.gitignore

@@ -1,86 +1,2 @@
-openvpn-2.1.1.tar.gz
-openvpn-2.1.1.tar.gz.asc
-openvpn-2.1.2.tar.gz
-openvpn-2.1.2.tar.gz.asc
-/openvpn-2.1.3.tar.gz
-/openvpn-2.1.3.tar.gz.asc
-/openvpn-2.1.4.tar.gz
-/openvpn-2.1.4.tar.gz.asc
-/openvpn-2.2.0.tar.gz
-/openvpn-2.2.0.tar.gz.asc
-/openvpn-2.2.1.tar.gz
-/openvpn-2.2.1.tar.gz.asc
-/openvpn-2.2.2.tar.gz
-/openvpn-2.2.2.tar.gz.asc
-/openvpn-2.3.0.tar.gz
-/openvpn-2.3.0.tar.gz.asc
-/openvpn-2.3.1.tar.gz
-/openvpn-2.3.1.tar.gz.asc
-/openvpn-2.3.2.tar.gz
-/openvpn-2.3.2.tar.gz.asc
-/openvpn-2.3.3.tar.gz
-/openvpn-2.3.3.tar.gz.asc
-/openvpn-2.3.4.tar.gz
-/openvpn-2.3.4.tar.gz.asc
-/openvpn-2.3.5.tar.gz
-/openvpn-2.3.5.tar.gz.asc
-/openvpn-2.3.6.tar.gz
-/openvpn-2.3.6.tar.gz.asc
-/openvpn-2.3.7.tar.gz
-/openvpn-2.3.7.tar.gz.asc
-/openvpn-2.3.8.tar.gz
-/openvpn-2.3.8.tar.gz.asc
-/openvpn-2.3.9.tar.gz
-/openvpn-2.3.9.tar.gz.asc
-/openvpn-2.3.10.tar.gz
-/openvpn-2.3.10.tar.gz.asc
-/openvpn-2.3.11.tar.gz
-/openvpn-2.3.11.tar.gz.asc
-/openvpn-2.3.12.tar.gz
-/openvpn-2.3.12.tar.gz.asc
-/openvpn-2.3.13.tar.gz
-/openvpn-2.3.13.tar.gz.asc
-/openvpn-2.3.14.tar.gz
-/openvpn-2.3.14.tar.gz.asc
-/openvpn-2.4.0.tar.gz
-/openvpn-2.4.0.tar.gz.asc
-/openvpn-2.4.1.tar.xz
-/openvpn-2.4.1.tar.xz.asc
-/openvpn-2.4.2.tar.xz
-/openvpn-2.4.2.tar.xz.asc
-/openvpn-2.4.3.tar.xz.asc
-/openvpn-2.4.3.tar.xz
-/openvpn-2.4.4.tar.xz
-/openvpn-2.4.4.tar.xz.asc
-/openvpn-2.4.5.tar.xz
-/openvpn-2.4.5.tar.xz.asc
-/openvpn-2.4.6.tar.xz
-/openvpn-2.4.6.tar.xz.asc
-/openvpn-2.4.7.tar.xz
-/openvpn-2.4.7.tar.xz.asc
-/openvpn-2.4.8.tar.xz
-/openvpn-2.4.8.tar.xz.asc
-/openvpn-2.4.9.tar.xz
-/openvpn-2.4.9.tar.xz.asc
-/openvpn-2.5.0.tar.xz
-/openvpn-2.5.0.tar.xz.asc
-/openvpn-2.5.1.tar.xz
-/openvpn-2.5.1.tar.xz.asc
-/openvpn-2.5.2.tar.xz
-/openvpn-2.5.2.tar.xz.asc
-/openvpn-2.5.3.tar.xz
-/openvpn-2.5.3.tar.xz.asc
-/openvpn-2.5.4.tar.xz
-/openvpn-2.5.4.tar.xz.asc
-/openvpn-2.5.5.tar.xz
-/openvpn-2.5.5.tar.xz.asc
-/openvpn-2.5.6.tar.xz
-/openvpn-2.5.6.tar.xz.asc
-/openvpn-2.5.7.tar.xz
-/openvpn-2.5.7.tar.xz.asc
-/openvpn-2.5.8.tar.xz
-/openvpn-2.5.8.tar.xz.asc
-/openvpn-2.5.9.tar.gz
-/openvpn-2.5.9.tar.gz.asc
-/openvpn-2.5.11.tar.gz
-/openvpn-2.5.11.tar.gz.asc
+SOURCES/openvpn-2.4.12.tar.xz
+SOURCES/openvpn-2.4.12.tar.xz.asc

