Reviewed-by: Peter Müller

> - Update from version 2.5.4 to 2.5.6
> - Update of rootfile not required
> - No changes related to ciphers or options
> - Source tarball changed from .xz to .gz as for version 2.5.6 the xz option was not
> available. Raised on OpenVPN forum but response was that they also didn't know why xz
> option was not available but they thought it was not a big deal as the gz version is
> only slightly larger.

Thank you for taking care of this.

> - Changelog
> Overview of changes in 2.5.6
> User-visible Changes
> update copyright year to 2022
> New features
> new plugin (sample-plugin/defer/multi-auth.c) to help testing with multiple
> parallel plugins that succeed/fail in direct/deferred mode
> various build improvements (github actions etc)
> upgrade pkcs11-helper to release 1.28.4
> Bugfixes
> CVE-2022-0547 see
> https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
> If openvpn is configured with multiple authentication plugins and more than
> one plugin tries to do deferred authentication, the result is not
> well-defined - creating a possible authentication bypass.
> In this situation the server process will now abort itself with a clear log
> message. Only one plugin is allowed to do deferred authentication.
> Fix "--mtu-disc maybe|yes" on Linux
> Due to configure/syshead.h/#ifdef confusion, the code in question was not
> compiled-in since a long time. Fixed. Trac: #1452
> Fix $common_name variable passed to scripts when username-as-common-name is
> in effect.
> This was not consistently set - sometimes, OpenVPN exported the username,
> sometimes the common name from the client cert. Fixed. Trac: #1434
> Fix potential memory leaks in add_route() and add_route_ipv6().
> Apply connect-retry backoff only to one side of the connection in p2p mode.
> Without that fix/enhancement, two sides could end up only sending packets
> when the other end is not ready. Trac: #1010, #1384
> remove unused sitnl.h file
> clean up msvc build files, remove unused MSVC build .bat files
> repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
> due to integer overflow, this ended up being "0" on Linux, but on Windows
> with MSVC it ends up being "always 2 Gbyte", both not doing what is
> requested. Trac: #1448
> repair handling of EC certificates on Windows with pkcs11-helper
> (wrong compile-time defines for OpenSSL 1.1.1)
> Documentation
> documentation improvements related to DynDNS. Trac: #1417
> clean up documentation for --proto and related options
> rebuild rst docs if input files change (proper dependency handling)
> Overview of changes in 2.5.5
> User-visible Changes
> SWEET32/64bit cipher deprecation change was postponed to 2.7
> Windows: use network address for emulated DHCP server as default this
> enables use of a /30 subnet, which is needed when connecting to OpenVPN Cloud.
> require EC support in windows builds (this means it's no longer possible to
> build a Windows OpenVPN binary with an OpenSSL lib without EC support)
> New features
> Windows build: use CFG and Spectre mitigations on MSVC builds
> bring back OpenSSL config loading to Windows builds. OpenSSL config is
> loaded from %installdir%\ssl\openssl.cnf (typically:
> c:\program files\openvpn\ssl\openssl.cnf) if it exists.
> This is important for some hardware tokens which need special OpenSSL
> config for correct operation.
Trac #1296 > Bugfixes > Windows build: enable EKM > Windows build: improve various vcpkg related build issues > Windows build: fix regression related to non-writeable status files > (Trac #1430) > Windows build: fix regression that broke OpenSSL EC support > Windows build: fix "product version" display (2.5..4 -> 2.5.4) > Windows build: fix regression preventing use of PKCS12 files > improve "make check" to notice if "openvpn --show-cipher" crashes > improve argv unit tests > ensure unit tests work with mbedTLS builds without BF-CBC ciphers > include "--push-remove" in the output of "openvpn --help" > fix error in iptables syntax in example firewall.sh script > fix "resolvconf -p" invocation in example "up" script > fix "common_name" environment for script calls when > "--username-as-common-name" is in effect (Trac #1434) > Documentation > move "push-peer-info" documentation from "server options" to "client" > (where it belongs) > correct "foreign_option_{n}" typo in manpage > update IRC information in CONTRIBUTING.rst (libera.chat) > README.down-root: fix plugin module name > > Signed-off-by: Adolf Belka > --- > lfs/openvpn | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/lfs/openvpn b/lfs/openvpn > index 9b2e7853c..27a052ae1 100644 > --- a/lfs/openvpn > +++ b/lfs/openvpn > @@ -24,10 +24,10 @@ > > include Config > > -VER = 2.5.4 > +VER = 2.5.6 > > THISAPP = openvpn-$(VER) > -DL_FILE = $(THISAPP).tar.xz > +DL_FILE = $(THISAPP).tar.gz > DL_FROM = $(URL_IPFIRE) > DIR_APP = $(DIR_SRC)/$(THISAPP) > TARGET = $(DIR_INFO)/$(THISAPP) > @@ -40,7 +40,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_BLAKE2 = ebc711981ab93da69ba033f3cf1ea1c99e86f700ec98809a3c401d59a6ecf53f977935aafd37df0233a0498762db01bed0555aeb99ab7e7903274e4d78997301 > +$(DL_FILE)_BLAKE2 = d0466d2b95dae892606b6369d2c227add1de43fb708bf1c31a3ef78b28fc37382d501cc559767c8c8358ec28b88d3eb80a0eb915d7872ce30757c7080a37fde2 > > install : $(TARGET) 
> > @@ -69,7 +69,7 @@ $(subst %,%_BLAKE2,$(objects)) : > > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar Jxf $(DIR_DL)/$(DL_FILE) > + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) > cd $(DIR_APP) && ./configure \ > --prefix=/usr \ > --sysconfdir=/var/ipfire/ovpn \
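
Review bot: the `VER = 2.5.6` bump in the first hunk brings a behaviour change that the message's summary bullets do not call out. Per the quoted changelog entry for CVE-2022-0547, the server process now aborts when more than one plugin attempts deferred authentication. "No changes related to ciphers or options" is accurate, but please state in the message whether the server configuration generated by IPFire can ever load more than one authentication plugin, so a reviewer can rule out a server that refuses to run after the update.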
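
Review bot: on the `$(DL_FILE)_BLAKE2` line in the second hunk, neither the patch nor the message says how the new .tar.gz was authenticated before its digest was recorded. The BLAKE2 value only pins the file that was placed on `$(URL_IPFIRE)`. Since the archive format changed for this release and the release carries a CVE fix, please note in the commit message that the tarball was checked against the signature or checksum published by upstream before the sum was computed.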
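
Review bot: in the `$(TARGET)` rule of the third hunk, `tar axf` works, but the `a` is not what selects the decompressor on extraction. GNU tar uses `-a` to choose a compressor from the file suffix when creating an archive and detects the compression on its own when reading. No change is required; the practical effect is that a later return to `.tar.xz` only needs the `DL_FILE` line changed, which would be worth one sentence in the message next to the explanation of the .xz to .gz switch.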