Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

openvpn-auth-pam-plugin-2.4.3-5.7.1 RPM for x86_64

From OpenSuSE Leap 15.3 for x86_64

Name: openvpn-auth-pam-plugin Distribution: SUSE Linux Enterprise 15
Version: 2.4.3 Vendor: SUSE LLC <https://www.suse.com/>
Release: 5.7.1 Build date: Tue May 4 09:48:08 2021
Group: Productivity/Networking/Security Build host: sheep55
Size: 18688 Source RPM: openvpn-2.4.3-5.7.1.src.rpm
Packager: https://www.suse.com/
Url: http://openvpn.net/
Summary: OpenVPN auth-pam plugin
The OpenVPN auth-pam plugin implements username/password authentication
via PAM, and essentially allows any authentication method supported by
PAM (such as LDAP, RADIUS, or Linux Shadow passwords) to be used with
OpenVPN.

While PAM supports username/password authentication, this can be
combined with X509 certificates to provide two indepedent levels of
authentication.

This plugin uses a split privilege execution model which will function
even if you drop openvpn daemon privileges using the user, group, or
chroot directives.

Provides

Requires

License

SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1

Changelog

* Sat May 01 2021 max@suse.com
  - bsc#1185279, CVE-2020-15078, openvpn-CVE-2020-15078.patch:
    Authentication bypass with deferred authentication.
  - bsc#1169925, CVE-2020-11810, openvpn-CVE-2020-11810.patch:
    race condition between allocating peer-id and initializing data
    channel key
  - bsc#1085803, CVE-2018-7544, openvpn-CVE-2018-7544.patch:
    Cross-protocol scripting issue was discovered in the management
    interface
* Wed May 09 2018 max@suse.com
  - CVE-2018-9336, bsc#1090839: Fix potential double-free() in
    Interactive Service (openvpn-CVE-2018-9336.patch).
* Thu Nov 23 2017 rbrown@suse.com
  - Replace references to /var/adm/fillup-templates with new
    %_fillupdir macro (boo#1069468)
* Tue Oct 10 2017 ndas@suse.de
  - Do bound check in read_key before using values(CVE-2017-12166 bsc#1060877).
    [+ 0002-Fix-bounds-check-in-read_key.patch]
* Fri Aug 11 2017 sebix+novell.com@sebix.at
  - Do not package empty /usr/lib64/tmpfiles.d
* Fri Jun 23 2017 ndas@suse.de
  - Update to 2.4.3 (bsc#1045489)
    - Ignore auth-nocache for auth-user-pass if auth-token is pushed
    - crypto: Enable SHA256 fingerprint checking in --verify-hash
    - copyright: Update GPLv2 license texts
    - auth-token with auth-nocache fix broke --disable-crypto builds
    - OpenSSL: don't use direct access to the internal of X509
    - OpenSSL: don't use direct access to the internal of EVP_PKEY
    - OpenSSL: don't use direct access to the internal of RSA
    - OpenSSL: don't use direct access to the internal of DSA
    - OpenSSL: force meth->name as non-const when we free() it
    - OpenSSL: don't use direct access to the internal of EVP_MD_CTX
    - OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
    - OpenSSL: don't use direct access to the internal of HMAC_CTX
    - Fix NCP behaviour on TLS reconnect.
    - Remove erroneous limitation on max number of args for --plugin
    - Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
    - Fix potential 1-byte overread in TCP option parsing.
    - Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
    - Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst)
    - refactor my_strupr
    - Fix 2 memory leaks in proxy authentication routine
    - Fix memory leak in add_option() for option 'connection'
    - Ensure option array p[] is always NULL-terminated
    - Fix a null-pointer dereference in establish_http_proxy_passthru()
    - Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
    - Fix an unaligned access on OpenBSD/sparc64
    - Missing include for socket-flags TCP_NODELAY on OpenBSD
    - Make openvpn-plugin.h self-contained again.
    - Pass correct buffer size to GetModuleFileNameW()
    - Log the negotiated (NCP) cipher
    - Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
    - Skip tls-crypt unit tests if required crypto mode not supported
    - openssl: fix overflow check for long --tls-cipher option