.openvpn.metadata

@@ -0,0 +1,2 @@
+6a2b67d4f56da70ebdfc32340ba554af1f211d67  SOURCES/openvpn-2.4.12.tar.xz
+2852ec59f46c9f8c85209062f9c6c1c8372fed6f  SOURCES/openvpn-2.4.12.tar.xz.asc

0001-Allow-running-a-default-configuration-with-TLS-libra.patch

@@ -1,225 +0,0 @@
-From cf5864f5922e4f40357d9f75a35cd448e671dddf Mon Sep 17 00:00:00 2001
-From: Arne Schwabe <arne@rfc2549.org>
-Date: Fri, 3 Jun 2022 11:52:19 +0200
-Subject: [PATCH] Allow running a default configuration with TLS libraries
- without BF-CBC
-
-Modern TLS libraries might drop Blowfish by default or distributions
-might disable Blowfish in OpenSSL/mbed TLS. We still signal OCC
-options with BF-CBC compatible strings. To avoid requiring BF-CBC
-for this, special this one usage of BF-CBC enough to avoid a hard
-requirement on Blowfish in the default configuration.
-
-This patch is cherry-picked from 79ff3f79 and the missing
-ciphername = "none"; has been added in the OCC code.
-
-Due to uncrustify complains, a few extra whitespace fixes had to be
-done to options.c.
-
-Signed-off-by: Arne Schwabe <arne@rfc2549.org>
-Acked-by: Gert Doering <gert@greenie.muc.de>
-Message-Id: <20220603095219.637361-1-arne@rfc2549.org>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24456.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
----
- src/openvpn/crypto_backend.h |  2 ++
- src/openvpn/init.c           | 37 ++++++++++++++++-----
- src/openvpn/options.c        | 62 ++++++++++++++++++++++++++++--------
- 3 files changed, 80 insertions(+), 21 deletions(-)
-
-diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
-index a9bb38ed..aebda3d6 100644
---- a/src/openvpn/crypto_backend.h
-+++ b/src/openvpn/crypto_backend.h
-@@ -256,6 +256,8 @@ const cipher_kt_t *cipher_kt_get(const char *ciphername);
-  * The returned name is normalised to the OpenVPN config name in case the
-  * name differs from the name used by the crypto library.
-  *
-+ * Returns [null-cipher] in case the cipher_kt is NULL.
-+ *
-  * @param cipher_kt     Static cipher parameters
-  *
-  * @return a statically allocated string describing the cipher.
-diff --git a/src/openvpn/init.c b/src/openvpn/init.c
-index da4d60af..b1b7b350 100644
---- a/src/openvpn/init.c
-+++ b/src/openvpn/init.c
-@@ -2764,14 +2764,35 @@ do_init_crypto_tls_c1(struct context *c)
- #endif /* if P2MP */
-         }
- 
--        /* Do not warn if we only have BF-CBC in options->ciphername
--         * because it is still the default cipher */
--        bool warn = !streq(options->ciphername, "BF-CBC")
--             || options->enable_ncp_fallback;
--        /* Get cipher & hash algorithms */
--        init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
--                      options->keysize, true, warn);
--
-+        /*
-+         * BF-CBC is allowed to be used only when explicitly configured
-+         * as NCP-fallback or when NCP has been disabled or explicitly
-+         * allowed in the in ncp_ciphers list.
-+         * In all other cases do not attempt to initialize BF-CBC as it
-+         * may not even be supported by the underlying SSL library.
-+         *
-+         * Therefore, the key structure has to be initialized when:
-+         * - any non-BF-CBC cipher was selected; or
-+         * - BF-CBC is selected and NCP is disabled (explicit request to
-+         *   use the BF-CBC cipher); or
-+         * - BF-CBC is selected, NCP is enabled and fallback is enabled
-+         *   (BF-CBC will be the fallback).
-+         * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
-+         *   If the negotiated cipher and options->ciphername are the
-+         *   same we do not reinit the cipher
-+         *
-+         * Note that BF-CBC will still be part of the OCC string to retain
-+         * backwards compatibility with older clients.
-+         */
-+        if (!streq(options->ciphername, "BF-CBC") || !options->ncp_enabled
-+            || (options->ncp_enabled && tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers))
-+            || options->enable_ncp_fallback)
-+        {
-+            /* Do not warn if the if the cipher is used only in OCC */
-+            bool warn = !options->ncp_enabled || options->enable_ncp_fallback;
-+            init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
-+                          options->keysize, true, warn);
-+        }
-         /* Initialize PRNG with config-specified digest */
-         prng_init(options->prng_hash, options->prng_nonce_secret_len);
- 
-diff --git a/src/openvpn/options.c b/src/openvpn/options.c
-index f6ef02ae..2206d9f4 100644
---- a/src/openvpn/options.c
-+++ b/src/openvpn/options.c
-@@ -1135,7 +1135,7 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren
- #ifndef ENABLE_SMALL
- 
- static void
--show_dhcp_option_list(const char *name, const char * const*array, int len)
-+show_dhcp_option_list(const char *name, const char *const *array, int len)
- {
-     int i;
-     for (i = 0; i < len; ++i)
