From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] openvpn: Update to version 2.5.6
Date: Mon, 18 Apr 2022 21:00:15 +0000
Message-ID: <652c7c37-f7d6-2c32-30ad-989737fbc37e@ipfire.org>
In-Reply-To: <20220414082112.4096021-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1546718677366340223=="
List-Id:

--===============1546718677366340223==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Peter Müller

> - Update from version 2.5.4 to 2.5.6
> - Update of rootfile not required
> - No changes related to ciphers or options
> - Source tarball changed from .xz to .gz as for version 2.5.6 the xz option was not
>    available. Raised on OpenVPN forum but response was that they also didn't know why xz
>    option was not available but they thought it was not a big deal as the gz version is
>    only slightly larger.

Thank you for taking care of this.

> - Changelog
>    Overview of changes in 2.5.6
>       User-visible Changes
>          update copyright year to 2022
>       New features
>          new plugin (sample-plugin/defer/multi-auth.c) to help testing with multiple
>             parallel plugins that succeed/fail in direct/deferred mode
>          various build improvements (github actions etc)
>          upgrade pkcs11-helper to release 1.28.4
>       Bugfixes
>          CVE-2022-0547 see
>             https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
>             If openvpn is configured with multiple authentication plugins and more than
>             one plugin tries to do deferred authentication, the result is not
>             well-defined - creating a possible authentication bypass.
>             In this situation the server process will now abort itself with a clear log
>             message. Only one plugin is allowed to do deferred authentication.
>          Fix "--mtu-disc maybe|yes" on Linux
>             Due to configure/syshead.h/#ifdef confusion, the code in question was not
>             compiled-in since a long time. Fixed. Trac: #1452
>          Fix $common_name variable passed to scripts when username-as-common-name is
>             in effect.
>             This was not consistently set - sometimes, OpenVPN exported the username,
>             sometimes the common name from the client cert. Fixed. Trac: #1434
>          Fix potential memory leaks in add_route() and add_route_ipv6().
>          Apply connect-retry backoff only to one side of the connection in p2p mode.
>             Without that fix/enhancement, two sides could end up only sending packets
>             when the other end is not ready. Trac: #1010, #1384
>          remove unused sitnl.h file
>          clean up msvc build files, remove unused MSVC build .bat files
>          repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
>             due to integer overflow, this ended up being "0" on Linux, but on Windows
>             with MSVC it ends up being "always 2 Gbyte", both not doing what is
>             requested. Trac: #1448
>          repair handling of EC certificates on Windows with pkcs11-helper
>             (wrong compile-time defines for OpenSSL 1.1.1)
>       Documentation
>          documentation improvements related to DynDNS. Trac: #1417
>          clean up documentation for --proto and related options
>          rebuild rst docs if input files change (proper dependency handling)
>    Overview of changes in 2.5.5
>       User-visible Changes
>          SWEET32/64bit cipher deprecation change was postponed to 2.7
>          Windows: use network address for emulated DHCP server as default this
>             enables use of a /30 subnet, which is needed when connecting to OpenVPN Cloud.
>          require EC support in windows builds (this means it's no longer possible to
>             build a Windows OpenVPN binary with an OpenSSL lib without EC support)
>       New features
>          Windows build: use CFG and Spectre mitigations on MSVC builds
>          bring back OpenSSL config loading to Windows builds. OpenSSL config is
>             loaded from %installdir%\ssl\openssl.cnf (typically:
>             c:\program files\openvpn\ssl\openssl.cnf) if it exists.
>             This is important for some hardware tokens which need special OpenSSL
>             config for correct operation. Trac #1296
>       Bugfixes
>          Windows build: enable EKM
>          Windows build: improve various vcpkg related build issues
>          Windows build: fix regression related to non-writeable status files
>             (Trac #1430)
>          Windows build: fix regression that broke OpenSSL EC support
>          Windows build: fix "product version" display (2.5..4 -> 2.5.4)
>          Windows build: fix regression preventing use of PKCS12 files
>          improve "make check" to notice if "openvpn --show-cipher" crashes
>          improve argv unit tests
>          ensure unit tests work with mbedTLS builds without BF-CBC ciphers
>          include "--push-remove" in the output of "openvpn --help"
>          fix error in iptables syntax in example firewall.sh script
>          fix "resolvconf -p" invocation in example "up" script
>          fix "common_name" environment for script calls when
>             "--username-as-common-name" is in effect (Trac #1434)
>       Documentation
>          move "push-peer-info" documentation from "server options" to "client"
>             (where it belongs)
>          correct "foreign_option_{n}" typo in manpage
>          update IRC information in CONTRIBUTING.rst (libera.chat)
>          README.down-root: fix plugin module name
>
> Signed-off-by: Adolf Belka
> ---
>  lfs/openvpn | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/lfs/openvpn b/lfs/openvpn > index 9b2e7853c..27a052ae1 100644 > --- a/lfs/openvpn > +++ b/lfs/openvpn > @@ -24,10 +24,10 @@ > =20 > include Config > =20 > -VER =3D 2.5.4 > +VER =3D 2.5.6 > =20 > THISAPP =3D openvpn-$(VER) > -DL_FILE =3D $(THISAPP).tar.xz > +DL_FILE =3D $(THISAPP).tar.gz > DL_FROM =3D $(URL_IPFIRE) > DIR_APP =3D $(DIR_SRC)/$(THISAPP) > TARGET =3D $(DIR_INFO)/$(THISAPP)
> @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) > =20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) > =20 > -$(DL_FILE)_BLAKE2 =3D ebc711981ab93da69ba033f3cf1ea1c99e86f700ec98809a3c40= 1d59a6ecf53f977935aafd37df0233a0498762db01bed0555aeb99ab7e7903274e4d78997301 > +$(DL_FILE)_BLAKE2 =3D d0466d2b95dae892606b6369d2c227add1de43fb708bf1c31a3e= f78b28fc37382d501cc559767c8c8358ec28b88d3eb80a0eb915d7872ce30757c7080a37fde2 > =20 > install : $(TARGET) > =20 > @@ -69,7 +69,7 @@ $(subst %,%_BLAKE2,$(objects)) : > =20 > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar Jxf $(DIR_DL)/$(DL_FILE) > + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) > cd $(DIR_APP) && ./configure \ > --prefix=3D/usr \ > --sysconfdir=3D/var/ipfire/ovpn \ --===============1546718677366340223==--
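
Review bot: the summary bullets of the commit message do not mention that the `VER` bump from 2.5.4 to 2.5.6 in the first hunk (@@ -24,10 +24,10 @@) carries the CVE-2022-0547 fix; the possible authentication bypass with multiple deferred-auth plugins only appears deep in the pasted upstream changelog. Suggest naming CVE-2022-0547 in the subject or in the first bullets so the update is recognisable as security-relevant when release notes are put together.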
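
Review bot: the replaced `$(DL_FILE)_BLAKE2` value in the second hunk (@@ -40,7 +40,7 @@) now covers a different artifact (`.tar.gz` instead of `.tar.xz`), so it cannot be compared with the previous digest, and with `DL_FROM` set to `$(URL_IPFIRE)` it is the integrity check visible in this file for the tarball. The commit message explains why the format changed but not how the .gz file was checked against upstream before the hash was computed; suggest adding a line saying that it was verified, for example against upstream's release signature.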
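
Review bot: the `a` in `tar axf` on the extraction line of the last hunk (@@ -69,7 +69,7 @@) has no effect with GNU tar, where `-a` (`--auto-compress`) selects a compressor only when creating an archive and extraction detects the compression from the file itself, so `tar xf` would behave the same. Not a blocker; either form means this line no longer has to change if upstream ships an .xz tarball again, and that is worth a word in the commit message next to the .xz to .gz explanation.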