Name: openvpn | Distribution: openSUSE:Leap:15.2:PowerPC / ports |
Version: 2.4.3 | Vendor: openSUSE |
Release: lp152.5.10 | Build date: Sat May 16 13:05:48 2020 |
Group: Productivity/Networking/Security | Build host: obs-power8-01 |
Size: 1699645 | Source RPM: openvpn-2.4.3-lp152.5.10.src.rpm |
Packager: https://bugs.opensuse.org | |
Url: http://openvpn.net/ | |
Summary: Full-featured SSL VPN solution using a TUN/TAP Interface |
OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. OpenVPN implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or 2-factor authentication, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN runs on: Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris. OpenVPN is not a web application proxy and does not operate through a web browser.
SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1
* Wed May 09 2018 max@suse.com
- CVE-2018-9336, bsc#1090839: Fix potential double-free() in Interactive Service (openvpn-CVE-2018-9336.patch).

* Thu Nov 23 2017 rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)

* Tue Oct 10 2017 ndas@suse.de
- Do bound check in read_key before using values(CVE-2017-12166 bsc#1060877).
  [+ 0002-Fix-bounds-check-in-read_key.patch]

* Fri Aug 11 2017 sebix+novell.com@sebix.at
- Do not package empty /usr/lib64/tmpfiles.d

* Fri Jun 23 2017 ndas@suse.de
- Update to 2.4.3 (bsc#1045489)
  - Ignore auth-nocache for auth-user-pass if auth-token is pushed
  - crypto: Enable SHA256 fingerprint checking in --verify-hash
  - copyright: Update GPLv2 license texts
  - auth-token with auth-nocache fix broke --disable-crypto builds
  - OpenSSL: don't use direct access to the internal of X509
  - OpenSSL: don't use direct access to the internal of EVP_PKEY
  - OpenSSL: don't use direct access to the internal of RSA
  - OpenSSL: don't use direct access to the internal of DSA
  - OpenSSL: force meth->name as non-const when we free() it
  - OpenSSL: don't use direct access to the internal of EVP_MD_CTX
  - OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
  - OpenSSL: don't use direct access to the internal of HMAC_CTX
  - Fix NCP behaviour on TLS reconnect.
  - Remove erroneous limitation on max number of args for --plugin
  - Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
  - Fix potential 1-byte overread in TCP option parsing.
  - Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
  - Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst)
  - refactor my_strupr
  - Fix 2 memory leaks in proxy authentication routine
  - Fix memory leak in add_option() for option 'connection'
  - Ensure option array p[] is always NULL-terminated
  - Fix a null-pointer dereference in establish_http_proxy_passthru()
  - Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
  - Fix an unaligned access on OpenBSD/sparc64
  - Missing include for socket-flags TCP_NODELAY on OpenBSD
  - Make openvpn-plugin.h self-contained again.
  - Pass correct buffer size to GetModuleFileNameW()
  - Log the negotiated (NCP) cipher
  - Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
  - Skip tls-crypt unit tests if required crypto mode not supported
  - openssl: fix overflow check for long --tls-cipher option
  - Add a DSA test key/cert pair to sample-keys
  - Fix mbedtls fingerprint calculation
  - mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
  - mbedtls: require C-string compatible types for --x509-username-field
  - Fix remote-triggerable memory leaks (CVE-2017-7521)
  - Restrict --x509-alt-username extension types
  - Fix potential double-free in --x509-alt-username (CVE-2017-7521)
  - Fix gateway detection with OpenBSD routing domains

* Wed Jun 14 2017 ndas@suse.de
- use %{_tmpfilesdir} for tmpfiles.d/openvpn.conf (bsc#1044223)

* Tue Jun 06 2017 ndas@suse.de
- Update to 2.4.2
  - auth-token: Ensure tokens are always wiped on de-auth
  - Make --cipher/--auth none more explicit on the risks
  - Use SHA256 for the internal digest, instead of MD5
  - Deprecate --ns-cert-type
  - Deprecate --no-iv
  - Support --block-outside-dns on multiple tunnels
  - Limit --reneg-bytes to 64MB when using small block ciphers
  - Fix --tls-version-max in mbed TLS builds
  Detailed changelogs are available in https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
  [*0001-preform-deferred-authentication-in-the-background.patch
  * openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
  * openvpn-fips140-2.3.2.patch]
- pkcs11-helper-devel >= 1.11 is needed for openvpn-2.4.2
- cleanup the spec file

