./net/openvpn, Easy-to-use SSL VPN daemon

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 2.4.6nb1, Package name: openvpn-2.4.6nb1, Maintainer: pkgsrc-users

OpenVPN is a robust and highly flexible tunneling application
that uses all of the encryption, authentication, and certification
features of the OpenSSL library to securely tunnel IP networks over
a single TCP/UDP port.


Required to run:
[archivers/lzo] [archivers/lz4]

Required to build:
[pkgtools/cwrappers]

Master sites:

SHA1: 4742492867df31aadc0aeea5c8b4422d1a624e69
RMD160: 9fb17a39b70d96ecc3075a78011496b239e741d6
Filesize: 921.266 KB

Version history: (Expand)


CVS history: (Expand)


   2018-06-24 11:26:12 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
openvpn: fix for NetBSD with subnet topology; remove empty DIST_SUBDIR
   2018-04-27 08:40:28 by Adam Ciarcinski | Files touched by this commit (5)
Log message:
openvpn: 2.4.6

OpenVPN 2.4.6
management: Warn if TCP port is used without password

Correct version in ChangeLog - should be 2.4.5, was mistyped as 2.4.4
Fix potential double-free() in Interactive Service (CVE-2018-9336)
preparing release v2.4.6 (ChangeLog, version.m4, Changes.rst)

manpage: improve description of --status and --status-version

Make return code external tls key match docs

Delete the IPv6 route to the "connected" network on tun close
Management: warn about password only when the option is in use
Avoid overflow in wakeup time computation

Add missing #ifdef SSL_OP_NO_TLSv1_1/2

Check for more data in control channel
   2018-04-18 00:29:53 by Thomas Klausner | Files touched by this commit (286)
Log message:
Add p11-kit to gnutls/bl3.mk and bump dependencies.
   2018-03-13 19:12:50 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
openvpn: updated to 2.4.5

OpenVPN 2.4.5:
reload HTTP proxy credentials when moving to the next connection profile
Allow learning iroutes with network made up of all 0s (only if netbits < 8)
mbedtls: fix typ0 in comment
manpage: fix simple typ0
Treat dhcp-option DNS6 and DNS identical
show the right string for key-direction
Fix typo in error message: "optione" -> "option"
lz4: Fix confused version check
lz4: Fix broken builds when pkg-config is not present but system library is
Remove references to keychain-mcd in Changes.rst
lz4: Rebase compat-lz4 against upstream v1.7.5
systemd: Add and ship README.systemd
Update copyright to include 2018 plus company name change
man: Add .TQ groff support macro
man: Reword --management to prefer unix sockets over TCP
OpenSSL: check EVP_PKEY key types before returning the pkey
Remove warning on pushed tun-ipv6 option.
Fix removal of on-link prefix on windows with netsh
travis-ci: add brew cache, remove ccache
travis-ci: modify openssl build script to support openssl-1.1.0
autoconf: Fix engine checks for openssl 1.1
Cast time_t to long long in order to print it.
Fix build with LibreSSL
Check whether in pull_mode before warning about previous connection blocks
Avoid illegal memory access when malformed data is read from the pipe
Fix missing check for return value of malloc'd buffer
Return NULL if GetAdaptersInfo fails
Use RSA_meth_free instead of free
Bring cryptoapi.c upto speed with openssl 1.1
Add SSL_CTX_get_max_proto_version() not in openssl 1.0
TLS v1.2 support for cryptoapicert -- RSA only
Refactor get_interface_metric to return metric and auto flag separately
Ensure strings read from registry are null-terminated
Make most registry values optional
Use lowest metric interface when multiple interfaces match a route
Adapt to RegGetValue brokenness in Windows 7
Fix format spec errors in Windows builds
Local functions are not supported in MSVC. Bummer.
Mixing wide and regular strings in concatenations is not allowed in MSVC.
RtlIpv6AddressToStringW() and RtlIpv4AddressToStringW() require mstcpip.h
Simplify iphlpapi.dll API calls
Fix local #include to use quoted form
Document ">PASSWORD:Auth-Token" real-time message
Fix typo in "verb" command examples
Uniform swprintf() across MinGW and MSVC compilers
MSVC meta files added to .gitignore list
openvpnserv: Add support for multi-instances
Document missing OpenVPN states
make struct key * argument of init_key_ctx const
buffer_list_aggregate_separator(): add unit tests
Add --tls-cert-profile option.
Use P_DATA_V2 for server->client packets too
Fix memory leak in buffer unit tests
buffer_list_aggregate_separator(): update list size after aggregating
buffer_list_aggregate_separator(): don't exceed max_len
buffer_list_aggregate_separator(): prevent 0-byte malloc
Fix types around buffer_list_push(_data)
ssl_openssl: fix compiler warning by removing getbio() wrapper
travis: use clang's -fsanitize=address to catch more bugs
Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
Add support for TLS 1.3 in --tls-version-{min, max}
Plug memory leak if push is interrupted
Fix format errors when cross-compiling for Windows
Log pre-handshake packet drops using D_MULTI_DROPPED
Enable stricter compiler warnings by default
Get rid of ax_check_compile_flag.m4
mbedtls: don't use API deprecated in mbed 2.7
Warn if tls-version-max < tls-version-min
Don't throw fatal errors from create_temp_file()
Fix '--bind ipv6only'
   2017-10-02 17:54:24 by Thomas Klausner | Files touched by this commit (5) | Package updated
Log message:
openvpn: update to 2.4.4