-@@ -2288,7 +2288,7 @@ options_postprocess_verify_ce(const struct options *options,
-     if (options->mode == MODE_SERVER)
-     {
- #define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
--      "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
-+    "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
- #ifdef TARGET_ANDROID
-         msg(M_FATAL, "--mode server not supported on Android");
- #endif
-@@ -3103,7 +3103,7 @@ options_postprocess_cipher(struct options *o)
-         if (!o->ncp_enabled)
-         {
-             msg(M_USAGE, "--ncp-disable needs an explicit --cipher or "
--                         "--data-ciphers-fallback config option");
-+                "--data-ciphers-fallback config option");
-         }
- 
-         msg(M_WARN, "--cipher is not set. Previous OpenVPN version defaulted to "
-@@ -3681,9 +3681,30 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
-     {
-         struct frame fake_frame = *frame;
-         struct key_type fake_kt;
--        init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true,
--                      false);
-+
-         frame_remove_from_extra_frame(&fake_frame, crypto_max_overhead());
-+
-+
-+        /* o->ciphername might be BF-CBC even though the underlying SSL library
-+         * does not support it. For this reason we workaround this corner case
-+         * by pretending to have no encryption enabled and by manually adding
-+         * the required packet overhead to the MTU computation.
-+         */
-+        const char *ciphername = o->ciphername;
-+
-+        if (strcmp(o->ciphername, "BF-CBC") == 0)
-+        {
-+            /* none has no overhead, so use this to later add only --auth
-+             * overhead */
-+
-+            /* overhead of BF-CBC: 64 bit block size, 64 bit IV size */
-+            frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8);
-+            ciphername = "none";
-+        }
-+
-+        init_key_type(&fake_kt, ciphername, o->authname, o->keysize, true,
-+                      false);
-+
-         crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay,
-                                        cipher_kt_mode_ofb_cfb(fake_kt.cipher));
-         frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
-@@ -3853,18 +3874,33 @@ options_string(const struct options *o,
-                + (TLS_SERVER == true)
-                <= 1);
- 
--        init_key_type(&kt, o->ciphername, o->authname, o->keysize, true,
--                      false);
-+        /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
-+         * to work here in the default configuration */
-+        const char *ciphername = o->ciphername;
-+        int keysize;
-+
-+        if (strcmp(o->ciphername, "BF-CBC") == 0)
-+        {
-+            init_key_type(&kt, "none", o->authname, o->keysize, true,
-+                          false);
-+            keysize = 128;
-+        }
-+        else
-+        {
-+            init_key_type(&kt, o->ciphername, o->authname, o->keysize, true,
-+                          false);
-+            ciphername = cipher_kt_name(kt.cipher);
-+            keysize = kt.cipher_length * 8;
-+        }
-         /* Only announce the cipher to our peer if we are willing to
-          * support it */
--        const char *ciphername = cipher_kt_name(kt.cipher);
-         if (p2p_nopull || !o->ncp_enabled
-             || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
-         {
-             buf_printf(&out, ",cipher %s", ciphername);
-         }
-         buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
--        buf_printf(&out, ",keysize %d", kt.cipher_length * 8);
-+        buf_printf(&out, ",keysize %d", keysize);
-         if (o->shared_secret_file)
-         {
-             buf_printf(&out, ",secret");
-@@ -6168,9 +6204,9 @@ add_option(struct options *options,
-         }
-     }
- #ifdef TARGET_LINUX
--    else if (streq (p[0], "bind-dev") && p[1])
-+    else if (streq(p[0], "bind-dev") && p[1])
-     {
--        VERIFY_PERMISSION (OPT_P_SOCKFLAGS);
-+        VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
-         options->bind_dev = p[1];
-     }
- #endif
-@@ -6248,7 +6284,7 @@ add_option(struct options *options,
-         {
-             int64_t val = atoll(p[2]);
-             options->inactivity_minimum_bytes = (val < 0) ? 0 : val;
--            if ( options->inactivity_minimum_bytes > INT_MAX )
-+            if (options->inactivity_minimum_bytes > INT_MAX)
-             {
-                 msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value"
-                     " >2 Gbyte was silently ignored in older versions.  If "
-@@ -8132,7 +8168,7 @@ add_option(struct options *options,
- #endif
-     else if (streq(p[0], "providers") && p[1])
-     {
--        for (size_t j = 1; j < MAX_PARMS && p[j] != NULL;j++)
-+        for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
-         {
-             options->providers.names[j] = p[j];
-         }
--- 
-2.31.1
-

