Message ID | 20220414082112.4096021-1-adolf.belka@ipfire.org |
---|---|
State | Accepted |
Commit | 75072c7702208179b392570485d5b301673525a0 |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4KfC8v50z8z3x1Y for <patchwork@web04.haj.ipfire.org>; Thu, 14 Apr 2022 08:21:19 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4KfC8t6sGyz4Kd; Thu, 14 Apr 2022 08:21:18 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4KfC8t6bxSz2yZk; Thu, 14 Apr 2022 08:21:18 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4KfC8s3FHfz2xWY for <development@lists.ipfire.org>; Thu, 14 Apr 2022 08:21:17 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4KfC8s0Dzhz4Kd; Thu, 14 Apr 2022 08:21:17 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1649924477; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=auIZFwWSyTwfY9UK44eAuyk6qWJislHb7ZBTIG6kxfA=; b=100v4rMo/WCZDyD2nAWR3bJmPoXC+0VuDmzJmQUaYnUo+HDeIzbr+b/jpQdTad8Vhy1FHm IoAU7hmHmyt+h4Bg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1649924477; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=auIZFwWSyTwfY9UK44eAuyk6qWJislHb7ZBTIG6kxfA=; b=OwWeCcLMyAzchA33VGyqVp2nrRhsIJyA0hzPTXeUaCOq0rdfgqnPvFx49e8tTN5IYDt6PY cMucCtVgVHNdngXoyL8R4qnrxqcTVCgVtS7uAzT5lB/OzaZ9hcMcAoS/xCZULhJNVvaPQt zBTycxcacbhWIllr/9b/KCj4s5a57GlsmoVvNjpP1ITc16UThS6X5tsYJW3gHuc49YaNfV 6dZcxt7XeaZeKFg8nfeQOw57qhQ2WiyNJxTlwGEBkti9u6rURDL0jlWVl+3g9K1WLg9jEa WYHUyBMHnLTRxCoZCs3BUu9u5wcmB5Q+vNgePeWMVYWq+VPXfDOESluiKPsJZA== From: Adolf Belka <adolf.belka@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] openvpn: Update to version 2.5.6 Date: Thu, 14 Apr 2022 10:21:12 +0200 Message-Id: <20220414082112.4096021-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series |
openvpn: Update to version 2.5.6
|
|
Commit Message
Adolf Belka
April 14, 2022, 8:21 a.m. UTC
- Update from version 2.5.4 to 2.5.6
- Update of rootfile not required
- No changes related to ciphers or options
- Source tarball changed from .xz to .gz as for version 2.5.6 the xz options was not
available. Raised on Openvpn forum but response was that they also didn't know why xz
option was not available but they thought it was not a big deal as the gz version is
only slightly larger.
- Changelog
Overview of changes in 2.5.6
User-visible Changes
update copyright year to 2022
New features
new plugin (sample-plugin/defer/multi-auth.c) to help testing with multiple
parallel plugins that succeed/fail in direct/deferred mode
various build improvements (github actions etc)
upgrade pkcs11-helper to release 1.28.4
Bugfixes
CVE-2022-0547 see
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
If openvpn is configured with multiple authentication plugins and more than
one plugin tries to do deferred authentication, the result is not
well-defined - creating a possible authentication bypass.
In this situation the server process will now abort itself with a clear log
message. Only one plugin is allowed to do deferred authentication.
Fix "--mtu-disc maybe|yes" on Linux
Due to configure/syshead.h/#ifdef confusion, the code in question was not
compiled-in since a long time. Fixed. Trac: #1452
Fix $common_name variable passed to scripts when username-as-common-name is
in effect.
This was not consistently set - sometimes, OpenVPN exported the username,
sometimes the common name from the client cert. Fixed. Trac: #1434
Fix potential memory leaks in add_route() and add_route_ipv6().
Apply connect-retry backoff only to one side of the connection in p2p mode.
