From 4214b7e7997683dcdd6953ae31db409d31ecc013 Mon Sep 17 00:00:00 2001
From: David Sommerseth <dazo@eurephia.org>
Date: Wed, 21 Apr 2021 15:11:13 +0200
Subject: [PATCH] Update to upstream OpenVPN 2.5.2

- Update to upstream OpenVPN 2.5.2
- Fixes CVE-2020-15078
- Replaces --ncp-ciphers with --data-ciphers in the server systemd service unit

Signed-off-by: David Sommerseth <dazo@eurephia.org>
---
 .gitignore                                    |   2 ++
 ...lt-cipher-to-AES-256-GCM-for-server-.patch |   2 +-
 ...54A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg | Bin 43297 -> 43992 bytes
 openvpn.spec                                  |   9 +++++++--
 sources                                       |   4 ++--
 5 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/.gitignore b/.gitignore
index 849fe2f..6907d80 100644
--- a/.gitignore
+++ b/.gitignore
@@ -66,3 +66,5 @@ openvpn-2.1.2.tar.gz.asc
 /openvpn-2.5.0.tar.xz.asc
 /openvpn-2.5.1.tar.xz
 /openvpn-2.5.1.tar.xz.asc
+/openvpn-2.5.2.tar.xz
+/openvpn-2.5.2.tar.xz.asc
diff --git a/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch b/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
index 7e11fe8..aca649e 100644
--- a/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
+++ b/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
@@ -23,7 +23,7 @@ index 9a8a2c7..0ecda08 100644
  PrivateTmp=true
  WorkingDirectory=/etc/openvpn/server
 -ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
-+ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf
++ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf
  CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
  LimitNPROC=10
  DeviceAllow=/dev/null rw
diff --git a/gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg b/gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
index d5abc3e52f84fd43d3463ec1c3b9260f64d9356f..8272cee5dd0b5a6ab233c728d6ce11ac3d7b5d56 100644
GIT binary patch
delta 3073
zcmai#X*AUR8^&jThQ<(PEMXF38`&nJ#!j|mOO`OQ4-&}|DjH;)D726@vMY+8B_7+9
zjBPC0ciESslAZd`b2`uK|C{@Kulu^MbKft%=X`QL10%!0yJ#3#&5{Fvf$Uf)sKF%-