* Fri Apr 21 2017 ndas@suse.de
- Perform deferred authentication in the background to not cause main daemon processing delays when the underlying pam mechanism (e.g. ldap) needs longer to respond (bsc#959511).
  [+ 0001-preform-deferred-authentication-in-the-background.patch]
- Added fix for possible heap overflow on read accessing getaddrinfo result (bsc#959714).
  [+openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch]
- Added a patch to fix multiple low severity issues (bsc#934237).
  [+openvpn-2.3.x-fixed-multiple-low-severity-issues.patch]

* Sun Jan 22 2017 mrueckert@suse.de
- silence warning about %{_rundir}/openvpn
  - for non systemd case: just package the %{_rundir}/openvpn in the package
  - for systemd case: call systemd-tmpfiles and own the dir as %ghost in the filelist

* Sun Jan 22 2017 mrueckert@suse.de
- refreshed patches to apply cleanly again
  openvpn-2.3-plugin-man.dif
  openvpn-fips140-2.3.2.patch

* Sun Jan 22 2017 mrueckert@suse.de
- update to 2.3.14
  - update year in copyright message
  - Document the --auth-token option
  - Repair topology subnet on FreeBSD 11
  - Repair topology subnet on OpenBSD
  - Drop recursively routed packets
  - Support --block-outside-dns on multiple tunnels
  - When parsing '--setenv opt xx ..' make sure a third parameter is present
  - Map restart signals from event loop to SIGTERM during exit-notification wait
  - Correctly state the default dhcp server address in man page
  - Clean up format_hex_ex()
- enabled pkcs11 support

* Sat Dec 03 2016 michael@stroeder.com
- update to 2.3.13
- removed obsolete patch files openvpn-2.3.0-man-dot.diff and openvpn-fips140-AES-cipher-in-config-template.patch

  2016.11.02 -- Version 2.3.13
  Arne Schwabe (2):
    * Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
    * Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
  David Sommerseth (4):
    * t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
    * t_client.sh: Add support for Kerberos/ksu
    * t_client.sh: Improve detection if the OpenVPN process did start during tests
    * t_client.sh: Add prepare/cleanup possibilities for each test case
  Gert Doering (5):
    * Do not abort t_client run if OpenVPN instance does not start.
    * Fix t_client runs on OpenSolaris
    * make t_client robust against sudoers misconfiguration
    * add POSTINIT_CMD_suf to t_client.sh and sample config
    * Fix --multihome for IPv6 on 64bit BSD systems.
  Ilya Shipitsin (1):
    * skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
  Lev Stipakov (2):
    * Exclude peer-id from pulled options digest
    * Fix compilation in pedantic mode
  Samuli Seppänen (1):
    * Automatically cache expected IPs for t_client.sh on the first run
  Steffan Karger (6):
    * Fix unittests for out-of-source builds
    * Make gnu89 support explicit
    * cleanup: remove code duplication in msg_test()
    * Update cipher-related man page text
    * Limit --reneg-bytes to 64MB when using small block ciphers
    * Add a revoked cert to the sample keys

  2016.08.23 -- Version 2.3.12
  Arne Schwabe (2):
    * Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
    * Move ASSERT so external-key with OpenSSL works again
  David Sommerseth (3):
    * Only build and run cmocka unit tests if its submodule is initialized
    * Another fix related to unit test framework
    * Remove NOP function and callers
  Dorian Harmans (1):
    * Add CHACHA20-POLY1305 ciphersuite IANA name translations.
  Ivo Manca (1):
    * Plug memory leak in mbedTLS backend
  Jeffrey Cutter (1):
    * Update contrib/pull-resolv-conf/client.up for no DOMAIN
  Jens Neuhalfen (2):
    * Add unit testing support via cmocka
    * Add a test for auth-pam searchandreplace
  Josh Cepek (1):
    * Push an IPv6 CIDR mask used by the server, not the pool's size
  Leon Klingele (1):
    * Add link to bug tracker
  Samuli Seppänen (2):
    * Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
    * Clarify the fact that build instructions in README are for release tarballs
  Selva Nair (4):
    * Make error non-fatal while deleting address using netsh
    * Make block-outside-dns work with persist-tun
    * Ignore SIGUSR1/SIGHUP during exit notification
    * Promptly close the netcmd_semaphore handle after use
  Steffan Karger (4):
    * Fix polarssl / mbedtls builds
    * Don't limit max incoming message size based on c2->frame
    * Fix '--cipher none --cipher' crash
    * Discourage using 64-bit block ciphers

