From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] openvpn: Update to version 2.5.6
Date: Thu, 14 Apr 2022 10:21:12 +0200
Message-ID: <20220414082112.4096021-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4134145840286162538=="
List-Id:

--===============4134145840286162538==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

- Update from version 2.5.4 to 2.5.6
- Update of rootfile not required
- No changes related to ciphers or options
- Source tarball changed from .xz to .gz as for version 2.5.6 the xz option was not
   available. Raised on OpenVPN forum but response was that they also didn't know why
   xz option was not available but they thought it was not a big deal as the gz version
   is only slightly larger.
- Changelog
   Overview of changes in 2.5.6
      User-visible Changes
         update copyright year to 2022
      New features
         new plugin (sample-plugin/defer/multi-auth.c) to help testing with multiple
            parallel plugins that succeed/fail in direct/deferred mode
         various build improvements (github actions etc)
         upgrade pkcs11-helper to release 1.28.4
      Bugfixes
         CVE-2022-0547
            see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
            If openvpn is configured with multiple authentication plugins and more
            than one plugin tries to do deferred authentication, the result is not
            well-defined - creating a possible authentication bypass.
            In this situation the server process will now abort itself with a clear
            log message. Only one plugin is allowed to do deferred authentication.
         Fix "--mtu-disc maybe|yes" on Linux
            Due to configure/syshead.h/#ifdef confusion, the code in question was
            not compiled-in since a long time. Fixed. Trac: #1452
         Fix $common_name variable passed to scripts when username-as-common-name
            is in effect.
            This was not consistently set - sometimes, OpenVPN exported the username,
            sometimes the common name from the client cert. Fixed.
            Trac: #1434
         Fix potential memory leaks in add_route() and add_route_ipv6().
         Apply connect-retry backoff only to one side of the connection in p2p mode.
            Without that fix/enhancement, two sides could end up only sending packets
            when the other end is not ready. Trac: #1010, #1384
         remove unused sitnl.h file
         clean up msvc build files, remove unused MSVC build .bat files
         repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
            due to integer overflow, this ended up being "0" on Linux, but on Windows
            with MSVC it ends up being "always 2 Gbyte", both not doing what is
            requested. Trac: #1448
         repair handling of EC certificates on Windows with pkcs11-helper
            (wrong compile-time defines for OpenSSL 1.1.1)
      Documentation
         documentation improvements related to DynDNS. Trac: #1417
         clean up documentation for --proto and related options
         rebuild rst docs if input files change (proper dependency handling)
   Overview of changes in 2.5.5
      User-visible Changes
         SWEET32/64bit cipher deprecation change was postponed to 2.7
         Windows: use network address for emulated DHCP server as default
            this enables use of a /30 subnet, which is needed when connecting to
            OpenVPN Cloud.
         require EC support in windows builds
            (this means it's no longer possible to build a Windows OpenVPN binary
            with an OpenSSL lib without EC support)
      New features
         Windows build: use CFG and Spectre mitigations on MSVC builds
         bring back OpenSSL config loading to Windows builds.
            OpenSSL config is loaded from %installdir%\ssl\openssl.cnf
            (typically: c:\program files\openvpn\ssl\openssl.cnf) if it exists.
            This is important for some hardware tokens which need special OpenSSL
            config for correct operation.
            Trac #1296
      Bugfixes
         Windows build: enable EKM
         Windows build: improve various vcpkg related build issues
         Windows build: fix regression related to non-writeable status files
            (Trac #1430)
         Windows build: fix regression that broke OpenSSL EC support
         Windows build: fix "product version" display (2.5..4 -> 2.5.4)
         Windows build: fix regression preventing use of PKCS12 files
         improve "make check" to notice if "openvpn --show-cipher" crashes
         improve argv unit tests
         ensure unit tests work with mbedTLS builds without BF-CBC ciphers
         include "--push-remove" in the output of "openvpn --help"
         fix error in iptables syntax in example firewall.sh script
         fix "resolvconf -p" invocation in example "up" script
         fix "common_name" environment for script calls when
            "--username-as-common-name" is in effect (Trac #1434)
      Documentation
         move "push-peer-info" documentation from "server options" to "client"
            (where it belongs)
         correct "foreign_option_{n}" typo in manpage
         update IRC information in CONTRIBUTING.rst (libera.chat)
         README.down-root: fix plugin module name

Signed-off-by: Adolf Belka
--- lfs/openvpn | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lfs/openvpn b/lfs/openvpn index 9b2e7853c..27a052ae1 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -24,10 +24,10 @@ =20 include Config =20 -VER =3D 2.5.4 +VER =3D 2.5.6 =20 THISAPP =3D openvpn-$(VER) -DL_FILE =3D $(THISAPP).tar.xz +DL_FILE =3D $(THISAPP).tar.gz DL_FROM =3D $(URL_IPFIRE) DIR_APP =3D $(DIR_SRC)/$(THISAPP) TARGET =3D $(DIR_INFO)/$(THISAPP) @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_BLAKE2 =3D ebc711981ab93da69ba033f3cf1ea1c99e86f700ec98809a3c401d= 59a6ecf53f977935aafd37df0233a0498762db01bed0555aeb99ab7e7903274e4d78997301 +$(DL_FILE)_BLAKE2 =3D d0466d2b95dae892606b6369d2c227add1de43fb708bf1c31a3ef7= 8b28fc37382d501cc559767c8c8358ec28b88d3eb80a0eb915d7872ce30757c7080a37fde2 =20 install : $(TARGET) =20 
@@ -69,7 +69,7 @@ $(subst %,%_BLAKE2,$(objects)) : =20 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar Jxf $(DIR_DL)/$(DL_FILE) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && ./configure \ --prefix=3D/usr \ --sysconfdir=3D/var/ipfire/ovpn \ --=20 2.35.1 --===============4134145840286162538==--
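
Review bot: the VER bump in the first hunk (2.5.4 to 2.5.6) brings in the CVE-2022-0547 change listed in the changelog, under which the server aborts when more than one plugin does deferred authentication, while the commit message only states "No changes related to ciphers or options". Please add a line saying whether the server configuration IPFire generates can load more than one authentication plugin, so it is clear the new abort path cannot be reached after the upgrade.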
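
Review bot: the new $(DL_FILE)_BLAKE2 value in the second hunk is the only integrity check on a tarball that is fetched from $(URL_IPFIRE), and because the archive changed from .tar.xz to .tar.gz it cannot be compared with the value it replaces. Please state in the commit message where the .tar.gz was obtained and whether it was checked against the upstream release signature before the hash was computed.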
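
Review bot: in the $(TARGET) rule of the third hunk, "tar axf" depends on tar detecting the compression by itself when reading, since in GNU tar the "a" option only selects a compressor from the file suffix when an archive is created. Plain "tar xf" expresses the same behaviour, or "tar zxf" if the rule should fail on anything that is not gzip; if "axf" is kept to match other lfs files, a short note in the commit message would make that intent clear.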