openvpn-2.4.3-lp150.3.3.1<>,[=6/=„Y,q)b%Ӑ#O/qIz 5 v?ͪON>_Zߐ%_S X F%iBQQN}l&Dh?Xd   Upt| !( WHW W W W 'W 'pW(W*W,2,TW--".P"1L"(181=92=:6==>x?@FGWHWI\WXY\W]<W^bcdefl!u4WvwWxHWyz TCopenvpn2.4.3lp150.3.3.1Full-featured SSL VPN solution using a TUN/TAP InterfaceOpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. OpenVPN implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or 2-factor authentication, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN runs on: Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris. OpenVPN is not a web application proxy and does not operate through a web browser.[=6lamb03]openSUSE Leap 15.0openSUSESUSE-GPL-2.0-with-openssl-exception and LGPL-2.1http://bugs.opensuse.orgProductivity/Networking/Securityhttp://openvpn.net/linuxx86_64systemd-tmpfiles --create /usr/lib/tmpfiles.d/openvpn.conf ||: test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$YAST_IS_RUNNING" != "instsys" -a -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi if [ "$FIRST_ARG" -eq 1 ]; then if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl preset openvpn.target || : fi elif [ "$FIRST_ARG" -gt 1 ]; then for service in openvpn.target ; do if [ ! -e "/run/rpm-openvpn-update-$service-new-in-upgrade" ]; then continue fi rm -f "/run/rpm-openvpn-update-$service-new-in-upgrade" if [ ! -x /usr/bin/systemctl ]; then continue fi /usr/bin/systemctl preset "$service" || : done for service in openvpn.target ; do sysv_service=${service%.*} if [ -e /var/lib/systemd/migrated/$sysv_service ]; then continue fi if [ ! -x /usr/sbin/systemd-sysv-convert ]; then continue fi /usr/sbin/systemd-sysv-convert --apply $sysv_service || : touch /var/lib/systemd/migrated/$sysv_service || : done fi # try to migrate openvpn.service autostart to openvpn@.service if test ${FIRST_ARG:-$1} -ge 1 -a \ -x /bin/systemctl -a \ -f /etc/sysconfig/openvpn -a \ -f /usr/share/fillup-templates/sysconfig.openvpn && \ /bin/systemctl --quiet is-enabled openvpn.service &>/dev/null ; then . /etc/sysconfig/openvpn try_service_cgroup_join() { local p="/var/run/openvpn/${1}.pid" local t="/sys/fs/cgroup/systemd/system/openvpn@.service/${1}" /sbin/checkproc -p "$p" "/usr/sbin/openvpn" &>/dev/null || return 0 test -d "$t" || mkdir -p "$t" 2>/dev/null || return 1 cat "$p" > "$t/tasks" 2>/dev/null || return 1 } if test "X$OPENVPN_AUTOSTART" != "X" ; then for conf in $OPENVPN_AUTOSTART ; do test -f "/etc/openvpn/${conf}.conf" && \ /bin/systemctl enable "openvpn@${conf}.service" && \ try_service_cgroup_join "$conf" || continue done else shopt -s nullglob || : for conf in /etc/openvpn/*.conf ; do conf=${conf##*/} conf=${conf%.conf} test -f "/etc/openvpn/${conf}.conf" && \ /bin/systemctl enable "openvpn@${conf}.service" && \ try_service_cgroup_join "$conf" || continue done fi fi rm -f /etc/sysconfig/openvpn || : test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -eq 0 -a -x /usr/bin/systemctl ]; then # Package removal, not upgrade /usr/bin/systemctl --no-reload disable openvpn.target || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_STOP_ON_REMOVAL" && . /etc/sysconfig/services test "$DISABLE_STOP_ON_REMOVAL" = yes -o \ "$DISABLE_STOP_ON_REMOVAL" = 1 && exit 0 /usr/bin/systemctl stop openvpn.target ) || : fi/bin/systemctl --system daemon-reload &>/dev/null || :a %P)%Fjb -5 +bFBJd  {-1wBp {5 >>?* .| h9SaAA聤A큤A큤AA큤A큤A큤A큤A큤A큤A큤큤[=3[=3[=3[=3[=3[=3[=3[=3[=4YIYIYIYIYIYIYIRYIYIYI[=YIYIYI[=YIYIYIYIYIYIYIYIYIYI[=YIYIYI[=YIYIYI[=YIYIYIYIYIYIYIYIYIYIYIYIYIYIYIYI[=YIYIYIYIYIYIYIYIYIYIYIYIYIYIYIYIYI[=3YIYIYI[=3[=3YIYI[=2d014ac279d3e98492f0dabc15fd92180f69c8a70993f37a660db7dd851fc41bac6036e6b1581bb6fe6ca9d7381617170fa9139282b7422834916d72f0e75bc9ee2d9ed9278ee76ddb66cb02331a00567fc36a0aada32056afb473bb3f1a31685ceb225965ce74fcd5bf692e876620059fc9957bfb3a06b2e62cc45d010ada17cfe2be2fe7777ba870fe04cd52d0b9d869cfcf01a2da0ab18bcf8e1c60f5ba33e24438a3747863ddc4b6d997c1845378193991b83ef6b343feeedee1e4d899b86901e7fb3bf0d250ba10b84e7b3404a907203daf60a895c2dadf12117e34dae561fcb78d7e478bb8a9408010bdc91b36e213b1facfad093df3f7ce7e28af190435651a964ca5d142da8107449905823d777f10974292d9741c7aaa110b0ba29de6b4c407368eef79cfe87d1598fbf7a42a7ad43589fccf804e2673b0bf278435c635a162e9402719c834d3216f08d99a1956cdd981d288f74c3d51e7833dacfbfa2f22331aebfea76dfe6d3fda7ca813c240e45ac94d30bca065bdbf7e5943fce666088dd817e24bde55fb9b3c21feb2ac90419a925df05d32600f1c3dc7a86db63f34624cf73a6d40b1fa3f7a5cb10f402739476fca78b271c5bd6c64a64b17a941ac7b8297da1c46d4a056a0adcf920a8b8a2bad38b0bef548c82c79219655c191535e1a023a064204696e08ea715a86ef8db2f88aae3aac65f71c034336954a66d089f122748ad4764ddbb7a972a677c4c2a79e4fc272ab76d5ac720eaabc370547100d533cc453bbe9b6c22b52b4e6ba73a676042a45b3e2acf914cc390f119d149888b475712c08a7ceccd1a11bf7b734411d0d457e54d9ff76ee8872fb7b9e1c4d20760c9930e916739cfd94137504ea3dccdd3fd766343c3749a7cd9d40293a9ae2a0c76b7f69aad34570e245cfb3b43035ec06c3d52a1fd491ebe550839c153c0f19884c1045b63a75a046200520f771a96a87c69bf75d26794252f4e703cbae187670192543e1f1e4f5e2a1e1dd1f39da4745089293e2df50ef1b71fff16d74986eb3ac08338bfd22642465a573b90bb3d32b414e6bbd5657d9020e85cc15343c0db4ab417a653df4b4e1c7109cda58771bcec5bcd5a5d4aa2af6c0c0452ed770111c00d68c199f28e90c6ef29fecb67d678f5ebab0203c145d1ee8eefc8eeed976fe82792b7c9ad90297fc790d277407c830488a97b6a3de1711b771c9f6676e9f8cd7cfd7fb42089c16cba3e1e8e517bd9b89bd4cb6cd79e3cc2e1734d4be80f4980f9e5da566cb7e5729f90dd74d81011f5d38cf5064a5c37ac66bfe02f4f47f2186cc5a36c49450a4cf824024e750198bd58c4a2999dd7533d77bb4bb64b5572c74e7a4c873a6650c2e7e2e3b4e480c0785474fc5d198bad82f96227b60b32af28eb4e7b92747256bf31284e38ab25a5d0ec7909d75b7d9253fec84e8f343add81cf302aa77357c65a7b9bc27ceb428e8b086d43baf7a28a9b530ef22c9652523d0aef2f150078536211aff3ccd7bb70e640c2f325ce89b6b251c0121a3855785eb8bb4121b698e30f859739023cad3a5a6f22a14f2defa6a155bc8a81a59e7bd44e4fbca87afd800c4f819b106e13f81bbadcdd4a6201f42e8be4cf3626a04b024f8c8e772760175e173ab5f870d91f8f04e4954ef7d3a62606170c094052efa123841b50cd336f91e13fbedf25ef23bda6b5512846c4d684f8b63f5e034ca95df3a8be96206a2e09b09c24019abf144759e1f4765116c0aa49837a4b04c8fdc4ca8afc42f40fe28de8ae24cb20f839dc31322440652b8cbd6b8dbd93cd636f931509023c50e4d51a27fcd3769251dcc5a1e07e0c3279b7b42d2720153a474d78b7475e8eb813a87018fdea6b9dc26b733af0aa58008275d79250f70711d06ff00e4c747c007618652e058f25e11a3e42513a5278cc13065b84f928fbfa3fac762884b00dbb3abe7a79d6825ee804a01922156b50b20c4ddd886f3b4496614b9b46ec1943e54826374a9979c2b4a2b7aa0dd51b0b04d14c9a6df924dc95790b3cc313aa56d0c0077013e52f9a8f9b092db9e88a9c9d903f3d8d2750a6271c35ef4d20023c44802f5c3ebd315930bdf6b5800d442d63ed52c6d2791bd1cb12ca05aae8e82a009a04fe159a632b6e33b3a573b1746a856dfaa1a9132e2b5f275da9b75c95d6adfb103c9fbe316ed3da3a0f3b0adecb112caaf3d25368a60ee36e2aadec5a36c983b8c6c005fd7b06d91e7cd3035cf9dad83c57a2568461eb8858d24817506df14c5f36d2298c9bd9cbbfefbcaec6bcbb64a5dccdc004604391fe65bb430b60e774b269f443b785b164b675f4d12d7e0027bee5f79cde07280573666d9ffe7d29f64561643f1d1086dd425503968a1485c5334e1246ee6fd7cc033179ce5a9689b1446315ebc04aa9350f67962d691ea9c98bf161bfab4297f53c732a6959110b05953a31ba2ee682615d95399af6921334b6e16f3f2b4fe18f380d5e2c9590f0535288ff69a556c40d2a8fdebc56e65c72e290d2260ea749d9491bbe27a8f29e7062a7cd95d56fe603f924f25485611b2d8079ef5f360847b8306c074e4ffd030aa36ad1de431970f83394f92d2e60903ce2806d558b875ce76181eaa0b71cd3276a335404960f48f4f3de32c20e5150568bd0fc3598bf4836cc22c5347b64ff7a3f01f3ee6284440149559a1c1e1ac20ea0bee35e3097b0f5987d451dfdabacd8ac5c66aaceb1ffec55eaeee8a67aff49f7f8e1530ee2b2c73b1cb566edbb1c550a6e760af3eac1cc4f5455602317dc1a249156c883aa59b5141595636e30ccb1680b46cf9b29c21a5889a72e653ec0334bf2ed13bd26195ad751522771b5d1b46278938347532162a3b1581c7ec694c7e2e256d383868ddbec241be6860a01ad1177cb5be91d03d25ef7f4351d0ba8240754bcc7abdcabff545dda4480fafd5ec96ee70629aeed4de2df2e890277678e5c17a061b2e3c881e8b4b4c1213aab9545b29d35430478cc3847490762f1a6a8d7f45d074141e181040b911440ad37c7f845741ec9cc5fb8e7946d90b29a8392ec317b6bd6359067b850c0bc3d5ed68581774f532f687a9554daf1da63603b69b14239c5a5c57b94d5fbe48799a227356e80f12557da75ae81cd7510838c716f37e6b580da1ed8679582cf8046ea1451adb6231b2ca7398e7e4a528a8dec6beebf021aea342be2017b1432b1214b1a296a0a35ac0f9ec91c876cde3dea48c19b6e38789a6b8d5d524105bb0eff5108a40494c52ada16fb35afb6ce1f4e0fe6891bf601697a7bb3c90fd111ec96339b7a2fe83a1444d339f38c26cafddd0cee9f3328572b47ea61e17ea2d0e735481c4d60fc38d3486648d3502412320312487cc07651@rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootopenvpn-2.4.3-lp150.3.3.1.src.rpmopenvpnopenvpn(x86-64)@ @@@@@@@@@@@@@@@@@@@@     /bin/bash/bin/sh/bin/sh/bin/shiproute2libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.2)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcrypto.so.1.1()(64bit)libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)libdl.so.2()(64bit)libdl.so.2(GLIBC_2.2.5)(64bit)liblzo2.so.2()(64bit)libpkcs11-helper.so.1()(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libssl.so.1.1()(64bit)libssl.so.1.1(OPENSSL_1_1_0)(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)pkcs11-helperrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)systemdsystemdsystemdsystemd1.113.0.4-14.6.0-14.0-15.2-14.14.1ZZ@Yܶ@Y@YMYA%@Y6@X@XXXXBX<@WRW1@V^VqR@V`.U@ŬUUv@TPT|X@TR(@S%@S,Sof@R&RΏ@Rname as non-const when we free() it - OpenSSL: don't use direct access to the internal of EVP_MD_CTX - OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX - OpenSSL: don't use direct access to the internal of HMAC_CTX - Fix NCP behaviour on TLS reconnect. - Remove erroneous limitation on max number of args for --plugin - Fix edge case with clients failing to set up cipher on empty PUSH_REPLY. - Fix potential 1-byte overread in TCP option parsing. - Fix remotely-triggerable ASSERT() on malformed IPv6 packet. - Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst) - refactor my_strupr - Fix 2 memory leaks in proxy authentication routine - Fix memory leak in add_option() for option 'connection' - Ensure option array p[] is always NULL-terminated - Fix a null-pointer dereference in establish_http_proxy_passthru() - Prevent two kinds of stack buffer OOB reads and a crash for invalid input data - Fix an unaligned access on OpenBSD/sparc64 - Missing include for socket-flags TCP_NODELAY on OpenBSD - Make openvpn-plugin.h self-contained again. - Pass correct buffer size to GetModuleFileNameW() - Log the negotiated (NCP) cipher - Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c) - Skip tls-crypt unit tests if required crypto mode not supported - openssl: fix overflow check for long --tls-cipher option - Add a DSA test key/cert pair to sample-keys - Fix mbedtls fingerprint calculation - mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522) - mbedtls: require C-string compatible types for --x509-username-field - Fix remote-triggerable memory leaks (CVE-2017-7521) - Restrict --x509-alt-username extension types - Fix potential double-free in --x509-alt-username (CVE-2017-7521) - Fix gateway detection with OpenBSD routing domains- use %{_tmpfilesdir} for tmpfiles.d/openvpn.conf (bsc#1044223)- Update to 2.4.2 - auth-token: Ensure tokens are always wiped on de-auth - Make --cipher/--auth none more explicit on the risks - Use SHA256 for the internal digest, instead of MD5 - Deprecate --ns-cert-type - Deprecate --no-iv - Support --block-outside-dns on multiple tunnels - Limit --reneg-bytes to 64MB when using small block ciphers - Fix --tls-version-max in mbed TLS builds Details changelogs are avilable in https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 [*0001-preform-deferred-authentication-in-the-background.patch * openvpn-2.3.x-fixed-multiple-low-severity-issues.patch * openvpn-fips140-2.3.2.patch] - pkcs11-helper-devel >= 1.11 is needed for openvpn-2.4.2 - cleanup the spec file- Preform deferred authentication in the background to not cause main daemon processing delays when the underlying pam mechanism (e.g. ldap) needs longer to response (bsc#959511). [+ 0001-preform-deferred-authentication-in-the-background.patch] - Added fix for possible heap overflow on read accessing getaddrinfo result (bsc#959714). [+openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch] - Added a patch to fix multiple low severity issues (bsc#934237). [+openvpn-2.3.x-fixed-multiple-low-severity-issues.patch]- silence warning about %{_rundir}/openvpn - for non systemd case: just package the %{_rundir}/openvpn in the package - for systemd case: call systemd-tmpfiles and own the dir as %ghost in the filelist- refreshed patches to apply cleanly again openvpn-2.3-plugin-man.dif openvpn-fips140-2.3.2.patch- update to 2.3.14 - update year in copyright message - Document the --auth-token option - Repair topology subnet on FreeBSD 11 - Repair topology subnet on OpenBSD - Drop recursively routed packets - Support --block-outside-dns on multiple tunnels - When parsing '--setenv opt xx ..' make sure a third parameter is present - Map restart signals from event loop to SIGTERM during exit-notification wait - Correctly state the default