- Update from version 2.5.4 to 2.5.6 - Update of rootfile not required - No changes related to ciphers or options - Source tarball changed from .xz to .gz as for version 2.5.6 the xz options was not available. Raised on Openvpn forum but response was that they also didn't know why xz option was not available but they thought it was not a big deal as the gz version is only slightly larger. - Changelog Overview of changes in 2.5.6 User-visible Changes update copyright year to 2022 New features new plugin (sample-plugin/defer/multi-auth.c) to help testing with multiple parallel plugins that succeed/fail in direct/deferred mode various build improvements (github actions etc) upgrade pkcs11-helper to release 1.28.4 Bugfixes CVE-2022-0547 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements If openvpn is configured with multiple authentication plugins and more than one plugin tries to do deferred authentication, the result is not well-defined - creating a possible authentication bypass. In this situation the server process will now abort itself with a clear log message. Only one plugin is allowed to do deferred authentication. Fix "--mtu-disc maybe|yes" on Linux Due to configure/syshead.h/#ifdef confusion, the code in question was not compiled-in since a long time. Fixed. Trac: #1452 Fix $common_name variable passed to scripts when username-as-common-name is in effect. This was not consistently set - sometimes, OpenVPN exported the username, sometimes the common name from the client cert. Fixed. Trac: #1434 Fix potential memory leaks in add_route() and add_route_ipv6(). Apply connect-retry backoff only to one side of the connection in p2p mode. Without that fix/enhancement, two sides could end up only sending packets when the other end is not ready. Trac: #1010, #1384 remove unused sitnl.h file clean up msvc build files, remove unused MSVC build .bat files repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes due to integer overflow, this ended up being "0" on Linux, but on Windows with MSVC it ends up being "always 2 Gbyte", both not doing what is requested. Trac: #1448 repair handling of EC certificates on Windows with pkcs11-helper (wrong compile-time defines for OpenSSL 1.1.1) Documentation documentation improvements related to DynDNS. Trac: #1417 clean up documentation for --proto and related options rebuild rst docs if input files change (proper dependency handling) Overview of changes in 2.5.5 User-visible Changes SWEET32/64bit cipher deprecation change was postponed to 2.7 Windows: use network address for emulated DHCP server as default this enables use of a /30 subnet, which is needed when connecting to OpenVPN Cloud. require EC support in windows builds (this means it's no longer possible to build a Windows OpenVPN binary with an OpenSSL lib without EC support) New features Windows build: use CFG and Spectre mitigations on MSVC builds bring back OpenSSL config loading to Windows builds. OpenSSL config is loaded from %installdir%\ssl\openssl.cnf (typically: c:\program files\openvpn\ssl\openssl.cnf) if it exists. This is important for some hardware tokens which need special OpenSSL config for correct operation. Trac #1296 Bugfixes Windows build: enable EKM Windows build: improve various vcpkg related build issues Windows build: fix regression related to non-writeable status files (Trac #1430) Windows build: fix regression that broke OpenSSL EC support Windows build: fix "product version" display (2.5..4 -> 2.5.4) Windows build: fix regression preventing use of PKCS12 files improve "make check" to notice if "openvpn --show-cipher" crashes improve argv unit tests ensure unit tests work with mbedTLS builds without BF-CBC ciphers include "--push-remove" in the output of "openvpn --help" fix error in iptables syntax in example firewall.sh script fix "resolvconf -p" invocation in example "up" script fix "common_name" environment for script calls when "--username-as-common-name" is in effect (Trac #1434) Documentation move "push-peer-info" documentation from "server options" to "client" (where it belongs) correct "foreign_option_{n}" typo in manpage update IRC information in CONTRIBUTING.rst (libera.chat) README.down-root: fix plugin module name
Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- lfs/openvpn | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lfs/openvpn b/lfs/openvpn index 9b2e7853c..27a052ae1 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -24,10 +24,10 @@
include Config
-VER = 2.5.4 +VER = 2.5.6
THISAPP = openvpn-$(VER) -DL_FILE = $(THISAPP).tar.xz +DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = ebc711981ab93da69ba033f3cf1ea1c99e86f700ec98809a3c401d59a6ecf53f977935aafd37df0233a0498762db01bed0555aeb99ab7e7903274e4d78997301 +$(DL_FILE)_BLAKE2 = d0466d2b95dae892606b6369d2c227add1de43fb708bf1c31a3ef78b28fc37382d501cc559767c8c8358ec28b88d3eb80a0eb915d7872ce30757c7080a37fde2
install : $(TARGET)
@@ -69,7 +69,7 @@ $(subst %,%_BLAKE2,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar Jxf $(DIR_DL)/$(DL_FILE) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && ./configure \ --prefix=/usr \ --sysconfdir=/var/ipfire/ovpn \
Reviewed-by: Peter Müller peter.mueller@ipfire.org
- Update from version 2.5.4 to 2.5.6
- Update of rootfile not required
- No changes related to ciphers or options
- Source tarball changed from .xz to .gz as for version 2.5.6 the xz options was not available. Raised on Openvpn forum but response was that they also didn't know why xz option was not available but they thought it was not a big deal as the gz version is only slightly larger.
