Re: [PATCH] openvpn: Update to version 2.5.6

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] openvpn: Update to version 2.5.6
Date: Mon, 18 Apr 2022 21:00:15 +0000	[thread overview]
Message-ID: <652c7c37-f7d6-2c32-30ad-989737fbc37e@ipfire.org> (raw)
In-Reply-To: <20220414082112.4096021-1-adolf.belka@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 6529 bytes --]

Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

> - Update from version 2.5.4 to 2.5.6
> - Update of rootfile not required
> - No changes related to ciphers or options
> - Source tarball changed from .xz to .gz as for version 2.5.6 the xz options was not
>    available. Raised on Openvpn forum but response was that they also didn't know why xz
>    option was not available but they thought it was not a big deal as the gz version is
>    only slightly larger.

Thank you for taking care about this.

> - Changelog
>    Overview of changes in 2.5.6
> 	User-visible Changes
> 	    update copyright year to 2022
> 	New features
> 	    new plugin (sample-plugin/defer/multi-auth.c) to help testing with multiple
>              parallel plugins that succeed/fail in direct/deferred mode
> 	    various build improvements (github actions etc)
> 	    upgrade pkcs11-helper to release 1.28.4
> 	Bugfixes
> 	    CVE-2022-0547 see
>              https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
> 	      If openvpn is configured with multiple authentication plugins and more than
>                one plugin tries to do deferred authentication, the result is not
>                well-defined - creating a possible authentication bypass.
> 	      In this situation the server process will now abort itself with a clear log
>                message. Only one plugin is allowed to do deferred authentication.
> 	    Fix "--mtu-disc maybe|yes" on Linux
> 	    Due to configure/syshead.h/#ifdef confusion, the code in question was not
>              compiled-in since a long time. Fixed. Trac: #1452
> 	    Fix $common_name variable passed to scripts when username-as-common-name is
>              in effect.
> 	      This was not consistently set - sometimes, OpenVPN exported the username,
>                sometimes the common name from the client cert. Fixed. Trac: #1434
> 	    Fix potential memory leaks in add_route() and add_route_ipv6().
> 	    Apply connect-retry backoff only to one side of the connection in p2p mode.
>              Without that fix/enhancement, two sides could end up only sending packets
>               when the other end is not ready. Trac: #1010, #1384
> 	    remove unused sitnl.h file
> 	    clean up msvc build files, remove unused MSVC build .bat files
> 	    repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
> 	     due to integer overflow, this ended up being "0" on Linux, but on Windows
>               with MSVC it ends up being "always 2 Gbyte", both not doing what is
>               requested. Trac: #1448
> 	    repair handling of EC certificates on Windows with pkcs11-helper
> 	    (wrong compile-time defines for OpenSSL 1.1.1)
> 	Documentation
> 	    documentation improvements related to DynDNS. Trac: #1417
> 	    clean up documentation for --proto and related options
> 	    rebuild rst docs if input files change (proper dependency handling)
>    Overview of changes in 2.5.5
> 	User-visible Changes
> 	    SWEET32/64bit cipher deprecation change was postponed to 2.7
> 	    Windows: use network address for emulated DHCP server as default this
>              enables use of a /30 subnet, which is needed when connecting to OpenVPN Cloud.
> 	    require EC support in windows builds (this means it's no longer possible to
>              build a Windows OpenVPN binary with an OpenSSL lib without EC support)
> 	New features
> 	    Windows build: use CFG and Spectre mitigations on MSVC builds
> 	    bring back OpenSSL config loading to Windows builds. OpenSSL config is
>              loaded from %installdir%\ssl\openssl.cnf (typically:
>              c:\program files\openvpn\ssl\openssl.cnf) if it exists.
> 	      This is important for some hardware tokens which need special OpenSSL
>                config for correct operation. Trac #1296
> 	Bugfixes
> 	    Windows build: enable EKM
> 	    Windows build: improve various vcpkg related build issues
> 	    Windows build: fix regression related to non-writeable status files
>              (Trac #1430)
> 	    Windows build: fix regression that broke OpenSSL EC support
> 	    Windows build: fix "product version" display (2.5..4 -> 2.5.4)
> 	    Windows build: fix regression preventing use of PKCS12 files
> 	    improve "make check" to notice if "openvpn --show-cipher" crashes
> 	    improve argv unit tests
> 	    ensure unit tests work with mbedTLS builds without BF-CBC ciphers
> 	    include "--push-remove" in the output of "openvpn --help"
> 	    fix error in iptables syntax in example firewall.sh script
> 	    fix "resolvconf -p" invocation in example "up" script
> 	    fix "common_name" environment for script calls when
>              "--username-as-common-name" is in effect (Trac #1434)
> 	Documentation
> 	    move "push-peer-info" documentation from "server options" to "client"
>              (where it belongs)
> 	    correct "foreign_option_{n}" typo in manpage
> 	    update IRC information in CONTRIBUTING.rst (libera.chat)
> 	    README.down-root: fix plugin module name
> 
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
>  lfs/openvpn | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/lfs/openvpn b/lfs/openvpn
> index 9b2e7853c..27a052ae1 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -24,10 +24,10 @@
>  
>  include Config
>  
> -VER        = 2.5.4
> +VER        = 2.5.6
>  
>  THISAPP    = openvpn-$(VER)
> -DL_FILE    = $(THISAPP).tar.xz
> +DL_FILE    = $(THISAPP).tar.gz
>  DL_FROM    = $(URL_IPFIRE)
>  DIR_APP    = $(DIR_SRC)/$(THISAPP)
>  TARGET     = $(DIR_INFO)/$(THISAPP)
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_BLAKE2 = ebc711981ab93da69ba033f3cf1ea1c99e86f700ec98809a3c401d59a6ecf53f977935aafd37df0233a0498762db01bed0555aeb99ab7e7903274e4d78997301
> +$(DL_FILE)_BLAKE2 = d0466d2b95dae892606b6369d2c227add1de43fb708bf1c31a3ef78b28fc37382d501cc559767c8c8358ec28b88d3eb80a0eb915d7872ce30757c7080a37fde2
>  
>  install : $(TARGET)
>  
> @@ -69,7 +69,7 @@ $(subst %,%_BLAKE2,$(objects)) :
>  
>  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	@$(PREBUILD)
> -	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar Jxf $(DIR_DL)/$(DL_FILE)
> +	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
>  	cd $(DIR_APP) && ./configure \
>  		--prefix=/usr \
>  		--sysconfdir=/var/ipfire/ovpn \

     prev parent reply	other threads:[~2022-04-18 21:00 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-14  8:21 Adolf Belka
2022-04-18 21:00 ` Peter Müller [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=652c7c37-f7d6-2c32-30ad-989737fbc37e@ipfire.org \
    --to=peter.mueller@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox