Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

openvpn-devel-2.6.10-2.2 RPM for aarch64

From OpenSuSE Ports Tumbleweed for aarch64

Name: openvpn-devel Distribution: openSUSE Tumbleweed
Version: 2.6.10 Vendor: openSUSE
Release: 2.2 Build date: Thu Oct 10 10:13:54 2024
Group: Development/Libraries/C and C++ Build host: reproducible
Size: 31403 Source RPM: openvpn-2.6.10-2.2.src.rpm
Packager: http://bugs.opensuse.org
Url: https://openvpn.net/
Summary: OpenVPN plugin header
This package provides the header file to build external plugins.

Provides

Requires

License

GPL-2.0-only WITH openvpn-openssl-exception

Changelog

* Thu Oct 10 2024 Rahul Jain <rahul.jain@suse.com>
  - Fix multiple exit notifications from authenticated clients will
    extend the validity of a closing session (bsc#1227546 CVE-2024-28882)
    Patchname:openvpn-CVE-2024-28882.patch
* Thu May 16 2024 Bernhard Wiedemann <bwiedemann@suse.com>
  - Enable Data-Channel-Offloading (DCO) for better performance (jsc#PED-8305)
    if libnl >= 3.4 is available
* Thu Mar 21 2024 Mohd Saquib <mohd.saquib@suse.com>
  - update to 2.6.10:
    * t_client.sh can now run pre-tests and skip a test block if needed
      (e.g. skip NTLM proxy tests if SSL library does not support MD4)
    * Compression: minor bugfix in checking option consistency vs.
      compiled-in algorithm support
    * systemd unit files: remove obsolete syslog.target
* Mon Feb 26 2024 Dominique Leuenberger <dimstar@opensuse.org>
  - Use %autosetup macro. Allows to eliminate the usage of deprecated
    PatchN.
* Mon Feb 12 2024 Mohd Saquib <mohd.saquib@suse.com>
  - update to 2.6.9:
    * Remove unused function prototype crypto_adjust_frame_parameters
    * Log SSL alerts more prominently
    * Document tls-exit option mainly as test option
    * Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway
    * Fix check_session_buf_not_used using wrong index
    * Add missing check for nl_socket_alloc failure
    * Add check for nice in cmake config
    * Remove compat versionhelpers.h and remove cmake/configure check for it
    * Extend the error message when TLS 1.0 PRF fails
    * Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
    * Check PRF availability on initialisation and add --force-tls-key-material-export
    * Make it more explicit and visible when pkg-config is not found
    * Clarify that the tls-crypt-v2-verify has a very limited env set
    * Implement the --tls-export-cert feature
    * Remove conditional text for Apache2 linking exception
    * Remove --tls-export-cert
    * Remove superfluous x509_write_pem()
    * sample-keys: renew for the next 10 years
    * GHA: clean up libressl builds with newer libressl
    * configure.ac: Remove unused AC_TYPE_SIGNAL macro
    * documentation: remove reference to removed option --show-proxy-settings
    * unit_tests: remove includes for mock_msg.h
    * documentation: improve documentation of --x509-track
    * NTLM: add length check to add_security_buffer
    * NTLM: increase size of phase 2 response we can handle
    * proxy-options.rst: Add proper documentation for --http-proxy-user-pass
    * buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0'
    * --http-proxy-user-pass: allow to specify in either order with --http-proxy
    * README.cmake.md: Document minimum required CMake version for --preset
    * documentation: Update and fix documentation for --push-peer-info
    * documentation: Fixes for previous fixes to --push-peer-info
    * OpenBSD: repair --show-gateway
    * get_default_gateway() HWADDR overhaul
    * fix uncrustify complaints about previous patch
    * preparing release 2.6.9
    * dco-freebsd: dynamically re-allocate buffer if it's too small
    * tun.c: don't attempt to delete DNS and WINS servers if they're not set
    * vcpkg-ports/pkcs11-helper: bump to version 1.30
    * Add support for mbedtls 3.X.Y
    * Update README.mbedtls
    * Disable TLS 1.3 support with mbed TLS
    * Enable key export with mbed TLS 3.x.y
    * protocol_dump: tls-crypt support
    * Fix IPv6 route add/delete message log level
    * fix(ssl): init peer_id when init tls_multi
* Mon Nov 20 2023 Mohd Saquib <mohd.saquib@suse.com>
  - update to 2.6.8:
    * SIGSEGV crash: Do not check key_state buffers that are in S_UNDEF
      state - the new sanity check function introduced in 2.6.7 sometimes
      tried to use a NULL pointer after an unsuccessful TLS handshake
    * CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
      use a send buffer after it has been free()d in some circumstances,
      causing some free()d memory to be sent to the peer. All configurations
      using TLS (e.g. not using --secret) are affected by this issue.
    * CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
