diff -pruN 2.6.14-2/debian/changelog 2.6.14-2ubuntu1/debian/changelog
--- 2.6.14-2/debian/changelog	2025-09-05 20:13:12.000000000 +0000
+++ 2.6.14-2ubuntu1/debian/changelog	2025-09-06 06:40:39.000000000 +0000
@@ -1,3 +1,15 @@
+openvpn (2.6.14-2ubuntu1) questing; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+    - d/t/control: Move to isolation-container to enable armhf/LXD coverage.
+      (LP #2104146)
+    - d/p/handle_intentional_route_push_float_ip.patch
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Sat, 06 Sep 2025 08:40:39 +0200
+
 openvpn (2.6.14-2) unstable; urgency=medium
 
   * Cherry-pick upstream fix to build with Kernel 6.16+ (Closes: #1114249)
@@ -5,6 +17,35 @@ openvpn (2.6.14-2) unstable; urgency=med
 
  -- Bernhard Schmidt <berni@debian.org>  Fri, 05 Sep 2025 22:13:12 +0200
 
+openvpn (2.6.14-1ubuntu2) questing; urgency=medium
+
+  * d/p/handle_intentional_route_push_float_ip.patch: Fix floating IP due
+    to "route VPN_IP net_gateway", which can lead to incorrect blocking of
+    a source IP switch for 60 seconds immediately after connection setup.
+    (LP: #2108860)
+
+ -- Bryce Harrington <bryce@canonical.com>  Thu, 28 Aug 2025 15:34:24 -0700
+
+openvpn (2.6.14-1ubuntu1) questing; urgency=medium
+
+  * Merge from Debian Unstable (LP: #2110417). Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+    - d/t/control: Move to isolation-container to enable armhf/LXD coverage.
+      (LP #2104146)
+  * Dropped Changes:
+    - SECURITY UPDATE: denial of service issue
+      + debian/patches/CVE-2025-2704.patch: allow tls-crypt-v2 to be setup
+        only on initial packet of a session in src/openvpn/ssl.c,
+        src/openvpn/ssl_common.h, src/openvpn/ssl_pkt.c,
+        src/openvpn/ssl_pkt.h, src/openvpn/tls_crypt.c,
+        src/openvpn/tls_crypt.h, tests/unit_tests/openvpn/test_tls_crypt.c.
+      + CVE-2025-2704
+      [ Fixed upstream in 2.6.14 ]
+
+ -- Lena Voytek <lena.voytek@canonical.com>  Wed, 21 May 2025 13:13:19 -0400
+
 openvpn (2.6.14-1) unstable; urgency=medium
 
   [ Aquila Macedo ]
@@ -17,12 +58,49 @@ openvpn (2.6.14-1) unstable; urgency=med
 
  -- Bernhard Schmidt <berni@debian.org>  Wed, 02 Apr 2025 20:56:44 +0200
 
+openvpn (2.6.13-1ubuntu3) plucky; urgency=medium
+
+  * SECURITY UPDATE: denial of service issue
+    - debian/patches/CVE-2025-2704.patch: allow tls-crypt-v2 to be setup
+      only on initial packet of a session in src/openvpn/ssl.c,
+      src/openvpn/ssl_common.h, src/openvpn/ssl_pkt.c,
+      src/openvpn/ssl_pkt.h, src/openvpn/tls_crypt.c,
+      src/openvpn/tls_crypt.h, tests/unit_tests/openvpn/test_tls_crypt.c.
+    - CVE-2025-2704
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 01 Apr 2025 12:03:56 -0400
+
+openvpn (2.6.13-1ubuntu2) plucky; urgency=medium
+
+  * d/t/control: Move to isolation-container to enable armhf/LXD coverage.
+    (LP: #2104146)
+
+ -- Lukas Märdian <slyon@ubuntu.com>  Tue, 25 Mar 2025 14:47:41 +0100
+
+openvpn (2.6.13-1ubuntu1) plucky; urgency=medium
+
+  * Merge from Debian Unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+
+ -- Simon Quigley <tsimonq2@ubuntu.com>  Mon, 10 Feb 2025 22:24:50 -0600
+
 openvpn (2.6.13-1) unstable; urgency=medium
 
   * New upstream version 2.6.13 (Closes: #1095675)
 
  -- Bernhard Schmidt <berni@debian.org>  Mon, 10 Feb 2025 22:09:11 +0100
 
+openvpn (2.6.12-1ubuntu1) oracular; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Fri, 19 Jul 2024 17:47:31 +0200
+
 openvpn (2.6.12-1) unstable; urgency=medium
 
   * New upstream version 2.6.12
@@ -32,6 +110,15 @@ openvpn (2.6.12-1) unstable; urgency=med
 
  -- Bernhard Schmidt <berni@debian.org>  Thu, 18 Jul 2024 23:30:00 +0200
 
+openvpn (2.6.11-1ubuntu1) oracular; urgency=medium
+
+  * Merge from Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 08 Jul 2024 15:42:17 +0200
+
 openvpn (2.6.11-1) unstable; urgency=medium
 
   * New upstream version 2.6.11 (Closes: #1074488)
@@ -45,6 +132,53 @@ openvpn (2.6.11-1) unstable; urgency=med
 
  -- Bernhard Schmidt <berni@debian.org>  Mon, 08 Jul 2024 00:06:59 +0200
 
+openvpn (2.6.10-0ubuntu1) oracular; urgency=medium
+
+  * New upstream version 2.6.10 (LP: #2064436)
+    - Updates:
+      + t_client.sh can now run pre-tests and skip a test block if needed.
+      + Remove license warnings about mbedTLS linking.
+      + Update documentation references in systemd unit files.
+      + Remove obsolete tls-*.conf sample files.
+      + document that auth-user-pass may be inlined.
+    - Bug fixes:
+      + Fix checking option consistency for compiled-in compression algorithm
+        support.
+      + Remove obsolete syslog.target in systemd unit files.
+      + Additional Windows bug fixes.
+    - See https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26 for
+      additional bug fixes and information.
+  * d/p/systemd.patch: Remove - Fixed upstream
+
+ -- Lena Voytek <lena.voytek@canonical.com>  Wed, 01 May 2024 10:02:39 -0700
+
+openvpn (2.6.9-1ubuntu4) noble; urgency=high
+
+  * No change rebuild against libssl3t64.
+
+ -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 08 Apr 2024 16:47:03 +0200
+
+openvpn (2.6.9-1ubuntu3) noble; urgency=medium
+
+  * No-change rebuild for CVE-2024-3094
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 31 Mar 2024 09:23:46 +0000
+
+openvpn (2.6.9-1ubuntu2) noble; urgency=medium
+
+  * No-change rebuild against libssl3t64
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 04 Mar 2024 20:31:57 +0000
+
+openvpn (2.6.9-1ubuntu1) noble; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Thu, 29 Feb 2024 17:22:31 +0100
+
 openvpn (2.6.9-1) unstable; urgency=medium
 
   * New upstream version 2.6.9
@@ -53,6 +187,15 @@ openvpn (2.6.9-1) unstable; urgency=medi
 
  -- Bernhard Schmidt <berni@debian.org>  Wed, 28 Feb 2024 08:43:25 +0100
 
+openvpn (2.6.7-1ubuntu1) noble; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 13 Nov 2023 18:36:03 +0100
+
 openvpn (2.6.7-1) unstable; urgency=medium
 
   [ Aquila Macedo ]
@@ -77,6 +220,16 @@ openvpn (2.6.7-1) unstable; urgency=medi
 
  -- Bernhard Schmidt <berni@debian.org>  Sat, 11 Nov 2023 22:01:15 +0100
 
+openvpn (2.6.5-0ubuntu1) mantic; urgency=medium
+
+  * New Upstream release 2.6.5 (LP: #2018095)
+  * d/p/fix-dangling-pointer-in-pkcs11.patch:
+    Remove - fixed upstream in 2.6.4
+  * d/p/fix-memleak-in-dco_get_peer_stats_multi.patch:
+    Remove - fixed upstream in 2.6.5
+
+ -- Lena Voytek <lena.voytek@canonical.com>  Tue, 11 Jul 2023 09:36:08 -0700
+
 openvpn (2.6.3-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
@@ -86,6 +239,15 @@ openvpn (2.6.3-2.1) unstable; urgency=me
 