Without that fix/enhancement, two sides could end up only sending packets
when the other end is not ready. Trac: #1010, #1384
remove unused sitnl.h file
clean up msvc build files, remove unused MSVC build .bat files
repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
due to integer overflow, this ended up being "0" on Linux, but on Windows
with MSVC it ends up being "always 2 Gbyte", both not doing what is
requested. Trac: #1448
repair handling of EC certificates on Windows with pkcs11-helper
(wrong compile-time defines for OpenSSL 1.1.1)
Documentation
documentation improvements related to DynDNS. Trac: #1417
clean up documentation for --proto and related options
rebuild rst docs if input files change (proper dependency handling)
Overview of changes in 2.5.5
User-visible Changes
SWEET32/64bit cipher deprecation change was postponed to 2.7
Windows: use network address for emulated DHCP server as default this
enables use of a /30 subnet, which is needed when connecting to OpenVPN Cloud.
require EC support in windows builds (this means it's no longer possible to
build a Windows OpenVPN binary with an OpenSSL lib without EC support)
New features
Windows build: use CFG and Spectre mitigations on MSVC builds
bring back OpenSSL config loading to Windows builds. OpenSSL config is
loaded from %installdir%\ssl\openssl.cnf (typically:
c:\program files\openvpn\ssl\openssl.cnf) if it exists.
This is important for some hardware tokens which need special OpenSSL
config for correct operation. Trac #1296
Bugfixes
Windows build: enable EKM
Windows build: improve various vcpkg related build issues
Windows build: fix regression related to non-writeable status files
(Trac #1430)
Windows build: fix regression that broke OpenSSL EC support
Windows build: fix "product version" display (2.5..4 -> 2.5.4)
Windows build: fix regression preventing use of PKCS12 files
improve "make check" to notice if "openvpn --show-cipher" crashes
improve argv unit tests
ensure unit tests work with mbedTLS builds without BF-CBC ciphers
include "--push-remove" in the output of "openvpn --help"
fix error in iptables syntax in example firewall.sh script
fix "resolvconf -p" invocation in example "up" script
fix "common_name" environment for script calls when
"--username-as-common-name" is in effect (Trac #1434)
Documentation
move "push-peer-info" documentation from "server options" to "client"
(where it belongs)
correct "foreign_option_{n}" typo in manpage
update IRC information in CONTRIBUTING.rst (libera.chat)
README.down-root: fix plugin module name
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
lfs/openvpn | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
Comments
Reviewed-by: Peter Müller <peter.mueller@ipfire.org> > - Update from version 2.5.4 to 2.5.6 > - Update of rootfile not required > - No changes related to ciphers or options > - Source tarball changed from .xz to .gz as for version 2.5.6 the xz options was not > available. Raised on Openvpn forum but response was that they also didn't know why xz > option was not available but they thought it was not a big deal as the gz version is > only slightly larger. Thank you for taking care about this. > - Changelog > Overview of changes in 2.5.6 > User-visible Changes > update copyright year to 2022 > New features > new plugin (sample-plugin/defer/multi-auth.c) to help testing with multiple > parallel plugins that succeed/fail in direct/deferred mode > various build improvements (github actions etc) > upgrade pkcs11-helper to release 1.28.4 > Bugfixes > CVE-2022-0547 see > https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements > If openvpn is configured with multiple authentication plugins and more than > one plugin tries to do deferred authentication, the result is not > well-defined - creating a possible authentication bypass. > In this situation the server process will now abort itself with a clear log > message. Only one plugin is allowed to do deferred authentication. > Fix "--mtu-disc maybe|yes" on Linux > Due to configure/syshead.h/#ifdef confusion, the code in question was not > compiled-in since a long time. Fixed. Trac: #1452 > Fix $common_name variable passed to scripts when username-as-common-name is > in effect. > This was not consistently set - sometimes, OpenVPN exported the username, > sometimes the common name from the client cert. Fixed. Trac: #1434 > Fix potential memory leaks in add_route() and add_route_ipv6(). > Apply connect-retry backoff only to one side of the connection in p2p mode. > Without that fix/enhancement, two sides