      restore --fragment configuration in some circumstances, leading to a
      division by zero when --fragment is used. On platforms where division
      by zero is fatal, this will cause an OpenVPN crash.
    * DCO: warn if DATA_V1 packets are sent by the other side - this a hard
      incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4
      server, and the only fix is to use --disable-dco.
    * Remove OpenSSL Engine method for loading a key. This had to be removed
      because the original author did not agree to relicensing the code with
      the new linking exception added. This was a somewhat obsolete feature
      anyway as it only worked with OpenSSL 1.x, which is end-of-support.
    * add warning if p2p NCP client connects to a p2mp server - this is a
      combination that used to work without cipher negotiation (pre 2.6 on
      both ends), but would fail in non-obvious ways with 2.6 to 2.6.
    * add warning to --show-groups that not all supported groups are listed
      (this is due the internal enumeration in OpenSSL being a bit weird,
      omitting X448 and X25519 curves).
    * --dns: remove support for exclude-domains argument (this was a new 2.6
      option, with no backend support implemented yet on any platform, and it
      turns out that no platform supported it at all - so remove option again)
    * warn user if INFO control message too long, do not forward to management
      client (safeguard against protocol-violating server implementations)
    * DCO-WIN: get and log driver version (for easier debugging).
    * print "peer temporary key details" in TLS handshake
    * log OpenSSL errors on failure to set certificate, for example if the
      algorithms used are in acceptable to OpenSSL (misleading message would be
      printed in cryptoapi / pkcs11 scenarios)
    * add CMake build system for MinGW and MSVC builds
    * remove old MSVC build system
    * improve cmocka unit test building for Windows
* Wed Aug 16 2023 Mohd Saquib <mohd.saquib@suse.com>
  - update to 2.6.6:
    * configure.ac: fix typ0 in LIBCAPNG_CFALGS
    * Avoid unused function warning/error on FreeBSD (and potientially others)
    * fix warning with gcc 12.2.0 (compiler bug?)
    * Fix CR_RESPONSE mangaement message using wrong key_id
    * Print a more user-friendly error when tls-crypt-v2 client auth fails
    * Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7
    * Revert commit 423ced962d
    * Implement using --peer-fingerprint without CA certificates
    * show extra info for OpenSSL errors
    * dist: add more missing files only used in the MSVC build
    * dist: Include all documentation in distribution
    * unit_tests: Add missing cert_data.h to source list for unit tests
    * test_tls_crypt: Improve mock() usage to be more portable
    * Remove old Travis CI related files
    * options: Do not hide variables from parent scope
    * pkcs11_openssl: Disable unused code
    * route: Fix overriding return value of add_route3
* Wed Jun 14 2023 Mohd Saquib <mohd.saquib@suse.com>
  - update to 2.6.5:
    * apctl (windows): generate driver-specific names (if using tapctl
      to create additional tap/wintun/dco devices, and not using
    - -name) (Github #337)
    * interactive service (windows): do not force target desktop for
      openvpn.exe - this has no impact for normal use, but enables
      running of OpenVPN in a scripted way when no user is logged on
      (for example, via task scheduler) (Github OpenVPN/openvpn-gui#626)
    * fix use-after-free with EVP_CIPHER_free
    * fix building with MSVC from release tarball (missing version.m4.in)
    * dco-win: repair use of --dev-node to select specific DCO drivers
      (Github #336)
    * fix missing malloc() return check in dco_freebsd.c
    * windows: correctly handle unicode names for "exit event"
    * fix memleak in client-connect example plugin
    * fix fortify build problem in keying-material-exporter-demo plugin
    * fix memleak in dco_linux.c/dco_get_peer_stats_multi() - this will
      leak a small amount of memory every 15s on DCO enabled servers,
      leading to noticeable memory waste for long-running processes.
    * dco_linux.c: properly close dco version file (fd leak)
* Fri May 12 2023 Paolo Stivanin <info@paolostivanin.com>
  - Update to 2.6.4:
    * DCO: support kernel-triggered key rotation (avoid IV reuse after
      2^32 packets). This is the userland side, accepting a message
      from kernel, and initiating a TLS renegotiation. As of release,
    * fix pkcs#11 usage with OpenSSL 3.x and PSS signing (Github #323)
    * fix compile error on TARGET_ANDROID
    * fix typo in help text
    * manpage updates (--topology)
    * encoding of non-ASCII windows error messages in log + management fixed
  - Update openvpn.keyring
