21:32 Matthias Andree (mandree) 

security/openvpn*: update to 2.6.0, keep openvpn25

- copy openvpn to openvpn25, mark as deprecated and to expire March 31

- update openvpn to openvpn 2.6.0, highlights from Frank Lichtenheld's
  release announcement e-mail, slightly edited:

 * Data Channel Offload (DCO) kernel acceleration support for Windows,
   Linux, and FreeBSD [14].
 * OpenSSL 3 support
 * Improved handling of tunnel MTU, including support for pushable MTU.
 * Outdated cryptographic algorithms disabled by default, but there are
   options to override if necessary.
 * Reworked TLS handshake, making OpenVPN immune to replay-packet state
   exhaustion attacks.
 * Added --peer-fingerprint mode for a more simplistic certificate setup
   and verification.
 * Improved protocol negotiation, leading to faster connection setup.

ChangeLog: https://github.com/OpenVPN/openvpn/blob/v2.6.0/Changes.rst

    6853ab1

16:28 mandree 

security/openvpn: reliability fixes cherry-picked from upstream

Arne Schwabe's OpenSSL fix for Debian Bug#958296
"Fix tls_ctx_client/server_new leaving error on OpenSSL error stack"
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958296> [1]

Selva Nair's auth-pam fixes
"Parse static challenge response in auth-pam plugin"
"Accept empty password and/or response in auth-pam plugin"

Re-diff (with make makepatch) older patches.

Reported by:	Jonas Andradas via Debian BTS
Obtained from:	Arne Schwabe, Selva Nair
<https://github.com/OpenVPN/openvpn/tree/release/2.4>
MFH:		2020Q2 (blanket for backporting reliability fixes)

 

18:16 mandree 

Fix a sed regexp from GNUism to POSIX.

Thanks!

Also sent upstream for inclusion today,
https://sourceforge.net/p/openvpn/mailman/message/36757480/ and
https://sourceforge.net/p/openvpn/mailman/message/36757481/

PR:		240306
Submitted by:	kevans@