* Mon Nov 28 2016 matwey.kornilov@gmail.com
- Require iproute2 explicitly. openvpn uses /bin/ip from iproute2, so it should be installed

* Thu Sep 08 2016 astieger@suse.com
- Add an example for a FIPS 140-2 approved cipher configuration to the sample configuration files. Fixes bsc#988522 adding openvpn-fips140-AES-cipher-in-config-template.patch
- remove gpg-offline signature verification, now a source service

* Tue May 10 2016 idonmez@suse.com
- Update to version 2.3.11
  * Fixed port-share bug with DoS potential
  * Fix buffer overflow by user supplied data
  * Fix undefined signed shift overflow
  * Ensure input read using systemd-ask-password is null terminated
  * Support reading the challenge-response from console
  * hardening: add safe FD_SET() wrapper openvpn_fd_set()
  * Restrict default TLS cipher list
- Add BuildRequires on xz for SLE11

* Mon Jan 04 2016 idonmez@suse.com
- Update to version 2.3.10
  * Warn user if their certificate has expired
  * Fix regression in setups without a client certificate

* Wed Dec 16 2015 idonmez@suse.com
- Update to version 2.3.9
  * Show extra-certs in current parameters.
  * Do not set the buffer size by default but rely on the operating system default.
  * Remove --enable-password-save option
  * Detect config lines that are too long and give a warning/error
  * Log serial number of revoked certificate
  * Avoid partial authentication state when using --disabled in CCD configs
  * Replace unaligned 16bit access to TCP MSS value with bytewise access
  * Fix possible heap overflow on read accessing getaddrinfo() result.
  * Fix isatty() check for good. (obsoletes revert-daemonize.patch)
  * Client-side part for server restart notification
  * Fix privilege drop if first connection attempt fails
  * Support for username-only auth file.
  * Increase control channel packet size for faster handshakes
  * hardening: add insurance to exit on a failed ASSERT()
  * Fix memory leak in auth-pam plugin
  * Fix (potential) memory leak in init_route_list()
  * Fix uninitialized variable in plugin_vlog()
  * Add macro to ensure we exit on fatal errors
  * Fix memory leak in add_option() by simplifying get_ipv6_addr
  * openssl: properly check return value of RAND_bytes()
  * Fix rand_bytes return value checking
  * Fix "White space before end tags can break the config parser"

* Thu Dec 03 2015 mt@suse.com
- Adjust /var/run to _rundir macro value in openvpn@.service too.

* Thu Aug 20 2015 mt@suse.com
- Removed obsolete --with-lzo-headers option, readded LFS_CFLAGS.
- Moved openvpn-plugin.h into a devel package, removed .gitignore

* Thu Aug 13 2015 idonmez@suse.com
- Add revert-daemonize.patch, looks like under systemd the stdin and stdout are not TTYs by default. This reverts to previous behaviour fixing bsc#941569

* Wed Aug 05 2015 idonmez@suse.com
- Update to version 2.3.8
  * Report missing endtags of inline files as warnings
  * Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit
  * Produce a meaningful error message if --daemon gets in the way of asking for passwords.
  * Document --daemon changes and consequences (--askpass, --auth-nocache)
  * Del ipv6 addr on close of linux tun interface
  * Fix --askpass not allowing for password input via stdin
  * Write pid file immediately after daemonizing
  * Fix regression: query password before becoming daemon
  * Fix using management interface to get passwords
  * Fix overflow check in openvpn_decrypt()

