Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

openvpn-2.5.8-2.1 RPM for s390x

From OpenSuSE Ports Tumbleweed for s390x

Name: openvpn Distribution: openSUSE:Factory:zSystems
Version: 2.5.8 Vendor: openSUSE
Release: 2.1 Build date: Tue Jan 10 15:13:03 2023
Group: Productivity/Networking/Security Build host: s390zp21
Size: 1529691 Source RPM: openvpn-2.5.8-2.1.src.rpm
Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
OpenVPN is an SSL VPN solution which can accommodate a wide
range of configurations, including remote access, site-to-site VPNs,
WiFi security, and remote access solutions with load
balancing, failover, and fine-grained access-controls.

OpenVPN implements OSI layer 2 or 3 secure network extension using the
SSL/TLS protocol, supports flexible client
authentication methods based on certificates, smart cards, and/or
2-factor authentication, and allows user or group-specific access
control policies using firewall rules applied to the VPN virtual

OpenVPN is not a web application proxy and does not operate through a
web browser.




GPL-2.0-only WITH openvpn-openssl-exception


* Mon Jan 09 2023 Reinhard Max <>
  - bsc#1123557: --suppress-timestamps isn't needed by default.
* Fri Nov 18 2022 Dirk Müller <>
  - update to 2.5.8:
    * allow running a default configuration with TLS libraries without BF-CBC
      (even if TLS cipher negotiation would not actually use BF-CBC, the
      long-term compatibility "default cipher BF-CBC" would trigger an error
      on such TLS libraries)
    * ``--auth-nocache'' was not always correctly clearing username+password
      after a renegotiation
    * ensure that auth-token received from server is cleared if requested
      by the management interface ("forget password" or automatically
      via ``--management-forget-disconnect'')
    * in a setup without username+password, but with auth-token and
      auth-token-username pushed by the server, OpenVPN would start asking
      for username+password on token expiry.  Fix.
    * using ``--auth-token`` together with ``--management-client-auth``
      (on the server) would lead to TLS keys getting out of sync and client
      being disconnected.  Fix.
    * management interface would sometimes get stuck if client and server
      try to write something simultaneously.  Fix by allowing a limited
      level of recursion in virtual_output_callback()
    * fix management interface not returning ERROR:/SUCCESS: response
      on "signal SIGxxx" commands when in HOLD state
    * tls-crypt-v2: abort connection if client-key is too short
    * make man page agree with actual code on replay-window backtrag log message
    * remove useless empty line from CR_RESPONSE message
* Mon Sep 12 2022 Dirk Müller <>
  - build with enable-iproute2 again to have root-less mode working (bsc#1202792)
* Sun Jun 05 2022 Dirk Müller <>
  - update to 2.5.7:
    * Limited OpenSSL 3.0 support
    * print OpenSSL error stack if decoding PKCS12 file fails
    * fix omission of cipher-negotiation.rst in tarballs
    * fix errno handling on Windows (Windows has different classes of
      error codes, GetLastError() and C runtime errno, these should now
      be handled correctly)
    * fix PATH_MAX build failure in auth-pam.c
    * fix self-test leaving around stale "ovpn-dummy0" interface
    * fix overlong path names, leading to missing pkcs11-helper patch
      in tarball
* Wed Mar 23 2022 Reinhard Max <>
  - update to 2.5.6:
    * bsc#1197341, CVE-2022-0547: possible authentication bypass in
      external authentication plug-in
    * Fix "--mtu-disc maybe|yes" on Linux
    * Fix $common_name variable passed to scripts when
      username-as-common-name is in effect.
    * Fix potential memory leaks in add_route() and add_route_ipv6().
    * Apply connect-retry backoff only to one side of the connection
      in p2p mode.
    * repair "--inactive" handling with a 'bytes' parameter larger
      than 2 Gbytes.
    * new plugin (sample-plugin/defer/multi-auth.c) to help testing
      with multiple parallel plugins that succeed/fail in
      direct/deferred mode.
* Thu Feb 10 2022 Reinhard Max <>
  - Fix license tag in spec file.
* Wed Dec 15 2021 Dirk Müller <>
