151 (LP #1868127). The current reload implementation (sending a SIGHUP
152 signal to the process) fails, and the difference between reload and
153 restart is not clear. Systemd does not require an implementation for
154 reload.
155
156 -- Lucas Kanashiro <kanashiro@ubuntu.com> Tue, 18 Aug 2020 08:42:11 -0300
157
79openvpn (2.4.9-3) unstable; urgency=medium158openvpn (2.4.9-3) unstable; urgency=medium
80159
81 [ Jörg Frings-Fürst ]160 [ Jörg Frings-Fürst ]
@@ -94,6 +173,28 @@ openvpn (2.4.9-3) unstable; urgency=medium
94173
95 -- Jörg Frings-Fürst <debian@jff.email> Sat, 02 May 2020 18:14:36 +0200174 -- Jörg Frings-Fürst <debian@jff.email> Sat, 02 May 2020 18:14:36 +0200
96175
176openvpn (2.4.9-2ubuntu2) groovy; urgency=medium
177
178 * Drop reload support from systemd unit files (LP: #1868127)
179
180 -- Lucas Kanashiro <kanashiro@ubuntu.com> Tue, 26 May 2020 19:04:33 -0300
181
182openvpn (2.4.9-2ubuntu1) groovy; urgency=medium
183
184 * Merge with Debian unstable. Remaining changes:
185 - d/control: Demote easy-rsa to Suggests (universe package).
186 - debian/openvpn@.service: Add '--script-security 2' similar to what
187 got added to debian/openvpn.init.d ages ago (LP 1454725)
188 - Allow MD5 for PRF in FIPS mode openssl.
189 * Added changes:
190 - d/tests: add two DEP-8 test cases
191 + d/t/server-setup-with-static-key: test the OpenVPN server side setup
192 using a static key.
193 + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
194 CA built with easy-rsa.
195
196 -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Wed, 29 Apr 2020 15:35:56 -0300
197
97openvpn (2.4.9-2) unstable; urgency=medium198openvpn (2.4.9-2) unstable; urgency=medium
98199
99 * Cherry-Pick upstream patch to fix ssl_do_config error with200 * Cherry-Pick upstream patch to fix ssl_do_config error with
@@ -129,6 +230,28 @@ openvpn (2.4.9-1) unstable; urgency=medium
129230
130 -- Bernhard Schmidt <berni@debian.org> Sun, 19 Apr 2020 15:52:57 +0200231 -- Bernhard Schmidt <berni@debian.org> Sun, 19 Apr 2020 15:52:57 +0200
131232
233openvpn (2.4.7-1ubuntu2) eoan; urgency=medium
234
235 * No-change upload with strops.h and sys/strops.h removed in glibc.
236
237 -- Matthias Klose <doko@ubuntu.com> Thu, 05 Sep 2019 11:05:25 +0000
238
239openvpn (2.4.7-1ubuntu1) eoan; urgency=medium
240
241 * Merge with Debian unstable (LP: #1828771). Remaining changes:
242 - d/control: Demote easy-rsa to Suggests (universe package).
243 - debian/openvpn@.service: Add '--script-security 2' similar to what got
244 added to debian/openvpn.init.d ages ago (LP 1454725)
245 - d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
246 (LP 1807439)
247 * Dropped changes:
248 - d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout
249 scripts breaking due to sudo/pam being unable to audit the action.
250 Fixed in upstream issue #918, suggested to Debian in #868806 (LP 1787208)
251 [in Debian now]
252
253 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 13 May 2019 15:55:22 +0200
254
132openvpn (2.4.7-1) unstable; urgency=medium255openvpn (2.4.7-1) unstable; urgency=medium
133256
134 [ Bernhard Schmidt ]257 [ Bernhard Schmidt ]
@@ -148,6 +271,30 @@ openvpn (2.4.7-1) unstable; urgency=medium
148271
149 -- Bernhard Schmidt <berni@debian.org> Wed, 20 Feb 2019 14:50:03 +0100272 -- Bernhard Schmidt <berni@debian.org> Wed, 20 Feb 2019 14:50:03 +0100
150273
274openvpn (2.4.6-1ubuntu3) disco; urgency=medium
275
276 * d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
277 (LP: #1807439)
278
279 -- Joy Latten <joy.latten@canonical.com> Wed, 09 Jan 2019 12:25:59 -0600
280
281openvpn (2.4.6-1ubuntu2) cosmic; urgency=medium
282
283 * d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout
284 scripts breaking due to sudo/pam being unable to audit the action.
285 Fixed in upstream issue #918, suggested to Debian in #868806 (LP: #1787208)
286
287 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Sep 2018 10:57:35 +0200
288
289openvpn (2.4.6-1ubuntu1) cosmic; urgency=medium
290
291 * Merge with Debian unstable. Remaining changes:
292 - d/control: Demote easy-rsa to Suggests (universe package).
293 - debian/openvpn@.service: Add '--script-security 2' similar to what got
294 added to debian/openvpn.init.d ages ago (LP 1454725)
295
296 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 20 Aug 2018 13:30:20 +0200
297
151openvpn (2.4.6-1) unstable; urgency=medium298openvpn (2.4.6-1) unstable; urgency=medium
152299
153 [ Jörg Frings-Fürst ]300 [ Jörg Frings-Fürst ]
@@ -191,6 +338,15 @@ openvpn (2.4.5-1) unstable; urgency=medium
191338
192 -- Bernhard Schmidt <berni@debian.org> Sun, 04 Mar 2018 22:23:47 +0100339 -- Bernhard Schmidt <berni@debian.org> Sun, 04 Mar 2018 22:23:47 +0100
193340
341openvpn (2.4.4-2ubuntu1) bionic; urgency=low
342
343 * Sync with Debian. Remaining changes:
344 - debian/openvpn@.service: Add "--script-security 2" similar to what got
345 added to debian/openvpn.init.d ages ago (LP: #1454725)
346 - Demote easy-rsa to Suggests (universe package).
347
348 -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 10 Feb 2018 20:27:56 +0000
349
194openvpn (2.4.4-2) unstable; urgency=medium350openvpn (2.4.4-2) unstable; urgency=medium
195351
196 * Build against OpenSSL 1.1.0 (Closes: #828477)352 * Build against OpenSSL 1.1.0 (Closes: #828477)
@@ -198,6 +354,15 @@ openvpn (2.4.4-2) unstable; urgency=medium
198354
199 -- Bernhard Schmidt <berni@debian.org> Mon, 11 Dec 2017 00:22:11 +0100355 -- Bernhard Schmidt <berni@debian.org> Mon, 11 Dec 2017 00:22:11 +0100
200356
357openvpn (2.4.4-1ubuntu1) bionic; urgency=medium
358
359 * Sync with Debian. Remaining changes:
360 - debian/openvpn@.service: Add "--script-security 2" similar to what got
361 added to debian/openvpn.init.d ages ago (LP: #1454725)
362 - Demote easy-rsa to Suggests (universe package).
363
364 -- Jeremy Bicha <jbicha@ubuntu.com> Sat, 28 Oct 2017 15:13:58 -0400
365
201openvpn (2.4.4-1) unstable; urgency=medium366openvpn (2.4.4-1) unstable; urgency=medium
202367
203 [ Jörg Frings-Fürst ]368 [ Jörg Frings-Fürst ]
@@ -319,6 +484,65 @@ openvpn (2.4.0-5) unstable; urgency=high
319484
320 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 May 2017 14:15:21 +0200485 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 May 2017 14:15:21 +0200
321486
487openvpn (2.4.0-4ubuntu1.3) zesty-security; urgency=medium
488
489 * SECURITY UPDATE: Remotely-triggerable ASSERT() on malformed IPv6 packet
490 - debian/patches/CVE-2017-7508.patch: remove assert in
491 src/openvpn/mss.c.
492 - CVE-2017-7508
493 * SECURITY UPDATE: Remote-triggerable memory leaks
494 - debian/patches/CVE-2017-7512.patch: fix leaks in
495 src/openvpn/ssl_verify_openssl.c.
496 - CVE-2017-7512
497 * SECURITY UPDATE: Pre-authentication remote crash/information disclosure
498 for clients
499 - debian/patches/CVE-2017-7520.patch: prevent two kinds of stack buffer
500 OOB reads and a crash for invalid input data in src/openvpn/ntlm.c.
501 - CVE-2017-7520
502 * SECURITY UPDATE: Potential double-free in --x509-alt-username and
503 memory leaks
504 - debian/patches/CVE-2017-7521.patch: fix double-free in
505 src/openvpn/ssl_verify_openssl.c.
506 - CVE-2017-7521
507 * SECURITY UPDATE: DoS in establish_http_proxy_passthru()
508 - debian/patches/establish_http_proxy_passthru_dos.patch: fix
509 null-pointer dereference in src/openvpn/proxy.c.
510 - No CVE number
511
512 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 22 Jun 2017 08:37:49 -0400
513
514openvpn (2.4.0-4ubuntu1.2) zesty-security; urgency=medium
515
516 * SECURITY UPDATE: pre-authentication denial-of-service vulnerability
517 (both client and server) from a too-large control packet.
518 - debian/patches/CVE-2017-7478.patch: Do not assert on too-large
519 control packet
520 - CVE-2017-7478
521 * SECURITY UPDATE: authenticated remote DoS vulnerability due to
522 packet ID rollover
523 - debian/patches/CVE-2017-7479-prereq.patch: merge
524 packet_id_alloc_outgoing() into packet_id_write()
525 - debian/patches/CVE-2017-7478.patch: do not assert when packet ID
526 rollover occurs
527 - CVE-2017-7478
528 * SECURITY UPDATE: auth tokens left in memory after de-auth
529 - debian/patches/wipe_tokens_on_de-auth.patch: always wipe token
530 as soon as a TLS session is considered broken.
531
532 -- Steve Beattie <sbeattie@ubuntu.com> Wed, 10 May 2017 15:21:05 -0700
533
534openvpn (2.4.0-4ubuntu1) zesty; urgency=medium
535
536 * Merge with Debian unstable. Remaining Ubuntu changes:
537 - debian/openvpn@.service: Add "--script-security 2" similar to what got
538 added to debian/openvpn.init.d ages ago (LP: #1454725)
539 - Demote easy-rsa to Suggests (universe package).
540 * Drop:
541 - debian/control: Actually drop the initscripts dependency.
542 (Closes: #804968). Already in Debian
543
544 -- Jon Grimm <jon.grimm@canonical.com> Fri, 10 Feb 2017 12:16:57 -0600
545
322openvpn (2.4.0-4) unstable; urgency=medium546openvpn (2.4.0-4) unstable; urgency=medium
323547
324 * Add NEWS entries on possible 2.4 migration issues.548 * Add NEWS entries on possible 2.4 migration issues.
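Review bot: In the 2.4.0-4ubuntu1.2 entry (new-file lines 521-527), the packet ID rollover item names its prerequisite CVE-2017-7479-prereq.patch but then cites debian/patches/CVE-2017-7478.patch and "- CVE-2017-7478", the same patch and CVE already recorded for the too-large control packet item just above it. Anyone checking fix coverage from this changelog would find no entry for CVE-2017-7479; worth confirming the patch name and CVE id against debian/patches before this history is relied on. The "auth tokens left in memory after de-auth" item also has neither a CVE line nor a "No CVE number" marker, unlike the proxy DoS item in 2.4.0-4ubuntu1.3.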
@@ -388,6 +612,24 @@ openvpn (2.3.11-2) unstable; urgency=medium
388612
389 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 23 May 2016 09:55:30 +0200613 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 23 May 2016 09:55:30 +0200
390614
615openvpn (2.3.11-1ubuntu2) yakkety; urgency=medium
616
617 * debian/control: Actually drop the initscripts dependency.
618 (Closes: #804968)
619
620 -- Martin Pitt <martin.pitt@ubuntu.com> Wed, 22 Jun 2016 16:54:51 +0200
621
622openvpn (2.3.11-1ubuntu1) yakkety; urgency=medium
623
624 * Merge with Debian unstable. Remaining Ubuntu changes:
625 - debian/openvpn@.service: Add "--script-security 2" similar to what got
626 added to debian/openvpn.init.d ages ago (see LP: #260291).
627 - Demote easy-rsa to Suggests (universe package).
628 * Drop intrusive changes (showing per-VPN result messages) from
629 debian/openvpn.init.d. This isn't being used under systemd.
630
631 -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 20 May 2016 17:30:27 +0200
632
391openvpn (2.3.11-1) unstable; urgency=medium633openvpn (2.3.11-1) unstable; urgency=medium
392634
393 * New upstream release.635 * New upstream release.
@@ -399,6 +641,25 @@ openvpn (2.3.11-1) unstable; urgency=medium
399641
400 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 10 May 2016 17:41:53 +0200642 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 10 May 2016 17:41:53 +0200
401643
644openvpn (2.3.10-1ubuntu2) xenial; urgency=medium
645
646 * debian/openvpn@.service: Add --script-security similar to what got added
647 to debian/openvpn.init.d ages ago (see LP #260291). (LP: #1454725)
648
649 -- Martin Pitt <martin.pitt@ubuntu.com> Tue, 02 Feb 2016 13:33:39 +0100
650
651openvpn (2.3.10-1ubuntu1) xenial; urgency=medium
652
653 * Merge with Debian unstable (LP: #1536568). Remaining Ubuntu changes:
654 - debian/openvpn.init.d:
655 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
656 + Show per-VPN result messages.
657 + Add "--script-security 2" by default for backwards compatabliity.
658 (LP #260291)
659 - Demote easy-rsa to Suggests
660
661 -- Gianfranco Costamagna <locutusofborg@debian.org> Thu, 21 Jan 2016 11:37:08 +0100
662
402openvpn (2.3.10-1) unstable; urgency=medium663openvpn (2.3.10-1) unstable; urgency=medium
403664
404 * New upstream release. (Closes: #804368)665 * New upstream release. (Closes: #804368)
@@ -417,6 +678,21 @@ openvpn (2.3.10-1) unstable; urgency=medium
417678
418 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 20 Jan 2016 12:01:36 +0100679 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 20 Jan 2016 12:01:36 +0100
419680
681openvpn (2.3.8-1ubuntu1) xenial; urgency=medium
682
683 * Merge with Debian unstable. Remaining Ubuntu changes:
684 - debian/openvpn.init.d:
685 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
686 + Show per-VPN result messages.
687 + Add "--script-security 2" by default for backwards compatabliity.
688 - Demote easy-rsa to Suggests
689 - Run openvpn@.service before systemd-user-sessions.service to avoid
690 gettys and lightdm starting on top of possible password prompts. This
691 provides the equivalent of the init.d script's X-Start-Before:.
692 (Closes: #803032)
693
694 -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 04 Jan 2016 11:48:31 +0100
695
420openvpn (2.3.8-1) unstable; urgency=medium696openvpn (2.3.8-1) unstable; urgency=medium
421697
422 * New upstream release. Drop patch from 2.3.7-2.698 * New upstream release. Drop patch from 2.3.7-2.
@@ -430,6 +706,21 @@ openvpn (2.3.8-1) unstable; urgency=medium
430706
431 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 28 Oct 2015 17:34:26 +0100707 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 28 Oct 2015 17:34:26 +0100
432708
709openvpn (2.3.7-2ubuntu1) xenial; urgency=medium
710
711 * Merge with Debian unstable. Remaining Ubuntu changes:
712 - debian/openvpn.init.d:
713 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
714 + Show per-VPN result messages.
715 + Add "--script-security 2" by default for backwards compatabliity.
716 - Demote easy-rsa to Suggests
717 - Run openvpn@.service before systemd-user-sessions.service to avoid
718 gettys and lightdm starting on top of possible password prompts. This
719 provides the equivalent of the init.d script's X-Start-Before:.
720 (Closes: #803032)
721
722 -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 26 Oct 2015 09:32:31 +0100
723
433openvpn (2.3.7-2) unstable; urgency=medium724openvpn (2.3.7-2) unstable; urgency=medium
434725
435 * Move libsystemd-daemon-dev Build-Dep to libsystemd-dev.726 * Move libsystemd-daemon-dev Build-Dep to libsystemd-dev.
@@ -440,6 +731,20 @@ openvpn (2.3.7-2) unstable; urgency=medium
440731
441 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 08 Sep 2015 08:23:19 +0000732 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 08 Sep 2015 08:23:19 +0000
442733
734openvpn (2.3.7-1ubuntu1) wily; urgency=medium
735
736 * Merge with Debian unstable. Remaining Ubuntu changes:
737 - debian/openvpn.init.d:
738 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
739 + Show per-VPN result messages.
740 + Add "--script-security 2" by default for backwards compatabliity.
741 - Demote easy-rsa to Suggests
742 - Run openvpn@.service before systemd-user-sessions.service to avoid
743 gettys and lightdm starting on top of possible password prompts. This
744 provides the equivalent of the init.d script's X-Start-Before:.
745
746 -- Martin Pitt <martin.pitt@ubuntu.com> Wed, 08 Jul 2015 12:28:54 +0200
747
443openvpn (2.3.7-1) unstable; urgency=medium748openvpn (2.3.7-1) unstable; urgency=medium
444749
445 * New upstream version750 * New upstream version
@@ -461,6 +766,20 @@ openvpn (2.3.5-1) unstable; urgency=medium
461766
462 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Oct 2014 17:44:06 +0100767 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Oct 2014 17:44:06 +0100
463768
769openvpn (2.3.4-5ubuntu1) wily; urgency=medium
770
771 * Merge with Debian unstable. Remaining Ubuntu changes:
772 - debian/openvpn.init.d:
773 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
774 + Show per-VPN result messages.
775 + Add "--script-security 2" by default for backwards compatabliity.
776 - Demote easy-rsa to Suggests
777 - Run openvpn@.service before systemd-user-sessions.service to avoid
778 gettys and lightdm starting on top of possible password prompts. This
779 provides the equivalent of the init.d script's X-Start-Before:.
780
781 -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 07 May 2015 15:35:52 +0200
782
464openvpn (2.3.4-5) unstable; urgency=high783openvpn (2.3.4-5) unstable; urgency=high
465784
466 * Apply upstream patch that fixes possible DoS by authenticated785 * Apply upstream patch that fixes possible DoS by authenticated
@@ -519,6 +838,52 @@ openvpn (2.3.3-1) experimental; urgency=medium
519838
520 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 17 Mar 2014 19:40:12 +0100839 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 17 Mar 2014 19:40:12 +0100
521840
841openvpn (2.3.2-9ubuntu4) vivid; urgency=medium
842
843 * Run openvpn@.service before systemd-user-sessions.service to avoid gettys
844 and lightdm starting on top of possible password prompts. This provides
845 the equivalent of the init.d script's X-Start-Before:.
846
847 -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 13 Apr 2015 16:09:01 -0500
848
849openvpn (2.3.2-9ubuntu3) vivid; urgency=medium
850
851 * Add better_systemd_detection.patch to avoid calling systemd-ask-password
852 under upstart. Backported from upstream. (Closes: #747265)
853 * Add systemd unit and generator from current Debian package. This avoids
854 using the init.d script, which unnecessarily blocks lightdm startup on the
855 network becoming online even if there are no auto-start connections
856 (LP: #1443489).
857
858 -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 13 Apr 2015 11:22:56 -0500
859
860openvpn (2.3.2-9ubuntu2) vivid; urgency=medium
861
862 * SECURITY UPDATE: server denial of service via too-short control channel
863 packets
864 - debian/patches/CVE-2014-8104.patch: drop too-short control channel
865 packets instead of asserting out in src/openvpn/ssl.c.
866 - CVE-2014-8104
867 * debian/patches/update_certs.patch: update test certs to fix FTBFS.
868
869 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Dec 2014 15:26:58 -0500
870
871openvpn (2.3.2-9ubuntu1) utopic; urgency=medium
872
873 * Merge from Debian unstable. Remaining changes:
874 - debian/openvpn.init.d:
875 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
876 + Show per-VPN result messages.
877 + Add "--script-security 2" by default for backwards compatabliity.
878 - Demote easy-rsa to Suggests
879 - Patch libtool.m4 and configure to support ppc64el.
880 - Refresh delta with debian/openvpn.init.d:
881 + Make stop action reliable by killing if needed
882 (LP: #1274254, LP: #1200519)
883 + Use new path for status file (LP: #1261088)
884
885 -- Stéphane Graber <stgraber@ubuntu.com> Fri, 02 May 2014 16:00:55 -0400
886
522openvpn (2.3.2-9) unstable; urgency=medium887openvpn (2.3.2-9) unstable; urgency=medium
523888
524 * Create /run/openvpn in init script even if no VPN is889 * Create /run/openvpn in init script even if no VPN is
@@ -534,6 +899,33 @@ openvpn (2.3.2-8) unstable; urgency=medium
534899
535 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 14 Mar 2014 12:59:57 +0100900 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 14 Mar 2014 12:59:57 +0100
536901
902openvpn (2.3.2-7ubuntu3) trusty; urgency=medium
903
904 [ Simon Deziel ]
905 * Refresh delta with debian/openvpn.init.d:
906 - Make stop action reliable by killing if needed
907 (LP: #1274254, LP: #1200519)
908 - Use new path for status file (LP: #1261088)
909
910 -- Stéphane Graber <stgraber@ubuntu.com> Tue, 04 Feb 2014 09:31:39 -0500
911
912openvpn (2.3.2-7ubuntu2) trusty; urgency=medium
913
914 * Patch libtool.m4 and configure to support ppc64el.
915
916 -- Matthias Klose <doko@ubuntu.com> Mon, 30 Dec 2013 12:32:35 +0100
917
918openvpn (2.3.2-7ubuntu1) trusty; urgency=low
919
920 * Merge from Debian unstable. Remaining changes:
921 - debian/openvpn.init.d:
922 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
923 + Show per-VPN result messages.
924 + Add "--script-security 2" by default for backwards compatabliity.
925 - Demote easy-rsa to Suggests
926
927 -- Stéphane Graber <stgraber@ubuntu.com> Mon, 02 Dec 2013 18:14:42 -0500
928
537openvpn (2.3.2-7) unstable; urgency=low929openvpn (2.3.2-7) unstable; urgency=low
538930
539 * Fix postinst when no *.pid files exist in /run/sendsigs.omit.d/.931 * Fix postinst when no *.pid files exist in /run/sendsigs.omit.d/.
@@ -550,6 +942,17 @@ openvpn (2.3.2-6) unstable; urgency=low
550942
551 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 27 Nov 2013 13:58:33 +0100943 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 27 Nov 2013 13:58:33 +0100
552944
945openvpn (2.3.2-5ubuntu1) trusty; urgency=low
946
947 * Merge from Debian unstable. Remaining changes:
948 - debian/openvpn.init.d:
949 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
950 + Show per-VPN result messages.
951 + Add "--script-security 2" by default for backwards compatabliity.
952 - Demote easy-rsa to Suggests
953
954 -- Stéphane Graber <stgraber@ubuntu.com> Mon, 21 Oct 2013 13:07:37 -0400
955
553openvpn (2.3.2-5) unstable; urgency=low956openvpn (2.3.2-5) unstable; urgency=low
554957
555 * Patch init script to fix race conditions on restarts.958 * Patch init script to fix race conditions on restarts.
@@ -559,6 +962,16 @@ openvpn (2.3.2-5) unstable; urgency=low
559962
560 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 15 Jul 2013 16:10:59 +0200963 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 15 Jul 2013 16:10:59 +0200
561964
965openvpn (2.3.2-4ubuntu1) saucy; urgency=low
966
967 * Merge from Debian unstable. Remaining changes:
968 - debian/openvpn.init.d:
969 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
970 + Show per-VPN result messages.
971 + Add "--script-security 2" by default for backwards compatabliity.
972
973 -- Stéphane Graber <stgraber@ubuntu.com> Tue, 09 Jul 2013 17:20:31 -0400
974
562openvpn (2.3.2-4) unstable; urgency=low975openvpn (2.3.2-4) unstable; urgency=low
563976
564 * Fix depends on iproute to iproute2.977 * Fix depends on iproute to iproute2.
@@ -591,6 +1004,23 @@ openvpn (2.3.2-1) unstable; urgency=low
5911004
592 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 03 Jun 2013 18:48:44 +02001005 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 03 Jun 2013 18:48:44 +0200
5931006
1007openvpn (2.3.1-2ubuntu2) saucy; urgency=low
1008
1009 * Move easy-rsa from Recommends to Suggests as it's not in main and isn't
1010 actually required to operate an openvpn server.
1011
1012 -- Stéphane Graber <stgraber@ubuntu.com> Wed, 19 Jun 2013 14:37:54 -0400
1013
1014openvpn (2.3.1-2ubuntu1) saucy; urgency=low
1015
1016 * Merge from Debian unstable. Remaining changes:
1017 - debian/openvpn.init.d:
1018 + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
1019 + Show per-VPN result messages.
1020 + Add "--script-security 2" by default for backwards compatabliity.
1021
1022 -- Stéphane Graber <stgraber@ubuntu.com> Fri, 24 May 2013 17:42:45 -0400
1023
594openvpn (2.3.1-2) unstable; urgency=low1024openvpn (2.3.1-2) unstable; urgency=low
5951025
596 * Add net-tools to Build-Depends. (Closes: #709108)1026 * Add net-tools to Build-Depends. (Closes: #709108)
@@ -618,6 +1048,32 @@ openvpn (2.3~rc1-1) experimental; urgency=low
6181048
619 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 05 Nov 2012 16:31:15 +01001049 -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 05 Nov 2012 16:31:15 +0100
6201050
1051openvpn (2.2.1-8ubuntu3) raring; urgency=low
1052
1053 [ Marc Gariépy ]
1054 * Add --script-security to the init.d script (was generated but not passed
1055 to openvpn). (LP: #1124398)
1056
1057 -- Stéphane Graber <stgraber@ubuntu.com> Wed, 13 Feb 2013 16:10:48 -0500
1058
1059openvpn (2.2.1-8ubuntu2) quantal; urgency=low
1060
1061 * Rebuild for new armel compiler default of ARMv5t.
1062
1063 -- Colin Watson <cjwatson@ubuntu.com> Mon, 08 Oct 2012 08:36:47 +0100
1064
1065openvpn (2.2.1-8ubuntu1) precise; urgency=low
1066
1067 * Merge at Simon Deziel's request to build with PIE.
1068 * Merge from Debian unstable. Remaining changes:
1069 + debian/openvpn.init.d:
1070 - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
1071 - Show per-VPN result messages.
1072 - Add "--script-security 2" by default for backwards compatabliity.
1073 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1074
1075 -- Stéphane Graber <stgraber@ubuntu.com> Fri, 30 Mar 2012 13:19:09 -0400
1076
621openvpn (2.2.1-8) unstable; urgency=low1077openvpn (2.2.1-8) unstable; urgency=low
6221078
623 * Enable "PIE" and "BINDOW" hardening flags.1079 * Enable "PIE" and "BINDOW" hardening flags.
@@ -642,6 +1098,17 @@ openvpn (2.2.1-6) unstable; urgency=low
6421098
643 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Mar 2012 13:44:50 +01001099 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Mar 2012 13:44:50 +0100
6441100
1101openvpn (2.2.1-5ubuntu1) precise; urgency=low
1102
1103 * Merge from Debian unstable. Remaining changes: (LP: #907828)
1104 + debian/openvpn.init.d:
1105 - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
1106 - Show per-VPN result messages.
1107 - Add "--script-security 2" by default for backwards compatabliity.
1108 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1109
1110 -- Stéphane Graber <stgraber@ubuntu.com> Sat, 25 Feb 2012 21:08:48 -0500
1111
645openvpn (2.2.1-5) unstable; urgency=low1112openvpn (2.2.1-5) unstable; urgency=low
6461113
647 * Avoid sending ICMP redirects when using tun devices and "subnet"1114 * Avoid sending ICMP redirects when using tun devices and "subnet"
@@ -664,6 +1131,20 @@ openvpn (2.2.1-4) unstable; urgency=low
6641131
665 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 08 Feb 2012 16:31:32 +01001132 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 08 Feb 2012 16:31:32 +0100
6661133
1134openvpn (2.2.1-3ubuntu1) precise; urgency=low
1135
1136 * Merge from Debian testing. Remaining changes:
1137 + debian/openvpn.init.d:
1138 - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
1139 - Show per-VPN result messages.
1140 - Add "--script-security 2" by default for backwards compatabliity.
1141 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1142 + debian/update-resolv-conf: Support multiple domains.
1143 + fix bug where '--script-security 2' would be passed for all
1144 daemons after the first. (LP: #794916)
1145
1146 -- Chuck Short <zulcss@ubuntu.com> Sat, 31 Dec 2011 04:55:56 +0000
1147
667openvpn (2.2.1-3) unstable; urgency=low1148openvpn (2.2.1-3) unstable; urgency=low
6681149
669 * The iproute fiasco release.1150 * The iproute fiasco release.
@@ -692,6 +1173,20 @@ openvpn (2.2.1-1) unstable; urgency=low
6921173
693 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 13 Dec 2011 11:04:22 +01001174 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 13 Dec 2011 11:04:22 +0100
6941175
1176openvpn (2.2.0-2ubuntu1) oneiric; urgency=low
1177
1178 * Merge from debian unstable. Remaining changes:
1179 + debian/openvpn.init.d:
1180 - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
1181 - Show per-VPN result messages.
1182 - Add "--script-security 2" by default for backwards compatabliity.
1183 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1184 + debian/update-resolv-conf: Support multiple domains.
1185 + fix bug where '--script-security 2' would be passed for all
1186 daemons after the first. (LP: #794916
1187
1188 -- Chuck Short <zulcss@ubuntu.com> Thu, 16 Jun 2011 18:33:37 +0100
1189
695openvpn (2.2.0-2) unstable; urgency=low1190openvpn (2.2.0-2) unstable; urgency=low
6961191
697 * Upload to unstable1192 * Upload to unstable
@@ -726,6 +1221,45 @@ openvpn (2.1.3-5) experimental; urgency=low
7261221
727 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 22 Mar 2011 10:57:18 +01001222 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 22 Mar 2011 10:57:18 +0100
7281223
1224openvpn (2.1.3-4.1ubuntu2) oneiric; urgency=low
1225
1226 [Alexander Zielke]
1227 * fix bug where '--script-security 2' would be passed for all
1228 daemons after the first. (LP: #794916)
1229
1230 -- Scott Moser <smoser@ubuntu.com> Thu, 09 Jun 2011 13:59:08 -0400
1231
1232openvpn (2.1.3-4.1ubuntu1) oneiric; urgency=low
1233
1234 * Merge from debian unstable. Remaining changes:
1235 + debian/openvpn.init.d:
1236 - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
1237 - Show per-VPN result messages.
1238 - Add "--script-security 2" by default for backwards compatabliity.
1239 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1240 + debian/update-resolv-conf: Support multiple domains.
1241
1242 -- Chuck Short <zulcss@ubuntu.com> Tue, 17 May 2011 02:14:39 +0100
1243
1244openvpn (2.1.3-4.1) unstable; urgency=low
1245
1246 * Non-maintainer upload.
1247 * Drop hard-coded dependency on libssl0.9.8. (Closes: #623503)
1248
1249 -- Philipp Kern <pkern@debian.org> Mon, 09 May 2011 23:20:03 +0200
1250
1251openvpn (2.1.3-4ubuntu1) oneiric; urgency=low
1252
1253 * Merge from debian unstable. Remaining changes:
1254 + debian/openvpn.init.d:
1255 - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
1256 - Show per-VPN result messages.
1257 - Add "--script-security 2" by default for backwards compatabliity.
1258 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1259 + debian/update-resolv-conf: Support multiple domains.
1260
1261 -- Chuck Short <zulcss@ubuntu.com> Tue, 22 Mar 2011 23:28:26 +0000
1262
729openvpn (2.1.3-4) unstable; urgency=low1263openvpn (2.1.3-4) unstable; urgency=low
7301264
731 * Updated JuanJo's IPv6 patch. Now really fixes use from xinetd.1265 * Updated JuanJo's IPv6 patch. Now really fixes use from xinetd.
@@ -748,6 +1282,31 @@ openvpn (2.1.3-3) unstable; urgency=low
7481282
749 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 11 Mar 2011 13:08:12 +01001283 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 11 Mar 2011 13:08:12 +0100
7501284
1285openvpn (2.1.3-2ubuntu3) natty; urgency=low
1286
1287 * update-resolv-conf: Correctly handle multiple dns search domains,
1288 using the same logic as nameservers. Patch courtesy of Jeremy
1289 Zawodny. (LP: #662847)
1290
1291 -- Dave Walker (Daviey) <DaveWalker@ubuntu.com> Fri, 11 Mar 2011 00:23:59 +0000
1292
1293openvpn (2.1.3-2ubuntu2) natty; urgency=low
1294
1295 * update-resolv-conf: Support mulitple domains (LP: #714358)
1296
1297 -- Chuck Short <zulcss@ubuntu.com> Mon, 14 Feb 2011 15:21:46 -0500
1298
1299openvpn (2.1.3-2ubuntu1) natty; urgency=low
1300
1301 * Merge from debian unstable. Remaining changes:
1302 + debian/openvpn.init.d:
1303 - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
1304 - Show per-VPN result messages.
1305 - Add "--script-security 2" by default for backwards compatabliity.
1306 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1307
1308 -- Chuck Short <zulcss@ubuntu.com> Sat, 23 Oct 2010 01:59:28 +0100
1309
751openvpn (2.1.3-2) unstable; urgency=low1310openvpn (2.1.3-2) unstable; urgency=low
7521311
753 * Applied upstream patch to solve random routes added when using1312 * Applied upstream patch to solve random routes added when using
@@ -755,6 +1314,24 @@ openvpn (2.1.3-2) unstable; urgency=low
7551314
756 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 21 Oct 2010 12:21:33 +02001315 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 21 Oct 2010 12:21:33 +0200
7571316
1317openvpn (2.1.3-1ubuntu2) natty; urgency=low
1318
1319 * Fix jjo-ipv6-support.patch to avoid assertion failure at socket.c:629 in
1320 corner cases where ! host && addr (LP: #627973)
1321
1322 -- Thierry Carrez (ttx) <thierry.carrez@ubuntu.com> Wed, 20 Oct 2010 16:22:25 +0200
1323
1324openvpn (2.1.3-1ubuntu1) natty; urgency=low
1325
1326 * Merge from debian unstable. Remaining changes:
1327 + debian/openvpn.init.d:
1328 - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
1329 - Show per-VPN result messages.
1330 - Add "--script-security 2" by default for backwards compatablitiy
1331 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1332
1333 -- Chuck Short <zulcss@ubuntu.com> Tue, 05 Oct 2010 06:21:14 +0100
1334
758openvpn (2.1.3-1) unstable; urgency=low1335openvpn (2.1.3-1) unstable; urgency=low
7591336
760 * New upstream release (Closes: #595684)1337 * New upstream release (Closes: #595684)
@@ -766,6 +1343,17 @@ openvpn (2.1.3-1) unstable; urgency=low
7661343
767 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Sep 2010 13:07:37 +02001344 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Sep 2010 13:07:37 +0200
7681345
1346openvpn (2.1.0-3ubuntu1) maverick; urgency=low
1347
1348 * Merge from debian unstable. Remaining changes:
1349 + debian/openvpn.init.d:
1350 - Do not use start-stop-daemon and use </dev/null to avoid blocking boot
1351 - Show per-VPN result messages
1352 - Add "--script-security 2" by default for backwards compatablitiy
1353 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1354
1355 -- Chuck Short <zulcss@ubuntu.com> Mon, 12 Jul 2010 09:39:43 -0400
1356
769openvpn (2.1.0-3) unstable; urgency=low1357openvpn (2.1.0-3) unstable; urgency=low
7701358
771 * The 'happy birthday to me' release1359 * The 'happy birthday to me' release
@@ -775,6 +1363,24 @@ openvpn (2.1.0-3) unstable; urgency=low
7751363
776 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Jul 2010 12:22:09 +02001364 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 09 Jul 2010 12:22:09 +0200
7771365
1366openvpn (2.1.0-2ubuntu2) maverick; urgency=low
1367
1368 * debian/patches/client_hang_when_server_dont_push.patch: Fix client hanging
1369 on PUSH_REQUEST when server does not push any option (LP: #579737)
1370
1371 -- Thierry Carrez <thierry.carrez@ubuntu.com> Mon, 28 Jun 2010 10:45:23 +0200
1372
1373openvpn (2.1.0-2ubuntu1) maverick; urgency=low
1374
1375 * Merge from debian unstable. Remaining changes:
1376 + debian/openvpn.init.d:
1377 - Do not use start-stop-daemon and use </dev/null to avoid blocking boot
1378 - Show per-VPN result messages
1379 - Add "--script-security 2" by default for backwards compatablitiy
1380 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1381
1382 -- Chuck Short <zulcss@ubuntu.com> Wed, 05 May 2010 03:06:19 +0100
1383
778openvpn (2.1.0-2) unstable; urgency=low1384openvpn (2.1.0-2) unstable; urgency=low
7791385
780 * Patched ssl.[ch] to fix integer overflow. (Closes: #576827)1386 * Patched ssl.[ch] to fix integer overflow. (Closes: #576827)
@@ -787,6 +1393,17 @@ openvpn (2.1.0-2) unstable; urgency=low
7871393
788 -- Alberto Gonzalez Iniesta <agi@inittab.org> Sat, 10 Apr 2010 17:26:42 +02001394 -- Alberto Gonzalez Iniesta <agi@inittab.org> Sat, 10 Apr 2010 17:26:42 +0200
7891395
1396openvpn (2.1.0-1ubuntu1) lucid; urgency=low
1397
1398 * Merge from debian testing (LP: #509078), remaining changes:
1399 + debian/openvpn.init.d:
1400 - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
1401 - Show per-VPN result messages
1402 - Add "--script-security 2" by default for backwards compatibility
1403 + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
1404
1405 -- Jan Brinkmann <lucky@the-luckyduck.de> Fri, 22 Jan 2010 00:47:33 +0100
1406
790openvpn (2.1.0-1) unstable; urgency=low1407openvpn (2.1.0-1) unstable; urgency=low
7911408
792 * New upstream release1409 * New upstream release
@@ -824,6 +1441,20 @@ openvpn (2.1~rc20-3) unstable; urgency=low
8241441
825 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 04 Nov 2009 17:18:03 +01001442 -- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 04 Nov 2009 17:18:03 +0100
8261443
1444openvpn (2.1~rc20-2ubuntu1) lucid; urgency=low
1445
1446 * Merge from debian testing, remaining changes:
1447 + debian/openvpn.init.d:
1448 - Do not use start-stop-daemon and use < /dev/null to avoid blocking
1449 boot.
1450 - show per-VPN result messages
1451 - add "--script-security 2" by default for backwards compatibility
1452 - Add lab-base >= 3.2-14 to allow status_of_proc()
1453 + Dropped debian/patches/redirect-gateway.patch: Already applied
1454 upstream.
1455
1456 -- Chuck Short <zulcss@ubuntu.com> Fri, 06 Nov 2009 01:36:35 +0000
1457
827openvpn (2.1~rc20-2) unstable; urgency=low1458openvpn (2.1~rc20-2) unstable; urgency=low
8281459
829 * init.d script: Added X-Interactive header. (Closes: #549424)1460 * init.d script: Added X-Interactive header. (Closes: #549424)
@@ -848,6 +1479,25 @@ openvpn (2.1~rc19-2) unstable; urgency=low
8481479
849 -- Alberto Gonzalez Iniesta <agi@inittab.org> Sun, 30 Aug 2009 20:20:11 +02001480 -- Alberto Gonzalez Iniesta <agi@inittab.org> Sun, 30 Aug 2009 20:20:11 +0200
8501481
1482openvpn (2.1~rc19-1ubuntu2) karmic; urgency=low
1483
1484 * debian/patches/redirect-gateway.patch: Fix regression introduced in
1485 2.1rc17 that makes redirect-gateway (without options) to be ignored.
1486 Patch cherrypicked from upstream 2.1rc20 (SVN r5011), LP: #445695
1487
1488 -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 13 Oct 2009 09:31:20 +0200
1489
1490openvpn (2.1~rc19-1ubuntu1) karmic; urgency=low
1491
1492 * Merge from debian unstable (LP: #404099), remaining changes:
1493 - debian/openvpn.init.d:
1494 - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
1495 - show per-VPN result messages
1496 - add "--script-security 2" by default for backwards compatibility
1497 - Added lsb-base>=3.2-14 depend to allow status_of_proc()
1498
1499 -- Bhavani Shankar <right2bhavi@gmail.com> Fri, 24 Jul 2009 19:22:13 +0530
1500
851openvpn (2.1~rc19-1) unstable; urgency=low1501openvpn (2.1~rc19-1) unstable; urgency=low
8521502
853 * New upstream version1503 * New upstream version
@@ -857,6 +1507,17 @@ openvpn (2.1~rc19-1) unstable; urgency=low
8571507
858 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 21 Jul 2009 17:00:56 +02001508 -- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 21 Jul 2009 17:00:56 +0200
8591509
1510openvpn (2.1~rc15-1ubuntu1) karmic; urgency=low
1511
1512 * Merge from debian unstable (LP: #372358), remaining changes:
1513 - debian/openvpn.init.d:
1514 - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
1515 - show per-VPN result messages
1516 - add "--script-security 2" by default for backwards compatibility
1517 - Added lsb-base>=3.2-14 depend to allow status_of_proc()
1518
1519 -- Andres Rodriguez <andreserl@ubuntu.com> Tue, 05 May 2009 14:25:37 -0500
1520
860openvpn (2.1~rc15-1) unstable; urgency=low1521openvpn (2.1~rc15-1) unstable; urgency=low
8611522
862 * New upstream version (Closes: #515575)1523 * New upstream version (Closes: #515575)
@@ -876,6 +1537,33 @@ openvpn (2.1~rc15-1) unstable; urgency=low
8761537
877 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 30 Apr 2009 12:35:05 +02001538 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 30 Apr 2009 12:35:05 +0200
8781539
1540openvpn (2.1~rc11-1ubuntu3) jaunty; urgency=low
1541
1542 * debian/openvpn.init.d:
1543 - Fix unexpected operator on startup (LP: #340120)
1544
1545 -- Michael Jeanson <mjeanson@revolutionlinux.com> Mon, 09 Mar 2009 16:02:50 -0400
1546
1547openvpn (2.1~rc11-1ubuntu2) intrepid; urgency=low
1548
1549 * debian/openvpn.init.d:
1550 - Revert fix from #454371 that was merged at 2.1~rc7-4 to prevent
1551 openvpn prompts from blocking the boot (LP: #280428)
1552 - Fix VPNs always reported started [ OK ]
1553
1554 -- Thierry Carrez <thierry.carrez@ubuntu.com> Wed, 15 Oct 2008 17:12:54 +0200
1555
1556openvpn (2.1~rc11-1ubuntu1) intrepid; urgency=low
1557
1558 * Merge with Debian (LP: #279655), remaining diffs:
1559 - debian/openvpn.init.d: Added 'status' action to init script, show
1560 per-VPN result messages and add "--script-security 2" by default for
1561 backwards compatibility
1562 - debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
1563 * Fixes regression when calling commands with arguments (LP: #277447)
1564
1565 -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 07 Oct 2008 16:30:44 +0200
1566
879openvpn (2.1~rc11-1) unstable; urgency=low1567openvpn (2.1~rc11-1) unstable; urgency=low
8801568
881 * New upstream version1569 * New upstream version
@@ -896,6 +1584,23 @@ openvpn (2.1~rc10-1) unstable; urgency=low
8961584
897 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 Sep 2008 16:58:37 +02001585 -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 11 Sep 2008 16:58:37 +0200
8981586
1587openvpn (2.1~rc9-3ubuntu2) intrepid; urgency=low
1588
1589 * debian/openvpn.init.d:
1590 - Added 'status' action to init script (LP: #251641)
1591 - Restored per-VPN result messages by using log_action_begin_msg and
1592 one log_daemon_msg per VPN instead of log_progress_msg (LP: #264966)
1593 * debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
1594
1595 -- Thierry Carrez <thierry.carrez@ubuntu.com> Tue, 09 Sep 2008 10:45:45 +0200
1596
1597openvpn (2.1~rc9-3ubuntu1) intrepid; urgency=low
1598
1599 * debian/openvpn.init.d: Add "--script-security 2" by default for backwards compatibility
1600 (LP: #260291)
1601
1602 -- Chuck Short <zulcss@ubuntu.com> Mon, 25 Aug 2008 10:20:31 -0400
1603
899openvpn (2.1~rc9-3) unstable; urgency=low1604openvpn (2.1~rc9-3) unstable; urgency=low
9001605
901 * debian/rules: run ./configure with path to 'route', for1606 * debian/rules: run ./configure with path to 'route', for
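Review bot: The 2.1~rc9-3ubuntu1 entry restored in this hunk is where `--script-security 2` first became a default (LP: #260291), and the later "Merge from Debian" entries list it as a remaining change with the same one-line "backwards compatibility" justification. Since this merge carries the delta on (see the openvpn@.service change), the new top changelog entry should state why it is still required, or the delta should be offered to Debian so that it can eventually be dropped.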
diff --git a/debian/control b/debian/control
index 63a8262..40ed491 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
1Source: openvpn1Source: openvpn
2Section: net2Section: net
3Priority: optional3Priority: optional
4Maintainer: Bernhard Schmidt <berni@debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: Bernhard Schmidt <berni@debian.org>
5Uploaders: Jörg Frings-Fürst <debian@jff.email>6Uploaders: Jörg Frings-Fürst <debian@jff.email>
6Build-Depends:7Build-Depends:
7 debhelper-compat (= 12),8 debhelper-compat (= 12),
@@ -39,8 +40,8 @@ Depends:
39Suggests:40Suggests:
40 openssl,41 openssl,
41 resolvconf,42 resolvconf,
42 openvpn-systemd-resolved43 openvpn-systemd-resolved,
43Recommends: easy-rsa44 easy-rsa
44Description: virtual private network daemon45Description: virtual private network daemon
45 OpenVPN is an application to securely tunnel IP networks over a46 OpenVPN is an application to securely tunnel IP networks over a
46 single UDP or TCP port. It can be used to access remote sites, make47 single UDP or TCP port. It can be used to access remote sites, make
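Review bot: In the last two changed lines `easy-rsa` moves from Recommends to Suggests, so a default install no longer pulls in the CA tooling, and nothing in the hunk says why. Please make sure the new changelog entry lists this as a remaining change together with its reason, so that the next merger can tell whether the demotion is still needed.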
diff --git a/debian/openvpn@.service b/debian/openvpn@.service
index 945874b..6d59b13 100644
--- a/debian/openvpn@.service
+++ b/debian/openvpn@.service
@@ -12,7 +12,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
12Type=notify12Type=notify
13PrivateTmp=true13PrivateTmp=true
14WorkingDirectory=/etc/openvpn14WorkingDirectory=/etc/openvpn
15ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid15ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
16PIDFile=/run/openvpn/%i.pid16PIDFile=/run/openvpn/%i.pid
17KillMode=process17KillMode=process
18CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE18CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
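Review bot: In the changed ExecStart line, `--script-security 2` is now passed to every `openvpn@` instance with no comment in the unit explaining it; the only rationale on the page is the changelog's "by default for backwards compatibility". Level 2 allows the daemon to call user-defined scripts, and those start under the set on the CapabilityBoundingSet line below (which includes CAP_DAC_OVERRIDE and CAP_SETUID), so please add a `#` comment in the unit, or a note in the package documentation, marking this as an Ubuntu delta and saying how an administrator lowers the level. The flag is placed before `--config /etc/openvpn/%i.conf`; it is worth confirming and stating that a `script-security` line in the per-instance config still takes precedence over it.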
diff --git a/debian/patches/openvpn-fips-2.4.patch b/debian/patches/openvpn-fips-2.4.patch
19new file mode 10064419new file mode 100644
index 0000000..1c4f068
--- /dev/null
+++ b/debian/patches/openvpn-fips-2.4.patch
@@ -0,0 +1,90 @@
1Description: Use openssl FIPS flag to indicate MD5 use for PRF.
2 MD5 is not allowed in FIPS 140-2 except for PRF. OpenVPN needs
3 to send EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag to FIPS mode openssl
4 for PRF to indicate the exception.
5Bug: https://community.openvpn.net/openvpn/ticket/725
6Bug-Ubuntu: https://bugs.launchpad.net/bugs/1807439
7Author: Stephan Mueller <stephan.mueller@atsec.com>
8
9--- a/src/openvpn/crypto.c
10+++ b/src/openvpn/crypto.c
11@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const
12 if (kt->digest && kt->hmac_length > 0)
13 {
14 ctx->hmac = hmac_ctx_new();
15- hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
16+ hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0);
17
18 msg(D_HANDSHAKE,
19 "%s: Using %d bit message hash '%s' for HMAC authentication",
20--- a/src/openvpn/crypto_backend.h
21+++ b/src/openvpn/crypto_backend.h
22@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx);
23 * @param key The key to use for the HMAC
24 * @param key_len The key length to use
25 * @param kt Static message digest parameters
26+ * @param prf_use Intended use for PRF in TLS protocol
27 *
28 */
29 void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length,
30- const md_kt_t *kt);
31+ const md_kt_t *kt, bool prf_use);
32
33 /*
34 * Free the given HMAC context.
35--- a/src/openvpn/crypto_mbedtls.c
36+++ b/src/openvpn/crypto_mbedtls.c
37@@ -919,7 +919,7 @@ hmac_ctx_free(mbedtls_md_context_t *ctx)
38
39 void
40 hmac_ctx_init(mbedtls_md_context_t *ctx, const uint8_t *key, int key_len,
41- const mbedtls_md_info_t *kt)
42+ const mbedtls_md_info_t *kt, bool prf_use)
43 {
44 ASSERT(NULL != kt && NULL != ctx);
45
46--- a/src/openvpn/crypto_openssl.c
47+++ b/src/openvpn/crypto_openssl.c
48@@ -1006,11 +1006,17 @@ hmac_ctx_free(HMAC_CTX *ctx)
49
50 void
51 hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
52- const EVP_MD *kt)
53+ const EVP_MD *kt, bool prf_use)
54 {
55 ASSERT(NULL != kt && NULL != ctx);
56
57 HMAC_CTX_reset(ctx);
58+
59+ /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
60+ * to be used anywhere else */
61+ if(kt == EVP_md5() && prf_use)
62+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
63+
64 HMAC_Init_ex(ctx, key, key_len, kt, NULL);
65
66 /* make sure we used a big enough key */
67--- a/src/openvpn/ntlm.c
68+++ b/src/openvpn/ntlm.c
69@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da
70 const md_kt_t *md5_kt = md_kt_get("MD5");
71 hmac_ctx_t *hmac_ctx = hmac_ctx_new();
72
73- hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
74+ hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0);
75 hmac_ctx_update(hmac_ctx, data, data_len);
76 hmac_ctx_final(hmac_ctx, result);
77 hmac_ctx_cleanup(hmac_ctx);
78--- a/src/openvpn/ssl.c
79+++ b/src/openvpn/ssl.c
80@@ -1632,8 +1632,8 @@ tls1_P_hash(const md_kt_t *md_kt,
81 int chunk = md_kt_size(md_kt);
82 unsigned int A1_len = md_kt_size(md_kt);
83
84- hmac_ctx_init(ctx, sec, sec_len, md_kt);
85- hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
86+ hmac_ctx_init(ctx, sec, sec_len, md_kt, 1);
87+ hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1);
88
89 hmac_ctx_update(ctx,seed,seed_len);
90 hmac_ctx_final(ctx, A1);
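Review bot: In the crypto_openssl.c part, the FIPS exemption is gated on `kt == EVP_md5()`, a pointer comparison that only holds when the caller's digest is the very object EVP_md5() returns; comparing by type, for example `EVP_MD_type(kt) == NID_md5`, would not depend on how the digest was looked up. The new parameter is declared `bool prf_use`, yet the callers in crypto.c, ntlm.c and ssl.c pass `0` or `1`; `false`/`true` would match the declaration, and in the visible lines of crypto_mbedtls.c the parameter is only added to the signature, so a comment that it is ignored there would help. The DEP-3 header has Description, Bug, Bug-Ubuntu and Author but no Forwarded or Last-Update field, and the file is named for 2.4, so it is unclear which upstream version this copy was refreshed against.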
diff --git a/debian/patches/series b/debian/patches/series
index 6bb0685..3d2c83a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@ CVE-2020-15078-1.patch
10CVE-2020-15078-2.patch10CVE-2020-15078-2.patch
11CVE-2020-15078-3.patch11CVE-2020-15078-3.patch
12Fix-condition-to-generate-session-keys.patch12Fix-condition-to-generate-session-keys.patch
13openvpn-fips-2.4.patch