dhcp server address in man page - Clean up format_hex_ex() - enabled pkcs11 support- update to 2.3.13 - removed obsolete patch files openvpn-2.3.0-man-dot.diff and openvpn-fips140-AES-cipher-in-config-template.patch 2016.11.02 -- Version 2.3.13 Arne Schwabe (2): * Use AES ciphers in our sample configuration files and add a few modern 2.4 examples * Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer David Sommerseth (4): * t_client.sh: Make OpenVPN write PID file to avoid various sudo issues * t_client.sh: Add support for Kerberos/ksu * t_client.sh: Improve detection if the OpenVPN process did start during tests * t_client.sh: Add prepare/cleanup possibilties for each test case Gert Doering (5): * Do not abort t_client run if OpenVPN instance does not start. * Fix t_client runs on OpenSolaris * make t_client robust against sudoers misconfiguration * add POSTINIT_CMD_suf to t_client.sh and sample config * Fix --multihome for IPv6 on 64bit BSD systems. Ilya Shipitsin (1): * skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto Lev Stipakov (2): * Exclude peer-id from pulled options digest * Fix compilation in pedantic mode Samuli Seppänen (1): * Automatically cache expected IPs for t_client.sh on the first run Steffan Karger (6): * Fix unittests for out-of-source builds * Make gnu89 support explicit * cleanup: remove code duplication in msg_test() * Update cipher-related man page text * Limit --reneg-bytes to 64MB when using small block ciphers * Add a revoked cert to the sample keys 2016.08.23 -- Version 2.3.12 Arne Schwabe (2): * Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it. * Move ASSERT so external-key with OpenSSL works again David Sommerseth (3): * Only build and run cmocka unit tests if its submodule is initialized * Another fix related to unit test framework * Remove NOP function and callers Dorian Harmans (1): * Add CHACHA20-POLY1305 ciphersuite IANA name translations. Ivo Manca (1): * Plug memory leak in mbedTLS backend Jeffrey Cutter (1): * Update contrib/pull-resolv-conf/client.up for no DOMAIN Jens Neuhalfen (2): * Add unit testing support via cmocka * Add a test for auth-pam searchandreplace Josh Cepek (1): * Push an IPv6 CIDR mask used by the server, not the pool's size Leon Klingele (1): * Add link to bug tracker Samuli Seppänen (2): * Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes * Clarify the fact that build instructions in README are for release tarballs Selva Nair (4): * Make error non-fatal while deleting address using netsh * Make block-outside-dns work with persist-tun * Ignore SIGUSR1/SIGHUP during exit notification * Promptly close the netcmd_semaphore handle after use Steffan Karger (4): * Fix polarssl / mbedtls builds * Don't limit max incoming message size based on c2->frame * Fix '--cipher none --cipher' crash * Discourage using 64-bit block ciphers- Require iproute2 explicitly. openvpn uses /bin/ip from iproute2, so it should be installed- Add an example for a FIPS 140-2 approved cipher configuration to the sample configuration files. Fixes bsc#988522 adding openvpn-fips140-AES-cipher-in-config-template.patch - remove gpg-offline signature verification, now a source service- Update to version 2.3.11 * Fixed port-share bug with DoS potential * Fix buffer overflow by user supplied data * Fix undefined signed shift overflow * Ensure input read using systemd-ask-password is null terminated * Support reading the challenge-response from console * hardening: add safe FD_SET() wrapper openvpn_fd_set() * Restrict default TLS cipher list - Add BuildRequires on xz for SLE11- Update to version 2.3.10 * Warn user if their certificate has expired * Fix regression in setups without a client certificate- Update to version 2.3.9 * Show extra-certs in current parameters. * Do not set the buffer size by default but rely on the operation system default. * Remove --enable-password-save option * Detect config lines that are too long and give a warning/error * Log serial number of revoked certificate * Avoid partial authentication state when using --disabled in CCD configs * Replace unaligned 16bit access to TCP MSS value with bytewise access * Fix possible heap overflow on read accessing getaddrinfo() result. * Fix isatty() check for good. (obsoletes revert-daemonize.patch) * Client-side part for server