z1s4RepkNG45CD}h8ZeMaQwsns*o2@Ull3_$nC_qn1v5Fk05I85ir#b9f`ZJPbVJ{T
zE(HyO0Pr^VC=6sURfK}Z{B+}&KD|6Z(+mDGeWcfso@msg%i5FlZG}uKP>>fvUl}1-
z0|ixVenCNhR}BD+5IYBeT}Dy>C`+JU@E%K-KG*1S?sO0g9J8dq^e@nj3O8v0yevBl
z2lLG7Be6Pk1AATx0Nu>+0JwBa4gjwy6*GZT9`ekf%v}@!y5F}2K(!DF0HlN=0gx|-
z0DyfF`Y<qnTq;Pa1&+fU^;E2&9FVOgx7tZy%KG{Z?2D|Xlh*|&DiLufH?timtQzOI
zS-%=m;cvF)Tig{_#x|5Z4?alvAC^2OnwhAJ-qV{%!R-#QD#XNN=UK&X$(W)s5JZ|~
zUFAYch8agUbKbOHdK}NQkgvH9Yw8Wdx#ub?$Dih&Dy}9?CKsuF%QBd5xx&HW&UW|k
ztJncS)9{S%GVXWC)5dll-MSP*n=#=?Cadm?=Z#>vRV98exK9q4(KnHjj>G7^CE8nS
zoH5lnTzf6$T-fcl!c0QpK7?whZ>C)23sa3L9DMMH=yt%_%_Tg$UuLe8SD(q?Fpaii
z);zOKLcJmdr^W2Ls!qQD`TzyaFd8i8j+8THTHC$D%d&OMW@EfNPqU}#MBWZBvN%*w
zVlq?rqH!@+q0KM)|BAR)(0=kI^+$&-7D6_XU~`wA?|Yt_FfJaX<~ZSAZ$kLSpRJ$v
za5=H16!{e>_w(e^BFLh3^3b=qiJzjA+!dmDyK_m1XsB$z(oWcSt$^)FSCv`07c)28
zQr_G0oA+^Ze4)U58p<!OcbYaNEl1|=^+V!oU=Jc_YSyp}k#Lvb&Jvl4wcTSO`~9B2
z`c&grBJjLt4V;EeGUxYqr$**<61ENQhypJ>M{wKGx407Aw(1%q5(@91{|$F=kd9t)
zeLYEvZ6E$&IVT}uXYPLS=A{$}5(<HmVSX@PC>$crgMn>X<az|4dVV)-%;ciBb}DgF
z&?QFT-yZ{@0Y+x%pJ)i6$;|PeMF|js@zJ9K^yuNaU}3k7ZBbVJOf0fPsZE-3o%}Zn
zK`?Xt?U2^VZ`?T`9n5c8!>c21?^;NnvdZYybpZ`henmTfPlc_8kFKbvPZzxFw}c-E
zvqg#Gz!BUpwk2N!W#~G0oib&S1u^W5P#x%pw#&qHeW(_mC{`5N3idNw<ujD;=dlOz
zJ?PH~%4gV$A6ZHDe*Iu8bo8?N)d#tiUH&%|Wzx-keB@x1WWPM;Xwjwo)!h?a`9$Q;
z?tzRd6Zc$mU#)+v_Y-BmH#yv?J$*UZKCAn)XHW_5DEqFa{F-7);mjo4M}HNg{ybE0
zEN6C`m3Q&mmBX9Gic1m|%Rt%r=z_4>16Rzug++n3o1FKs<&i!IjjLj8r_l<z+5vZF
zM72m9V|LH^jrL<Xaf7rnTCHKDEF(FU)38w5#QM?HF7H_^g5(FyZ%%HmYwhfv$yxo>
zB+J-XvRX2z6B|viQ+-)P?$PBtc4fN3i0KctIX#r2l2)c@pC8D<LO!$EHSvnQR$vp)
zLq*par=!GkpK&-14W3UqibZnyV(Pr8YNRthV(Z*9m$pr<THRjvl*E)SJk1%%`CYdz
zjCSWf&FvzSX?V@7m)Cr+?0dX{#j4sS^<fe|_GhngNO7UXaR*CT2eF{Q<@n!q_Q~Z6
zw3-_$*n$krx$$>fyhE`ICJWir&L{1*YDUrSG)0?g`^^HmF+$fpXd5H``SKGccp6E^
zI9$kjskGcu+2|De5qFJ%d&KJ7P_|Z&Vt6E_VffNw+xoLgRr}Jj<IEnJ*_s<6!onw+
z7Xh@c+?2~v8Uu4=Vl1M|&yWx|zUY2RcD7vlpRN7T$MR>2rE)vijJF2svMYL1lL_^G
zkF4R(N4oEkyPJ8pw|X;l1FiIMDUV5NBO4FCxubW;A!g-Y^hyZZzw+i*QiSxG5V4kD
z%qdegUoNRN83bMsI;;SuY19ztY_`yLvVDQ;eb>Gfg%UOw_@lE{7Pjiu3Ag2X-zTF3
zdo!@5Mdxk#tLMS|!u~ht&Bp_GdERRZd^4%a*H5~y^NP_hw%6QtBZK&Gp*V}=%-P4A
zTEF*=;N7!2uBlz~O?1pOBGKXQEdp6sno*FfvLn}#T0npxS07zK3ROP4whw8h*c-H5
