diff --git a/SOURCES/0001-Re-introduce-tls-remote-for-Fedora-EPEL-6-and-EPEL-7.patch b/SOURCES/0001-Re-introduce-tls-remote-for-Fedora-EPEL-6-and-EPEL-7.patch new file mode 100644 index 00000000..edf80d4c --- /dev/null +++ b/SOURCES/0001-Re-introduce-tls-remote-for-Fedora-EPEL-6-and-EPEL-7.patch @@ -0,0 +1,201 @@ +From 273d10b74973d672317c0c0bd5e58897e49a94f0 Mon Sep 17 00:00:00 2001 +From: David Sommerseth +Date: Thu, 23 Mar 2017 22:50:41 +0100 +Subject: [PATCH] Re-introduce --tls-remote for Fedora EPEL-6 and EPEL-7 only + +This reverts commit 10ce637066f44e8ad9f4af000b8d0c2a4012236d. + +To avoid breaking any existing OpenVPN installations using the +Fedora EPEL repository, this patch re-introduces this DEPRECATED +--tls-remote option for Fedora EPEL-6 and EPEL-7 ONLY. This is +only considered to be an exceptional patch and will not be part +of any upstream OpenVPN releases. + +Signed-off-by: David Sommerseth +--- + Changes.rst | 6 ++++++ + doc/openvpn.8 | 45 +++++++++++++++++++++++++++++++++++++++ + src/openvpn/options.c | 55 +++++++++++++++++++++++++++++++++++++++++++----- + src/openvpn/ssl_verify.h | 2 ++ + 4 files changed, 103 insertions(+), 5 deletions(-) + +diff --git a/Changes.rst b/Changes.rst +index d5e12eb..a536f5b 100644 +--- a/Changes.rst ++++ b/Changes.rst +@@ -179,6 +179,12 @@ https://community.openvpn.net/openvpn/wiki/DeprecatedOptions + non-standard X.509 subject formatting must be updated to the standardized + formatting. See the man page for more information. + ++ NOTE: For Fedora EPEL-6 and EPEL-7 this feature have been re-introduced ++ to maintain a possible upgrade path from v2.3 to v2.4. All users are STRONGLY ++ encouraged to update their configurations to use ``--verify-x509-name`` ASAP. ++ The ``--tls-remote`` option WILL NOT be preserved in newer major Fedora EPEL ++ releases. ++ + - ``--no-iv`` is deprecated in OpenVPN 2.4 and will be removed in v2.5. + + - ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6 +diff --git a/doc/openvpn.8 b/doc/openvpn.8 +index 0b3e1ad..44f528c 100644 +--- a/doc/openvpn.8 ++++ b/doc/openvpn.8 +@@ -5349,6 +5349,51 @@ prefix will be left as\-is. This automatic upcasing feature + is deprecated and will be removed in a future release. + .\"********************************************************* + .TP ++.B \-\-tls\-remote name (DEPRECATED) ++Accept connections only from a host with X509 name ++or common name equal to ++.B name. ++The remote host must also pass all other tests ++of verification. ++ ++.B NOTE: ++Because tls\-remote may test against a common name prefix, ++only use this option when you are using OpenVPN with a custom CA ++certificate that is under your control. ++Never use this option when your client certificates are signed by ++a third party, such as a commercial web CA. ++ ++Name can also be a common name prefix, for example if you ++want a client to only accept connections to "Server-1", ++"Server-2", etc., you can simply use ++.B \-\-tls\-remote Server ++ ++Using a common name prefix is a useful alternative to managing ++a CRL (Certificate Revocation List) on the client, since it allows the client ++to refuse all certificates except for those associated ++with designated servers. ++ ++.B \-\-tls\-remote ++is a useful replacement for the ++.B \-\-tls\-verify ++option to verify the remote host, because ++.B \-\-tls\-remote ++works in a ++.B \-\-chroot ++environment too. ++ ++.B Please also note: ++This option is DEPRECATED. It has been removed in upstream OpenVPN v2.4.0 ++and have only been re-introduced into Fedora EPEL-6 and EPEL-7 for backwards ++compatibility purposes. It will NOT be provided in any newer major EPEL ++releases. So please make sure you support the new X.509 name formatting ++described with the ++.B \-\-compat\-names ++option as soon as possible by updating your configurations to use ++.B \-\-verify\-x509\-name ++instead. ++.