* Tue Apr 25 2023 Mohd Saquib <mohd.saquib@suse.com>
  - update to 2.6.3:
    * For full changelog please refer to:
      https://github.com/OpenVPN/openvpn/blob/v2.6.3/Changes.rst
    * implement byte counter statistics for DCO Linux (p2mp server
      and client)
    * implement byte counter statistics for DCO Windows (client only)
    * '--dns server <n> address ...' now permits up to 8 v4 or v6
      addresses
    * fix a few cases of possibly undefined behaviour detected by ASAN
    * add more unit tests for Windows cryptoapi interface
    * Dynamic TLS Crypt When both peers are OpenVPN 2.6.1+, OpenVPN
      will dynamically create a tls-crypt key that is used for
      renegotiation. This ensure that only the previously authenticated
      peer can do trigger renegotiation and complete renegotiations.
    * Keying Material Exporters (RFC 5705) based key generation
    * As part of the cipher negotiation OpenVPN will automatically prefer
      the RFC5705 based key material generation to the current custom
      OpenVPN PRF. This feature requires OpenSSL or mbed TLS 2.18+.
    * OpenVPN will now work with OpenSSL in FIPS mode. Note, no effort
      has been made to check or implement all the requirements/
      recommendation of FIPS 140-2. This just allows OpenVPN to be run on
      a system that be configured OpenSSL in FIPS mode.
    * mlock will now check if enough memlock-able memory has been reserved,
      and if less than 100MB RAM are available, use setrlimit() to upgrade
      the limit. See Trac #1390. Not available on OpenSolaris.
    * The --peer-fingerprint option has been introduced to give users an
      easy to use alternative to the tls-verify for matching the fingerprint
      of the peer. The option takes use a number of allowed SHA256
      certificate fingerprints.
    * When --peer-fingerprint is used, the --ca and --capath option become
      optional. This allows for small OpenVPN setups without setting up a
      PKI with Easy-RSA or similar software.
    * The --auth-user-pass-verify script supports now deferred authentication.
    * Both auth plugin and script can now signal pending authentication to
      the client when using deferred authentication. The new client-crresponse
      script option and OPENVPN_PLUGIN_CLIENT_CRRESPONSE plugin function can
      be used to parse a client response to a CR_TEXT two factor challenge.
    * The modernisation of defaults can impact the compatibility of OpenVPN
      2.6.0 with older peers. The options --compat-mode allows UIs to provide
      users with an easy way to still connect to older servers.
    * OpenSSL 3.0 has been added. Most of OpenSSL 3.0 changes are not user
      visible but improve general compatibility with OpenSSL 3.0.
    - -tls-cert-profile insecure has been added to allow selecting the lowest
      OpenSSL security level (not recommended, use only if you must). OpenSSL
      3.0 no longer supports the Blowfish (and other deprecated) algorithm by
      default and the new option --providers allows loading the legacy provider
      to renable these algorithms.
    * Ciphers in --data-ciphers can now be prefixed with a ? to mark those as
      optional and only use them if the SSL library supports them.
    * The --mssfix and --fragment options now allow an optional mtu parameter to
      specify that different overhead for IPv4/IPv6 should taken into account
      and the resulting size is specified as the total size of the VPN packets
      including IP and UDP headers.
    * Instead of allocating a connection for each client on the initial packet
      OpenVPN server will now use an HMAC based cookie as its session id. This way
      the server can verify it on completing the handshake without keeping state.
      This eliminates the amplification and resource exhaustion attacks.
      For tls-crypt-v2 clients, this requires OpenVPN 2.6 clients or later because
      the client needs to resend its client key on completing the hand shake.
      The tls-crypt-v2 option allows controlling if older clients are accepted.
  - Removed openvpn-fips140-2.3.2.patch
* Thu Mar 02 2023 Mohd Saquib <mohd.saquib@suse.com>
  - update to 2.5.9:
    * Optional ciphers in --data-ciphers Ciphers in --data-ciphers
      can now be prefixed with a ? to mark those as optional and only
      use them if the SSL library supports them.
    * when compiling from a git checkout, put proper branch names into
      windows builds
    * do not include auth-token in pulled-option digest (interferes
      with persist-tun when auth-token is in use, GH #200).
    * fix corner case that might lead to leaked file descriptor
    * fix parser bug (parse_line()) that can lead to buffer overflows
      on malformed command line or server ccd file handling.
      Not exploitable.