SOURCES/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch

@@ -1,4 +1,6 @@
+From b56d52fa409c62720791e189e501efb86df0aff4 Mon Sep 17 00:00:00 2001
 From: David Sommerseth <dazo@eurephia.org>
+Date: Tue, 4 Jul 2017 16:06:24 +0200
 Subject: [PATCH] Change the default cipher to AES-256-GCM for server
  configurations
 
@@ -8,14 +10,6 @@ defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains
 the BF-CBC in addition to AES-CBC.  This makes it possible to migrate
 existing older client configurations one-by-one to use at least AES-CBC unless
 the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically)
-
-[Update 2022-06-10]
-The BF-CBC reference is now removed as of Fedora 36 and newer.  The Blowfish
-cipher is no longer available by default in OpenSSL 3.0.  It can be enabled
-via the legacy provider in OpenSSL 3.0, but BF-CBC is deprecated and should
-not be used any more.  OpenVPN 2.4 and newer will always negotiate a stronger
-cipher by default and older OpenVPN releases are no longer supported upstream.
-
 ---
  distro/systemd/openvpn-server@.service.in | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
@@ -29,7 +23,7 @@ index 9a8a2c7..0ecda08 100644
  PrivateTmp=true
  WorkingDirectory=/etc/openvpn/server
 -ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
-+ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config %i.conf
++ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf
  CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
  LimitNPROC=10
  DeviceAllow=/dev/null rw

SPECS/openvpn.spec

@@ -1,56 +1,42 @@
 %define _hardened_build 1
+#define prerelease rc22
 
 # Build conditionals
 # tests_long - Enabled by default, enables long running tests in %%check
 %bcond_without tests_long
 
 Name:              openvpn
-Version:           2.5.11
-Release:           1%{?dist}
-Summary:           A full-featured TLS VPN solution
+Version:           2.4.12
+Release:           2%{?prerelease:.%{prerelease}}%{?dist}
+Summary:           A full-featured SSL VPN solution
 URL:               https://community.openvpn.net/
-Source0:           https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz
-Source1:           https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz.asc
+Source0:           https://build.openvpn.net/downloads/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz
+Source1:           https://build.openvpn.net/downloads/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz.asc
 Source2:           roadwarrior-server.conf
 Source3:           roadwarrior-client.conf
 # Upstream signing key
-Source10:          gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
+Source6:           gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
 Patch1:            0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
 Patch50:           openvpn-2.4-change-tmpfiles-permissions.patch
 License:           GPLv2
 BuildRequires:     gnupg2
 BuildRequires:     gcc
-BuildRequires:     automake
-BuildRequires:     autoconf
-BuildRequires:     autoconf-archive
-BuildRequires:     libtool
-BuildRequires:     gettext
+BuildRequires:     systemd-devel
 BuildRequires:     lzo-devel
 BuildRequires:     lz4-devel
-BuildRequires:     make
 BuildRequires:     openssl-devel
 BuildRequires:     pkcs11-helper-devel >= 1.11
 BuildRequires:     pam-devel
 BuildRequires:     libselinux-devel
-BuildRequires:     libcmocka-devel
+# For the perl_default_filter macro
+BuildRequires:     perl-macros
 BuildRequires:     systemd
-BuildRequires:     systemd-devel
-
 %{?systemd_requires}
+# For /sbin/ip.
+BuildRequires:     iproute
+Requires:          iproute
 Requires(pre):     /usr/sbin/useradd
 