* Tue Jun 09 2015 idonmez@suse.com
- Update to version 2.3.7
  * down-root plugin: Replaced system() calls with execve()
  * sockets: Remove the limitation of --tcp-nodelay to be server-only
  * pkcs11: Load p11-kit-proxy.so module by default
  * New approach to handle peer-id related changes to link-mtu
  * Fix incorrect use of get_ipv6_addr() for iroute options
  * Print helpful error message on --mktun/--rmtun if not available
  * Explain effect of --topology subnet on --ifconfig
  * Add note about file permissions and --crl-verify to manpage
  * Repair --dev null breakage caused by db950be85d37
  * Correct note about DNS randomization in openvpn.8
  * Disallow usage of --server-poll-timeout in --secret key mode
  * Slightly enhance documentation about --cipher
  * On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo()
  * Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo()
  * Fix --redirect-private in --dev tap mode
  * Updated manpage for --rport and --lport
  * Properly escape dashes on the man-page
  * Improve documentation in --script-security section of the man-page
  * Really fix '--cipher none' regression
  * Set tls-version-max to 1.1 if cryptoapicert is used
  * Account for peer-id in frame size calculation
  * Disable SSL compression
  * Fix frame size calculation for non-CBC modes.
  * Allow for CN/username of 64 characters (fixes off-by-one)
  * Re-enable TLS version negotiation by default
  * Remove size limit for files inlined in config
  * Improve --tls-cipher and --show-tls man page description
  * Re-read auth-user-pass file on (re)connect if required
  * Clarify --capath option in manpage
  * Call daemon() before initializing crypto library

* Mon Mar 02 2015 mt@suse.de
- Fixed to use correct sha digest data length and in fips mode, use aes instead of the disallowed blowfish crypto (boo#914166).
- Fixed to provide actual plugin/doc dirs in openvpn(8) man page.

* Mon Dec 01 2014 mt@suse.de
- Update to version 2.3.6 fixing a denial-of-service vulnerability where an authenticated client could stop the server by triggering a server-side ASSERT (bnc#907764,CVE-2014-8104). See ChangeLog file for a complete list of changes.