    - Add a DSA test key/cert pair to sample-keys
    - Fix mbedtls fingerprint calculation
    - mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
    - mbedtls: require C-string compatible types for --x509-username-field
    - Fix remote-triggerable memory leaks (CVE-2017-7521)
    - Restrict --x509-alt-username extension types
    - Fix potential double-free in --x509-alt-username (CVE-2017-7521)
    - Fix gateway detection with OpenBSD routing domains
* Wed Jun 14 2017 ndas@suse.de
  - use %{_tmpfilesdir} for tmpfiles.d/openvpn.conf (bsc#1044223)
* Tue Jun 06 2017 ndas@suse.de
  - Update to 2.4.2
    - auth-token: Ensure tokens are always wiped on de-auth
    - Make --cipher/--auth none more explicit on the risks
    - Use SHA256 for the internal digest, instead of MD5
    - Deprecate --ns-cert-type
    - Deprecate --no-iv
    - Support --block-outside-dns on multiple tunnels
    - Limit --reneg-bytes to 64MB when using small block ciphers
    - Fix --tls-version-max in mbed TLS builds
    Details changelogs are avilable in
    https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
    [*0001-preform-deferred-authentication-in-the-background.patch
    * openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
    * openvpn-fips140-2.3.2.patch]
  - pkcs11-helper-devel >= 1.11 is needed for openvpn-2.4.2
  - cleanup the spec file
* Fri Apr 21 2017 ndas@suse.de
  - Preform deferred authentication in the background to not
    cause main daemon processing delays when the underlying pam mechanism (e.g.
    ldap) needs longer to response (bsc#959511).
    [+ 0001-preform-deferred-authentication-in-the-background.patch]
  - Added fix for possible heap overflow on read accessing getaddrinfo
    result (bsc#959714).
    [+openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch]
  - Added a patch to fix multiple low severity issues (bsc#934237).
    [+openvpn-2.3.x-fixed-multiple-low-severity-issues.patch]
* Sun Jan 22 2017 mrueckert@suse.de
  - silence warning about %{_rundir}/openvpn
    - for non systemd case: just package the %{_rundir}/openvpn in
      the package
    - for systemd case: call systemd-tmpfiles and own the dir as
      %ghost in the filelist
* Sun Jan 22 2017 mrueckert@suse.de
  - refreshed patches to apply cleanly again
    openvpn-2.3-plugin-man.dif
    openvpn-fips140-2.3.2.patch
* Sun Jan 22 2017 mrueckert@suse.de
  - update to 2.3.14
    - update year in copyright message
    - Document the --auth-token option
    - Repair topology subnet on FreeBSD 11
    - Repair topology subnet on OpenBSD
    - Drop recursively routed packets
    - Support --block-outside-dns on multiple tunnels
    - When parsing '--setenv opt xx ..' make sure a third parameter
      is present
    - Map restart signals from event loop to SIGTERM during
      exit-notification wait
    - Correctly state the default dhcp server address in man page
    - Clean up format_hex_ex()
  - enabled pkcs11 support
* Sat Dec 03 2016 michael@stroeder.com
  - update to 2.3.13
  - removed obsolete patch files openvpn-2.3.0-man-dot.diff and
    openvpn-fips140-AES-cipher-in-config-template.patch
    2016.11.02 -- Version 2.3.13
    Arne Schwabe (2):
    * Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
    * Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
    David Sommerseth (4):
    * t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
    * t_client.sh: Add support for Kerberos/ksu
    * t_client.sh: Improve detection if the OpenVPN process did start during tests
    * t_client.sh: Add prepare/cleanup possibilties for each test case
    Gert Doering (5):
    * Do not abort t_client run if OpenVPN instance does not start.
    * Fix t_client runs on OpenSolaris
    * make t_client robust against sudoers misconfiguration
    * add POSTINIT_CMD_suf to t_client.sh and sample config
    * Fix --multihome for IPv6 on 64bit BSD systems.
    Ilya Shipitsin (1):
    * skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
    Lev Stipakov (2):
    * Exclude peer-id from pulled options digest