-%if 0%{?rhel} > 7 || 0%{?fedora} > 29
-BuildRequires:  python3-docutils
-%else
-# We cannot use python36-docutils on RHEL-7 as
-# the ./configure script does not currently find
-# the rst2man-3 executable, it only looks for rst2man
-BuildRequires:  python-docutils
-%endif
-
-# For the perl_default_filter macro
-BuildRequires:     perl-macros
-
 # Filter out the perl(Authen::PAM) dependency.
 # No perl dependency is really needed at all.
 %{?perl_default_filter}
@@ -74,18 +60,20 @@ to similar features as the various script-hooks.
 
 
 %prep
-gpgv2 --quiet --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}
-%setup -q -n %{name}-%{version}
+gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0}
+%setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}}
 %patch1 -p1 -b .ch_default_cipher
 %patch50 -p1
 
+sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8
+
 # %%doc items shouldn't be executable.
 find contrib sample -type f -perm /100 \
     -exec chmod a-x {} \;
 
 %build
 %configure \
-    --enable-silent-rules \
+    --enable-iproute2 \
     --with-crypto-library=openssl \
     --enable-pkcs11 \
     --enable-selinux \
@@ -94,8 +82,9 @@ find contrib sample -type f -perm /100 \
     --enable-async-push \
     --docdir=%{_pkgdocdir} \
     SYSTEMD_UNIT_DIR=%{_unitdir} \
-    TMPFILES_DIR=%{_tmpfilesdir}
-%{__make}
+    TMPFILES_DIR=%{_tmpfilesdir} \
+    IPROUTE=/sbin/ip
+%{__make} %{?_smp_mflags}
 
 %check
 # Test Crypto:
@@ -146,7 +135,7 @@ mkdir -m 0770 -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name}
 cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir}
 
 # Remove some files which does not really belong here
-rm -f  $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am}
+rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am}
 rm -f  $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch
 rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys
 
@@ -175,14 +164,12 @@ do
     %systemd_postun_with_restart $srv
 done
 
-
 %files
 %{_pkgdocdir}
 %exclude %{_pkgdocdir}/README.IPv6
 %exclude %{_pkgdocdir}/README.mbedtls
 %exclude %{_pkgdocdir}/sample/sample-plugins
 %{_mandir}/man8/%{name}.8*
-%{_mandir}/man5/%{name}-*.5*
 %{_sbindir}/%{name}
 %{_libdir}/%{name}/
 %{_unitdir}/%{name}-client@.service
@@ -202,94 +189,30 @@ done
 
 
 %changelog
-* Thu Jul 18 2024 Frank Lichtenheld <frank@lichtenheld.com> - 2.5.11-1
-- Update to upstream OpenVPN 2.5.11
-- Fixes CVE-2024-5594
+* Wed Mar 20 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 2.4.12-2
+- Rebuilt for MSVSphere 8.9
 
-* Thu Nov 9 2023 David Sommerseth  <davids@openvpn.net> - 2.5.9-2
+* Thu Nov 9 2023 David Sommerseth <davids@openvpn.net> - 2.4.12-2
 - Fix false exit status on pre runtime scriptlet (Elkhan Mammadli <elkhan@almalinux.org>, RHBZ#2239722)
+- Misbehaving systemctl scriptlet globbing issues (RHBZ#1887984)
 