    * pull-filter: ignore leading spaces in option names (work around
      server side bug with erroneous extra spaces)
    * push: do not add leading spaces to "out of renegotiations" pushed
      auth-token fix NULL pointer crash on "openvpn --show-tls" with
      mbedtls
* Mon Feb 13 2023 Thorsten Kukuk <kukuk@suse.com>
  - Remove migration from openvpn.service to openvpn@.service and
    depending requires, this is from pre SLE12 times and not supported
    anymore.
* Mon Jan 09 2023 Reinhard Max <max@suse.com>
  - bsc#1123557: --suppress-timestamps isn't needed by default.
* Fri Nov 18 2022 Dirk Müller <dmueller@suse.com>
  - update to 2.5.8:
    * allow running a default configuration with TLS libraries without BF-CBC
      (even if TLS cipher negotiation would not actually use BF-CBC, the
      long-term compatibility "default cipher BF-CBC" would trigger an error
      on such TLS libraries)
    * ``--auth-nocache'' was not always correctly clearing username+password
      after a renegotiation
    * ensure that auth-token received from server is cleared if requested
      by the management interface ("forget password" or automatically
      via ``--management-forget-disconnect'')
    * in a setup without username+password, but with auth-token and
      auth-token-username pushed by the server, OpenVPN would start asking
      for username+password on token expiry.  Fix.
    * using ``--auth-token`` together with ``--management-client-auth``
      (on the server) would lead to TLS keys getting out of sync and client
      being disconnected.  Fix.
    * management interface would sometimes get stuck if client and server
      try to write something simultaneously.  Fix by allowing a limited
      level of recursion in virtual_output_callback()
    * fix management interface not returning ERROR:/SUCCESS: response
      on "signal SIGxxx" commands when in HOLD state
    * tls-crypt-v2: abort connection if client-key is too short
    * make man page agree with actual code on replay-window backtrag log message
    * remove useless empty line from CR_RESPONSE message
* Mon Sep 12 2022 Dirk Müller <dmueller@suse.com>
  - build with enable-iproute2 again to have root-less mode working (bsc#1202792)
* Sun Jun 05 2022 Dirk Müller <dmueller@suse.com>
  - update to 2.5.7:
    * Limited OpenSSL 3.0 support
    * print OpenSSL error stack if decoding PKCS12 file fails
    * fix omission of cipher-negotiation.rst in tarballs
    * fix errno handling on Windows (Windows has different classes of
      error codes, GetLastError() and C runtime errno, these should now
      be handled correctly)
    * fix PATH_MAX build failure in auth-pam.c
    * fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
    * fix overlong path names, leading to missing pkcs11-helper patch
      in tarball
* Wed Mar 23 2022 Reinhard Max <max@suse.com>
  - update to 2.5.6:
    * bsc#1197341, CVE-2022-0547: possible authentication bypass in
      external authentication plug-in
    * Fix "--mtu-disc maybe|yes" on Linux
    * Fix $common_name variable passed to scripts when
      username-as-common-name is in effect.
    * Fix potential memory leaks in add_route() and add_route_ipv6().
    * Apply connect-retry backoff only to one side of the connection
      in p2p mode.
    * repair "--inactive" handling with a 'bytes' parameter larger
      than 2 Gbytes.
    * new plugin (sample-plugin/defer/multi-auth.c) to help testing
      with multiple parallel plugins that succeed/fail in
      direct/deferred mode.
* Thu Feb 10 2022 Reinhard Max <max@suse.com>
  - Fix license tag in spec file.
* Wed Dec 15 2021 Dirk Müller <dmueller@suse.com>
  - update to 2.5.5:
    * SWEET32/64bit cipher deprecation change was postponed to 2.7
    * improve "make check" to notice if "openvpn --show-cipher" crashes
    * improve argv unit tests
    * ensure unit tests work with mbedTLS builds without BF-CBC ciphers
    * include "--push-remove" in the output of "openvpn --help"
    * fix error in iptables syntax in example firewall.sh script
    * fix "resolvconf -p" invocation in example "up" script
    * fix "common_name" environment for script calls when
      "--username-as-common-name" is in effect (Trac #1434)
    * move "push-peer-info" documentation from "server options" to "client"
    * correct "foreign_option_{n}" typo in manpage
    * README.down-root: fix plugin module name
* Wed Dec 08 2021 Reinhard Max <max@suse.com>
  - Drop 0001-preform-deferred-authentication-in-the-background.patch
    Upstream has meanwhile solved this differently and the two
    implementations interfere (boo#1193017).
  - Obsoleted SLE patches up to this point:
    * openvpn-CVE-2020-15078.patch
    * openvpn-CVE-2020-11810.patch
    * openvpn-CVE-2018-7544.patch
