2021-04-22 15:53:16 by Adam Ciarcinski | Files touched by this commit (6) | |
Log message:
openvpn: updated to 2.5.2
The OpenVPN community project team is proud to release OpenVPN 2.5.2. It fixes
two related security vulnerabilities (CVE-2020-15078) which under very specific
circumstances allow tricking a server using delayed authentication (plugin or
management) into returning a PUSH_REPLY before the AUTH_FAILED message, which
can possibly be used to gather information about a VPN setup. In combination
with "--auth-gen-token" or a user-specific token auth solution it can be
possible to get access to a VPN with an otherwise-invalid account. OpenVPN 2.5.2
also includes other bug fixes and improvements. Updated OpenSSL and OpenVPN GUI
are included in Windows installers.
|
2021-02-24 20:13:51 by Adam Ciarcinski | Files touched by this commit (7) | |
Log message:
openvpn: updated to 2.5.1
Version 2.5.1
* Fix auth-token not being updated if auth-nocache is set
* Remove auth_user_pass.wait_for_push variable
* Fix port-share option with TLS-Crypt v2
* Zero initialise msghdr prior to calling sendmsg
* Fix tls-auth mismatch OCC message when tls-cryptv2 is used.
* build: Fix missing install of man page in certain environments
* Fix too early argv freeing when registering DNS
* Remove 1 second delay before running netsh
* Skip DHCP renew with Wintun adapter
* Change travis build scripts to use https when fetching prerequisites.
* Fix line number reporting on config file errors after <inline> segments
* Clarify --block-ipv6 intent and direction.
* Document common uses of 'echo' directive, re-enable logging for 'echo'.
* Make OPENVPN_PLUGIN_ENABLE_PF failures FATAL
* clean up / rewrite sample-plugins/defer/simple.c
* Fix naming error in sample-plugins/defer/simple.c
* Documentation fixes around openvpn_plugin_func_v3 in openvpn-plugin.h.in
* Update openvpn_plugin_func_v2 to _v3 in sample-plugins/defer/simple.c
* More explicit versioning compatibility in sample-plugins/defer/simple.c
* Explain structver usage in sample defer plugin.
* Man page sections corrections
* Quote the domain name argument passed to the wmic command
* tls-crypt-v2: fix server memory leak
* tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key)
|
2020-11-29 03:24:20 by Makoto Fujiwara | Files touched by this commit (1) |
Log message:
(net/openvpn-nagios) regend distinfo
|
2020-04-17 22:14:22 by Adam Ciarcinski | Files touched by this commit (5) | |
Log message:
openvpn: updated to 2.4.9
OpenVPN 2.4.9
* socks: use the right function when printing struct openvpn_sockaddr
* Fetch OpenSSL versions via source/old links
* Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
* Fix OpenSSL 1.1.1 not using auto elliptic curve selection
* Fix broken fragmentation logic when using NCP
* Fix building with --enable-async-push in FreeBSD
* Fix broken async push when NCP is used
* Fix illegal client float (CVE-2020-11810)
* OpenSSL: Fix --crl-verify not loading multiple CRLs in one file
* Fix OpenSSL private key passphrase notices
* Swap the order of checks for validating interactive service user
* Move querying username/password from management interface to a function
* When auth-user-pass file has no password query the management interface (if available).
* Fix possibly uninitialized return value in GetOpenvpnSettings()
* Fix possible access of uninitialized pipe handles
* Skip expired certificates in Windows certificate store
* Allow unicode search string in --cryptoapicert option
* mbedTLS: Make sure TLS session survives move
* docs: Add reference to X509_LOOKUP_hash_dir(3)
|
2020-01-26 18:32:28 by Roland Illig | Files touched by this commit (981) |
Log message:
all: migrate homepages from http to https
pkglint -r --network --only "migrate"
As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
|
2020-01-18 22:51:16 by Jonathan Perkin | Files touched by this commit (1836) |
Log message:
*: Recursive revision bump for openssl 1.1.1.
|
2019-11-04 13:52:14 by Adam Ciarcinski | Files touched by this commit (5) | |
Log message:
openvpn: updated to 2.4.8
Version 2.4.8
This is primarily a maintenance release with minor bugfixes and improvements.