restart notification * Fix privilege drop if first connection attempt fails * Support for username-only auth file. * Increase control channel packet size for faster handshakes * hardening: add insurance to exit on a failed ASSERT() * Fix memory leak in auth-pam plugin * Fix (potential) memory leak in init_route_list() * Fix unintialized variable in plugin_vlog() * Add macro to ensure we exit on fatal errors * Fix memory leak in add_option() by simplifying get_ipv6_addr * openssl: properly check return value of RAND_bytes() * Fix rand_bytes return value checking * Fix "White space before end tags can break the config parser"- Adjust /var/run to _rundir macro value in openvpn@.service too.- Removed obsolete --with-lzo-headers option, readded LFS_CFLAGS. - Moved openvpn-plugin.h into a devel package, removed .gitignore- Add revert-daemonize.patch, looks like under systemd the stdin and stdout are not TTYs by default. This reverts to previous behaviour fixing bsc#941569- Update to version 2.3.8 * Report missing endtags of inline files as warnings * Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit * Produce a meaningful error message if --daemon gets in the way of asking for passwords. * Document --daemon changes and consequences (--askpass, --auth-nocache) * Del ipv6 addr on close of linux tun interface * Fix --askpass not allowing for password input via stdin * Write pid file immediately after daemonizing * Fix regression: query password before becoming daemon * Fix using management interface to get passwords * Fix overflow check in openvpn_decrypt()- Update to version 2.3.7 * down-root plugin: Replaced system() calls with execve() * sockets: Remove the limitation of --tcp-nodelay to be server-only * pkcs11: Load p11-kit-proxy.so module by default * New approach to handle peer-id related changes to link-mtu * Fix incorrect use of get_ipv6_addr() for iroute options * Print helpful error message on --mktun/--rmtun if not available * Explain effect of --topology subnet on --ifconfig * Add note about file permissions and --crl-verify to manpage * Repair --dev null breakage caused by db950be85d37 * Correct note about DNS randomization in openvpn.8 * Disallow usage of --server-poll-timeout in --secret key mode * Slightly enhance documentation about --cipher * On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo() * Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo() * Fix --redirect-private in --dev tap mode * Updated manpage for --rport and --lport * Properly escape dashes on the man-page * Improve documentation in --script-security section of the man-page * Really fix '--cipher none' regression * Set tls-version-max to 1.1 if cryptoapicert is used * Account for peer-id in frame size calculation * Disable SSL compression * Fix frame size calculation for non-CBC modes. * Allow for CN/username of 64 characters (fixes off-by-one) * Re-enable TLS version negotiation by default * Remove size limit for files inlined in config * Improve --tls-cipher and --show-tls man page description * Re-read auth-user-pass file on (re)connect if required * Clarify --capath option in manpage * Call daemon() before initializing crypto library- Fixed to use correct sha digest data length and in fips mode, use aes instead of the disallowed blowfish crypto (boo#914166). - Fixed to provide actual plugin/doc dirs in openvpn(8) man page.- Update to version 2.3.6 fixing a denial-of-service vulnerability where an authenticated client could stop the server by triggering a server-side ASSERT (bnc#907764,CVE-2014-8104). See ChangeLog file for a complete list of changes.- Update to version 2.3.5 * See included changelog - Depend on systemd-devel for the daemon check functionality- Update to version 2.3.4 * Add support for client-cert-not-required for PolarSSL. * Introduce safety check for http proxy options.- Build with large file support in 32 bit systems.- use %_rundir for %ghost directory - leaving /var/run everywhere else- Updated README.SUSE, documented also the rcopenvpn compatibility wrapper script (bnc#848070).- openvpn-fips140-2.3.2.patch: Allow usage of SHA1 instead of MD5 in some internal checking routines. This allows operation in FIPS 140-2 mode.