zrP&bPYdV^om5zPdBANDBR4jY8u7OK<)2TIZ!2_su5I7p<F8U#5lt>a)OVeAq8~&4J
zsa7a{;e!)a6RGmY<<p7yN;^@~eLZs-hSjkfK8vmqRT8H>SybW%3QyI}#F<>%=T(ky
z3QUg5(z`k@?a(>g=CaVHDnHpV3B4@H<~g%}=(l#snjP-@Z3IfeNrjcVwU60cI`OiZ
z#Tn*S%VE0Gc_pr<!->;atVigRP?ZVq+**xGAt97nR7?{YkdSjEa>wzJ9<LSR(58?k
z{2Hi@X}oHeNc>AARXCkUYriG%@yRao!cR8#_A)p%o6maWhi*BB{YW`k>a-ben|jY|
zIA`?{!uGZoV?q4fXsxP!jbBSUQ`e9aR4vQK-y*ntbn#~pSLcp&gYyrnZadQnvX~FT
zMbiHtQ4w)ZqSF9Lg?$7yw9-#}!1+Dl*k`Mvx1sJ2X^1PqUC)%#K$Om+%P8VAGz~d4
zG;Db_EpuAviJCN<75|)sv7kLnXUDMg<A=*Hb&^^h+}LWHEETkZRF(exm4DMr*LG+^
z`;BIiwvA!(#uucG+(GT+&5iD>L$isT-*~?7Ht*d)P+Z^9Na``D5sl(PSN4-z!3+xG
zZxm)w!h9u+-u^?ua?90?zA5@B7ZOgtY}F+=w_;E0&SoKRPpVwEKqtExCr?4adf}fd
zpHS?_bv?>12GOwBSve>6jzw}zzW70&5b@qud5_y5E``?C4Tla*4UeeDS;3=^%eTB8
zpbQKp`nJ2xkQ{ALnR|bxx)?)-`E*|BmiLovya#&BtTvkY^R~r{uGv}KFY`Sb?#)kN
z7&)t!*2>OpRNFAw@8h}56qh|8OsTBGij|ubN=h6L_-W=$J*92i>XpRj_~}AAUqNPe
zt0!iRdPbu`XJ1?Xt?a<UuOuCtDB^72;hvTrL~`+k4Cx#Y)sZUq5#N9~5t8UNE<%xE
z&=0!e>^6|wr+!xjvGDdUkpR{IOC(h|fM)$mq<{JHACaoa>__ODA9z8v#mS5c63x?_
zEMD8le$$c0bMHAH=_-=O=bSV(vlb$eybSa=pzK~#NohG)7~*5lVImyk)u}OwM01X^
z+xI?Bg1l+<z6#hgo;&hdxpA%Mqtb_L0Zgeyj`<9KS^T4bKJ$37JbhxaIU!fEZqG6|
z{EaJ{*ov9P9{7EU>c(|_=+n6Ej>t|sa>UBCDW&f<uZ=Bfzo2ML&8@*7AIv&X(Q_$c
zUa^3fMM4*)@NE*xP+pGOZ7PP&#wLzkJ|_GfGl)~Nu3@^<hWi4SX|IP@C-SK2BdPP&
z$`~;f%IS(I)Y%Kz36>J4TZ@U0G{m3UwfA<0;+26=$J-4u?200-VjMn1`Gf@f<+0!m
zq4p6m+E<e6!n0x-QZ+A|RQ(~#QB{ams7C_zV0mpcAZ}R%t1JQ5q^U>o5*{e@AQ{Fh
zUH2ExdmLz0uUPxv3uqU@e1BKUqT9GM7||(7smJ37_v`<;J>;td*=u4R+;}x9idpl5
zQDSY@oe0qhl4+71B}XXT(Db493>;?qWx}2e@w!r0*hB2gQolU1*L2jt9Trn!uwava
zSt(dnURc(y?u!g$Rikyb9RK}?-|W!O-eDS3t`sxzT3Y~{4^|#pA@?jD3v^%t075{k
iXro+94F45VF|VgrIoK5rsh8ju-QE%Po;gvvt@}UqO{(z#

delta 2305
zcma)+X*ARg8^+DwU>GzeOJ$of_BCe4(qt_pvOG<Vv6F1Wpkm}<Y)xd#V=YUKEoFJ|
zXBb<`k|JAWc~Da%$r?ox@0{nH&U@Z(@0a_W`*+{hb$_|eJuwb2MuA#76qJCY0Pwmd
z9s=&W;Q)}SRRjU)PzC_D9F&HD@_fn=&_;p`fbvo}2zU;r1_3uvvrte_5eossl{w5-
zgTt=#b7TZ<CIr+KGJ=8_J!1f58*==t&B#!YbZ!C$7CC7Epq^(rFBm3b0)Vq;IK|gd
z6##|RO(39&62~e-hI5E@SQP^L8E~{O<T-<C6;Auy<pcn#UBm-mvjs;nCaMbo1u+{C
z@IIb%NZf?O1jRYav#K1I)gzqZB+ZfSVL4N@wHg4v_0{I5B>_561O&z<Eq)Xl(!f{j
