Up to [cvs.NetBSD.org] / pkgsrc / net / openvpn-nagios
Request diff between arbitrary revisions
Keyword substitution: kv
Default branch: MAIN
net/openvpn-*: PKGREVISION++ (these build something else with openvpn also)
net/openvpn: Update to 2.6.8 upstream NEWS: bugfixes
net/openvpn: Update to 2.6.7 Upstream NEWS: Security Fixes: * CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417) * CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore --fragment configuration in some circumstances, leading to a division by zero when --fragment is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash.(Github #400, #417). User visible changes: * DCO: warn if DATA_V1 packets are sent by the other side - this a hard incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 server, and the only fix is to use --disable-dco. * Remove OpenSSL Engine method for loading a key. This had to be removed because the original author did not agree to relicensing the code with the new linking exception added. This was a somewhat obsolete feature anyway as it only worked with OpenSSL 1.x, which is end-of-support. * add warning if p2p NCP client connects to a p2mp server - this is a combination that used to work without cipher negotiation (pre 2.6 on both ends), but would fail in non-obvious ways with 2.6 to 2.6. * add warning to --show-groups that not all supported groups are listed (this is due the internal enumeration in OpenSSL being a bit weird, omitting X448 and X25519 curves). * --dns: remove support for exclude-domains argument (this was a new 2.6 option, with no backend support implemented yet on any platform, and it turns out that no platform supported it at all - so remove option again) * warn user if INFO control message too long, do not forward to management client (safeguard against protocol-violating server implementations) New features: * DCO-WIN: get and log driver version (for easier debugging). * print "peer temporary key details" in TLS handshake * log OpenSSL errors on failure to set certificate, for example if the algorithms used are in acceptable to OpenSSL (misleading message would be printed in cryptoapi / pkcs11 scenarios) * add CMake build system for MinGW and MSVC builds * remove old MSVC build system * improve cmocka unit test building for Windows
*: bump for openssl 3
net/openvpn-*: revbump and regen distinfo for openvpn update
net/openvpn-nagios: Revbump/distinfo for openvpn update
openvpn: updated to 2.5.2 The OpenVPN community project team is proud to release OpenVPN 2.5.2. It fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with “–auth-gen-token” or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. OpenVPN 2.5.2 also includes other bug fixes and improvements. Updated OpenSSL and OpenVPN GUI are included in Windows installers.
all: migrate homepages from http to https pkglint -r --network --only "migrate" As a side-effect of migrating the homepages, pkglint also fixed a few indentations in unrelated lines. These and the new homepages have been checked manually.
*: Recursive revision bump for openssl 1.1.1.
OpenVPN 2.4.2 Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client's IP address changes (Peer-ID). Also, the new --tls-crypt feature can be used to increase users' connection privacy. Compared to OpenVPN 2.4.1 there are several bugfixes and small enhancements. A summary of the changes is available in Changes.rst.
update openvpn to 2.3.15 fixes DoSses: CVE-2017-7478 CVE-2017-7479 fixes PR pkg/52044 relevant excerpt of ChangeLog: OpenVPN Change Log Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net> 2017.05.11 -- Version 2.3.15 David Sommerseth (5): dev-tools: Added script for updating copyright years in files Update copyrights docs: Further improve --reneg-bytes and SWEET32 information git: Merge .gitignore files into a single file Make --cipher/--auth none more explicit on the risks Gert Doering (1): Document --proto udp6, tcp6, etc. Julien Muchembled (1): Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset Steffan Karger (6): Add missing includes in error.h cleanup: merge packet_id_alloc_outgoing() into packet_id_write() Document that OpenVPN 2.3 does not check the CRL signature Introduce and use secure_memzero() to erase secrets Drop packets instead of assert out if packet id rolls over (CVE-2017-7479) Don't assert out on receiving too-large control packets (CVE-2017-7478) 2016.12.06 -- Version 2.3.14 Christian Hesse (1): update year in copyright message David Sommerseth (1): Document the --auth-token option Gert Doering (2): Repair topology subnet on FreeBSD 11 Repair topology subnet on OpenBSD Lev Stipakov (1): Drop recursively routed packets Selva Nair (4): Support --block-outside-dns on multiple tunnels When parsing '--setenv opt xx ..' make sure a third parameter is present Map restart signals from event loop to SIGTERM during exit-notification wait Correctly state the default dhcp server address in man page Steffan Karger (1): Clean up format_hex_ex() 2016.11.02 -- Version 2.3.13 Arne Schwabe (2): Use AES ciphers in our sample configuration files and add a few modern 2.4 examples Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer David Sommerseth (4): t_client.sh: Make OpenVPN write PID file to avoid various sudo issues t_client.sh: Add support for Kerberos/ksu t_client.sh: Improve detection if the OpenVPN process did start during tests t_client.sh: Add prepare/cleanup possibilties for each test case Gert Doering (5): Do not abort t_client run if OpenVPN instance does not start. Fix t_client runs on OpenSolaris make t_client robust against sudoers misconfiguration add POSTINIT_CMD_suf to t_client.sh and sample config Fix --multihome for IPv6 on 64bit BSD systems. Ilya Shipitsin (1): skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto Lev Stipakov (2): Exclude peer-id from pulled options digest Fix compilation in pedantic mode Samuli Seppänen (1): Automatically cache expected IPs for t_client.sh on the first run Steffan Karger (6): Fix unittests for out-of-source builds Make gnu89 support explicit cleanup: remove code duplication in msg_test() Update cipher-related man page text Limit --reneg-bytes to 64MB when using small block ciphers Add a revoked cert to the sample keys 2016.08.23 -- Version 2.3.12 Arne Schwabe (2): Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it. Move ASSERT so external-key with OpenSSL works again David Sommerseth (3): Only build and run cmocka unit tests if its submodule is initialized Another fix related to unit test framework Remove NOP function and callers Dorian Harmans (1): Add CHACHA20-POLY1305 ciphersuite IANA name translations. Ivo Manca (1): Plug memory leak in mbedTLS backend Jeffrey Cutter (1): Update contrib/pull-resolv-conf/client.up for no DOMAIN Jens Neuhalfen (2): Add unit testing support via cmocka Add a test for auth-pam searchandreplace Josh Cepek (1): Push an IPv6 CIDR mask used by the server, not the pool's size Leon Klingele (1): Add link to bug tracker Samuli Seppänen (2): Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes Clarify the fact that build instructions in README are for release tarballs Selva Nair (4): Make error non-fatal while deleting address using netsh Make block-outside-dns work with persist-tun Ignore SIGUSR1/SIGHUP during exit notification Promptly close the netcmd_semaphore handle after use Steffan Karger (4): Fix polarssl / mbedtls builds Don't limit max incoming message size based on c2->frame Fix '--cipher none --cipher' crash Discourage using 64-bit block ciphers
Update openvpn distfile. Bump PKGREVISION.
Bump PKGREVISION for security/openssl ABI bump.
bulk build wants openssl
Changes 2.3.4: The most important change in this release is that TLS version negotiation is no longer used unless it's explicitly turned on in the configuration files, thus reverting back to the 2.3.2 behaviour as interoperability issues were encountered in 2.3.3. Other notable changes include addition of SSL library version reporting, fixing of SOCKSv5 authentication logic and making serial env exporting consistent between OpenSSL and PolarSSL. This release also contains a number of other bug fixes and small enhancements.
Keep in sync with the openvpn main package. Bump revision.
Add openvpn-nagios, an OpenVPN certificate monitoring plugin to be used in nagios