    * openvpn-CVE-2018-9336.patch
* Sat Dec 04 2021 Jan Engelhardt <jengelh@inai.de>
  - Avoid bashisms and use POSIX sh syntax.
  - Use more efficient find commands.
  - Trim marketing filler words from description.
* Sat Oct 16 2021 Dirk Müller <dmueller@suse.com>
  - update to 2.5.4:
    * fix prompting for password on windows console if stderr redirection
      is in use - this breaks 2.5.x on Win11/ARM, and might also break
      on Win11/adm64 when released.
    * fix setting MAC address on TAP adapters (--lladdr) to use sitnl
      (was overlooked, and still used "ifconfig" calls)
    * various improvements for man page building (rst2man/rst2html etc)
    * minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on
      at least one platform strictly checking this)
    * fix minor memory leak under certain conditions in add_route() and
      add_route_ipv6()
    * documentation improvements
    * copyright updates where needed
    * better error reporting when win32 console access fails
* Thu Aug 05 2021 Reinhard Max <max@suse.com>
  - Update to 2.5.3:
    * Removal of BF-CBC support in default configuration
    * ** POSSIBLE INCOMPATIBILITY ***
      See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8).
    * Connections setup is now much faster
    * Support ChaCha20-Poly1305 cipher in the OpenVPN data channel
    * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
    * Client-specific tls-crypt keys (--tls-crypt-v2)
    * Improved Data channel cipher negotiation
    * HMAC based auth-token support for seamless reconnects to
      standalone servers or a group of servers
    * Asynchronous (deferred) authentication support for auth-pam
      plugin
    * Asynchronous (deferred) support for client-connect scripts and
      plugins
    * Support IPv4 configs with /31 netmasks
    * 802.1q VLAN support on TAP servers
    * Support IPv6-only tunnels
    * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
    * Support Virtual Routing and Forwarding (VRF)
    * Netlink integration (OpenVPN no longer needs to execute
      ifconfig/route or ip commands)
    * Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
  - bsc#1062157: The fix for bsc#934237 causes problems with the
    crypto self-test of newer openvpn versions.
    Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch .
* Mon May 31 2021 Dirk Müller <dmueller@suse.com>
  - update to 2.4.11 (bsc#1185279):
    * CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
    * This bug allows - under very specific circumstances - to trick a server using
      delayed authentication (plugin or management) into returning a PUSH_REPLY
      before the AUTH_FAILED message, which can possibly be used to gather
      information about a VPN setup.
    * In combination with "--auth-gen-token" or an user-specific token auth
      solution it can be possible to get access to a VPN with an
      otherwise-invalid account.
    * Fix potential NULL ptr crash if compiled with DMALLOC
  - drop sysv init support, it hasn't build successfully in ages
    and is build-disabled in devel project
* Sun Apr 25 2021 Christian Boltz <suse-beta@cboltz.de>
  - update 'rcopenvpn' to work without /etc/rc.status (boo#1185273)
* Wed Jan 06 2021 Dirk Müller <dmueller@suse.com>
  - update to 2.4.10:
    - OpenVPN client will now announce the acceptable ciphers to the server
    (IV_CIPHER=...), so NCP cipher negotiation works better
    - Parse static challenge response in auth-pam plugin
    - Accept empty password and/or response in auth-pam plugin
    - Log serial number of revoked certificate
    - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
    - Fix auth-token not being updated if auth-nocache is set
    (this should fix all remaining client-side bugs for the combination
    "auth-nocache in client-config" + "auth-token in use on the server")
    - Fix stack overflow in OpenSolaris and *BSD NEXTADDR()
    - Fix error detection / abort in --inetd corner case (#350)
    - Fix TUNSETGROUP compatibility with very old Linux systems (#1152)
    - Fix handling of 'route remote_host' for IPv6 transport case
    (#1247 and #1332)
    - Fix --show-gateway for IPv6 on NetBSD/i386 (#734)
    - A number of documentation improvements / clarification fixes.
    - Fix line number reporting on config file errors after <inline> segments
    - Fix fatal error at switching remotes (#629)
    - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848)
    - Switch "ks->authenticated" assertion failure to returning false (#1270)
  - refresh 0001-preform-deferred-authentication-in-the-background.patch
    openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10

Files

/usr/include/openvpn-msg.h
/usr/include/openvpn-plugin.h


Generated by rpm2html 1.8.1

Fabrice Bellet, Sat Dec 21 00:31:52 2024