zG=OM~eEUP;+2iknahW>#Jb()_(U41kAMu;OkO;2UkBmwK)=n0tEi8`;XFeh84K157
z4E%L!8kt9J?T3yX!x019FKJLPja8EEOgz<6LDl0%%~bl9jpfU;b6uXxECI7ZuZ^Fy
zkvpc(23!mKe7tSqfx*P+ImcI|Nr%7NqGe)qk<ZJ;gW64)nXsYQ#N&CHqn+vdRb%JJ
zr$9^MCiXm!*THwUm9vN?v1LB?Iw}w5GKY(*_(FPCouZiEd`{dmZZUt9MfV|8*Ew7p
zlwJPO;bmqwbw!_ow>>^as5cMki>ad0(#J2-q#HhpSf=_{-I#}~EH4{t-l?qHBOrwi
zt&}g>g=Kbhq!K3)`GYcz*J&LNmrmD9M5fss?v(rMwlV6<?p0&z%D1Ukio@v&cXvJ+
zCjpz|IO&YFuuq>q6evE;6T=)7or0!Hb@bQhYIw-S%&ZQw0@_?oO~k$O6JPzYLGyI-
zu|{fFjI?NIq4oJm`MJTA;J{}s%>FuG5f5d9AW~zcC@k@IeH^QY$F#WI{}bkd1uj$S
z+p+H2sk0gV7DJ<AuUtKf-aUt-GBzXi9oKkJD^}{p4!v&J{RD}<Mllb+X7eKZSTU4U
zaVyhOx85JyoINalW4Qz2r1{5|`_Iq*qh4wB_tE)qq8hvI8iPtw3H;{Jxij|d<E^LW
zdyNEo=otpD5Mg2VGM5iK6qYN5?$z#8A8$?qto}_7hLfCVPcmpiX+<q-SnUS}O~=$w
z{`kxTxMEI+X4(cw(tab6O9-x(LBg5J{k_xd)vwL#1zE~G_o!>(#kCgnY;4@IU*Q&;
za`nKUhnlr)9tn+vYB@RD=)xx$itS#>%D3?9yXy~v<>ODvMHmiBnisy2NAKW-y0pDe
zQ8!)au5!4fChr25BeA%4sfC{g#P4@<qKHg&D?!?djON=%UJ04LT3j)CkiF<C;Sdx|
z%SP~f@Blu+TZU?a-H2L!sM2K2G~{M&@BSj*FPDx{jLTb7?^=^8eiQrYihf%tkE}!N
zw)eaG`P3<;mE*vm)WR~8*?v|~?|`Q;FZVK0v(`bTq>$27J35n!7L0ndy@gk;&~AEB
zp-d|~y;>yo#_Mih*hL(^E2QVLe3*O|Ju4wnCzLDwWwnuKE0A5M0bz%~CCW~+^>VGb
zjH~+zjC@-=#U>uKinDyniR1-|&BJwkk4KtW)zI$?H9ivlW*MT8PO&9i(i(o;Q1~d2
z5+++1<{e<zduw#ugK=OpZ@tJchxeyzJ8dYd{0eLnEl*pR8b%IG=Fcj>3hKUfZ`m)K
zT-c*hE3kcF%h%rO>D<thMebocY3p+Rf=u#<7pa%?Nnfmm!VqHxT4uGsS|?;iZ@yKm
zx6ZhogPt7jL+J!pC#M#%zG*kC+`oh>nMN}*jFH*9f=K-r_`}z|N2=1JH&608`Qv2X
zvjS^P*G=kfg$Unt->vz7qGR6pKhe2Ri{NU{o;e?=KNe8m8-6q5;+A&D)Kd7@A*H&0
zV$s=Gq}DG^_z4-kIx;maVlhHAo>{Cq^QcD6C~Qi|kKFh^VXRV`e}H-%gXGUz`Ma~C
zs*yF@YcERAp|(9<i3u%QS7jvh2s?&nYfeN2uIeCj1orsVPtdsG`Z?1Cw+2gIlGDRk
z%g<INe+rh5{qyBDHcM`HYOpkABN(x0Vk+0R#WjKIe2uVNg&Mx5>$7_f6rblE_cjuk
zK3t|7;c!TECtccL*@PnZrxJz9Z5QL*B}BPO=R1y-Tu%(~odZr<@|X2QYRbM_WCYFH
zqG!krk0toahG=?0caw(|mmX}0)jrv_Ig|LNqFM2D{G*86>ywdY$N?CYxPP*L&)TS8
zpOKQ}Ho2ur`lX(JO%>gptvP^(i|CKlH9E`}D8RQ9e9y)Ipcd{;uca)`W2;S7C91dG
zheNUnYi(b<NXqjtekBz<`{acO`@>nw_<+gD&)vx(skD-(4_PhetqK^tHrcvtdYa3`
zOaR7Az!~;X$g$;P!O-P^m@++S*KG6+#_=HlqctObpPEFYgqXiBu1vX-K&G%@!zqrf
zmI;|><4SI`nSwwVgntg$G4=6zc<FNfKUdvv2p@r+h<f0Vm$UTp9IH<w*$BJ(+I{hw
zGg314Dz1-EwxoDW>gtR^X<D^1)IACE->-8QOGtV_2_-#V7Zq6XBy+jr`A%`ZPN>+6
