2025-01-16 07:30:38 by Adam Ciarcinski | Files touched by this commit (5)
Log message: openvpn: updated to 2.6.13

Overview of changes in 2.6.13
=============================

New features
------------
- on non-windows clients (MacOS, Linux, Unix) send "release" string from uname() call as IV_PLAT_VER= to server - while highly OS specific this is still helpful to keep track of OS versions used on the client side
- Windows: protect cached username, password and token in client memory (using the CryptProtectMemory() windows API)
- Windows: use new API to get dco-win driver version from driver (newly introduced non-exclusive control device)
- Linux: pass --timeout=0 argument to systemd-ask-password, to avoid default timeout of 90 seconds ("console prompting also has no timeout")

Bug fixes
---------
- fix potentially unaligned access in drop_if_recursive_routing on Linux (ASAN)
- correct documentation for port-share journal
- fix logging of IPv6 addresses in port-share journal
- fix various typos in messages, documentation, comments and examples
- FreeBSD DCO: fix memory leaks in nvlist handling
- route handling: correctly handle case of "route installation fails" in the face of an already-existing route - previously, OpenVPN would remove the "other" route on exit, incorrectly changing system state.
- fix generation of warning messages for overlapping --local/--remote and --ifconfig addresses
- purge proxy authentication credentials from memory after use (if --auth-nocache is in use)
- fix missing space in various (long and wrapped) msg() calls

Code maintenance
----------------
- improve documentation/examples for <peer-fingerprint> feature
- simplify Github Action macOS build setup
- update Github Action macOS runners (remove macOS 12, add macOS 15)
- fix a number of uninitialized "struct user_pass" local variables (no impact beyond "compiler warning", but future-proofing the code)

Security fixes
--------------
- improve server-side handling of clients sending usernames or passwords longer than USER_PASS_LEN - this would not result in a crash, buffer overflow or other security issues, but the server would then misparse incoming IV_* variables and produce misleading error messages.
2024-07-18 15:00:07 by Adam Ciarcinski | Files touched by this commit (4)
Log message: openvpn: updated to 2.6.12

v2.6.12

Bug fixes:
- the fix for CVE-2024-5594 (refuse control channel messages with nonprintable characters) was too strict, breaking user configurations with AUTH_FAIL messages having trailing CR/NL characters. This often happens if the AUTH_FAIL reason is set by a script. Strip those before testing the command buffer. Also, add unit test.
- Http-proxy: fix bug preventing proxy credentials caching.
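The edge case in this entry, a validity check that rejected legitimate AUTH_FAIL messages only because a script had appended a trailing newline, is illustrated below. This is an added, constructed example and not OpenVPN's source code: the function names, the "printable ASCII 0x20..0x7e" policy and the sample messages are assumptions chosen to show the difference between checking the raw buffer and checking it after trailing CR/NL are stripped.

```python
"""Model of the control-channel message check described in the 2.6.12 entry.

Constructed example, not OpenVPN code. Two versions of the check are shown:
the over-strict one (any non-printable byte rejects the message, including a
trailing CR or LF added by a script) and the corrected one (strip trailing
CR/NL first, then require printable content).
"""
from typing import Optional


def is_printable(buf: bytes) -> bool:
    """True if every byte is printable ASCII (0x20..0x7e).

    The exact byte range is an assumption for this example.
    """
    return all(0x20 <= b <= 0x7E for b in buf)


def check_control_message_strict(buf: bytes) -> bool:
    """Over-strict check: the raw buffer must be printable, so a trailing
    newline emitted by a script makes an otherwise valid message fail."""
    return is_printable(buf)


def check_control_message(buf: bytes) -> bool:
    """Corrected check: only trailing CR/NL are removed before testing.

    An embedded control character anywhere else still rejects the message,
    so the original protection against non-printable payloads is kept.
    """
    return is_printable(buf.rstrip(b"\r\n"))


def sanitize_control_message(buf: bytes) -> Optional[bytes]:
    """Return the message with trailing CR/NL removed if it passes the
    printable check, otherwise None (the caller would drop the message)."""
    stripped = buf.rstrip(b"\r\n")
    return stripped if is_printable(stripped) else None


# Constructed sample messages. The first is what a shell script that does
# `echo "AUTH_FAILED,bad password"` would hand over: a trailing newline.
SAMPLES = [
    b"AUTH_FAILED,bad password\n",       # legitimate, trailing LF only
    b"AUTH_FAILED,bad password\r\n",     # legitimate, trailing CR LF
    b"AUTH_FAILED,\x01bad password",     # embedded control byte: reject
    b"AUTH_FAILED,line one\nline two\n", # newline in the middle: reject
]


def evaluate_samples():
    """Run both checks over SAMPLES; returns a list of
    (message, strict_result, corrected_result) tuples."""
    return [
        (m, check_control_message_strict(m), check_control_message(m))
        for m in SAMPLES
    ]


if __name__ == "__main__":
    for msg, strict, corrected in evaluate_samples():
        print(f"{msg!r:40} strict={strict!s:5} corrected={corrected}")
```

Only terminators at the very end of the buffer are removed; `rstrip` does not touch a CR or LF in the middle of the message, which is why the fourth sample is still rejected by both versions of the check.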
2024-03-20 20:24:02 by Adam Ciarcinski | Files touched by this commit (5)
Log message: openvpn: updated to 2.6.10

Version 2.6.10

Christoph Schug (1):
  Update documentation references in systemd unit files

Frank Lichtenheld (6):
  Fix typo --data-cipher-fallback
  samples: Remove tls-*.conf
  check_compression_settings_valid: Do not test for LZ4 in LZO check
  t_client.sh: Allow to skip tests
  Update Copyright statements to 2024
  GHA: general update March 2024

Lev Stipakov (4):
  win32: Enforce loading of plugins from a trusted directory
  interactive.c: disable remote access to the service pipe
  interactive.c: Fix potential stack overflow issue
  Disable DCO if proxy is set via management

Martin Rys (1):
  openvpn-[client|server].service: Remove syslog.target

Max Fillinger (1):
  Remove license warning from README.mbedtls

Selva Nair (1):
  Document that auth-user-pass may be inlined

wellweek (1):
  remove repetitive words in documentation and comments
2024-02-18 15:01:05 by Adam Ciarcinski | Files touched by this commit (2)
Log message: regen distinfo |
2024-02-13 20:34:38 by Greg Troxel | Files touched by this commit (3)
Log message: net/openvpn-*: PKGREVISION++ (these build something else with openvpn also) |
2023-11-18 13:51:20 by Greg Troxel | Files touched by this commit (6)
Log message: net/openvpn: Update to 2.6.8

upstream NEWS: bugfixes
2023-11-10 01:17:47 by Greg Troxel | Files touched by this commit (8)
Log message: net/openvpn: Update to 2.6.7

Upstream NEWS:

Security Fixes:
* CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417)
* CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore --fragment configuration in some circumstances, leading to a division by zero when --fragment is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash. (Github #400, #417).

User visible changes:
* DCO: warn if DATA_V1 packets are sent by the other side - this is a hard incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 server, and the only fix is to use --disable-dco.
* Remove OpenSSL Engine method for loading a key. This had to be removed because the original author did not agree to relicensing the code with the new linking exception added. This was a somewhat obsolete feature anyway as it only worked with OpenSSL 1.x, which is end-of-support.
* add warning if p2p NCP client connects to a p2mp server - this is a combination that used to work without cipher negotiation (pre 2.6 on both ends), but would fail in non-obvious ways with 2.6 to 2.6.
* add warning to --show-groups that not all supported groups are listed (this is due to the internal enumeration in OpenSSL being a bit weird, omitting X448 and X25519 curves).
* --dns: remove support for exclude-domains argument (this was a new 2.6 option, with no backend support implemented yet on any platform, and it turns out that no platform supported it at all - so remove option again)
* warn user if INFO control message too long, do not forward to management client (safeguard against protocol-violating server implementations)

New features:
* DCO-WIN: get and log driver version (for easier debugging).
* print "peer temporary key details" in TLS handshake
* log OpenSSL errors on failure to set certificate, for example if the algorithms used are unacceptable to OpenSSL (misleading message would be printed in cryptoapi / pkcs11 scenarios)
* add CMake build system for MinGW and MSVC builds
* remove old MSVC build system
* improve cmocka unit test building for Windows
2023-10-25 00:11:51 by Thomas Klausner | Files touched by this commit (2298)
Log message: *: bump for openssl 3 |