- Added additional upstream patch resolving BF-CBC issues (to be removed with 2.5.8)
https://patchwork.openvpn.net/patch/2504/
- Removed BF-CBC from the --data-ciphers list. This is no longer available by default
in OpenSSL 3.0
Signed-off-by: David Sommerseth <dazo@eurephia.org>
- Update to upstream OpenVPN 2.5.2
- Fixes CVE-2020-15078
- Replaces --ncp-ciphers with --data-ciphers in the server systemd service unit
Signed-off-by: David Sommerseth <dazo@eurephia.org>
The unit file patch had to be slightly adapted to fit with upstream
changes. And the signing key has been updated.
Signed-off-by: David Sommerseth <dazo@eurephia.org>
- Package upstream ChangeLog, which contains a bit more details than Changes.rst
- Cleaned up spec file further, removed Group: tag, trimmed changelog section,
added gcc to BuildRequires.
- Excluded irrelevant file, README.mbedtls
- Package upstream version of README.systemd
- Fix wrong group owner of /etc/openvpn/{client,server} (rhbz#1526743)
- Changed crypto self-test to test AES-{128,256}-{CBC,GCM} instead of only BF-CBC (deprecated)
- Change /run/openvpn-{client,server} permissions to be 0750 instead of 0710, with group set to openvpn
Signed-off-by: David Sommerseth <dazo@eurephia.org>
At the same time, utilize the Negotiable Crypto Parameters (NCP) feature
in OpenVPN v2.4, which allows clients using the old BF-CBC default cipher
to connect without any issues.
F-27 Change request: https://fedoraproject.org/wiki/Changes/New_default_cipher_in_OpenVPN
This change was approved in the FESCO meeting 2017-08-04.
Also fix a truncated changelog entry for openvpn-2.4.3-1
- Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508}
- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-752
- Fix potential double-free in --x509-alt-username {CVE-2017-7521}
- Fix remote-triggerable memory leaks {CVE-2017-7521}
- Ensure OpenVPN systemd services are restarted upon upgrades
- Verify PGP signature of source tarball as part of package building
- Build against system lz4 library
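As an added illustration of the cipher negotiation these entries describe (it is not from the package or its commit history), here is a server configuration fragment in OpenVPN's own syntax: the 2.4-style form that kept BF-CBC in the negotiable list so legacy clients could still connect, beside the 2.5 / OpenSSL 3.0 form that drops it. The exact cipher lists are assumed, not copied from the Fedora unit file.

```conf
# Before (OpenVPN 2.4 style; cipher list is an assumption for illustration):
# NCP lets modern clients negotiate AES-GCM, while a client that still
# defaults to BF-CBC is accepted because BF-CBC remains in the list.
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC

# After (OpenVPN 2.5 built against OpenSSL 3.0): --ncp-ciphers is renamed
# --data-ciphers and BF-CBC is removed, since OpenSSL 3.0 no longer
# provides it by default. A client whose only cipher is BF-CBC now fails
# negotiation; 2.5's --data-ciphers-fallback cannot help here, because it
# can only fall back to a cipher the crypto library still provides.
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
```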
Also:
- Switching back to OpenSSL 1.0, via compat-openssl10 and
compat-openssl10-pkcs11-helper (rhbz#1443749, rhbz#1432125, rhbz#1440468)
- Re-enable --enable-x509-alt-username which got removed during the clean-up
patches (rhbz#1443942)
- Build with lz4 library from Fedora
- Splitting out -devel files into a separate package
- Removed several contrib and sample files which are not
strictly needed in this package.
- build: Enable test runs by default; long-running tests can
be disabled with "--without tests_long"
- build: Removed defined %%{plugins} macro not in use
- Added .rpmlint to whitelist false positives
- Use systemd-rpm macros
- Remove %triggerun for openvpn < 2.2.1 (which is way too old anyhow
for newer Fedoras)
- Fixed several issues with installed files
- Fixed ./configure arguments - several of them were outdated or
used wrongly
- Removed the deprecated openvpn@.service in favour of the new
upstream unit files
- Added README.systemd which describes the new unit files
- Fixed wrong mixing of %doc and %{_pkgdocdir} causing duplication
of sample and contrib directories
- Install management-notes.txt, which contains useful information
about the OpenVPN management interface commands
- Don't own %{_localstatedir}/run/%{name} ... that's handled by
tmpfiles.d/openvpn.conf instead.
- Own /etc/openvpn{,client,server}/
- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1
and RIPE-160 hashing algorithms (based on OpenVPN 3 legacy profile)
- Removed non-functional ./configure options
- Use upstream tmpfiles.d/openvpn
- Package newer openvpn-client/server@.service unit files