\"********************************************************* ++.TP + .B \-\-verify\-x509\-name name type + Accept connections only if a host's X.509 name is equal to + .B name. +diff --git a/src/openvpn/options.c b/src/openvpn/options.c +index 8dee5d1..2f97442 100644 +--- a/src/openvpn/options.c ++++ b/src/openvpn/options.c +@@ -66,7 +66,7 @@ const char title_string[] = + #ifdef CONFIGURE_GIT_REVISION + " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]" + #endif +- " " TARGET_ALIAS ++ " " TARGET_ALIAS " [Fedora EPEL patched]" + #ifdef ENABLE_CRYPTO + #if defined(ENABLE_CRYPTO_MBEDTLS) + " [SSL (mbed TLS)]" +@@ -7887,12 +7887,16 @@ add_option(struct options *options, + #endif + { + VERIFY_PERMISSION(OPT_P_GENERAL); +- if (options->verify_x509_type != VERIFY_X509_NONE) ++ if (options->verify_x509_type != VERIFY_X509_NONE ++ && options->verify_x509_type != TLS_REMOTE_SUBJECT_DN ++ && options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX) + { + msg(msglevel, "you cannot use --compat-names with --verify-x509-name"); + goto err; + } +- msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5."); ++ msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your " ++ "configuration. This option is especially preserved for " ++ "Fedora EPEL-6 and EPEL-7 ONLY."); + compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES); + #if P2MP_SERVER + if (p[1] && streq(p[1], "no-remapping")) +@@ -7903,16 +7907,57 @@ add_option(struct options *options, + else if (streq(p[0], "no-name-remapping") && !p[1]) + { + VERIFY_PERMISSION(OPT_P_GENERAL); +- if (options->verify_x509_type != VERIFY_X509_NONE) ++ if (options->verify_x509_type != VERIFY_X509_NONE ++ && options->verify_x509_type != TLS_REMOTE_SUBJECT_DN ++ && options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX) + { + msg(msglevel, "you cannot use --no-name-remapping with --verify-x509-name"); + goto err; + } +- msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN 2.5."); ++ msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your " ++ "configuration. This option is especially preserved for " ++ "Fedora EPEL-6 and EPEL-7 ONLY."); + compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES); + compat_flag(COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); + #endif + } ++ else if (streq(p[0], "tls-remote") && p[1] && !p[2]) ++ { ++ VERIFY_PERMISSION(OPT_P_GENERAL); ++ ++ if (options->verify_x509_type != VERIFY_X509_NONE ++ && options->verify_x509_type != TLS_REMOTE_SUBJECT_DN ++ && options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX) ++ { ++ msg(msglevel, "you cannot use --tls-remote with --verify-x509-name"); ++ goto err; ++ } ++ msg(M_WARN, "DEPRECATED OPTION: --tls-remote is espectially " ++ "re-introduced in v2.4 for Fedora EPEL-6 and EPEL-7 only. " ++ "Do update your configuration now!"); ++ ++ if (strlen(p[1])) ++ { ++ int is_username = (!strchr(p[1], '=') || !strstr(p[1], ", ")); ++ int type = TLS_REMOTE_SUBJECT_DN; ++ if (p[1][0] != '/' && is_username) ++ { ++ type = TLS_REMOTE_SUBJECT_RDN_PREFIX; ++ } ++ ++ /* ++ * Enable legacy openvpn format for DNs that have not been converted ++ * yet and --x509-username-field (not containing an '=' or ', ') ++ */ ++ if (p[1][0] == '/' || is_username) ++ { ++ compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES); ++ } ++ ++ options->verify_x509_type = type; ++ options->verify_x509_name = p[1]; ++ } ++ } + else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3]) + { + int type = VERIFY_X509_SUBJECT_DN; +diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h +index f2d0d6c..e244566 100644 +--- a/src/openvpn/ssl_verify.h ++++ b/src/openvpn/ssl_verify.h +@@ -66,6 +66,8 @@ struct cert_hash_set { + #define VERIFY_X509_SUBJECT_DN 1 + #define VERIFY_X509_SUBJECT_RDN 2 + #define VERIFY_X509_SUBJECT_RDN_PREFIX 3 ++#define TLS_REMOTE_SUBJECT_DN 1 + 0x100 ++#define TLS_REMOTE_SUBJECT_RDN_PREFIX 3 + 0x100 + + #define TLS_AUTHENTICATION_SUCCEEDED 0 + #define TLS_AUTHENTICATION_FAILED 1 +-- +2.13.5 diff --git a/SOURCES/gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg b/SOURCES/gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg new file mode 100644 index 00000000..4dff7eb3 Binary files /dev/null and b/SOURCES/gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg differ diff --git a/SOURCES/openvpn-2.4-change-tmpfiles-permissions.patch b/SOURCES/openvpn-2.4-change-tmpfiles-permissions.patch new file mode 100644 index 00000000..8adb7006 --- /dev/null +++ b/SOURCES/openvpn-2.4-change-tmpfiles-permissions.patch @@ -0,0 +1,9 @@ +diff --git a/distro/systemd/tmpfiles-openvpn.conf b/distro/systemd/tmpfiles-openvpn.conf +index bb79671e..9258f5c6 100644 +--- a/distro/systemd/tmpfiles-openvpn.conf ++++ b/distro/systemd/tmpfiles-openvpn.conf +@@ -1,2 +1,2 @@ +-d /run/openvpn-client 0710 root root - +-d /run/openvpn-server 0710 root root - ++d /run/openvpn-client 0750 root openvpn - ++d /run/openvpn-server 0750 root openvpn - diff --git a/SOURCES/openvpn@.service b/SOURCES/openvpn@.service new file mode 100644 index 00000000..f6af6d73 --- /dev/null +++ b/SOURCES/openvpn@.service @@ -0,0 +1,11 @@ +[Unit] +Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I +After=network.target + +[Service] +Type=notify +PrivateTmp=true +ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf + +[Install] +WantedBy=multi-user.target diff --git a/SOURCES/roadwarrior-client.conf b/SOURCES/roadwarrior-client.conf new file mode 100644 index 00000000..dd12fdb5 --- /dev/null +++ b/SOURCES/roadwarrior-client.conf @@ -0,0 +1,38 @@ +######################################### +# Sample client-side OpenVPN config file +# for connecting to multi-client server. +# +# Adapted from http://openvpn.sourceforge.net/20notes.html +# +# The server can be pinged at 10.8.0.1. +# +# This configuration can be used by multiple +# clients, however each client should have +# its own cert and key files. +# +# tun-style tunnel + +port 1194 +dev tun +remote [my server hostname or IP address] + +# TLS parms + +tls-client +ca sample-keys/tmp-ca.crt +cert sample-keys/client.crt +key sample-keys/client.key + +# This parm is required for connecting +# to a multi-client server. It tells +# the client to accept options which +# the server pushes to us. +pull + +# Scripts can be used to do various +# things (change nameservers, for +# example. +#up scripts/ifup-post +#down scripts/ifdown-post + +verb 4 diff --git a/SOURCES/roadwarrior-server.conf b/SOURCES/roadwarrior-server.conf new file mode 100644 index 00000000..2d740f6f --- /dev/null +++ b/SOURCES/roadwarrior-server.conf @@ -0,0 +1,67 @@ +######################################## +# Sample OpenVPN config file for +# 2.0-style multi-client udp server +# +# Adapted from http://openvpn.sourceforge.net/20notes.html +# +# tun-style tunnel + +port 1194 +dev tun + +# Use "local" to set the source address on multi-homed hosts +#local [IP address] + +# TLS parms +tls-server +ca sample-keys/tmp-ca.crt +cert sample-keys/server.crt +key sample-keys/server.key +dh