- Update to upstream OpenVPN 2.5.2
- Fixes CVE-2020-15078
- Replaces --ncp-ciphers with --data-ciphers in the server systemd service unit
Signed-off-by: David Sommerseth <dazo@eurephia.org>
The unit file patch had to be slightly adapted to fit with upstream
changes. And the signing key has been updated.
Signed-off-by: David Sommerseth <dazo@eurephia.org>
- Package upstream ChangeLog, which contains a bit more detail than Changes.rst
- Cleaned up spec file further, removed Group: tag, trimmed changelog section,
added gcc to BuildRequires.
- Excluded irrelevant file, README.mbedtls
- Package upstream version of README.systemd
- Fix wrong group owner of /etc/openvpn/{client,server} (rhbz#1526743)
- Changed crypto self-test to test AES-{128,256}-{CBC,GCM} instead of only BF-CBC (deprecated)
- Change /run/openvpn-{client,server} permissions to be 0750 instead of 0710, with group set to openvpn
Signed-off-by: David Sommerseth <dazo@eurephia.org>
These have not been in use for a long time. No need to carry them here
any longer. And if needed, they're in the git history.
Signed-off-by: David Sommerseth <dazo@eurephia.org>
At the same time, utilize the Negotiable Crypto Parameters (NCP) feature
in OpenVPN v2.4, which allows clients using the old BF-CBC default cipher
to connect without any issues.
F-27 Change request: https://fedoraproject.org/wiki/Changes/New_default_cipher_in_OpenVPN
This change was approved in the FESCO meeting 2017-08-04.
Also fix a truncated changelog entry for openvpn-2.4.3-1
- Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508}
- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-752
- Fix potential double-free in --x509-alt-username {CVE-2017-7521}
- Fix remote-triggerable memory leaks {CVE-2017-7521}
- Ensure OpenVPN systemd services are restarted upon upgrades
- Verify PGP signature of source tarball as part of package building
- Build against system lz4 library
Also:
- Switching back to OpenSSL 1.0, via compat-openssl10 and
compat-openssl10-pkcs11-helper (rhbz#1443749, rhbz#1432125, rhbz#1440468)
- Re-enable --enable-x509-alt-username which got removed during the clean-up
patches (rhbz#1443942)
- Build with lz4 library from Fedora
- Splitting out -devel files into a separate package
- Removed several contrib and sample files which are not
strictly needed in this package.
- build: Enable test runs by default, long running tests can
be disabled with "--without tests_long"
- build: Removed defined %%{plugins} macro not in use
- Added .rpmlint to whitelist false positives