  - update to 2.5.5:
    * SWEET32/64bit cipher deprecation change was postponed to 2.7
    * improve "make check" to notice if "openvpn --show-cipher" crashes
    * improve argv unit tests
    * ensure unit tests work with mbedTLS builds without BF-CBC ciphers
    * include "--push-remove" in the output of "openvpn --help"
    * fix error in iptables syntax in example script
    * fix "resolvconf -p" invocation in example "up" script
    * fix "common_name" environment for script calls when
      "--username-as-common-name" is in effect (Trac #1434)
    * move "push-peer-info" documentation from "server options" to "client"
    * correct "foreign_option_{n}" typo in manpage
    * README.down-root: fix plugin module name
* Wed Dec 08 2021 Reinhard Max <>
  - Drop 0001-preform-deferred-authentication-in-the-background.patch
    Upstream has meanwhile solved this differently and the two
    implementations interfere (boo#1193017).
  - Obsoleted SLE patches up to this point:
    * openvpn-CVE-2020-15078.patch
    * openvpn-CVE-2020-11810.patch
    * openvpn-CVE-2018-7544.patch
    * openvpn-CVE-2018-9336.patch
* Sat Dec 04 2021 Jan Engelhardt <>
  - Avoid bashisms and use POSIX sh syntax.
  - Use more efficient find commands.
  - Trim marketing filler words from description.
* Sat Oct 16 2021 Dirk Müller <>
  - update to 2.5.4:
    * fix prompting for password on windows console if stderr redirection
      is in use - this breaks 2.5.x on Win11/ARM, and might also break
      on Win11/adm64 when released.
    * fix setting MAC address on TAP adapters (--lladdr) to use sitnl
      (was overlooked, and still used "ifconfig" calls)
    * various improvements for man page building (rst2man/rst2html etc)
    * minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on
      at least one platform strictly checking this)
    * fix minor memory leak under certain conditions in add_route() and
    * documentation improvements
    * copyright updates where needed
    * better error reporting when win32 console access fails
* Thu Aug 05 2021 Reinhard Max <>
  - Update to 2.5.3:
    * Removal of BF-CBC support in default configuration
      See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8).
    * Connections setup is now much faster
    * Support ChaCha20-Poly1305 cipher in the OpenVPN data channel
    * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
    * Client-specific tls-crypt keys (--tls-crypt-v2)
    * Improved Data channel cipher negotiation
    * HMAC based auth-token support for seamless reconnects to
      standalone servers or a group of servers
    * Asynchronous (deferred) authentication support for auth-pam
    * Asynchronous (deferred) support for client-connect scripts and
    * Support IPv4 configs with /31 netmasks
    * 802.1q VLAN support on TAP servers
    * Support IPv6-only tunnels
    * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
    * Support Virtual Routing and Forwarding (VRF)
    * Netlink integration (OpenVPN no longer needs to execute
      ifconfig/route or ip commands)
    * Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
  - bsc#1062157: The fix for bsc#934237 causes problems with the
    crypto self-test of newer openvpn versions.
    Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch .
* Mon May 31 2021 Dirk Müller <>
  - update to 2.4.11 (bsc#1185279):
    * CVE-2020-15078 see
    * This bug allows - under very specific circumstances - to trick a server using
      delayed authentication (plugin or management) into returning a PUSH_REPLY
      before the AUTH_FAILED message, which can possibly be used to gather
      information about a VPN setup.
    * In combination with "--auth-gen-token" or an user-specific token auth
      solution it can be possible to get access to a VPN with an
      otherwise-invalid account.
    * Fix potential NULL ptr crash if compiled with DMALLOC
  - drop sysv init support, it hasn't build successfully in ages
    and is build-disabled in devel project
* Sun Apr 25 2021 Christian Boltz <>
  - update 'rcopenvpn' to work without /etc/rc.status (boo#1185273)
* Wed Jan 06 2021 Dirk Müller <>
  - update to 2.4.10:
    - OpenVPN client will now announce the acceptable ciphers to the server
    (IV_CIPHER=...), so NCP cipher negotiation works better
    - Parse static challenge response in auth-pam plugin
    - Accept empty password and/or response in auth-pam plugin
    - Log serial number of revoked certificate
    - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
    - Fix auth-token not being updated if auth-nocache is set
    (this should fix all remaining client-side bugs for the combination
    "auth-nocache in client-config" + "auth-token in use on the server")
    - Fix stack overflow in OpenSolaris and *BSD NEXTADDR()
    - Fix error detection / abort in --inetd corner case (#350)
    - Fix TUNSETGROUP compatibility with very old Linux systems (#1152)
    - Fix handling of 'route remote_host' for IPv6 transport case
    (#1247 and #1332)
    - Fix --show-gateway for IPv6 on NetBSD/i386 (#734)
    - A number of documentation improvements / clarification fixes.
    - Fix line number reporting on config file errors after <inline> segments
    - Fix fatal error at switching remotes (#629)
    - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848)
    - Switch "ks->authenticated" assertion failure to returning false (#1270)
  - refresh 0001-preform-deferred-authentication-in-the-background.patch
    openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10
* Fri Sep 11 2020 Dirk Mueller <>
  - update to 2.4.9 (CVE-2020-11810, bsc#1169925O):
    * Allow unicode search string in --cryptoapicert option (Windows)
    * Skip expired certificates in Windows certificate store (Windows) (trac #966)
    * OpenSSL: Fix --crl-verify not loading multiple CRLs in one file (trac #623)
    * fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
    This can be used to disrupt service to a freshly connected client (no session
    keys negotiated yet). It can not be used to inject or steal VPN traffic.
    * fix combination of async push (deferred auth) and NCP (trac #1259)
    * Fix OpenSSL 1.1.1 not using auto elliptic curve selection (trac #1228)
    * Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
    * mbedTLS: Make sure TLS session survives move (trac #880)
    * Fix OpenSSL private key passphrase notices
    * Fix building with --enable-async-push in FreeBSD (trac #1256)
    * Fix broken fragmentation logic when using NCP (trac #1140)
* Wed Aug 26 2020 Franck Bui <>
  - Modernize openvpn.service
    * /var/run has been obsoleted since a long time.
    * on reload, send HUP signal directly rather than relying on
      killproc to look for the main process.
* Wed Aug 26 2020 Franck Bui <>
  - Explicitly requires sysvinit-tools as some of the tools shipped by
    this package are used in various places regardless of whether
    openvpn is built for systemd or non systemd systems.
    For the context: sysvinit-tools was pulled in by systemd since 2014
    but it's no longer the case so better to be safe than sorry.
* Wed Mar 04 2020 Fabian Vogt <>
  - Fix inconsistency in openvpn.service:
    * It uses the unescape instance name as config file basename,
      so use that in the description as well
* Fri Jan 24 2020 Dominique Leuenberger <>
  - BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
    shortcut through the -mini flavors.
  - Use %systemd_ordering instead of systemd_requires: in fact,
    systemd is not a hard requirement for openvpn. But in case a
    system is being installed with systemd, we want systemd to be
    there before  openvpn is being installed.
* Tue Jan 07 2020 Bjørn Lie <>
  - Update to version 2.4.8:
    * mbedtls: fix segfault by calling mbedtls_cipher_free() in
    * cleanup: Remove RPM openvpn.spec build approach
    * docs: Update INSTALL
    * build: Package missing mock_msg.h
    * Increase listen() backlog queue to 32
    * Force combinationation of --socks-proxy and --proto UDP to use
    * Wrong FILETYPE in .rc files
    * Do not set pkcs11-helper 'safe fork mode'
    * tests/ Switch sed(1) to POSIX-compatible regex.
    * Fix various compiler warnings
    * Fix regression, reinstate LibreSSL support.
    * man: correct the description of --capath and --crl-verify
      regarding CRLs
    * Fix typo in NTLM proxy debug message