- Readded rcopenvpn helper script under systemd (bnc#848070)- Fixed invalid mode in exec bit removal call from doc files- Add a section about how to control all or a named configuration with the help of systemctl to the README.SUSE file.- Update to 2.3.2 +Fixes since 2.3.0 - Remove dead code path and putenv functionality - Remove unused function xor - Move static prototype definition from header into c file - Remove unused function no_tap_ifconfig - fix build with automake 1.13(.1) - Fix corner case in NTLM authentication (trac #172) - Update README.IPv6 to match what is in 2.3.0 - Repair "tcp server queue overflow" brokenness, more fallout. - Permit pool size of /64.../112 for ifconfig-ipv6-pool - Add MIN() compatibility macro - Fix directly connected routes for "topology subnet" on Solaris. - close more file descriptors on exec - Ignore UTF-8 byte order mark - reintroduce --no-name-remapping option - make --tls-remote compatible with pre 2.3 configs - add new option for X.509 name verification - add man page patch for missing options - Fix parameter listing in non-debug builds at verb 4 - (updated) [PATCH] Warn when using verb levels >=7 without debug - Enable TCP_NODELAY configuration on FreeBSD. - Updated README - Cleaned up and updated INSTALL - PolarSSL-1.2 support - Improve PolarSSL key_state_read_{cipher, plain}text messages - Improve verify_callback messages - Config compatibility patch. Added translate_cipher_name. - Switch to IANA names for TLS ciphers. - Fixed autoconf script to properly detect missing pkcs11 with polarssl. - Use constant time memcmp when comparing HMACs in openvpn_decrypt.- Try to migrate openvpn.service autostart to openvpn@.service instance enablement.- Fixed to enable systemd support in configure - Fixed openvpn-tmpfile.conf to use GID root, there is no openvpn group. - Added openvpn.target file allowing to handle all instances at once. - Fixed to install the service template correctly as openvpn@.service. Use "systemctl enable openvpn@foo.service" to enable instance using /etc/openvpn/foo.conf. - Disabled systemd variant of restart on update rpm macro, adopted other macros to use openvpn.target to e.g. stop all instances on uninstall.- Remove _unitdir definition, it is provided by systemd. - Install service file without x permissionsUpdate to version 2.3.0: * Full IPv6 support * SSL layer modularised, enabling easier implementation for other SSL libraries * PolarSSL support as a drop-in replacement for OpenSSL * New plug-in API providing direct certificate access, improved logging API and easier to extend in the future * Added 'dev_type' environment variable to scripts and plug-ins - which is set to 'TUN' or 'TAP' * New feature: --management-external-key - to provide access to the encryption keys via the management interface * New feature: --x509-track option, more fine grained access to X.509 fields in scripts and plug-ins * New feature: --client-nat support * New feature: --mark which can mark encrypted packets from the tunnel, suitable for more advanced routing and firewalling * New feature: --management-query-proxy - manage proxy settings via the management interface (supercedes --http-proxy-fallback) * New feature: --stale-routes-check, which cleans up the internal routing table * New feature: --x509-username-field, where other X.509v3 fields can be used for the authentication instead of Common Name * Improved client-kill management interface command * Improved UTF-8 support - and added --compat-names to provide backwards compatibility with older scripts/plug-ins * Improved auth-pam with COMMONNAME support, passing the certificate's common name in the PAM conversation * More options can now be used inside blocks * Completely new build system, enabling easier cross-compilation and Windows builds * Much of the code has been better documented * Many documentation updates * Plenty of bug fixes and other code clean-ups - Add systemd native support for OpenSUSE > 12.1 - Adapt patchs to upstream release: * openvpn-2.1-plugin-man.dif > openvpn-2.3-plugin-man.dif * openvpn-2.1.0-man-dot.diff > openvpn-2.3.0-man-dot.diff - Remove obsolete patchs; fixed or merged on upstream release: * 0001-Use-SSL_MODE_RELEASE_BUFFERS-if-available.patch * openvpn-2.1-plugin-build.dif * openvpn-2.1-systemd-passwd.patch - Rebase specfile to upstream changes: * easy-rsa is not provided anymore with main package * remove %clean section * autoreconf -fi is no needed - Update openvpn.keyring file for upstream release asc key- Join openvpn.service systemd cgroup in start when needed, e.g. when starting with further parameters. (bnc#781106)- Verify GPG signature.