New features
- Support compiling with OpenSSL 1.1 without deprecated APIs
- handle PSS padding in cryptoapicert (necessary for TLS >= 1.2)
User visible changes
- do not abort when hitting the combination of "--pull-filter" and "--mode server" (this got hit when starting OpenVPN servers using the windows GUI which installs a pull-filter to force ip-win32)
- increase listen() backlog queue to 32 (improve response behaviour on openvpn servers using TCP that get portscanned)
- fix and enhance documentation (INSTALL, man page, ...)
Bug fixes
- the combination "IPv6 and proto UDP and SOCKS proxy" did not work - as a workaround, force IPv4 in this case until a full implementation for IPv6-UDP-SOCKS can be made.
- fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana
- fix building with LibreSSL
- do not set pkcs11-helper 'safe fork mode' (should fix PIN querying in systemd environments)
- repair windows builds
- repair Darwin builds (remove -no-cpp-precomp flag)
|
2019-02-21 17:22:54 by Adam Ciarcinski | Files touched by this commit (6) | |
Log message:
openvpn: updated to 2.4.7
OpenVPN 2.4.7
- Fix subnet topology on NetBSD (2.4).
- add support for %lu in argv_printf and prevent ASSERT
- buffer_list: add functions documentation
- ifconfig-ipv6(-push): allow using hostnames
- Properly free tuntap struct on android when emulating persist-tun
- Add OpenSSL compat definition for RSA_meth_set_sign
- Add support for tls-ciphersuites for TLS 1.3
- Add better support for showing TLS 1.3 ciphersuites in --show-tls
- Use right function to set TLS1.3 restrictions in show-tls
- Add message explaining early TLS client hello failure
- Fallback to password authentication when auth-token fails
- systemd: extend CapabilityBoundingSet for auth_pam
- plugin: Export base64 encode and decode functions
- Add %d, %u and %lu tests to test_argv unit tests.
- Fix combination of --dev tap and --topology subnet across multiple platforms.
- Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
- preparing release v2.4.7 (ChangeLog, version.m4, Changes.rst)
- Minor reliability layer documentation fixes
- Resolves small IV_GUI_VER typo in the documentation.
- Clarify and expand management interface documentation
- Refactor NCP-negotiable options handling
- init.c: refine functions names and description
- interactive.c: fix usage of potentially uninitialized variable
- options.c: fix broken unary minus usage
- Remove extra token after #endif
- Fix error message when using RHEL init script
- man: correct a --redirection-gateway option flag
- Replace M_DEBUG with D_LOW as the former is too verbose
- Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'
- Bump version of openvpn plugin argument structs to 5
- Move get system directory to a separate function
- Enable dhcp on tap adapter using interactive service
- Pass the hash without the DigestInfo header to NCryptSignHash()
- White-list pull-filter and script-security in interactive service
- Add Interactive Service developer documentation
- Detect TAP interfaces with root-enumerated hardware ID
- man: add security considerations to --compress section
- mbedtls: print warning if random personalisation fails
- Fix memory leak after sighup
- travis: add OpenSSL 1.1 Windows build
- Fix --disable-crypto build
- Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
- buffer_list_aggregate_separator(): simplify code
|
2018-04-27 08:40:28 by Adam Ciarcinski | Files touched by this commit (5) |
Log message:
openvpn: 2.4.6
OpenVPN 2.4.6
management: Warn if TCP port is used without password
Correct version in ChangeLog - should be 2.4.5, was mistyped as 2.4.4
Fix potential double-free() in Interactive Service (CVE-2018-9336)
preparing release v2.4.6 (ChangeLog, version.m4, Changes.rst)
manpage: improve description of --status and --status-version
