From 65fb8bc335ef51daef048e40f2a573a896e38df0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Mon, 2 Oct 2017 06:58:48 +0200 Subject: New upstream release --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 2ca34ec..50e762b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +openvpn (2.4.4-1) UNRELEASED; urgency=medium + + * New Upstream release. + + -- Jörg Frings-Fürst Mon, 02 Oct 2017 06:57:42 +0200 + openvpn (2.4.3-4) unstable; urgency=medium * fix FTBFS on kfreebsd -- cgit v1.2.3 From 6981bb81eb962317ecccc4b8c5a3f13243b069fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Tue, 3 Oct 2017 06:50:04 +0200 Subject: Declare compliance with Debian Policy 4.1.1 --- debian/changelog | 1 + debian/control | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 50e762b..4d2c7b0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,7 @@ openvpn (2.4.4-1) UNRELEASED; urgency=medium * New Upstream release. + * Declare compliance with Debian Policy 4.1.1. (No changes needed). -- Jörg Frings-Fürst Mon, 02 Oct 2017 06:57:42 +0200 diff --git a/debian/control b/debian/control index 89d4656..47cbd47 100644 --- a/debian/control +++ b/debian/control @@ -17,7 +17,7 @@ Build-Depends: net-tools [!linux-any], pkg-config, systemd [linux-any] -Standards-Version: 4.0.0 +Standards-Version: 4.1.1 Homepage: https://openvpn.net/ Vcs-Git: https://anonscm.debian.org/git/collab-maint/openvpn.git Vcs-Browser: https://anonscm.debian.org/git/collab-maint/openvpn.git -- cgit v1.2.3 From 47935976f8f49f169de35f8f6fa44aaa5f648b55 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Tue, 3 Oct 2017 06:57:54 +0200 Subject: Drop dh-systemd from both Build-Depends and dh command line --- debian/changelog | 2 ++ debian/control | 3 +-- debian/rules | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 4d2c7b0..6b56477 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,8 @@ openvpn (2.4.4-1) UNRELEASED; urgency=medium * New Upstream release. * Declare compliance with Debian Policy 4.1.1. (No changes needed). + * Drop dh-systemd from both Build-Depends and dh command line as + it is enabled by default for dh compat level 10. -- Jörg Frings-Fürst Mon, 02 Oct 2017 06:57:42 +0200 diff --git a/debian/control b/debian/control index 47cbd47..529ca0d 100644 --- a/debian/control +++ b/debian/control @@ -15,8 +15,7 @@ Build-Depends: libssl1.0-dev, libsystemd-dev [linux-any], net-tools [!linux-any], - pkg-config, - systemd [linux-any] + pkg-config Standards-Version: 4.1.1 Homepage: https://openvpn.net/ Vcs-Git: https://anonscm.debian.org/git/collab-maint/openvpn.git diff --git a/debian/rules b/debian/rules index c8c0dca..603d9a0 100755 --- a/debian/rules +++ b/debian/rules @@ -13,7 +13,7 @@ endif export DEB_BUILD_MAINT_OPTIONS = hardening=+all %: - dh $@ --with systemd + dh $@ override_dh_auto_configure: -test -f tests/t_client.sh.not || mv tests/t_client.sh tests/t_client.sh.not -- cgit v1.2.3 From 61168812a0d9663737107f64ad5d84274497dbcf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Tue, 3 Oct 2017 07:51:46 +0200 Subject: correct the last commit --- debian/control | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/control b/debian/control index 529ca0d..14be23f 100644 --- a/debian/control +++ b/debian/control 
@@ -5,7 +5,6 @@ Maintainer: Bernhard Schmidt Uploaders: Jörg Frings-Fürst Build-Depends: debhelper (>= 10), - dh-systemd (>= 1.5), dpkg-dev (>= 1.16.1), iproute2 [linux-any], liblz4-dev, @@ -15,7 +14,8 @@ Build-Depends: libssl1.0-dev, libsystemd-dev [linux-any], net-tools [!linux-any], - pkg-config + pkg-config, + systemd [linux-any] Standards-Version: 4.1.1 Homepage: https://openvpn.net/ Vcs-Git: https://anonscm.debian.org/git/collab-maint/openvpn.git -- cgit v1.2.3 From 6543da4b81c14a995d4b8c81d311554376b71054 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Tue, 3 Oct 2017 08:29:18 +0200 Subject: New debian/openvpn.lintian-overrides --- debian/changelog | 2 ++ debian/openvpn.lintian-overrides | 4 ++++ 2 files changed, 6 insertions(+) create mode 100644 debian/openvpn.lintian-overrides (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 6b56477..ca3f0be 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,8 @@ openvpn (2.4.4-1) UNRELEASED; urgency=medium * Declare compliance with Debian Policy 4.1.1. (No changes needed). * Drop dh-systemd from both Build-Depends and dh command line as it is enabled by default for dh compat level 10. + * New debian/openvpn.lintian-overrides: + - Override duplicate upstream changelog warning. -- Jörg Frings-Fürst Mon, 02 Oct 2017 06:57:42 +0200 diff --git a/debian/openvpn.lintian-overrides b/debian/openvpn.lintian-overrides new file mode 100644 index 0000000..91ae65a --- /dev/null +++ b/debian/openvpn.lintian-overrides @@ -0,0 +1,4 @@ +# ChangeLog and Changes.rst are not the same. +# ChangeLog contains the source changes and Changes.rst describes +# the program development. +duplicate-changelog-files -- cgit v1.2.3 From 576d45b309817097c004e9bb347513629cddcffb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Tue, 3 Oct 2017 09:56:53 +0200 Subject: Remove obsolete directory /usr/lib/openvpn --- debian/README.Debian | 10 ++++++---- debian/changelog | 4 ++++ debian/dirs | 1 - debian/postrm | 17 +++++++++++++++++ 4 files changed, 27 insertions(+), 5 deletions(-) create mode 100644 debian/postrm (limited to 'debian') diff --git a/debian/README.Debian b/debian/README.Debian index 517cf02..29b15fe 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -186,11 +186,13 @@ from now on. plugin support -------------- -Plugins are now included in the package. They get installed in /usr/lib/openvpn. +Plugins are now included in the package. They get installed in +/usr/lib//openvpn/plugins. Info on what they are and what they do in README.auth-pam and README.down-root. -Append /usr/lib/openvpn/ to the plugin name in the plugin option. -i.e. - plugin /usr/lib/openvpn/openvpn-auth-pam.so [service-type] +Append /usr/lib//openvpn/plugins to the plugin name in +the plugin option. +i.e. + plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so [service-type] Using resolvconf ---------------- diff --git a/debian/changelog b/debian/changelog index ca3f0be..f5f2a3d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,10 @@ openvpn (2.4.4-1) UNRELEASED; urgency=medium it is enabled by default for dh compat level 10. * New debian/openvpn.lintian-overrides: - Override duplicate upstream changelog warning. + * debian/dirs: + - Remove empty directory /usr/lib/openvpn. The plugins are now in + /usr/lib/*/openvpn/plugins. + - Add debian/postrm to remove /usr/lib/openvpn on purge. -- Jörg Frings-Fürst Mon, 02 Oct 2017 06:57:42 +0200 diff --git a/debian/dirs b/debian/dirs index c715297..e26aab3 100644 --- a/debian/dirs +++ b/debian/dirs @@ -8,5 +8,4 @@ usr/sbin usr/share/man/man8 usr/share/doc/openvpn usr/share/openvpn -usr/lib/openvpn usr/include/openvpn 
diff --git a/debian/postrm b/debian/postrm new file mode 100644 index 0000000..c19a935 --- /dev/null +++ b/debian/postrm @@ -0,0 +1,17 @@ +#!/bin/sh +set -e + + +if [ "$1" = purge ] ; then + +# remove obsolete directory + if [ -d /usr/lib/openvpn ]; then + rmdir --ignore-fail-on-non-empty /usr/lib/openvpn + fi + +fi + +#DEBHELPER# + +exit 0 + -- cgit v1.2.3 From 46aa869cd4bbb466e9d02322898ccbe7a895ab45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Tue, 3 Oct 2017 10:18:13 +0200 Subject: Rewrite d/changelog and d/postrm --- debian/changelog | 9 +++++---- debian/postrm | 16 +++++++++++----- 2 files changed, 16 insertions(+), 9 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index f5f2a3d..a49323f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,10 +6,11 @@ openvpn (2.4.4-1) UNRELEASED; urgency=medium it is enabled by default for dh compat level 10. * New debian/openvpn.lintian-overrides: - Override duplicate upstream changelog warning. - * debian/dirs: - - Remove empty directory /usr/lib/openvpn. The plugins are now in - /usr/lib/*/openvpn/plugins. - - Add debian/postrm to remove /usr/lib/openvpn on purge. + * Remote obsolete directory /usr/lib/openvpn (The plugins direcotoy are now + /usr/lib/*/openvpn/plugins): + - Remove /usr/lib/openvpn from debian/dirs. + - Add debian/postrm to remove /usr/lib/openvpn on purge and remove. + - Rewrite plugin section at README.Debian -- Jörg Frings-Fürst Mon, 02 Oct 2017 06:57:42 +0200 diff --git a/debian/postrm b/debian/postrm index c19a935..970a802 100644 --- a/debian/postrm +++ b/debian/postrm 
@@ -2,14 +2,20 @@ set -e -if [ "$1" = purge ] ; then +case "$1" in + purge|remove) + +# # remove obsolete directory - if [ -d /usr/lib/openvpn ]; then - rmdir --ignore-fail-on-non-empty /usr/lib/openvpn - fi +# new at release 2.4.4-1 +# + if [ -d /usr/lib/openvpn ]; then + rmdir --ignore-fail-on-non-empty /usr/lib/openvpn + fi + ;; -fi +esac #DEBHELPER# -- cgit v1.2.3 From cacc0153486c22c406fefb18f9edb625c8c26b70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Tue, 3 Oct 2017 11:03:34 +0200 Subject: Use pathfind() instead hard coded path for invoke-rc.d --- debian/changelog | 2 ++ debian/postinst | 22 +++++++++++++++++++++- debian/prerm | 34 +++++++++++++++++++++++++++------- 3 files changed, 50 insertions(+), 8 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index a49323f..87ad6c7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,6 +11,8 @@ openvpn (2.4.4-1) UNRELEASED; urgency=medium - Remove /usr/lib/openvpn from debian/dirs. - Add debian/postrm to remove /usr/lib/openvpn on purge and remove. - Rewrite plugin section at README.Debian + * Use pathfind() instead hard coded path for invoke-rc.d at debian/prerm + and debian/postinst. -- Jörg Frings-Fürst Mon, 02 Oct 2017 06:57:42 +0200 diff --git a/debian/postinst b/debian/postinst index 3776449..648e671 100644 --- a/debian/postinst +++ b/debian/postinst @@ -9,6 +9,25 @@ test $DEBIAN_SCRIPT_DEBUG && set -v -x # use debconf . /usr/share/debconf/confmodule +# +# POSIX-compliant shell function +# to check for the existence of a command +# Return 0 if found +# +pathfind() { + OLDIFS="$IFS" + IFS=: + for p in $PATH; do + if [ -x "$p/$*" ]; then + IFS="$OLDIFS" + return 0 + fi + done + IFS="$OLDIFS" + return 1 +} + + case "$1" in configure) db_get openvpn/create_tun || RET="false" 
@@ -34,7 +53,8 @@ case "$1" in esac if [ -x "/etc/init.d/openvpn" ]; then - if [ -x /usr/sbin/invoke-rc.d ]; then + pathfind invoke-rc.d + if [ $? = 0 ]; then invoke-rc.d openvpn cond-restart || invoke-rc.d openvpn restart else /etc/init.d/openvpn cond-restart || /etc/init.d/openvpn restart diff --git a/debian/prerm b/debian/prerm index b888ef8..ec08b7b 100644 --- a/debian/prerm +++ b/debian/prerm @@ -7,14 +7,34 @@ set -e test $DEBIAN_SCRIPT_DEBUG && set -v -x +# +# POSIX-compliant shell function +# to check for the existence of a command +# Return 0 if found +# +pathfind() { + OLDIFS="$IFS" + IFS=: + for p in $PATH; do + if [ -x "$p/$*" ]; then + IFS="$OLDIFS" + return 0 + fi + done + IFS="$OLDIFS" + return 1 +} + + stop_vpn () { - if [ -x "/etc/init.d/openvpn" ]; then - if [ -x /usr/sbin/invoke-rc.d ] ; then - invoke-rc.d openvpn stop - else - /etc/init.d/openvpn stop - fi - fi + if [ -x "/etc/init.d/openvpn" ]; then + pathfind invoke-rc.d + if [ $? = 0 ]; then + invoke-rc.d openvpn stop + else + /etc/init.d/openvpn stop + fi + fi } -- cgit v1.2.3 From b5fc2d89aae93f0fb644584bf39e3e29c147bad8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Tue, 3 Oct 2017 11:08:56 +0200 Subject: Remove outdated debian/README.source --- debian/README.source | 2 -- debian/changelog | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 debian/README.source (limited to 'debian') diff --git a/debian/README.source b/debian/README.source deleted file mode 100644 index 44b33ce..0000000 --- a/debian/README.source +++ /dev/null @@ -1,2 +0,0 @@ -Please refer to /usr/share/doc/quilt/README.source before making changes to -the source package. diff --git a/debian/changelog b/debian/changelog index 87ad6c7..4d39beb 100644 --- a/debian/changelog +++ b/debian/changelog 
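Review bot: In prerm's `stop_vpn` the bare `pathfind invoke-rc.d` call followed by `if [ $? = 0 ]` runs under the `set -e` shown in that hunk's header, so when invoke-rc.d is not on PATH the non-zero return ends the maintainer script before the `else` branch can fall back to `/etc/init.d/openvpn stop` (unless the caller, which is outside the hunk, invokes `stop_vpn` inside a condition). The same pattern is added to postinst in the `@@ -34,7 +53,8 @@` hunk; whether `set -e` is active there is not visible here. Testing the function directly avoids both the abort and the `$?` round trip: `if pathfind invoke-rc.d; then`. Because the lookup now follows PATH instead of a fixed location, it depends on dpkg running these scripts with a trusted PATH, and a one-line comment above `pathfind()` saying so would help the next reader.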
@@ -13,6 +13,7 @@ openvpn (2.4.4-1) UNRELEASED; urgency=medium - Rewrite plugin section at README.Debian * Use pathfind() instead hard coded path for invoke-rc.d at debian/prerm and debian/postinst. + * Remove outdated debian/README.source. -- Jörg Frings-Fürst Mon, 02 Oct 2017 06:57:42 +0200 -- cgit v1.2.3 From 4ca1764c51128c98ab8b0161a9677bc284723740 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Tue, 3 Oct 2017 11:45:14 +0200 Subject: Remove obsolete syslog.target from debian/openvpn@.service --- debian/changelog | 1 + debian/openvpn@.service | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 4d39beb..1e3cc3b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,6 +14,7 @@ openvpn (2.4.4-1) UNRELEASED; urgency=medium * Use pathfind() instead hard coded path for invoke-rc.d at debian/prerm and debian/postinst. * Remove outdated debian/README.source. + * Remove obsolete syslog.target from debian/openvpn@.service. -- Jörg Frings-Fürst Mon, 02 Oct 2017 06:57:42 +0200 diff --git a/debian/openvpn@.service b/debian/openvpn@.service index 53ff5a5..2cda6cd 100644 --- a/debian/openvpn@.service +++ b/debian/openvpn@.service @@ -3,7 +3,7 @@ Description=OpenVPN connection to %i PartOf=openvpn.service ReloadPropagatedFrom=openvpn.service Before=systemd-user-sessions.service -After=syslog.target network-online.target +After=network-online.target Wants=network-online.target Documentation=man:openvpn(8) Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage -- cgit v1.2.3 From 0b7f9eeffaaa5889d4ab151150e45c8856fa49b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Tue, 3 Oct 2017 13:27:54 +0200 Subject: Fix bounds check in read_key() (CVE-2017-12166) --- debian/changelog | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'debian') 
diff --git a/debian/changelog b/debian/changelog index 1e3cc3b..1df3559 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,7 @@ openvpn (2.4.4-1) UNRELEASED; urgency=medium - * New Upstream release. + * New Upstream release: + - Fix bounds check in read_key() (CVE-2017-12166) (Closes: #877089). * Declare compliance with Debian Policy 4.1.1. (No changes needed). * Drop dh-systemd from both Build-Depends and dh command line as it is enabled by default for dh compat level 10. -- cgit v1.2.3 From 5cdfd749325d2633506635e6e994a9a36f0d918b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Tue, 3 Oct 2017 19:54:36 +0200 Subject: Update Catalan translation --- debian/changelog | 2 ++ debian/po/ca.po | 17 +++++++++-------- 2 files changed, 11 insertions(+), 8 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 1df3559..a2b9065 100644 --- a/debian/changelog +++ b/debian/changelog @@ -16,6 +16,8 @@ openvpn (2.4.4-1) UNRELEASED; urgency=medium and debian/postinst. * Remove outdated debian/README.source. * Remove obsolete syslog.target from debian/openvpn@.service. + * Update Catalan translation (Closes: #870351). + - Thanks to Alytidae . -- Jörg Frings-Fürst Mon, 02 Oct 2017 06:57:42 +0200 diff --git a/debian/po/ca.po b/debian/po/ca.po index 10ea58b..a671ef9 100644 --- a/debian/po/ca.po +++ b/debian/po/ca.po 
@@ -1,15 +1,15 @@ -# openvpn (debconf) translation to Catalan. +# OpenVPN (debconf) translation to Catalan. # Copyright (C) 2004 Free Software Foundation, Inc. # Aleix Badia i Bosch , 2004 # Josep Lladonosa i Capell , 2004 -# +# Alytidae , 2017 msgid "" msgstr "" -"Project-Id-Version: openvpn_1.5.0-2_templates\n" +"Project-Id-Version: openvpn_2.4.3-4\n" "Report-Msgid-Bugs-To: openvpn@packages.debian.org\n" "POT-Creation-Date: 2011-05-10 17:48+0200\n" -"PO-Revision-Date: 2004-04-08 20:24+0200\n" -"Last-Translator: Aleix Badia i Bosch \n" +"PO-Revision-Date: 2017-07-23 16:53+0200\n" +"Last-Translator: Alytidae \n" "Language-Team: Catalan \n" "Language: ca\n" "MIME-Version: 1.0\n" @@ -20,7 +20,7 @@ msgstr "" #. Description #: ../templates:2001 msgid "Create the TUN/TAP device?" -msgstr "" +msgstr "Crear un dispositiu TUN/TAP?" #. Type: boolean #. Description @@ -28,13 +28,14 @@ msgstr "" msgid "" "If you choose this option, the /dev/net/tun device needed by OpenVPN will be " "created." -msgstr "" +msgstr "Si tries aquesta opció es crearà el dispositiu /dev/net/tun, que és " +"necessari per a OpenVPN." #. Type: boolean #. Description #: ../templates:2001 msgid "You should not choose this option if you're using devfs." -msgstr "" +msgstr "No hauries de triar aquesta opció si estàs utilitzant devfs." #~ msgid "Would you like to start openvpn sooner?" #~ msgstr "Voldríeu iniciar l'openvpn abans?" -- cgit v1.2.3 From abb6ab3918792141a92a8e5b91074b66153b2eb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Wed, 4 Oct 2017 00:07:15 +0200 Subject: New directory /var/log/openvpn for log and status files --- debian/changelog | 5 +++++ debian/dirs | 1 + debian/patches/move_log_dir.patch | 41 +++++++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 4 files changed, 48 insertions(+) create mode 100644 debian/patches/move_log_dir.patch (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index a2b9065..ee80ed5 100644 
--- a/debian/changelog +++ b/debian/changelog @@ -18,6 +18,11 @@ openvpn (2.4.4-1) UNRELEASED; urgency=medium * Remove obsolete syslog.target from debian/openvpn@.service. * Update Catalan translation (Closes: #870351). - Thanks to Alytidae . + * New directory /var/log/openvpn for log and status files + (Closes: #444431, #553303): + - Add var/log/openvpn into debian/dirs. + - New debian/patches/move_log_dir.patch to change the conf files + to the new log directory. -- Jörg Frings-Fürst Mon, 02 Oct 2017 06:57:42 +0200 diff --git a/debian/dirs b/debian/dirs index e26aab3..2823844 100644 --- a/debian/dirs +++ b/debian/dirs @@ -9,3 +9,4 @@ usr/share/man/man8 usr/share/doc/openvpn usr/share/openvpn usr/include/openvpn +var/log/openvpn diff --git a/debian/patches/move_log_dir.patch b/debian/patches/move_log_dir.patch new file mode 100644 index 0000000..4518461 --- /dev/null +++ b/debian/patches/move_log_dir.patch 
@@ -0,0 +1,41 @@ +Description: Set default logdir to /var/log/openvpn +Author: Jörg Frings-Fürst +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444431 + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553303 +Forwarded: not-needed +Last-Update: 2017-10-03 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: trunk/sample/sample-config-files/server.conf +=================================================================== +--- trunk.orig/sample/sample-config-files/server.conf ++++ trunk/sample/sample-config-files/server.conf +@@ -105,7 +105,7 @@ server 10.8.0.0 255.255.255.0 + # is restarted, reconnecting clients can be assigned + # the same virtual IP address from the pool that was + # previously assigned. +-ifconfig-pool-persist ipp.txt ++ifconfig-pool-persist /var/log/openvpn/ipp.txt + + # Configure server mode for ethernet bridging. + # You must first use your OS's bridging capability +@@ -284,7 +284,7 @@ persist-tun + # Output a short status file showing + # current connections, truncated + # and rewritten every minute. +-status openvpn-status.log ++status /var/log/openvpn/openvpn-status.log + + # By default, log messages will go to the syslog (or + # on Windows, if running as a service, they will go to +@@ -293,8 +293,8 @@ status openvpn-status.log + # "log" will truncate the log file on OpenVPN startup, + # while "log-append" will append to it. Use one + # or the other (but not both). +-;log openvpn.log +-;log-append openvpn.log ++;log /var/log/openvpn/openvpn.log ++;log-append /var/log/openvpn/openvpn.log + + # Set the appropriate level of log + # file verbosity. diff --git a/debian/patches/series b/debian/patches/series index 50b527d..156ff6f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ +move_log_dir.patch auth-pam_libpam_so_filename.patch debian_nogroup_for_sample_files.patch openvpn-pkcs11warn.patch -- cgit v1.2.3 
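Review bot: `ifconfig-pool-persist /var/log/openvpn/ipp.txt` in the server.conf hunk places the address-pool state file in the log directory, where it sits next to files that log rotation or cleanup jobs may prune; it is persistent state rather than a log, so a state directory would be the more conventional home. The `status` and `log` paths also move to `/var/log/openvpn`, which this commit creates through debian/dirs with no explicit owner or mode. The status file is described in the sample itself as showing current connections, so whether local users can read it depends on the packaging defaults (presumably root-owned and world-readable, to be confirmed). Setting a restrictive mode on the directory in the packaging, and stating it in the patch description, would make that explicit.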
From 8b66a35385f4350db57d6a9d4f40ad732267e6b9 Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Mon, 9 Oct 2017 21:25:52 +0200 Subject: openvpn@.service: Copy Restart=on-failure from upstream systemd unit --- debian/openvpn@.service | 2 ++ 1 file changed, 2 insertions(+) (limited to 'debian') diff --git a/debian/openvpn@.service b/debian/openvpn@.service index 2cda6cd..992cc3b 100644 --- a/debian/openvpn@.service +++ b/debian/openvpn@.service @@ -22,6 +22,8 @@ DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw ProtectSystem=true ProtectHome=true +RestartSec=5s +Restart=on-failure [Install] WantedBy=multi-user.target -- cgit v1.2.3 From 1a0cdf35d6f7e3a80eaf3989e415baf23f879488 Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Mon, 9 Oct 2017 21:26:31 +0200 Subject: openvpn@.service: Use KillMode=process This copies a change in the upstream systemd unit into the Debian-specific one === systemd: Ensure systemd shuts down OpenVPN in a proper way By default, when systemd is stopping OpenVPN it will send the SIGTERM to all processes within the same process control-group. This can come as a surprise to plug-ins which may have fork()ed out child processes. So we tell systemd to only send the SIGTERM signal to the main OpenVPN process and let OpenVPN take care of the shutdown process on its own. If the main OpenVPN process does not stop within 90 seconds (unless changed), it will send SIGKILL to all remaining processes within the same process control-group. This issue have been reported in both Debian and Fedora. Trac: 581 Message-Id: <20170906234705.26202-1-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15369.html Signed-off-by: David Sommerseth [DS: Applied lazy-ack policy] === --- debian/openvpn@.service | 1 + 1 file changed, 1 insertion(+) (limited to 'debian') diff --git a/debian/openvpn@.service b/debian/openvpn@.service index 992cc3b..7f0134b 100644 --- a/debian/openvpn@.service +++ b/debian/openvpn@.service 
@@ -15,6 +15,7 @@ PrivateTmp=true WorkingDirectory=/etc/openvpn ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid PIDFile=/run/openvpn/%i.pid +KillMode=process ExecReload=/bin/kill -HUP $MAINPID CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE LimitNPROC=10 -- cgit v1.2.3 From 8e8859fac3c914c52b0c197409e4e506926df327 Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Mon, 9 Oct 2017 21:29:06 +0200 Subject: Amend changelog --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index ee80ed5..7a0f18a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,6 @@ openvpn (2.4.4-1) UNRELEASED; urgency=medium + [ Jörg Frings-Fürst ] * New Upstream release: - Fix bounds check in read_key() (CVE-2017-12166) (Closes: #877089). * Declare compliance with Debian Policy 4.1.1. (No changes needed). @@ -24,6 +25,11 @@ openvpn (2.4.4-1) UNRELEASED; urgency=medium - New debian/patches/move_log_dir.patch to change the conf files to the new log directory. + [ Bernhard Schmidt ] + * Further changes to debian/openvpn@.service copied from upstream + - Enable Restart=on-failure + - Use KillMode=process + -- Jörg Frings-Fürst Mon, 02 Oct 2017 06:57:42 +0200 openvpn (2.4.3-4) unstable; urgency=medium -- cgit v1.2.3 From f212a9a8061882b73f6b6902757031bcd596aef2 Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Mon, 9 Oct 2017 21:30:19 +0200 Subject: Fix typo in changelog --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 7a0f18a..0c44351 100644 --- a/debian/changelog +++ b/debian/changelog 
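Review bot: `KillMode=process` leaves every process other than the main OpenVPN process outside systemd's stop handling: systemd documents this mode as signalling only the main process, so helper processes forked by plugins can outlive the unit if OpenVPN does not stop them itself. The behaviour the commit message describes (SIGTERM to the main process, then SIGKILL to whatever remains in the control group after the timeout) matches what systemd documents for `KillMode=mixed`, so it is worth confirming which of the two is intended. If `process` is kept, a comment in the unit such as `# plugin children are not signalled by systemd; OpenVPN must stop them itself` would record the trade-off.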
@@ -8,7 +8,7 @@ openvpn (2.4.4-1) UNRELEASED; urgency=medium it is enabled by default for dh compat level 10. * New debian/openvpn.lintian-overrides: - Override duplicate upstream changelog warning. - * Remote obsolete directory /usr/lib/openvpn (The plugins direcotoy are now + * Remote obsolete directory /usr/lib/openvpn (The plugins directory are now /usr/lib/*/openvpn/plugins): - Remove /usr/lib/openvpn from debian/dirs. - Add debian/postrm to remove /usr/lib/openvpn on purge and remove. -- cgit v1.2.3 From 6455036094426dd68277aa025b58704b6d8e31aa Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Wed, 25 Oct 2017 08:14:33 +0200 Subject: Prepare for release --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 0c44351..ed4d300 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -openvpn (2.4.4-1) UNRELEASED; urgency=medium +openvpn (2.4.4-1) unstable; urgency=medium [ Jörg Frings-Fürst ] * New Upstream release: @@ -30,7 +30,7 @@ openvpn (2.4.4-1) UNRELEASED; urgency=medium - Enable Restart=on-failure - Use KillMode=process - -- Jörg Frings-Fürst Mon, 02 Oct 2017 06:57:42 +0200 + -- Bernhard Schmidt Wed, 25 Oct 2017 08:14:12 +0200 openvpn (2.4.3-4) unstable; urgency=medium -- cgit v1.2.3 From 36397b0f6ec08f0ae0155b57302a0dafd63fd940 Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Mon, 11 Dec 2017 00:20:54 +0100 Subject: Build against OpenSSL 1.1.0 Closes: #828447 --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'debian') diff --git a/debian/control b/debian/control index 14be23f..a81ee26 100644 --- a/debian/control +++ b/debian/control @@ -11,7 +11,7 @@ Build-Depends: liblzo2-dev, libpam0g-dev, libpkcs11-helper1-dev, - libssl1.0-dev, + libssl-dev, libsystemd-dev [linux-any], net-tools [!linux-any], pkg-config, -- cgit v1.2.3 From 969554523b1dddd11dfefba47bec745cfd0eea31 Mon Sep 17 00:00:00 2001 
From: Bernhard Schmidt Date: Mon, 11 Dec 2017 00:21:40 +0100 Subject: Bump Standards-Version to 4.1.2, no changes necessary --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'debian') diff --git a/debian/control b/debian/control index a81ee26..b3770a9 100644 --- a/debian/control +++ b/debian/control @@ -16,7 +16,7 @@ Build-Depends: net-tools [!linux-any], pkg-config, systemd [linux-any] -Standards-Version: 4.1.1 +Standards-Version: 4.1.2 Homepage: https://openvpn.net/ Vcs-Git: https://anonscm.debian.org/git/collab-maint/openvpn.git Vcs-Browser: https://anonscm.debian.org/git/collab-maint/openvpn.git -- cgit v1.2.3 From 75286879ecd00a15e21cb9126643fef0316bd47f Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Mon, 11 Dec 2017 00:22:24 +0100 Subject: Changelog for 2.4.4-2 --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index ed4d300..bdf5384 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +openvpn (2.4.4-2) unstable; urgency=medium + + * Build against OpenSSL 1.1.0 (Closes: #828447) + * Bump Standards-Version to 4.1.2, no changes necessary + + -- Bernhard Schmidt Mon, 11 Dec 2017 00:22:11 +0100 + openvpn (2.4.4-1) unstable; urgency=medium [ Jörg Frings-Fürst ] -- cgit v1.2.3