Version 2.4.4
=============
This is primarily a maintenance release, with further improved OpenSSL 1.1
integration, several minor bug fixes and other minor improvements.

Bug fixes
---------
- Fix issues when a pushed cipher via the Negotiable Crypto Parameters (NCP) is
  rejected by the remote side

- Ignore ``--keysize`` when NCP have resulted in a changed cipher.

- Configurations using ``--auth-nocache`` and the management interface to provide
  user credentials (like NetworkManager on Linux) on client side with servers
  implementing authentication tokens (for example, using ``--auth-gen-token``)
  will now behave correctly and not query the user for an, to them, unknown
  authentication token on renegotiations of the tunnel.

- Fix bug causing invalid or corrupt SOCKS port number when changing the
  proxy via the management interface.

- The man page should now have proper escaping of hyphens/minus characters
  and have seen some minor corrections.

User-visible Changes
--------------------
- Linux servers with systemd which uses the ``openvpn-server@.service`` unit
  file for server configurations will now utilize the automatic restart feature
  in systemd.  If the OpenVPN server process dies unexpectedly, systemd will
  ensure the OpenVPN configuration will be restarted without any user interaction.

Deprecated features
-------------------
- ``--no-replay`` is deprecated and will be removed in OpenVPN 2.5.
- ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6

Security
--------
- CVE-2017-12166: Fix bounds check for configurations using ``--key-method 1``.
  Before this fix, it could allow an attacker to send a malformed packet to
  trigger a stack overflow.  This is considered to be a low risk issue, as
  ``--key-method 2`` has been the default since OpenVPN 2.0 (released on
  2005-04-17).  This option is already deprecated in v2.4 and will be
  completely removed in v2.5.
   2017-07-02 00:12:53 by Joerg Sonnenberger | Files touched by this commit (3)
Log message:
Use DIST_SUBDIR properly.
   2017-06-26 09:21:22 by Adam Ciarcinski | Files touched by this commit (5)
Log message:
Distfile has been changed upstream
   2017-06-21 21:00:47 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
OpenVPN 2.4.3
Ignore auth-nocache for auth-user-pass if auth-token is pushed
crypto: Enable SHA256 fingerprint checking in --verify-hash
copyright: Update GPLv2 license texts
auth-token with auth-nocache fix broke --disable-crypto builds
OpenSSL: don't use direct access to the internal of X509
OpenSSL: don't use direct access to the internal of EVP_PKEY
OpenSSL: don't use direct access to the internal of RSA
OpenSSL: don't use direct access to the internal of DSA
OpenSSL: force meth->name as non-const when we free() it
OpenSSL: don't use direct access to the internal of EVP_MD_CTX
OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
OpenSSL: don't use direct access to the internal of HMAC_CTX
Fix NCP behaviour on TLS reconnect.
Remove erroneous limitation on max number of args for --plugin
Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
Fix potential 1-byte overread in TCP option parsing.
Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
refactor my_strupr
Fix 2 memory leaks in proxy authentication routine
Fix memory leak in add_option() for option 'connection'
Ensure option array p[] is always NULL-terminated
Fix a null-pointer dereference in establish_http_proxy_passthru()
Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
Fix an unaligned access on OpenBSD/sparc64
Missing include for socket-flags TCP_NODELAY on OpenBSD
Make openvpn-plugin.h self-contained again.
Pass correct buffer size to GetModuleFileNameW()
Log the negotiated (NCP) cipher
Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
Skip tls-crypt unit tests if required crypto mode not supported
openssl: fix overflow check for long --tls-cipher option
Add a DSA test key/cert pair to sample-keys
Fix mbedtls fingerprint calculation
mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
mbedtls: require C-string compatible types for --x509-username-field
Fix remote-triggerable memory leaks (CVE-2017-7521)
Restrict --x509-alt-username extension types
Fix potential double-free in --x509-alt-username (CVE-2017-7521)
Fix gateway detection with OpenBSD routing domains