zf1~posk!j&3KjIev1oOchQQ4)FCN`^)2(LewQuh;+F8yPGx7`AhiqF+9Em?ArsgIn
zqm%@&J-hVA*BLe6yPZkc^^2X!dcaz)a#lqbJKr5YDt8+082osv>`TH|^QS0XdnEj>
z_xv>ww6*UY+8*(9vlb84O`WF&_qb;#P95Uq6%R=#w+1VeSMX38p%q&`Av+_@4w_fk
zR?b`yMS+jShq@1932qCS7<)>%sN@H>c-s;~?C639-@DDU!*#TV%2J$zyH?ZmOAq?9
z8$dj^;sU8k>n6NX_G!mG&6NCVrQFg}0xtLfL=6i&M=lNh`Xz`s&Jga<<evLWbVTR5
p-`bHrM-UN;1i<Jp1pq`{bq2svst5pzM43auhU=X6Vr;eSe*mgmDslh-

diff --git a/openvpn.spec b/openvpn.spec
index 2c22855..8432d48 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -5,8 +5,8 @@
 %bcond_without tests_long
 
 Name:              openvpn
-Version:           2.5.1
-Release:           2%{?dist}
+Version:           2.5.2
+Release:           1%{?dist}
 Summary:           A full-featured TLS VPN solution
 URL:               https://community.openvpn.net/
 Source0:           https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.xz
@@ -193,6 +193,11 @@ getent passwd openvpn &>/dev/null || \
 
 
 %changelog
+* Wed Apr 21 2021 David Sommerseth <davids@openvpn.net> - 2.5.2-1
+- Update to upstream OpenVPN 2.5.2
+- Fixes CVE-2020-15078
+- Replaces --ncp-ciphers with --data-ciphers in the server systemd service unit
+
 * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.5.1-2
 - Rebuilt for updated systemd-rpm-macros
   See https://pagure.io/fesco/issue/2583.
diff --git a/sources b/sources
index c3c4ce1..5a4d97e 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (openvpn-2.5.1.tar.xz) = 7c0adad384f908bd7dbd839a2b90cbe3a4222cac92ef484df89709ca5dd6cb22b3caf19b696c2bb74d7eda148904a8b25f1fe4640c91f0e68d6e65bcf922e0f4
-SHA512 (openvpn-2.5.1.tar.xz.asc) = 44075753973aaec67a2f01f8efa3a7998bfbac77fd333267ed918a56ef884d8264004296bfb3b3ffee3e724a1614dffccdc93a4abe5fe128d8ee668c03df73ed
+SHA512 (openvpn-2.5.2.tar.xz) = ae2cac00ae4b9e06e7e70b268ed47d36bbb45409650175e507d5bfa12b0a4f24bccc64f2494d1563f9269c8076d0f753a492f01ea33ce376ba00b7cdcb5c7bd0
+SHA512 (openvpn-2.5.2.tar.xz.asc) = 49a5f1828d8621e8d71665435efbc5fb55baee9db44c4d8768159667fdddf2ce30c964a11aa6fb28fee37adc34ff5ca8c9eb4c0669b4d847a9ffd0f8aab871b4