- fix ciaran's previous license entry. the license has a SUSE prefix- Fixed openvpn init script to not map reopen to reload so the reopen code is without any effect (bnc#781106). - Added requested OPENVPN_AUTOSTART variable allowing to provide an optional list of config names started by default (bnc#692440).- license update: GPL-2.0-with-openssl-exception and LGPL-2.1 openssl has an openssl exception (also, it is GPL-2.0 only)- Fixed SLES build readding Group tags to sub-packages in spec, not require libselinux-devel on SLE-10 and datadir/doc cleanup.- Updated to openvpn-2.2.2: - Warn once, that IPv6 in tun mode is not supported in OpenVPN 2.2 - Pkcs11 support built into the Windows version - Fixed a bug in the Windows TAP-driver- Fix source URLs.- add automake as buildrequire to avoid implicit dependency- Marked /var/run/openvpn as ghost (bnc#710270), man page and other rpmlint warning fixes- BuildRequires libselinux-devel - Use SSL_MODE_RELEASE_BUFFERS to keep memory usage low, sent upstream as https://community.openvpn.net/openvpn/ticket/157- Add openvpn-2.1-systemd-passwd.patch / modify openvpn.init to support systemd password query (bnc#675406)- Updated to openvpn-2.2.1, a new version series providing several new features. This version fixes build issues and provides updated easy-rsa for OpenSSL 1.0.0 (fixes Trac ticket #125), - Adopted spec file, enabled saving password in a file and to specify an alternative username in x509 cert. - Removed X-Interactive from init script again, as systemd isn't able to use it correctly [any more?] (bnc#675406). We will address it later and probably use /bin/systemd-ask-password.- KVPNC is unable to parse openvpn version [bnc#679153]- Added X-Interactive: true LSB tag to the init script.- Updated to openvpn 2.1.4, providing several bug fixes and improvements, such as: * Fix of a problem with special case route targets * Try to ensure, that the tun/tap interface gets closed on non-graceful aborts. * Several AUTH_FAILED reporting fixes causing the connection to fail without any error indication. * Enable exponential backoff in reliability layer retransmits. * Proxy improvements Please review the ChangeLog file for a complete and exact list.- Do not include build date in binaries- Improved netconfig based client up and down sample scripts.- Added netconfig based client up and down scripts to samples.- Updated to openvpn 2.1.1; linux related changes since 2.1_rc20: * Fixed a couple issues in sample plugins auth-pam.c and down-root.c. (1) Fail gracefully rather than segfault if calloc returns NULL. (2) The openvpn_plugin_abort_v1 function can potentially be called with handle == NULL. Add code to detect this case, and if so, avoid dereferencing pointers derived from handle (Thanks to David Sommerseth for finding this bug). * Documented "multihome" option in the man page. * Added a hard failure when peer provides a certificate chain with depth > 16. Previously, a warning was issued. * Added additional session renegotiation hardening. OpenVPN has always required that mid-session renegotiations build up a new SSL/TLS session from scratch. While the client certificate common name is already locked against changes in mid-session TLS renegotiations, we now extend this locking to the auth-user-pass username as well as all certificate content in the full client certificate chain. - Improved openvpn init script adding messages giving a hint about pid write failure and to look into the log messages (bnc#559041). - Added -fno-strict-aliasing to compile flags in the spec file.