Reviewed-by: Michael Tremer

> On 10 Nov 2021, at 11:09, Adolf Belka wrote:
>
> - Update from 2.5.0 to 2.5.4
> - Update rootfile
> - Tested new version in vm testbed. Openvpn server successfully started.
> Client connections working with 2.5.0 also successfully worked with 2.5.4
> - Changelog
> Overview of changes in 2.5.4
> Bugfixes
> - fix prompting for password on windows console if stderr redirection
> is in use - this breaks 2.5.x on Win11/ARM, and might also break
> on Win11/amd64 when released.
> - fix setting MAC address on TAP adapters (--lladdr) to use sitnl
> (was overlooked, and still used "ifconfig" calls)
> - various improvements for man page building (rst2man/rst2html etc)
> - minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on
> at least one platform strictly checking this)
> - fix minor memory leak under certain conditions in add_route() and
> add_route_ipv6()
> User-visible Changes
> - documentation improvements
> - copyright updates where needed
> - better error reporting when win32 console access fails
> New features
> - also build man page on Windows builds
> Overview of changes in 2.5.3
> Bugfixes
> - CVE-2121-3606
> see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
> OpenVPN windows builds could possibly load OpenSSL Config files from
> world writeable locations, thus posing a security risk to OpenVPN.
> As a fix, disable OpenSSL config loading completely on Windows.
> - disable connect-retry backoff for p2p (--secret) instances
> (Trac #1010, #1384)
> - fix build with mbedtls w/o SSL renegotiation support
> - Fix SIGSEGV (NULL deref) receiving push "echo" (Trac #1409)
> - MSI installers: properly schedule reboot in the end of installation
> - fix small memory leak in free_key_ctx for auth_token
> User-visible Changes
> - update copyright messages in files and --version output
> New features
> - add --auth-token-user option (for --auth-token deployments without
> --auth-user-pass in client config)
> - improve MSVC building for Windows
> - official MSI installers will now contain arm64 drivers and binaries
> (x86, amd64, arm64)
> Overview of changes in 2.5.2
> Bugfixes
> - CVE-2020-15078
> see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
> This bug allows - under very specific circumstances - to trick a
> server using delayed authentication (plugin or management) into
> returning a PUSH_REPLY before the AUTH_FAILED message, which can
> possibly be used to gather information about a VPN setup.
> In combination with "--auth-gen-token" or a user-specific token auth
> solution it can be possible to get access to a VPN with an
> otherwise-invalid account.
> - restore pushed "ping" settings correctly on a SIGUSR1 restart
> - avoid generating unnecessary mbed debug messages - this is actually
> a workaround for an mbedTLS 2.25 bug when using Curve25519 and Curve448
> ED curves - mbedTLS crashes on preparing debug infos that we do not
> actually need unless running with "--verb 8"
> - do not print inlined (...) Diffie Hellman parameters to log file
> - fix Linux/SITNL default route lookup in case of multiple routing tables
> with more than one default route present (always use "main table" for now)
> - Fix CRL file handling in combination with chroot
> User-visible Changes
> - OpenVPN will now refuse to start if CRL file is not present at startup
> time. At "reload time" absence of the CRL file is still OK (and the
> in memory copy is used) but at startup it is now considered an error.
> New features
> - printing of the TLS ciphers negotiated has been extended, especially
> displaying TLS 1.3 and EC certificates more correctly.
> Overview of changes in 2.5.1
> New features
> - "echo msg" support, to enable the server to push messages that are
> then displayed by the client-side GUI. See doc/gui-notes.txt and
> doc/management-notes.txt.
> Supported by the Windows GUI shipped in 2.5.1, not yet supported by
> Tunnelblick and the Android GUI.
> User-visible Changes
> - make OPENVPN_PLUGIN_ENABLE_PF plugin failures FATAL - if a plugin offers
> to set the "openvpn packet filter", and returns a failure when requested
> to, OpenVPN 2.5.0 would crash trying to clean up not-yet-initialized
> structure members. Since PF is going away in 2.6.0, this is just turning
> the crash into a well-defined program abort, and no further effort has
> been spent in rewriting the PF plugin error handling (see trac #1377).
> Documentation
> - rework sample-plugins/defer/simple.c - this is an extensive rewrite
> of the plugin to bring code quality to acceptable standards and add
> documentation on the various plugin API aspects. Since it's just
> example code, filed under "Documentation", not under "Bugfix".
> - various man page improvements.
> - clarify ``--block-ipv6`` intent and direction
> Bugfixes
> - fix installation of openvpn.8 manpage on systems without docutils.
> - Windows: fix DNS search list setup for domains with "-" chars.
> - Fix tls-auth mismatch OCC message when tls-cryptv2 is used.
> - Windows: Skip DHCP renew with Wintun adapter (Wintun does not support
> DHCP, so this was just causing a - harmless - error and needless delay).
> - Windows: Remove 1 second delay before running netsh - speeds up
> interface init for wintun setups not using the interactive service.
> - Windows: Fix too early argv freeing when registering DNS - this would > cause a client side crash on Windows if ``register-dns`` is used, > and the interactive service is not used. > - Android: Zero initialise msghdr prior to calling sendmesg. > - Fix line number reporting on config file errors after segments > (see Trac #1325). > - Fix port-share option with TLS-Crypt v2. > - tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key), otherwise > dropping privs on the server would fail. > - tls-crypt-v2: fix server memory leak (about 600 bytes per connecting > client with tls-crypt-v2) > - rework handling of server-pushed ``--auth-token`` in combination with > ``--auth-nocache`` on reconnection / TLS renegotiation events. This > used to "forget" to update new incoming token after a reconnection event > (leading to failure to reauth some time later) and now works in all > tested cases. > > Tested-by: Adolf Belka > Signed-off-by: Adolf Belka > --- > config/rootfiles/common/openvpn | 5 +++++ > lfs/openvpn | 4 ++-- > 2 files changed, 7 insertions(+), 2 deletions(-) > > diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn > index 41ccc885e..6c3457d01 100644 > --- a/config/rootfiles/common/openvpn > +++ b/config/rootfiles/common/openvpn > @@ -18,7 +18,12 @@ usr/sbin/openvpn > #usr/share/doc/openvpn/README.auth-pam > #usr/share/doc/openvpn/README.down-root > #usr/share/doc/openvpn/README.mbedtls > +#usr/share/doc/openvpn/gui-notes.txt > #usr/share/doc/openvpn/management-notes.txt > +#usr/share/doc/openvpn/openvpn-examples.5.html > +#usr/share/doc/openvpn/openvpn.8.html > +#usr/share/man/man5/openvpn-examples.5 > +#usr/share/man/man8/openvpn.8 > var/ipfire/ovpn/ca > var/ipfire/ovpn/caconfig > var/ipfire/ovpn/ccd > diff --git a/lfs/openvpn b/lfs/openvpn > index 81ccc52bf..82e819bfe 100644 > --- a/lfs/openvpn > +++ b/lfs/openvpn 
> @@ -24,7 +24,7 @@ > > include Config > > -VER = 2.5.0 > +VER = 2.5.4 > > THISAPP = openvpn-$(VER) > DL_FILE = $(THISAPP).tar.xz > @@ -40,7 +40,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = ba426e2217833b522810d6c06f7cc8f7 > +$(DL_FILE)_MD5 = 336be3b2388cdc65dd8c81f22b1c2836 > > install : $(TARGET) > > -- > 2.33.1 >
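Review bot: in the config/rootfiles/common/openvpn hunk, all five new entries (gui-notes.txt, the two .html files, openvpn-examples.5 and openvpn.8) are commented out with a leading "#", which matches how the surrounding documentation entries (README.auth-pam, README.down-root, README.mbedtls, management-notes.txt) are already excluded, so nothing extra ends up in the image; the entries are only there to keep the rootfile in sync with the additional man page and HTML output that the 2.5.4 build now produces, and that looks correct.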
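Review bot: in the second lfs/openvpn hunk the only integrity check on the new tarball is still a bare MD5 ("$(DL_FILE)_MD5 = 336be3b2388cdc65dd8c81f22b1c2836"), which catches a corrupted download but not a substituted one; the new value should be taken from a tarball whose upstream release signature has been verified rather than from whatever the download URL served, and if the build framework supports a stronger digest it would be worth moving this package to it in a follow-up.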