* Thu Oct 30 2014 idonmez@suse.com
- Update to version 2.3.5
  * See included changelog
- Depend on systemd-devel for the daemon check functionality
/etc/openvpn
/run/openvpn
/usr/lib/systemd/system/openvpn.target
/usr/lib/systemd/system/openvpn@.service
/usr/lib/tmpfiles.d
/usr/lib/tmpfiles.d/openvpn.conf
/usr/sbin/openvpn
/usr/sbin/rcopenvpn
/usr/share/doc/packages/openvpn
/usr/share/doc/packages/openvpn/AUTHORS
/usr/share/doc/packages/openvpn/COPYING
/usr/share/doc/packages/openvpn/COPYRIGHT.GPL
/usr/share/doc/packages/openvpn/ChangeLog
/usr/share/doc/packages/openvpn/PORTS
/usr/share/doc/packages/openvpn/README
/usr/share/doc/packages/openvpn/README.IPv6
/usr/share/doc/packages/openvpn/README.SUSE
/usr/share/doc/packages/openvpn/README.auth-pam
/usr/share/doc/packages/openvpn/README.down-root
/usr/share/doc/packages/openvpn/README.polarssl
/usr/share/doc/packages/openvpn/contrib
/usr/share/doc/packages/openvpn/contrib/OCSP_check
/usr/share/doc/packages/openvpn/contrib/OCSP_check/OCSP_check.sh
/usr/share/doc/packages/openvpn/contrib/README
/usr/share/doc/packages/openvpn/contrib/keychain-mcd
/usr/share/doc/packages/openvpn/contrib/keychain-mcd/Makefile
/usr/share/doc/packages/openvpn/contrib/keychain-mcd/cert_data.c
/usr/share/doc/packages/openvpn/contrib/keychain-mcd/cert_data.h
/usr/share/doc/packages/openvpn/contrib/keychain-mcd/common_osx.c
/usr/share/doc/packages/openvpn/contrib/keychain-mcd/common_osx.h
/usr/share/doc/packages/openvpn/contrib/keychain-mcd/crypto_osx.c
/usr/share/doc/packages/openvpn/contrib/keychain-mcd/crypto_osx.h
/usr/share/doc/packages/openvpn/contrib/keychain-mcd/keychain-mcd.8
/usr/share/doc/packages/openvpn/contrib/keychain-mcd/main.c
/usr/share/doc/packages/openvpn/contrib/multilevel-init.patch
/usr/share/doc/packages/openvpn/contrib/openvpn-fwmarkroute-1.00
/usr/share/doc/packages/openvpn/contrib/openvpn-fwmarkroute-1.00/README
/usr/share/doc/packages/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
/usr/share/doc/packages/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
/usr/share/doc/packages/openvpn/contrib/pull-resolv-conf
/usr/share/doc/packages/openvpn/contrib/pull-resolv-conf/client.down
/usr/share/doc/packages/openvpn/contrib/pull-resolv-conf/client.up
/usr/share/doc/packages/openvpn/management-notes.txt
/usr/share/doc/packages/openvpn/sample-config-files
/usr/share/doc/packages/openvpn/sample-config-files/README
/usr/share/doc/packages/openvpn/sample-config-files/client.conf
/usr/share/doc/packages/openvpn/sample-config-files/firewall.sh
/usr/share/doc/packages/openvpn/sample-config-files/home.up
/usr/share/doc/packages/openvpn/sample-config-files/loopback-client
/usr/share/doc/packages/openvpn/sample-config-files/loopback-server
/usr/share/doc/packages/openvpn/sample-config-files/office.up
/usr/share/doc/packages/openvpn/sample-config-files/openvpn-shutdown.sh
/usr/share/doc/packages/openvpn/sample-config-files/openvpn-startup.sh
/usr/share/doc/packages/openvpn/sample-config-files/server.conf
/usr/share/doc/packages/openvpn/sample-config-files/static-home.conf
/usr/share/doc/packages/openvpn/sample-config-files/static-office.conf
/usr/share/doc/packages/openvpn/sample-config-files/tls-home.conf
/usr/share/doc/packages/openvpn/sample-config-files/tls-office.conf
/usr/share/doc/packages/openvpn/sample-config-files/xinetd-client-config
/usr/share/doc/packages/openvpn/sample-config-files/xinetd-server-config
/usr/share/doc/packages/openvpn/sample-keys
/usr/share/doc/packages/openvpn/sample-keys/README
/usr/share/doc/packages/openvpn/sample-keys/ca.crt
/usr/share/doc/packages/openvpn/sample-keys/ca.key
/usr/share/doc/packages/openvpn/sample-keys/client-ec.crt
/usr/share/doc/packages/openvpn/sample-keys/client-ec.key
/usr/share/doc/packages/openvpn/sample-keys/client-pass.key
/usr/share/doc/packages/openvpn/sample-keys/client.crt
/usr/share/doc/packages/openvpn/sample-keys/client.key
/usr/share/doc/packages/openvpn/sample-keys/client.p12
/usr/share/doc/packages/openvpn/sample-keys/dh2048.pem
/usr/share/doc/packages/openvpn/sample-keys/gen-sample-keys.sh
/usr/share/doc/packages/openvpn/sample-keys/openssl.cnf
/usr/share/doc/packages/openvpn/sample-keys/server-ec.crt
/usr/share/doc/packages/openvpn/sample-keys/server-ec.key
/usr/share/doc/packages/openvpn/sample-keys/server.crt
/usr/share/doc/packages/openvpn/sample-keys/server.key
/usr/share/doc/packages/openvpn/sample-keys/ta.key
/usr/share/doc/packages/openvpn/sample-scripts
/usr/share/doc/packages/openvpn/sample-scripts/auth-pam.pl
/usr/share/doc/packages/openvpn/sample-scripts/bridge-start
/usr/share/doc/packages/openvpn/sample-scripts/bridge-stop
/usr/share/doc/packages/openvpn/sample-scripts/client-netconfig.down
/usr/share/doc/packages/openvpn/sample-scripts/client-netconfig.up
/usr/share/doc/packages/openvpn/sample-scripts/ucn.pl
/usr/share/doc/packages/openvpn/sample-scripts/verify-cn
/usr/share/man/man8/openvpn.8.gz
Generated by rpm2html 1.8.1
Fabrice Bellet, Tue Jul 9 11:51:01 2024