- Updated to openvpn 2.1 2.1_rc20, fixing problems in route and option handling provided by the from server (bnc#552440). For complete list of changes, see ChangeLog file, here just the IMO most important: * Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the redirect-gateway option by itself, without any extra parameters, would cause the option to be ignored. * Optimized PUSH_REQUEST handshake sequence to shave several seconds off of a typical client connection initiation. * The maximum number of "route" directives (specified in the config file or pulled from a server) can now be configured via the new "max-routes" directive. * Eliminated the limitation on the number of options that can be pushed to clients, including routes. Previously, all pushed options needed to fit within a 1024 byte options string. * Added --server-poll-timeout option : when polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. * Added the ability for the server to provide a custom reason string when an AUTH_FAILED message is returned to the client. This string can be set by the server-side managment interface and read by the client-side management interface. * client-kill management interface command, when issued on server, will now send a RESTART message to client. This feature is intended to make UDP clients respond the same as TCP clients in the case where the server issues a RESTART message in order to force the client to reconnect and pull a new options/route list.- Added network-remotefs to init script dependencies (bnc#522279).- Updated to openvpn 2.1 [2.1_rc18] series (fate#305289). - Enabled pkcs11-helper for openSUSE > 10.3 (bnc#487558). - Adopted spec file and patches, improved init script. - Disabled installation of easy-rsa for Windows./bin/sh/bin/sh/bin/shlamb03 1530778678  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVW2.4.3-lp150.3.3.12.4.3-lp150.3.3.1     openvpnopenvpnopenvpn.targetopenvpn@.servicetmpfiles.dopenvpn.confopenvpnrcopenvpnopenvpnAUTHORSCOPYINGCOPYRIGHT.GPLChangeLogPORTSREADMEREADME.IPv6README.SUSEREADME.auth-pamREADME.down-rootREADME.polarsslcontribOCSP_checkOCSP_check.shREADMEkeychain-mcdMakefilecert_data.ccert_data.hcommon_osx.ccommon_osx.hcrypto_osx.ccrypto_osx.hkeychain-mcd.8main.cmultilevel-init.patchopenvpn-fwmarkroute-1.00READMEfwmarkroute.downfwmarkroute.uppull-resolv-confclient.downclient.upmanagement-notes.txtsample-config-filesREADMEclient.conffirewall.shhome.uploopback-clientloopback-serveroffice.upopenvpn-shutdown.shopenvpn-startup.shserver.confstatic-home.confstatic-office.conftls-home.conftls-office.confxinetd-client-configxinetd-server-configsample-keysREADMEca.crtca.keyclient-ec.crtclient-ec.keyclient-pass.keyclient.crtclient.keyclient.p12dh2048.pemgen-sample-keys.shopenssl.cnfserver-ec.crtserver-ec.keyserver.crtserver.keyta.keysample-scriptsauth-pam.plbridge-startbridge-stopclient-netconfig.downclient-netconfig.upucn.plverify-cnopenvpn.8.gz/etc//run//usr/lib/systemd/system//usr/lib//usr/lib/tmpfiles.d//usr/sbin//usr/share/doc/packages//usr/share/doc/packages/openvpn//usr/share/doc/packages/openvpn/contrib//usr/share/doc/packages/openvpn/contrib/OCSP_check//usr/share/doc/packages/openvpn/contrib/keychain-mcd//usr/share/doc/packages/openvpn/contrib/openvpn-fwmarkroute-1.00//usr/share/doc/packages/openvpn/contrib/pull-resolv-conf//usr/share/doc/packages/openvpn/sample-config-files//usr/share/doc/packages/openvpn/sample-keys//usr/share/doc/packages/openvpn/sample-scripts//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:8392/openSUSE_Leap_15.0_Update/a4a5440c77f775ec4544ce831a34d25e-openvpn.openSUSE_Leap_15.0_Updatedrpmxz5x86_64-suse-linux       directoryASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=da893ee02549e7927c300462d537b5e92e6ec487, strippedBourne-Again shell script, ASCII text executableUTF-8 Unicode textPOSIX shell script, ASCII text executablemakefile script, ASCII textC source, ASCII texttroff or preprocessor input, ASCII textunified diff output, ASCII textAlgol 68 source, ASCII textPerl script text executabletroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RRRRRRR RR R RR RRRR RRRRRL37I_6w,Uutf-8e616335356e838a1bf726762dc1dd5e7b30bbc95ccd4cdcf5d310d0c8e175179?7zXZ !t/)]"k%n..SET&b8Ɣ"@XKmj^qAZ9M G'`}yh{m*M/ێF*R_45{e6K8rd)3wd,Ǿ[A9u=\}THcdZSr{驭̝$+3NPXiX`V)ACs;.b39tzK[M_lz,Rp :d@"ڕv"L.l"9NzHf[s`76&(ߕ#XDnZc'c^2|,v;g(L銼,@o xZIw:R嬨A V1ǗLT>'T{DJr:\ҴVE@H IzƢS\@S  Ckl^g{kjm}YֹGũ]ओ &ElZwHPI\襷1#R$2_9(Ɠ.mjb[ $<$:th|#t' #j[sf"' cc71~'G8gPbiͽDh)'PۈXbO֭I0Ux"|͂iE#j9iA%jbMiDw 9oL8TS طbޘm1?NX/.mUbc%$ĵ Z;ꝀIGNR85=A%VT`lgpc/B) Nbڒjٛ z_`NH|Pjo28~769MWV`e V{\YAi~56 O4Dm puwAb0d{1/n5X=Hۑ.P>bw^oZs~'q*b l`yqжaZ9jW݈ʆ&M IJ0a$PL_=w,>#ݠ uӭMm{JraٮglޚB _fiJm([y~099##W< aisw `Z6EsESnѐ!}ũܩV>5t܎;Gyo0d={^~BW0{h$ݥF7ה.,؊pHvoʿ2OD D bd-PY7_z5yEUވ3Y@g  ~XQލT+H/}WR np^ bI 4h\/Y|3lT.Eُ_RGG$U rEDG۹dwW5u׍ªis'lżkp;Pqm\~]m֒( 2v7N YZ