    * Ignore --pull-filter for --mode server
    * openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
    * Better error message when script fails due to script-security
    * Correct the return value of cryptoapi RSA signature callbacks
    * Handle PSS padding in cryptoapicert
    * cmocka: use relative paths
    * Fix documentation of tls-verify script argument
* Thu Dec 19 2019 Dominique Leuenberger <>
  - BuildRequire pkgconfig(libsystemd) instead of systemd-devel:
    Allow OBS to shortcut through the -mini flavors.
* Wed Sep 18 2019 Michal Hrusecky <>
  - Add p11kit build time dependency for pkcs providers autodetection
* Mon Jul 29 2019 Reinhard Max <>
  - Clarify in the service file that the reload action doesn't work
    when dropping root privileges (boo#1142830).
* Tue Jun 25 2019 Michael Ströder <>
  - Updated openvpn.keyring with public key downloaded from
* Thu Feb 21 2019 Franck Bui <>
  - Drop use of $FIRST_ARG in openvpn.spec
    The use of $FIRST_ARG was probably required because of the
    %service_* rpm macros were playing tricks with the shell positional
    parameters. This is bad practice and error prones so let's assume
    that no macros should do that anymore and hence it's safe to assume
    that positional parameters remains unchanged after any rpm macro
* Wed Feb 20 2019 Michael Ströder <>
  - Update to 2.4.7:
    Adam Ciarcin?ski (1):
    * Fix subnet topology on NetBSD (2.4).
    Antonio Quartulli (3):
    * add support for %lu in argv_printf and prevent ASSERT
    * buffer_list: add functions documentation
    * ifconfig-ipv6(-push): allow using hostnames
    Arne Schwabe (7):
    * Properly free tuntap struct on android when emulating persist-tun
    * Add OpenSSL compat definition for RSA_meth_set_sign
    * Add support for tls-ciphersuites for TLS 1.3
    * Add better support for showing TLS 1.3 ciphersuites in --show-tls
    * Use right function to set TLS1.3 restrictions in show-tls
    * Add message explaining early TLS client hello failure
    * Fallback to password authentication when auth-token fails
    Christian Ehrhardt (1):
    * systemd: extend CapabilityBoundingSet for auth_pam
    David Sommerseth (1):
    * plugin: Export base64 encode and decode functions
    Gert Doering (3):
    * Add %d, %u and %lu tests to test_argv unit tests.
    * Fix combination of --dev tap and --topology subnet across multiple platforms.
    * Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
    Gert van Dijk (1):
    * Minor reliability layer documentation fixes
    James Bekkema (1):
    * Resolves small IV_GUI_VER typo in the documentation.
    Jonathan K. Bullard (1):
    * Clarify and expand management interface documentation
    Lev Stipakov (5):
    * Refactor NCP-negotiable options handling
    * init.c: refine functions names and description
    * interactive.c: fix usage of potentially uninitialized variable
    * options.c: fix broken unary minus usage
    * Remove extra token after #endif
    Richard van den Berg via Openvpn-devel (1):
    * Fix error message when using RHEL init script
    Samy Mahmoudi (1):
    * man: correct a --redirection-gateway option flag
    Selva Nair (7):
    * Replace M_DEBUG with D_LOW as the former is too verbose
    * Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'
    * Bump version of openvpn plugin argument structs to 5
    * Move get system directory to a separate function
    * Enable dhcp on tap adapter using interactive service
    * Pass the hash without the DigestInfo header to NCryptSignHash()
    * White-list pull-filter and script-security in interactive service
    Simon Rozman (2):
    * Add Interactive Service developer documentation
    * Detect TAP interfaces with root-enumerated hardware ID
    Steffan Karger (7):
    * man: add security considerations to --compress section
    * mbedtls: print warning if random personalisation fails
    * Fix memory leak after sighup
    * travis: add OpenSSL 1.1 Windows build
    * Fix --disable-crypto build
    * Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
    * buffer_list_aggregate_separator(): simplify code



Generated by rpm2html 1.8.1

Fabrice Bellet, Fri Feb 3 00:14:55 2023