Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

openvpn-2.5.3-1.1 RPM for armv7hl

From OpenSuSE Ports Tumbleweed for armv7hl

Name: openvpn Distribution: openSUSE Tumbleweed
Version: 2.5.3 Vendor: openSUSE
Release: 1.1 Build date: Mon Aug 16 10:13:32 2021
Group: Productivity/Networking/Security Build host: obs-arm-11
Size: 1542431 Source RPM: openvpn-2.5.3-1.1.src.rpm
Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
OpenVPN is a full-featured SSL VPN solution which can accommodate a wide
range of configurations, including remote access, site-to-site VPNs,
WiFi security, and enterprise-scale remote access solutions with load
balancing, failover, and fine-grained access-controls.

OpenVPN implements OSI layer 2 or 3 secure network extension using the
industry standard SSL/TLS protocol, supports flexible client
authentication methods based on certificates, smart cards, and/or
2-factor authentication, and allows user or group-specific access
control policies using firewall rules applied to the VPN virtual

OpenVPN runs on: Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD,
NetBSD, Mac OS X, and Solaris.

OpenVPN is not a web application proxy and does not operate through a
web browser.




LGPL-2.1-only AND SUSE-GPL-2.0-with-openssl-exception


* Thu Aug 05 2021 Reinhard Max <>
  - Update to 2.5.3:
    * Removal of BF-CBC support in default configuration
      See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8).
    * Connections setup is now much faster
    * Support ChaCha20-Poly1305 cipher in the OpenVPN data channel
    * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
    * Client-specific tls-crypt keys (--tls-crypt-v2)
    * Improved Data channel cipher negotiation
    * HMAC based auth-token support for seamless reconnects to
      standalone servers or a group of servers
    * Asynchronous (deferred) authentication support for auth-pam
    * Asynchronous (deferred) support for client-connect scripts and
    * Support IPv4 configs with /31 netmasks
    * 802.1q VLAN support on TAP servers
    * Support IPv6-only tunnels
    * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
    * Support Virtual Routing and Forwarding (VRF)
    * Netlink integration (OpenVPN no longer needs to execute
      ifconfig/route or ip commands)
    * Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
  - bsc#1062157: The fix for bsc#934237 causes problems with the
    crypto self-test of newer openvpn versions.
    Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch .
* Mon May 31 2021 Dirk Müller <>
  - update to 2.4.11 (bsc#1185279):
    * CVE-2020-15078 see
    * This bug allows - under very specific circumstances - to trick a server using
      delayed authentication (plugin or management) into returning a PUSH_REPLY
      before the AUTH_FAILED message, which can possibly be used to gather
      information about a VPN setup.
    * In combination with "--auth-gen-token" or an user-specific token auth
      solution it can be possible to get access to a VPN with an
      otherwise-invalid account.
    * Fix potential NULL ptr crash if compiled with DMALLOC
  - drop sysv init support, it hasn't build successfully in ages
    and is build-disabled in devel project
* Sun Apr 25 2021 Christian Boltz <>
  - update 'rcopenvpn' to work without /etc/rc.status (boo#1185273)
* Wed Jan 06 2021 Dirk Müller <>
  - update to 2.4.10:
    - OpenVPN client will now announce the acceptable ciphers to the server
    (IV_CIPHER=...), so NCP cipher negotiation works better
    - Parse static challenge response in auth-pam plugin
    - Accept empty password and/or response in auth-pam plugin
    - Log serial number of revoked certificate
    - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
    - Fix auth-token not being updated if auth-nocache is set
    (this should fix all remaining client-side bugs for the combination
    "auth-nocache in client-config" + "auth-token in use on the server")
    - Fix stack overflow in OpenSolaris and *BSD NEXTADDR()
    - Fix error detection / abort in --inetd corner case (#350)
    - Fix TUNSETGROUP compatibility with very old Linux systems (#1152)
    - Fix handling of 'route remote_host' for IPv6 transport case
    (#1247 and #1332)
    - Fix --show-gateway for IPv6 on NetBSD/i386 (#734)
    - A number of documentation improvements / clarification fixes.
    - Fix line number reporting on config file errors after <inline> segments
    - Fix fatal error at switching remotes (#629)
    - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848)
    - Switch "ks->authenticated" assertion failure to returning false (#1270)
  - refresh 0001-preform-deferred-authentication-in-the-background.patch
    openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10
* Fri Sep 11 2020 Dirk Mueller <>
  - update to 2.4.9 (CVE-2020-11810, bsc#1169925O):
    * Allow unicode search string in --cryptoapicert option (Windows)
    * Skip expired certificates in Windows certificate store (Windows) (trac #966)
    * OpenSSL: Fix --crl-verify not loading multiple CRLs in one file (trac #623)
    * fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
    This can be used to disrupt service to a freshly connected client (no session
    keys negotiated yet). It can not be used to inject or steal VPN traffic.
    * fix combination of async push (deferred auth) and NCP (trac #1259)
    * Fix OpenSSL 1.1.1 not using auto elliptic curve selection (trac #1228)
    * Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
    * mbedTLS: Make sure TLS session survives move (trac #880)
    * Fix OpenSSL private key passphrase notices
    * Fix building with --enable-async-push in FreeBSD (trac #1256)
    * Fix broken fragmentation logic when using NCP (trac #1140)
* Wed Aug 26 2020 Franck Bui <>
  - Modernize openvpn.service
    * /var/run has been obsoleted since a long time.
    * on reload, send HUP signal directly rather than relying on
      killproc to look for the main process.
* Wed Aug 26 2020 Franck Bui <>
  - Explicitly requires sysvinit-tools as some of the tools shipped by
    this package are used in various places regardless of whether
    openvpn is built for systemd or non systemd systems.
    For the context: sysvinit-tools was pulled in by systemd since 2014
    but it's no longer the case so better to be safe than sorry.
* Wed Mar 04 2020 Fabian Vogt <>
  - Fix inconsistency in openvpn.service:
    * It uses the unescape instance name as config file basename,
      so use that in the description as well
* Fri Jan 24 2020 Dominique Leuenberger <>
  - BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
    shortcut through the -mini flavors.
  - Use %systemd_ordering instead of systemd_requires: in fact,
    systemd is not a hard requirement for openvpn. But in case a
    system is being installed with systemd, we want systemd to be
    there before  openvpn is being installed.
* Tue Jan 07 2020 Bjørn Lie <>
  - Update to version 2.4.8:
    * mbedtls: fix segfault by calling mbedtls_cipher_free() in
    * cleanup: Remove RPM openvpn.spec build approach
    * docs: Update INSTALL
    * build: Package missing mock_msg.h
    * Increase listen() backlog queue to 32
    * Force combinationation of --socks-proxy and --proto UDP to use
    * Wrong FILETYPE in .rc files
    * Do not set pkcs11-helper 'safe fork mode'
    * tests/ Switch sed(1) to POSIX-compatible regex.
    * Fix various compiler warnings
    * Fix regression, reinstate LibreSSL support.
    * man: correct the description of --capath and --crl-verify
      regarding CRLs
    * Fix typo in NTLM proxy debug message
    * Ignore --pull-filter for --mode server
    * openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
    * Better error message when script fails due to script-security
    * Correct the return value of cryptoapi RSA signature callbacks
    * Handle PSS padding in cryptoapicert
    * cmocka: use relative paths
    * Fix documentation of tls-verify script argument
* Thu Dec 19 2019 Dominique Leuenberger <>
  - BuildRequire pkgconfig(libsystemd) instead of systemd-devel:
    Allow OBS to shortcut through the -mini flavors.
* Wed Sep 18 2019 Michal Hrusecky <>
  - Add p11kit build time dependency for pkcs providers autodetection
* Mon Jul 29 2019 Reinhard Max <>
  - Clarify in the service file that the reload action doesn't work
    when dropping root privileges (boo#1142830).
* Tue Jun 25 2019 Michael Ströder <>
  - Updated openvpn.keyring with public key downloaded from
* Thu Feb 21 2019 Franck Bui <>
  - Drop use of $FIRST_ARG in openvpn.spec
    The use of $FIRST_ARG was probably required because of the
    %service_* rpm macros were playing tricks with the shell positional
    parameters. This is bad practice and error prones so let's assume
    that no macros should do that anymore and hence it's safe to assume
    that positional parameters remains unchanged after any rpm macro
* Wed Feb 20 2019 Michael Ströder <>
  - Update to 2.4.7:
    Adam Ciarcin?ski (1):
    * Fix subnet topology on NetBSD (2.4).
    Antonio Quartulli (3):
    * add support for %lu in argv_printf and prevent ASSERT
    * buffer_list: add functions documentation
    * ifconfig-ipv6(-push): allow using hostnames
    Arne Schwabe (7):
    * Properly free tuntap struct on android when emulating persist-tun
    * Add OpenSSL compat definition for RSA_meth_set_sign
    * Add support for tls-ciphersuites for TLS 1.3
    * Add better support for showing TLS 1.3 ciphersuites in --show-tls
    * Use right function to set TLS1.3 restrictions in show-tls
    * Add message explaining early TLS client hello failure
    * Fallback to password authentication when auth-token fails
    Christian Ehrhardt (1):
    * systemd: extend CapabilityBoundingSet for auth_pam
    David Sommerseth (1):
    * plugin: Export base64 encode and decode functions
    Gert Doering (3):
    * Add %d, %u and %lu tests to test_argv unit tests.
    * Fix combination of --dev tap and --topology subnet across multiple platforms.
    * Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
    Gert van Dijk (1):
    * Minor reliability layer documentation fixes
    James Bekkema (1):
    * Resolves small IV_GUI_VER typo in the documentation.
    Jonathan K. Bullard (1):
    * Clarify and expand management interface documentation
    Lev Stipakov (5):
    * Refactor NCP-negotiable options handling
    * init.c: refine functions names and description
    * interactive.c: fix usage of potentially uninitialized variable
    * options.c: fix broken unary minus usage
    * Remove extra token after #endif
    Richard van den Berg via Openvpn-devel (1):
    * Fix error message when using RHEL init script
    Samy Mahmoudi (1):
    * man: correct a --redirection-gateway option flag
    Selva Nair (7):
    * Replace M_DEBUG with D_LOW as the former is too verbose
    * Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'
    * Bump version of openvpn plugin argument structs to 5
    * Move get system directory to a separate function
    * Enable dhcp on tap adapter using interactive service
    * Pass the hash without the DigestInfo header to NCryptSignHash()
    * White-list pull-filter and script-security in interactive service
    Simon Rozman (2):
    * Add Interactive Service developer documentation
    * Detect TAP interfaces with root-enumerated hardware ID
    Steffan Karger (7):
    * man: add security considerations to --compress section
    * mbedtls: print warning if random personalisation fails
    * Fix memory leak after sighup
    * travis: add OpenSSL 1.1 Windows build
    * Fix --disable-crypto build
    * Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
    * buffer_list_aggregate_separator(): simplify code
* Fri Apr 27 2018
  - Update to 2.4.6:
    * CVE-2018-9336, bsc#1090839: Fix potential double-free() in
      Interactive Service
    * Delete the IPv6 route to the "connected" network on tun close
    * Management: warn about password only when the option is in use
    * Avoid overflow in wakeup time computation
* Tue Apr 10 2018
  - Remove --askpass again, because it was also asking for a password
    when none was needed. As a workaround for keys that need a
    password, the "askpass" statement should be added to the config
    file (bsc#1078026).
  - Use Type=notify in openvpn.service to reflect what openvpn is
    actually doing.
  - Import the new signing key from upstream.
  - Remove obsolete configure switch --enable-password-save .
* Tue Mar 13 2018
  - Update to 2.4.5
    * New features
      + The new option --tls-cert-profile can be used to restrict the
      set of allowed crypto algorithms in TLS certificates in mbed
      TLS builds. The default profile is 'legacy' for now, which
      allows SHA1+, RSA-1024+ and any elliptic curve certificates.
      The default will be changed to the 'preferred' profile in the
      future, which requires SHA2+, RSA-2048+ and any curve.
      + openvpnserv: Add support for multi-instances (to support
      multiple parallel OpenVPN installations, like EduVPN and
      regular OpenVPN)
      + Use P_DATA_V2 for server->client packets too (better packet
      + improve management interface documentation
      + rework registry key handling for OpenVPN service, notably
      making most registry values optional, falling back to
      reasonable defaults
      + accept IPv6 address for pushed "dhcp-option DNS ..." (make
      OpenVPN 2 option compatible with OpenVPN 3 iOS and Android
    * Bug fixes
      + Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
      + Fix lots of compiler warnings (format string, type casts, ...)
      + reload HTTP proxy credentials when moving to the next
      connection profile
      + Fix build with LibreSSL (multiple times)
      + Remove non-useful warning on pushed tun-ipv6 option.
      + autoconf: Fix engine checks for openssl 1.1
      + lz4: Rebase compat-lz4 against upstream v1.7.5
      + lz4: Fix broken builds when pkg-config is not present but
      system library is
      + Fix '--bind ipv6only'
      + Allow learning iroutes with network made up of all 0s
  - Includes 2.4.4
    * Bug fixes
      + Fix issues when a pushed cipher via the Negotiable Crypto
      Parameters (NCP) is rejected by the remote side
      + Ignore --keysize when NCP have resulted in a changed cipher
      + Configurations using --auth-nocache and the management
      interface to provide user credentials (like NetworkManager)
      on client side with servers implementing authentication
      tokens (for example, using --auth-gen-token) will now behave
      correctly and not query the user for an, to them, unknown
      authentication token on renegotiations of the tunnel.
      + Invalid or corrupt SOCKS port number when changing the proxy
      via the management interface.
      + man page should now have proper escaping of hyphen/minus
      characters and other minor corrections.
    * User-visible Changes
      + Linux servers with systemd which use the openvpn-server@.service
      unit file for server configurations will now utilize the
      automatic restart feature in systemd. If the OpenVPN server
      process dies unexpectedly, systemd will ensure the OpenVPN
      configuration will be restarted automatically.
    * Deprecated
      + --no-replay (will be removed in 2.5)
      + --keysize (will be removed in 2.6)
    * Security
      + CVE-2017-12166: Fix bounds check for configurations using
    - -key-method 1. Before this fix, attackers could send a
      malformed packet to trigger a stack overflow. This is
      considered to be a low risk issue, as --key-method 2 has
      been the default since 2.0 (released on 2005-04-17). This
      option is already deprecated in v2.4 and will be completely
      removed in v2.5.
  - Rebase openvpn-fips140-2.3.2.patch
  - Drop 0002-Fix-bounds-check-in-read_key.patch
    * upstreamed in c7e259160b28e94e4ea7f0ef767f8134283af255
  - Partial cleanup with spec-cleaner
* Tue Feb 13 2018
  - Add --askpass to ExecStart, so that the user name and password
    are correctly being queried from the user.
    (bsc#1078026, boo#985798, boo#1031748)
  - Use %service_add/del macros throughout (bsc#1038406).



Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Nov 30 00:04:46 2021