could end up only sending packets > when the other end is not ready. Trac: #1010, #1384 > remove unused sitnl.h file > clean up msvc build files, remove unused MSVC build .bat files > repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes > due to integer overflow, this ended up being "0" on Linux, but on Windows > with MSVC it ends up being "always 2 Gbyte", both not doing what is > requested. Trac: #1448 > repair handling of EC certificates on Windows with pkcs11-helper > (wrong compile-time defines for OpenSSL 1.1.1) > Documentation > documentation improvements related to DynDNS. Trac: #1417 > clean up documentation for --proto and related options > rebuild rst docs if input files change (proper dependency handling) > Overview of changes in 2.5.5 > User-visible Changes > SWEET32/64bit cipher deprecation change was postponed to 2.7 > Windows: use network address for emulated DHCP server as default this > enables use of a /30 subnet, which is needed when connecting to OpenVPN Cloud. > require EC support in windows builds (this means it's no longer possible to > build a Windows OpenVPN binary with an OpenSSL lib without EC support) > New features > Windows build: use CFG and Spectre mitigations on MSVC builds > bring back OpenSSL config loading to Windows builds. OpenSSL config is > loaded from %installdir%\ssl\openssl.cnf (typically: > c:\program files\openvpn\ssl\openssl.cnf) if it exists. > This is important for some hardware tokens which need special OpenSSL > config for correct operation. Trac #1296 > Bugfixes > Windows build: enable EKM > Windows build: improve various vcpkg related build issues > Windows build: fix regression related to non-writeable status files > (Trac #1430) > Windows build: fix regression that broke OpenSSL EC support > Windows build: fix "product version" display (2.5..4 -> 2.5.4) > Windows build: fix regression preventing use of PKCS12 files > improve "make check" to notice if "openvpn --show-cipher" crashes > improve argv unit tests > ensure unit tests work with mbedTLS builds without BF-CBC ciphers > include "--push-remove" in the output of "openvpn --help" > fix error in iptables syntax in example firewall.sh script > fix "resolvconf -p" invocation in example "up" script > fix "common_name" environment for script calls when > "--username-as-common-name" is in effect (Trac #1434) > Documentation > move "push-peer-info" documentation from "server options" to "client" > (where it belongs) > correct "foreign_option_{n}" typo in manpage > update IRC information in CONTRIBUTING.rst (libera.chat) > README.down-root: fix plugin module name > > Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> > --- > lfs/openvpn | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/lfs/openvpn b/lfs/openvpn > index 9b2e7853c..27a052ae1 100644 > --- a/lfs/openvpn > +++ b/lfs/openvpn > @@ -24,10 +24,10 @@ > > include Config > > -VER = 2.5.4 > +VER = 2.5.6 > > THISAPP = openvpn-$(VER) > -DL_FILE = $(THISAPP).tar.xz > +DL_FILE = $(THISAPP).tar.gz > DL_FROM = $(URL_IPFIRE) > DIR_APP = $(DIR_SRC)/$(THISAPP) > TARGET = $(DIR_INFO)/$(THISAPP) > @@ -40,7 +40,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_BLAKE2 = ebc711981ab93da69ba033f3cf1ea1c99e86f700ec98809a3c401d59a6ecf53f977935aafd37df0233a0498762db01bed0555aeb99ab7e7903274e4d78997301 > +$(DL_FILE)_BLAKE2 = d0466d2b95dae892606b6369d2c227add1de43fb708bf1c31a3ef78b28fc37382d501cc559767c8c8358ec28b88d3eb80a0eb915d7872ce30757c7080a37fde2 > > install : $(TARGET) > > @@ -69,7 +69,7 @@ $(subst %,%_BLAKE2,$(objects)) : > > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar Jxf $(DIR_DL)/$(DL_FILE) > + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) > cd $(DIR_APP) && ./configure \ > --prefix=/usr \ > --sysconfdir=/var/ipfire/ovpn \
diff --git a/lfs/openvpn b/lfs/openvpn index 9b2e7853c..27a052ae1 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -24,10 +24,10 @@ include Config -VER = 2.5.4 +VER = 2.5.6 THISAPP = openvpn-$(VER) -DL_FILE = $(THISAPP).tar.xz +DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = ebc711981ab93da69ba033f3cf1ea1c99e86f700ec98809a3c401d59a6ecf53f977935aafd37df0233a0498762db01bed0555aeb99ab7e7903274e4d78997301 +$(DL_FILE)_BLAKE2 = d0466d2b95dae892606b6369d2c227add1de43fb708bf1c31a3ef78b28fc37382d501cc559767c8c8358ec28b88d3eb80a0eb915d7872ce30757c7080a37fde2 install : $(TARGET) @@ -69,7 +69,7 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar Jxf $(DIR_DL)/$(DL_FILE) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && ./configure \ --prefix=/usr \ --sysconfdir=/var/ipfire/ovpn \