    * Fix compilation in pedantic mode
    Samuli Seppänen (1):
    * Automatically cache expected IPs for t_client.sh on the first run
    Steffan Karger (6):
    * Fix unittests for out-of-source builds
    * Make gnu89 support explicit
    * cleanup: remove code duplication in msg_test()
    * Update cipher-related man page text
    * Limit --reneg-bytes to 64MB when using small block ciphers
    * Add a revoked cert to the sample keys
    2016.08.23 -- Version 2.3.12
    Arne Schwabe (2):
    * Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
    * Move ASSERT so external-key with OpenSSL works again
    David Sommerseth (3):
    * Only build and run cmocka unit tests if its submodule is initialized
    * Another fix related to unit test framework
    * Remove NOP function and callers
    Dorian Harmans (1):
    * Add CHACHA20-POLY1305 ciphersuite IANA name translations.
    Ivo Manca (1):
    * Plug memory leak in mbedTLS backend
    Jeffrey Cutter (1):
    * Update contrib/pull-resolv-conf/client.up for no DOMAIN
    Jens Neuhalfen (2):
    * Add unit testing support via cmocka
    * Add a test for auth-pam searchandreplace
    Josh Cepek (1):
    * Push an IPv6 CIDR mask used by the server, not the pool's size
    Leon Klingele (1):
    * Add link to bug tracker
    Samuli Seppänen (2):
    * Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
    * Clarify the fact that build instructions in README are for release tarballs
    Selva Nair (4):
    * Make error non-fatal while deleting address using netsh
    * Make block-outside-dns work with persist-tun
    * Ignore SIGUSR1/SIGHUP during exit notification
    * Promptly close the netcmd_semaphore handle after use
    Steffan Karger (4):
    * Fix polarssl / mbedtls builds
    * Don't limit max incoming message size based on c2->frame
    * Fix '--cipher none --cipher' crash
    * Discourage using 64-bit block ciphers
* Mon Nov 28 2016 matwey.kornilov@gmail.com
  - Require iproute2 explicitly. openvpn uses /bin/ip from iproute2,
    so it should be installed
* Thu Sep 08 2016 astieger@suse.com
  - Add an example for a FIPS 140-2 approved cipher configuration to
    the sample configuration files. Fixes bsc#988522
    adding openvpn-fips140-AES-cipher-in-config-template.patch
  - remove gpg-offline signature verification, now a source service
* Tue May 10 2016 idonmez@suse.com
  - Update to version 2.3.11
    * Fixed port-share bug with DoS potential
    * Fix buffer overflow by user supplied data
    * Fix undefined signed shift overflow
    * Ensure input read using systemd-ask-password is null terminated
    * Support reading the challenge-response from console
    * hardening: add safe FD_SET() wrapper openvpn_fd_set()
    * Restrict default TLS cipher list
  - Add BuildRequires on xz for SLE11
* Mon Jan 04 2016 idonmez@suse.com
  - Update to version 2.3.10
    * Warn user if their certificate has expired
    * Fix regression in setups without a client certificate
* Wed Dec 16 2015 idonmez@suse.com
  - Update to version 2.3.9
    * Show extra-certs in current parameters.
    * Do not set the buffer size by default but rely on the operation system default.
    * Remove --enable-password-save option
    * Detect config lines that are too long and give a warning/error
    * Log serial number of revoked certificate
    * Avoid partial authentication state when using --disabled in CCD configs
    * Replace unaligned 16bit access to TCP MSS value with bytewise access
    * Fix possible heap overflow on read accessing getaddrinfo() result.
    * Fix isatty() check for good. (obsoletes revert-daemonize.patch)
    * Client-side part for server restart notification
    * Fix privilege drop if first connection attempt fails
    * Support for username-only auth file.
    * Increase control channel packet size for faster handshakes
    * hardening: add insurance to exit on a failed ASSERT()
    * Fix memory leak in auth-pam plugin
    * Fix (potential) memory leak in init_route_list()
    * Fix unintialized variable in plugin_vlog()