sample-keys/dh1024.pem + +# Tell OpenVPN to be a multi-client udp server +mode server + +# The server's virtual endpoints +ifconfig 10.8.0.1 10.8.0.2 + +# Pool of /30 subnets to be allocated to clients. +# When a client connects, an --ifconfig command +# will be automatically generated and pushed back to +# the client. +ifconfig-pool 10.8.0.4 10.8.0.255 + +# Push route to client to bind it to our local +# virtual endpoint. +push "route 10.8.0.1 255.255.255.255" + +# Push any routes the client needs to get in +# to the local network. +push "route 192.168.0.0 255.255.255.0" + +# Push DHCP options to Windows clients. +push "dhcp-option DOMAIN example.com" +push "dhcp-option DNS 192.168.0.1" +push "dhcp-option WINS 192.168.0.1" + +# Client should attempt reconnection on link +# failure. +keepalive 10 60 + +# Delete client instances after some period +# of inactivity. +inactive 600 + +# Route the --ifconfig pool range into the +# OpenVPN server. +route 10.8.0.0 255.255.255.0 + +# The server doesn't need privileges +user openvpn +group openvpn + +# Keep TUN devices and keys open across restarts. +persist-tun +persist-key + +verb 4 diff --git a/SPECS/openvpn.spec b/SPECS/openvpn.spec new file mode 100644 index 00000000..03cc1af9 --- /dev/null +++ b/SPECS/openvpn.spec @@ -0,0 +1,259 @@ +%define _hardened_build 1 +#define prerelease rc22 + +# Build conditionals +# tests_long - Enabled by default, enables long running tests in %%check +%bcond_without tests_long + +Name: openvpn +Version: 2.4.6 +Release: 1%{?prerelease:.%{prerelease}}%{?dist} +Summary: A full-featured SSL VPN solution +URL: https://community.openvpn.net/ +Source0: https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz +Source1: https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz.asc +Source2: roadwarrior-server.conf +Source3: roadwarrior-client.conf +# Deprecated systemd unit file. Will be removed in Fedora 27 +Source5: openvpn@.service +# Upstream signing key +Source6: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg +Patch0: 0001-Re-introduce-tls-remote-for-Fedora-EPEL-6-and-EPEL-7.patch +Patch50: openvpn-2.4-change-tmpfiles-permissions.patch +License: GPLv2 +BuildRequires: gnupg2 +BuildRequires: gcc +BuildRequires: systemd-devel +BuildRequires: lzo-devel +BuildRequires: lz4-devel +BuildRequires: openssl-devel +BuildRequires: pkcs11-helper-devel >= 1.11 +BuildRequires: pam-devel +BuildRequires: libselinux-devel +# For the perl_default_filter macro +BuildRequires: perl-macros +%{?systemd_requires} +# For /sbin/ip. +BuildRequires: iproute +Requires: iproute +Requires(pre): /usr/sbin/useradd +Requires(post): systemd-sysv +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units + +# Filter out the perl(Authen::PAM) dependency. +# No perl dependency is really needed at all. +%{?perl_default_filter} + +%description +OpenVPN is a robust and highly flexible tunneling application that uses all +of the encryption, authentication, and certification features of the +OpenSSL library to securely tunnel IP networks over a single UDP or TCP +port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library +for compression. + +%package devel +Group: Applications/Internet +Summary: Development headers and examples for OpenVPN plug-ins + +%description devel +OpenVPN can be extended through the --plugin option, which provides +possibilities to add specialized authentication, user accounting, +packet filtering and related features. These plug-ins need to be +written in C and provides a more low-level and information rich access +to similar features as the various script-hooks. + + +%prep +gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0} +%setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}} +%patch0 -p1 +%patch50 -p1 + +sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8 + +# %%doc items shouldn't be executable. +find contrib sample -type f -perm /100 \ + -exec chmod a-x {} \; + +%build +%configure \ + --enable-iproute2 \ + --with-crypto-library=openssl \ + --enable-pkcs11 \ + --enable-selinux \ + --enable-systemd \ + --enable-x509-alt-username \ + --docdir=%{_pkgdocdir} \ + SYSTEMD_UNIT_DIR=%{_unitdir} \ + TMPFILES_DIR=%{_tmpfilesdir} \ + IPROUTE=/sbin/ip +%{__make} + +%check +# Test Crypto: +./src/openvpn/openvpn --genkey --secret key +./src/openvpn/openvpn --cipher aes-128-cbc --test-crypto --secret key +./src/openvpn/openvpn --cipher aes-256-cbc --test-crypto --secret key +./src/openvpn/openvpn --cipher aes-128-gcm --test-crypto --secret key +./src/openvpn/openvpn --cipher aes-256-gcm --test-crypto --secret key + +%if %{with tests_long} +# Randomize ports for tests to avoid conflicts on the build servers. +cport=$[ 50000 + ($RANDOM % 15534) ] +sport=$[ $cport + 1 ] +sed -e 's/^\(rport\) .*$/\1 '$sport'/' \ + -e 's/^\(lport\) .*$/\1 '$cport'/' \ + < sample/sample-config-files/loopback-client \ + > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client +sed -e 's/^\(rport\) .*$/\1 '$cport'/' \ + -e 's/^\(lport\) .*$/\1 '$sport'/' \ + < sample/sample-config-files/loopback-server \ + > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server + +pushd sample +# Test SSL/TLS negotiations (runs for 2 minutes): +../src/openvpn/openvpn --config \ + %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client & +../src/openvpn/openvpn --config \ + %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server +wait +popd + +rm -f %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client \ + %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server +%endif + +%install +%{__make} install DESTDIR=$RPM_BUILD_ROOT +find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f +mkdir -p -m 0750 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/client $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/server +cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/ + +# Create some directories the OpenVPN package should own +mkdir -m 0750 -p $RPM_BUILD_ROOT%{_rundir}/%{name}-{client,server} +mkdir -m 0770 -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name} + +# DEPRECATED openvpn@.service ... this unit file will be removed in EPEL8 +install -D -m 0644 %{SOURCE5} $RPM_BUILD_ROOT%{_unitdir}/ + +# Package installs into %%{_pkgdocdir} directly +# Add various additional files +cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir} + +# Remove some files which does not really belong here +rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am} +rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch +rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys + +%pre +getent group openvpn &>/dev/null || groupadd -r openvpn +getent passwd openvpn &>/dev/null || \ + /usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \ + -d /etc/openvpn openvpn + +%post +%systemd_post openvpn-client@\*.service +%systemd_post openvpn-server@\*.service + +%preun +%systemd_preun openvpn-client@\*.service +%systemd_preun openvpn-server@\*.service + +%postun +%systemd_postun_with_restart openvpn-client@\*.service +%systemd_postun_with_restart openvpn-server@\*.service +%systemd_postun_with_restart openvpn@\*.service + + +%files +%{_pkgdocdir} +%exclude %{_pkgdocdir}/README.IPv6 +%exclude %{_pkgdocdir}/README.mbedtls +%exclude %{_pkgdocdir}/sample/sample-plugins +%{_mandir}/man8/%{name}.8* +%{_sbindir}/%{name} +%{_libdir}/%{name}/ +%{_unitdir}/%{name}@.service +%{_unitdir}/%{name}-client@.service +%{_unitdir}/%{name}-server@.service +%{_tmpfilesdir}/%{name}.conf +%config %dir %{_sysconfdir}/%{name}/ +%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/client +%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/server +%attr(0750,-,openvpn) %{_rundir}/%{name}-client +%attr(0750,-,openvpn) %{_rundir}/%{name}-server +%attr(0770,openvpn,openvpn) %{_sharedstatedir}/%{name} + +%files devel +%{_pkgdocdir}/sample/sample-plugins +%{_includedir}/openvpn-plugin.h +%{_includedir}/openvpn-msg.h + + +%changelog +* Thu Apr 26 2018 David Sommerseth - 2.4.6-1 +- Updating to upstream, openvpn-2.4.6 + +* Thu Mar 1 2018 David Sommerseth - 2.4.5-1 +- Updating to upstream, openvpn-2.4.5 +- Package upstream ChangeLog, which contains a bit more details than Changes.rst +- Cleaned up spec file further, removed Group: tag, trimmed changelog section, + added gcc to BuildRequires. +- Excluded not relevant file, README.mbedtls +- Package upstream version of README.systemd +- Fix wrong group owner of /etc/openvpn/{client,server} (rhbz#1526743) +- Changed crypto self-test to test AES-{128,256}-{CBC,GCM} instead of only BF-CBC (deprecated) +- Change /run/openvpn-{client,server} permissions to be 0750 instead of 0710, with group set to openvpn + +* Thu Jan 25 2018 Igor Gnatenko - 2.4.4-2 +- Fix systemd executions/requirements + +* Tue Sep 26 2017 David Sommerseth - 2.4.4-1 +- Update to upstream openvpn-2.4.4 +- Includes fix for possible stack overflow if --key-method 1 is used {CVE-2017-12166} +- Build against Fedora EPEL lz4 compression library +- Build with long running test cases +- Use %%{name} instead of the openvpn string in a few directory paths + +* Wed Jun 21 2017 David Sommerseth - 2.4.3-1 +- Updating to upstream openvpn-2.4.3 +- Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508} +- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-7520} +- Fix potential double-free in --x509-alt-username {CVE-2017-7521} +- Fix remote-triggerable memory leaks {CVE-2017-7521} +- Ensure OpenVPN systemd services are restarted upon upgrades +- Verify PGP signature of source tarball as part of package building + +* Thu May 11 2017 David Sommerseth - 2.4.2-2 +- Install and take ownership of /run/openvpn-{client,server} (rhbz#1444601) +- Install and take ownership of /var/lib/openvpn (rhbz#922786) +- Re-enable --enable-x509-alt-username (rhbz#1443942) + +* Thu May 11 2017 David Sommerseth - 2.4.2-1 +- Update to upstream openvpn-2.4.2 + +* Mon Apr 3 2017 David Sommerseth - 2.4.1-2 +- Splitting out -devel files into a separate package +- Removed several contrib and sample files which makes is not + strictly needed in this package. +- Use systemd-rpm macros (rhbz#850257) +- Updated openvpn@.service to use Type=notify instead of Type=forking (rhbz#1435831) + BEWARE: openvpn@.service is DEPRECATED. +- Added README.systemd describing new systemd unit files (openvpn-client/server@.service) +- Lots of packaging cleanups +- build: Enable tests runs by default, long running tests can + be disabled with "--without tests_long" +- build: Removed defined %%{plugins} macro not in use + +* Thu Mar 23 2017 David Sommerseth - 2.4.1-1 +- Updating to upstream release, v2.4.1 +- Removed no-functional ./configure options +- Use upstream tmfiles.d/openvpn +- Package newer openvpn-client/server@.service unit files +- Fedora EPEL exception: Re-introduce --tls-remote feature +- Package management-notes.txt, describing the management interface + +* Thu Feb 09 2017 Jon Ciesla 2.4.0-1 +- 2.4.0.