-* Thu Feb 16 2023 David Sommerseth <davids@openvpn.net> - 2.5.9-1
-- Update to upstream OpenVPN 2.5.9
-
-* Tue Nov 1 2022 David Sommerseth <davids@openvpn.net> - 2.5.8-1
-- Update to upstream OpenVPN 2.5.8
-
-* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-2
-- Added additional upstream patch resolving BF-CBC issues (to be removed with 2.5.8)
-  https://patchwork.openvpn.net/patch/2504/
-- Removed BF-CBC from the --data-ciphers list.  This is no longer available by default
-  in OpenSSL 3.0
-
-* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-1
-- Update to upstream OpenVPN 2.5.7
-
-* Wed Mar 16 2022 David Sommerseth <davids@openvpn.net> - 2.5.6-1
-- Update to upstream OpenVPN 2.5.6
+* Thu Mar 17 2022 David Sommerseth <davids@openvpn.net> - 2.4.12-1
+- Update to upstream OpenVPN 2.4.12
 - Fixes CVE-2022-0547
 
-* Thu Jan 27 2022 David Sommerseth <davids@openvpn.net> - 2.5.5-4
-- Fix systemd related scriptlet error (#1887984)
-
-* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.5-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-2
-- Rebuild of 2.5.5
-
-* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-1
-- Update to upstream OpenVPN 2.5.5 (#2032844)
-
-* Tue Oct 5 2021 David Sommerseth <davids@openvpn.net> - 2.5.4-1
-- Update to upstream OpenVPN 2.5.4
-- Added new man page: openvpn-examples(5)
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.5.3-3
-- Rebuilt with OpenSSL 3.0.0
-
-* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.3-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Fri Jun 18 2021 David Sommerseth <davids@openvpn.net> - 2.5.3-1
-- Update to upstream OpenVPN 2.5.3
-- Fixes CVE-2021-3606
-
-* Wed Apr 21 2021 David Sommerseth <davids@openvpn.net> - 2.5.2-1
-- Update to upstream OpenVPN 2.5.2
+* Wed Apr 21 2021 David Sommerseth <davids@openvpn.net> - 2.4.11-1
+- Update to upstream OpenVPN 2.4.11
 - Fixes CVE-2020-15078
-- Replaces --ncp-ciphers with --data-ciphers in the server systemd service unit
 
-* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.5.1-2
-- Rebuilt for updated systemd-rpm-macros
-  See https://pagure.io/fesco/issue/2583.
-
-* Wed Feb 24 2021 David Sommerseth <dazo@eurephia.org> - 2.5.1-1
-- Update to upstream OpenVPN 2.5.1
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Wed Oct 28 2020 David Sommerseth <dazo@eurephia.org> - 2.5.0-1
-- Update to upstream OpenVPN 2.5.0
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.9-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+* Wed Dec  9 2020 David Sommerseth <dazo@eurephia.org> - 2.4.10-1
+- Update to upstream OpenVPN 2.4.10
 
 * Sun Apr 19 2020 David Sommerseth <dazo@eurephia.org> - 2.4.9-1
 - Update to upstream OpenVPN 2.4.9
 
-* Wed Feb 12 2020 David Sommerseth <dazo@eurephia.org> - 2.4.8-3
-- Rebuilt to be linked against latest lzo (RHBZ#1802299)
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.8-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
 * Fri Nov 1 2019 David Sommerseth <dazo@eurephia.org> - 2.4.8-1
 - Updating to upstream OpenVPN 2.4.8
 
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
 * Wed Feb 20 2019 David Sommerseth <dazo@eurephia.org> - 2.4.7-1
 - Updating to upstream OpenVPN 2.4.7
 

sources

@@ -1,2 +0,0 @@
-SHA512 (openvpn-2.5.11.tar.gz) = 5ef80681e71aa84629d48b067b540c0e8169ee3ff4b1129fc0030a55f0f7e2bb9a9cd568aa627828d8adb1366f5b0cfdd37242fb5cb6cec4a50fea9ffe8805bc
-SHA512 (openvpn-2.5.11.tar.gz.asc) = f8796504341539db4a79ccf26706d2cc7e13b9fc511e0e38a0676b5eb94c0c43174b1cc29b07a51eb0e6c8dc7715a9728cc367166bdafae705381338cca3aead

tests/tests.yml

@@ -1,14 +0,0 @@
-# Tests for openvpn using NM's tests
-- hosts: localhost
-  roles:
-  - role: standard-test-basic
-    tags:
-    - classic
-    repositories:
-    - repo: "https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci"
-      dest: "NetworkManager-ci"
-    tests:
-    - sanity-tests:
-        dir: NetworkManager-ci
-        run: run/osci/run-tests openvpn
-