Make return code external tls key match docs
Delete the IPv6 route to the "connected" network on tun close
Management: warn about password only when the option is in use
Avoid overflow in wakeup time computation
Add missing #ifdef SSL_OP_NO_TLSv1_1/2
Check for more data in control channel
|
2018-03-13 19:12:50 by Adam Ciarcinski | Files touched by this commit (4) | |
Log message:
openvpn: updated to 2.4.5
OpenVPN 2.4.5:
reload HTTP proxy credentials when moving to the next connection profile
Allow learning iroutes with network made up of all 0s (only if netbits < 8)
mbedtls: fix typ0 in comment
manpage: fix simple typ0
Treat dhcp-option DNS6 and DNS identical
show the right string for key-direction
Fix typo in error message: "optione" -> "option"
lz4: Fix confused version check
lz4: Fix broken builds when pkg-config is not present but system library is
Remove references to keychain-mcd in Changes.rst
lz4: Rebase compat-lz4 against upstream v1.7.5
systemd: Add and ship README.systemd
Update copyright to include 2018 plus company name change
man: Add .TQ groff support macro
man: Reword --management to prefer unix sockets over TCP
OpenSSL: check EVP_PKEY key types before returning the pkey
Remove warning on pushed tun-ipv6 option.
Fix removal of on-link prefix on windows with netsh
travis-ci: add brew cache, remove ccache
travis-ci: modify openssl build script to support openssl-1.1.0
autoconf: Fix engine checks for openssl 1.1
Cast time_t to long long in order to print it.
Fix build with LibreSSL
Check whether in pull_mode before warning about previous connection blocks
Avoid illegal memory access when malformed data is read from the pipe
Fix missing check for return value of malloc'd buffer
Return NULL if GetAdaptersInfo fails
Use RSA_meth_free instead of free
Bring cryptoapi.c up to speed with openssl 1.1
Add SSL_CTX_get_max_proto_version() not in openssl 1.0
TLS v1.2 support for cryptoapicert -- RSA only
Refactor get_interface_metric to return metric and auto flag separately
Ensure strings read from registry are null-terminated
Make most registry values optional
Use lowest metric interface when multiple interfaces match a route
Adapt to RegGetValue brokenness in Windows 7
Fix format spec errors in Windows builds
Local functions are not supported in MSVC. Bummer.
Mixing wide and regular strings in concatenations is not allowed in MSVC.
RtlIpv6AddressToStringW() and RtlIpv4AddressToStringW() require mstcpip.h
Simplify iphlpapi.dll API calls
Fix local #include to use quoted form
Document ">PASSWORD:Auth-Token" real-time message
Fix typo in "verb" command examples
Uniform swprintf() across MinGW and MSVC compilers
MSVC meta files added to .gitignore list
openvpnserv: Add support for multi-instances
Document missing OpenVPN states
make struct key * argument of init_key_ctx const
buffer_list_aggregate_separator(): add unit tests
Add --tls-cert-profile option.
Use P_DATA_V2 for server->client packets too
Fix memory leak in buffer unit tests
buffer_list_aggregate_separator(): update list size after aggregating
buffer_list_aggregate_separator(): don't exceed max_len
buffer_list_aggregate_separator(): prevent 0-byte malloc
Fix types around buffer_list_push(_data)
ssl_openssl: fix compiler warning by removing getbio() wrapper
travis: use clang's -fsanitize=address to catch more bugs
Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
Add support for TLS 1.3 in --tls-version-{min, max}
Plug memory leak if push is interrupted
Fix format errors when cross-compiling for Windows
Log pre-handshake packet drops using D_MULTI_DROPPED
Enable stricter compiler warnings by default
Get rid of ax_check_compile_flag.m4
mbedtls: don't use API deprecated in mbed 2.7
Warn if tls-version-max < tls-version-min
Don't throw fatal errors from create_temp_file()
Fix '--bind ipv6only'
|