Thank you for taking care about this.
- Changelog Overview of changes in 2.5.6 User-visible Changes update copyright year to 2022 New features new plugin (sample-plugin/defer/multi-auth.c) to help testing with multiple parallel plugins that succeed/fail in direct/deferred mode various build improvements (github actions etc) upgrade pkcs11-helper to release 1.28.4 Bugfixes CVE-2022-0547 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements If openvpn is configured with multiple authentication plugins and more than one plugin tries to do deferred authentication, the result is not well-defined - creating a possible authentication bypass. In this situation the server process will now abort itself with a clear log message. Only one plugin is allowed to do deferred authentication. Fix "--mtu-disc maybe|yes" on Linux Due to configure/syshead.h/#ifdef confusion, the code in question was not compiled-in since a long time. Fixed. Trac: #1452 Fix $common_name variable passed to scripts when username-as-common-name is in effect. This was not consistently set - sometimes, OpenVPN exported the username, sometimes the common name from the client cert. Fixed. Trac: #1434 Fix potential memory leaks in add_route() and add_route_ipv6(). Apply connect-retry backoff only to one side of the connection in p2p mode. Without that fix/enhancement, two sides could end up only sending packets when the other end is not ready. Trac: #1010, #1384 remove unused sitnl.h file clean up msvc build files, remove unused MSVC build .bat files repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes due to integer overflow, this ended up being "0" on Linux, but on Windows with MSVC it ends up being "always 2 Gbyte", both not doing what is requested. Trac: #1448 repair handling of EC certificates on Windows with pkcs11-helper (wrong compile-time defines for OpenSSL 1.1.1) Documentation documentation improvements related to DynDNS. Trac: #1417 clean up documentation for --proto and related options rebuild rst docs if input files change (proper dependency handling) Overview of changes in 2.5.5 User-visible Changes SWEET32/64bit cipher deprecation change was postponed to 2.7 Windows: use network address for emulated DHCP server as default this enables use of a /30 subnet, which is needed when connecting to OpenVPN Cloud. require EC support in windows builds (this means it's no longer possible to build a Windows OpenVPN binary with an OpenSSL lib without EC support) New features Windows build: use CFG and Spectre mitigations on MSVC builds bring back OpenSSL config loading to Windows builds. OpenSSL config is loaded from %installdir%\ssl\openssl.cnf (typically: c:\program files\openvpn\ssl\openssl.cnf) if it exists. This is important for some hardware tokens which need special OpenSSL config for correct operation. Trac #1296 Bugfixes Windows build: enable EKM Windows build: improve various vcpkg related build issues Windows build: fix regression related to non-writeable status files (Trac #1430) Windows build: fix regression that broke OpenSSL EC support Windows build: fix "product version" display (2.5..4 -> 2.5.4) Windows build: fix regression preventing use of PKCS12 files improve "make check" to notice if "openvpn --show-cipher" crashes improve argv unit tests ensure unit tests work with mbedTLS builds without BF-CBC ciphers include "--push-remove" in the output of "openvpn --help" fix error in iptables syntax in example firewall.sh script fix "resolvconf -p" invocation in example "up" script fix "common_name" environment for script calls when "--username-as-common-name" is in effect (Trac #1434) Documentation move "push-peer-info" documentation from "server options" to "client" (where it belongs) correct "foreign_option_{n}" typo in manpage update IRC information in CONTRIBUTING.rst (libera.chat) README.down-root: fix plugin module name
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
lfs/openvpn | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lfs/openvpn b/lfs/openvpn index 9b2e7853c..27a052ae1 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -24,10 +24,10 @@
include Config
-VER = 2.5.4 +VER = 2.5.6
THISAPP = openvpn-$(VER) -DL_FILE = $(THISAPP).tar.xz +DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = ebc711981ab93da69ba033f3cf1ea1c99e86f700ec98809a3c401d59a6ecf53f977935aafd37df0233a0498762db01bed0555aeb99ab7e7903274e4d78997301 +$(DL_FILE)_BLAKE2 = d0466d2b95dae892606b6369d2c227add1de43fb708bf1c31a3ef78b28fc37382d501cc559767c8c8358ec28b88d3eb80a0eb915d7872ce30757c7080a37fde2
install : $(TARGET)
@@ -69,7 +69,7 @@ $(subst %,%_BLAKE2,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD)
- @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar Jxf $(DIR_DL)/$(DL_FILE)
- @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && ./configure \ --prefix=/usr \ --sysconfdir=/var/ipfire/ovpn \