Fedora EPEL 6 Update: openvpn-2.1.4-1.el6

updates at fedoraproject.org
Tue May 10 18:58:02 UTC 2011


--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2011-3155
2011-04-25 18:35:42
--------------------------------------------------------------------------------

Name        : openvpn
Product     : Fedora EPEL 6
Version     : 2.1.4
Release     : 1.el6
URL         : http://openvpn.net/
Summary     : A full-featured SSL VPN solution
Description :
OpenVPN is a robust and highly flexible tunneling application that uses all
of the encryption, authentication, and certification features of the
OpenSSL library to securely tunnel IP networks over a single UDP or TCP
port.  It can use Marcus Franz Xaver Johannes Oberhumer's LZO library
for compression.

--------------------------------------------------------------------------------
Update Information:

This update includes the following upstream fixes and changes:


2010.11.09 -- Version 2.1.4
===========================

  * Fix problem with special case route targets ('remote_host'): The init_route() function will leave &netlist untouched for get_special_addr() routes ("remote_host" being one of them). netlist is on the stack and contains random garbage, so netlist.len will not be 0; thus, random stack data is copied from netlist.data[] until the route_list is full. Thanks to Teodo MICU and Gert Doering for finding and fixing this issue.
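
The pattern behind the 2.1.4 fix, as an added example (a simplified model written for this page, not OpenVPN's source): an output struct that one code path never writes, and a caller that trusts its length field. The names resolve(), add_routes(), the capacities and the addresses are assumptions; the stale stack content is simulated with memset so the run is deterministic.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ADDRS  16   /* resolver result capacity (assumed) */
#define MAX_ROUTES 8    /* route list capacity (assumed) */

struct addr_list  { int len; unsigned data[MAX_ADDRS]; };
struct route_list { int n;   unsigned net[MAX_ROUTES]; };

/* Resolver step. A special target such as "remote_host" is answered
 * directly; without the fix that path never writes to *nl. */
static unsigned resolve(const char *target, struct addr_list *nl, int fixed)
{
    if (fixed)
        nl->len = 0;                 /* fix: output is defined on every path */
    if (strcmp(target, "remote_host") == 0)
        return 0xC0000201u;          /* constructed address 192.0.2.1 */
    nl->len = 2;                     /* constructed two-address DNS answer */
    nl->data[0] = 0xC6336401u;
    nl->data[1] = 0xC6336402u;
    return nl->data[0];
}

/* Caller trusts nl.len after resolve(); returns how many routes were added. */
static int add_routes(const char *target, int fixed)
{
    struct addr_list nl;
    struct route_list rl = { 0, { 0 } };
    unsigned one;
    int k;

    /* Deterministic stand-in for stale stack bytes left in nl. */
    memset(&nl, 0x5A, sizeof nl);
    one = resolve(target, &nl, fixed);
    if (nl.len == 0) {
        rl.net[rl.n++] = one;        /* single address */
    } else {
        for (k = 0; k < nl.len && rl.n < MAX_ROUTES; ++k)
            rl.net[rl.n++] = nl.data[k];   /* garbage when len is stale */
    }
    return rl.n;
}

int main(void)
{
    printf("unfixed: %d routes, fixed: %d route\n",
           add_routes("remote_host", 0), add_routes("remote_host", 1));
    return 0;
}
```
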


2010.08.20 -- Version 2.1.3
===========================

  * Windows build fixes: Attempt to fix issue where domake-win build system was not properly signing drivers and .exe files.  This change affects only the Windows build scripts and not the OpenVPN code base.


2010.08.09 -- Version 2.1.2
===========================

  * Windows security issue: Fixed potential local privilege escalation vulnerability in Windows service. The Windows service did not properly quote the executable filename passed to CreateService.  A local attacker with write access to the root directory C:\ could create an executable that would be run with the same privilege level as the OpenVPN Windows service.  However, since non-Administrative users normally lack write permission on C:\, this vulnerability is generally not exploitable except on older versions of Windows (such as Win2K) where the default permissions on C:\ would allow any user to create files there. Credit:  Scott Laurie, MWR InfoSecurity
  * Added Python-based alternative build system for Windows using Visual Studio 2008 (in win directory).
  * When aborting in a non-graceful way, try to execute do_close_tun in init.c prior to daemon exit to ensure that the tun/tap interface is closed and any added routes are deleted.
  * Fixed an issue where AUTH_FAILED was not being properly delivered to the client when a bad password is given for mid-session reauth, causing the connection to fail without an error indication.
  * Don't advance to the next connection profile on AUTH_FAILED errors.
  * Fixed an issue in the Management Interface that could cause a process hang with 100% CPU utilization in --management-client mode if the management interface client disconnected at the point where credentials are queried.
  * Fixed an issue where if reneg-sec was set to 0 on the client, so that the server-side value would take precedence, the auth_deferred_expire_window function would incorrectly return a window period of 0 seconds.  In this case, the correct window period should be the handshake window period.
  * Modified ">PASSWORD:Verification Failed" management interface notification to include a client reason string: ">PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']"
  * Enable exponential backoff in reliability layer retransmits.
  * Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after socket is created rather than waiting until after connect/listen.
  * Management interface performance optimizations:
    * Added env-filter MI command to perform filtering on env vars passed through as a part of --management-client-auth
    * man_write will now try to aggregate output into larger blocks (up to 1024 bytes) for more efficient i/o
  * Fixed minor issue in Windows TAP driver DEBUG builds where non-null-terminated unicode strings were being printed incorrectly.
  * Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support was not being compiled in.
  * Proxy improvements:
    * Improved the ability of http-auth "auto" flag to dynamically detect the auth method required by the proxy.
    * Added http-auth "auto-nct" flag to reject weak proxy auth methods.
    * Added HTTP proxy digest authentication method.
    * Removed extraneous openvpn_sleep calls from proxy.c.
  * Implemented http-proxy-override and http-proxy-fallback directives to make it easier for OpenVPN client UIs to start a pre-existing client config file with proxy options, or to adaptively fall back to a proxy connection if a direct connection fails.
  * Implemented a key/value auth channel from client to server.
  * Fixed issue where bad creds provided by the management interface for HTTP Proxy Basic Authentication would go into an infinite retry-fail loop instead of requerying the management interface for new creds.
  * Added support for MSVC debugging of openvpn.exe in settings.in: "# Build debugging version of openvpn.exe", "!define PRODUCT_OPENVPN_DEBUG"
  * Implemented multi-address DNS expansion on the network field of route commands: When only a single IP address is desired from a multi-address DNS expansion, use the first address rather than a random selection.
  * Added --register-dns option for Windows.
  * Fixed some issues on Windows with --log, subprocess creation for command execution, and stdout/stderr redirection.
  * Fixed an issue where application payload transmissions on the TLS control channel (such as AUTH_FAILED) that occur during or immediately after a TLS renegotiation might be dropped. 
  * Added warning about tls-remote option in man page.
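
For the Windows service quoting issue listed first in the 2.1.2 notes above, an added audit example (not OpenVPN's code): it flags a service binary path that is unquoted and contains spaces, and builds the quoted form that is the remedy the changelog describes. The helper names and the sample install path are constructed; the check assumes the program name ends in ".exe" (lowercase).

```c
#include <stdio.h>
#include <string.h>

/* Number of spaces inside the program part of an unquoted command line.
 * Each one is a point where the line can be read as a shorter program
 * name plus arguments. 0 means unambiguous; a quoted path always is.
 * If no ".exe" is found, every space in the string is counted. */
static int ambiguous_prefixes(const char *cmdline)
{
    const char *end, *p;
    int n = 0;

    if (cmdline[0] == '"')
        return 0;
    end = strstr(cmdline, ".exe");
    if (!end)
        end = cmdline + strlen(cmdline);
    for (p = cmdline; p < end; ++p)
        if (*p == ' ')
            ++n;
    return n;
}

/* Wraps the executable path in double quotes for use as a service binary
 * path. Returns 0 on success, -1 if exe already contains a quote or the
 * result does not fit in out. */
static int quote_service_path(const char *exe, char *out, size_t outlen)
{
    int w;

    if (strchr(exe, '"'))
        return -1;
    w = snprintf(out, outlen, "\"%s\"", exe);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample path, not taken from the advisory. */
    const char *exe = "C:\\Program Files\\OpenVPN\\bin\\openvpnserv.exe";
    char quoted[260];

    printf("unquoted: %d ambiguous split(s)\n", ambiguous_prefixes(exe));
    if (quote_service_path(exe, quoted, sizeof quoted) == 0)
        printf("quoted:   %s -> %d\n", quoted, ambiguous_prefixes(quoted));
    return 0;
}
```
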
--------------------------------------------------------------------------------

This update can be installed with the "yum" update programs.  Use
su -c 'yum update openvpn' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora EPEL GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