    * Add macro to ensure we exit on fatal errors
    * Fix memory leak in add_option() by simplifying get_ipv6_addr
    * openssl: properly check return value of RAND_bytes()
    * Fix rand_bytes return value checking
    * Fix "White space before end tags can break the config parser"
* Thu Dec 03 2015 mt@suse.com
  - Adjust /var/run to _rundir macro value in openvpn@.service too.
* Thu Aug 20 2015 mt@suse.com
  - Removed obsolete --with-lzo-headers option, readded LFS_CFLAGS.
  - Moved openvpn-plugin.h into a devel package, removed .gitignore
* Thu Aug 13 2015 idonmez@suse.com
  - Add revert-daemonize.patch, looks like under systemd the stdin
    and stdout are not TTYs by default. This reverts to previous
    behaviour fixing bsc#941569
* Wed Aug 05 2015 idonmez@suse.com
  - Update to version 2.3.8
    * Report missing endtags of inline files as warnings
    * Fix commit e473b7c if an inline file happens to have a
      line break exactly at buffer limit
    * Produce a meaningful error message if --daemon gets in the way of
      asking for passwords.
    * Document --daemon changes and consequences (--askpass, --auth-nocache)
    * Del ipv6 addr on close of linux tun interface
    * Fix --askpass not allowing for password input via stdin
    * Write pid file immediately after daemonizing
    * Fix regression: query password before becoming daemon
    * Fix using management interface to get passwords
    * Fix overflow check in openvpn_decrypt()
* Tue Jun 09 2015 idonmez@suse.com
  - Update to version 2.3.7
    * down-root plugin: Replaced system() calls with execve()
    * sockets: Remove the limitation of --tcp-nodelay to be server-only
    * pkcs11: Load p11-kit-proxy.so module by default
    * New approach to handle peer-id related changes to link-mtu
    * Fix incorrect use of get_ipv6_addr() for iroute options
    * Print helpful error message on --mktun/--rmtun if not available
    * Explain effect of --topology subnet on --ifconfig
    * Add note about file permissions and --crl-verify to manpage
    * Repair --dev null breakage caused by db950be85d37
    * Correct note about DNS randomization in openvpn.8
    * Disallow usage of --server-poll-timeout in --secret key mode
    * Slightly enhance documentation about --cipher
    * On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo()
    * Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo()
    * Fix --redirect-private in --dev tap mode
    * Updated manpage for --rport and --lport
    * Properly escape dashes on the man-page
    * Improve documentation in --script-security section of the man-page
    * Really fix '--cipher none' regression
    * Set tls-version-max to 1.1 if cryptoapicert is used
    * Account for peer-id in frame size calculation
    * Disable SSL compression
    * Fix frame size calculation for non-CBC modes.
    * Allow for CN/username of 64 characters (fixes off-by-one)
    * Re-enable TLS version negotiation by default
    * Remove size limit for files inlined in config
    * Improve --tls-cipher and --show-tls man page description
    * Re-read auth-user-pass file on (re)connect if required
    * Clarify --capath option in manpage
    * Call daemon() before initializing crypto library
* Mon Mar 02 2015 mt@suse.de
  - Fixed to use correct sha digest data length and in fips mode,
    use aes instead of the disallowed blowfish crypto (boo#914166).
  - Fixed to provide actual plugin/doc dirs in openvpn(8) man page.
* Mon Dec 01 2014 mt@suse.de
  - Update to version 2.3.6 fixing a denial-of-service vulnerability
    where an authenticated client could stop the server by triggering
    a server-side ASSERT (bnc#907764,CVE-2014-8104).
    See ChangeLog file for a complete list of changes.
* Thu Oct 30 2014 idonmez@suse.com
  - Update to version 2.3.5
    * See included changelog
  - Depend on systemd-devel for the daemon check functionality

Files

/usr/lib64/openvpn
/usr/lib64/openvpn/plugins
/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so


Generated by rpm2html 1.8.1

Fabrice Bellet, Sat Mar 9 14:54:44 2024