From 31847e11e7f9bf2d1363b154bf06a88668d811f2 Mon Sep 17 00:00:00 2001
From: David Sommerseth
Date: Wed, 21 Jun 2017 12:57:07 +0200
Subject: [PATCH] Updating to upstream openvpn-2.4.3
- Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508}
- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-752
- Fix potential double-free in --x509-alt-username {CVE-2017-7521}
- Fix remote-triggerable memory leaks {CVE-2017-7521}
- Ensure OpenVPN systemd services are restarted upon upgrades
- Verify PGP signature of source tarball as part of package building
- Build against system lz4 library
---
 .gitignore | 2 ++
 openvpn.spec | 28 ++++++++++++++++++++++------
 sources | 4 ++--
 3 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/.gitignore b/.gitignore
index 0d3f26f..6f170a0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -48,3 +48,5 @@ openvpn-2.1.2.tar.gz.asc
 /openvpn-2.4.1.tar.xz.asc
 /openvpn-2.4.2.tar.xz
 /openvpn-2.4.2.tar.xz.asc
+/openvpn-2.4.3.tar.xz.asc
+/openvpn-2.4.3.tar.xz
diff --git a/openvpn.spec b/openvpn.spec
index 576346f..c004eb4 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -6,8 +6,8 @@
 %bcond_without tests_long
 Name: openvpn
-Version: 2.4.2
-Release: 2%{?prerelease:.%{prerelease}}%{?dist}
+Version: 2.4.3
+Release: 1%{?prerelease:.%{prerelease}}%{?dist}
 Summary: A full-featured SSL VPN solution
 URL: https://community.openvpn.net/
 Source0: https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz
@@ -15,16 +15,20 @@ Source1: https://swupdate.openvpn.org/community/releases/%{name}-%{ver
 Source2: roadwarrior-server.conf
 Source3: roadwarrior-client.conf
 Source4: README.systemd
+# Upstream signing key
+Source6: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
 License: GPLv2
 Group: Applications/Internet
 BuildRequires: systemd-devel
 BuildRequires: lzo-devel
 BuildRequires: lz4-devel
-BuildRequires: compat-openssl10-devel
-BuildRequires: compat-openssl10-pkcs11-helper-devel >= 1.11
+BuildRequires: openssl-devel
+BuildRequires: pkcs11-helper-devel >= 1.11
 BuildRequires: pam-devel
 # For the perl_default_filter macro
 BuildRequires: perl-macros
+%{?systemd_requires}
+BuildRequires: systemd
 BuildRequires: systemd-units
 BuildRequires: libselinux-devel
 # For /sbin/ip.
@@ -61,6 +65,7 @@ to similar features as the various script-hooks.
 %prep
+gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0}
 %setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}}
 sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8
@@ -149,8 +154,9 @@ getent passwd openvpn &>/dev/null || \
 %systemd_preun openvpn-server@\*.service
 %postun
-%systemd_postun openvpn-client@\*.service
-%systemd_postun openvpn-server@\*.service
+%systemd_postun_with_restart openvpn-client@\*.service
+%systemd_postun_with_restart openvpn-server@\*.service
+%systemd_postun_with_restart openvpn@\*.service
 %files
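Review bot: The swap from `compat-openssl10-devel` / `compat-openssl10-pkcs11-helper-devel` to `openssl-devel` / `pkcs11-helper-devel` in the `@@ -15,16 +15,20 @@` hunk changes which TLS library the VPN daemon is built against, yet neither the commit message nor the new `%changelog` entry mentions it. The entry that is there, "Build against system lz4 library", matches no change in this patch, since `BuildRequires: lz4-devel` is an unchanged context line; possibly the OpenSSL switch was meant. I would record it explicitly, e.g. `- Build against system OpenSSL and pkcs11-helper instead of the compat-openssl10 packages`, so the crypto-library change can be audited from the package history. The same changelog entry also carries a CVE identifier that is cut off (`{CVE-2017-752`) and should be completed from the upstream advisory.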
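Review bot: The `gpgv2` call added to `%prep` in the `@@ -61,6 +65,7 @@` hunk depends on a tool that no visible `BuildRequires` line declares, so the signature check only works if the build root happens to contain it. Add `BuildRequires: gnupg2` next to the other build dependencies; that list continues outside the hunks shown, so confirm it is not already present. The check trusts whatever key file is committed as `Source6`, so the fingerprint embedded in its file name should be compared against the one upstream publishes before the key is accepted into the package repository. A short comment above the call, such as `# Fail the build unless Source0 carries a valid signature from the pinned upstream key`, would make the intent clear to the next maintainer.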
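Review bot: The third line added under `%postun` in the `@@ -149,8 +154,9 @@` hunk, `%systemd_postun_with_restart openvpn@\*.service`, has no counterpart in the visible `%preun` context, which ends with `%systemd_preun openvpn-server@\*.service`. The `%preun` and `%post` sections start outside the hunk, so check whether `openvpn@\*.service` is handled there and add `%systemd_preun openvpn@\*.service` if it is not. Restarting on upgrade is what gets the CVE fixes into already-running daemons, but it also drops every active tunnel during a package update, including on hosts that are administered over the VPN. A comment such as `# Restart running instances so security fixes take effect immediately` would document that this is deliberate.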
@@ -178,6 +184,16 @@ getent passwd openvpn &>/dev/null || \
 %changelog
+* Wed Jun 21 2017 David Sommerseth - 2.4.3-1
+- Updating to upstream openvpn-2.4.3
+- Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508}
+- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-752
+- Fix potential double-free in --x509-alt-username {CVE-2017-7521}
+- Fix remote-triggerable memory leaks {CVE-2017-7521}
+- Ensure OpenVPN systemd services are restarted upon upgrades
+- Verify PGP signature of source tarball as part of package building
+- Build against system lz4 library
+
 * Fri May 12 2017 David Sommerseth - 2.4.2-2
 - Install and take ownership of /run/openvpn-{client,server} (rhbz#1444601)
 - Install and take ownership of /var/lib/openvpn (rhbz#922786)
diff --git a/sources b/sources
index 9b1a161..bce4172 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (openvpn-2.4.2.tar.xz) = 438f16ac2d12dfd9f11ebcddebf709102046c71b4c4608a294da552587ea346d6ebb8c916f717bce992057754d6bc35ca1df5653fc907cc0003d9e34c92da963
-SHA512 (openvpn-2.4.2.tar.xz.asc) = 2deed80ef3b7017b2eb60931810c1902b855e9ba734caa012842227963c1ffe1ecb90b5912123ce0e4001e2dee52b9a735df91137562ed39e0a0bb24ac3f6ba5
+SHA512 (openvpn-2.4.3.tar.xz.asc) = 75fdf046e407cf02e30a3f3bd4dbd7e65c34a30e67670f2359b4b0442ee30831e80238539a6e784c28795ba1505ad57dffc8042f1cb472d82754535d50ccfe40
+SHA512 (openvpn-2.4.3.tar.xz) = 26d25bb71c5ecfa398924b3ee3dec16b2776b3d67cf0b532c2b8a4368f1307bbd04b80ed38f0344c313aab38ec6e4e4f9bf2b3bc90bc197b2f257288e72eb5d8