  -- Jochen Sprickerhof <jspricke@debian.org>  Fri, 27 Oct 2023 16:26:34 +0200
 
+openvpn (2.6.3-2ubuntu1) mantic; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 22 May 2023 09:28:33 +0200
+
 openvpn (2.6.3-2) unstable; urgency=medium
 
   * Cherry-pick two bugfix commits from upstream
@@ -94,6 +256,15 @@ openvpn (2.6.3-2) unstable; urgency=medi
 
  -- Bernhard Schmidt <berni@debian.org>  Sat, 20 May 2023 17:43:32 +0200
 
+openvpn (2.6.3-1ubuntu1) mantic; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Tue, 02 May 2023 08:48:22 +0200
+
 openvpn (2.6.3-1) unstable; urgency=medium
 
   * New upstream version 2.6.2
@@ -105,6 +276,15 @@ openvpn (2.6.3-1) unstable; urgency=medi
 
  -- Bernhard Schmidt <berni@debian.org>  Thu, 13 Apr 2023 09:19:40 +0200
 
+openvpn (2.6.1-1ubuntu1) lunar; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 27 Mar 2023 07:50:09 +0200
+
 openvpn (2.6.1-1) unstable; urgency=medium
 
   * Upload to unstable targetting bookworm
@@ -122,6 +302,15 @@ openvpn (2.6.1-1~exp1) experimental; urg
 
  -- Bernhard Schmidt <berni@debian.org>  Fri, 10 Mar 2023 09:02:22 +0100
 
+openvpn (2.6.0-1ubuntu1) lunar; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Thu, 26 Jan 2023 22:11:25 +0100
+
 openvpn (2.6.0-1) unstable; urgency=medium
 
   * New upstream version 2.6.0
@@ -130,6 +319,15 @@ openvpn (2.6.0-1) unstable; urgency=medi
 
  -- Bernhard Schmidt <berni@debian.org>  Wed, 25 Jan 2023 22:27:04 +0100
 
+openvpn (2.6.0~rc2-1ubuntu1) lunar; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 16 Jan 2023 09:28:16 +0100
+
 openvpn (2.6.0~rc2-1) unstable; urgency=medium
 
   * New upstream version 2.6.0~rc2
@@ -137,6 +335,15 @@ openvpn (2.6.0~rc2-1) unstable; urgency=
 
  -- Bernhard Schmidt <berni@debian.org>  Fri, 13 Jan 2023 19:02:01 +0100
 
+openvpn (2.6.0~rc1-1ubuntu1) lunar; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Thu, 29 Dec 2022 14:05:47 +0100
+
 openvpn (2.6.0~rc1-1) unstable; urgency=medium
 
   * New upstream version 2.6.0~rc1 (Closes: #1014376)
@@ -144,6 +351,15 @@ openvpn (2.6.0~rc1-1) unstable; urgency=
 
  -- Bernhard Schmidt <berni@debian.org>  Wed, 28 Dec 2022 22:51:31 +0100
 
+openvpn (2.6.0~git20221222-1ubuntu1) lunar; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Sat, 24 Dec 2022 15:56:10 +0100
+
 openvpn (2.6.0~git20221222-1) unstable; urgency=medium
 
   * New upstream version 2.6.0~git20221222
@@ -159,6 +375,15 @@ openvpn (2.6.0~git20221215+beta2-1) unst
 
  -- Bernhard Schmidt <berni@debian.org>  Fri, 16 Dec 2022 11:54:27 +0100
 
+openvpn (2.6.0~git20221201-1ubuntu1) lunar; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Tue, 06 Dec 2022 15:47:55 +0100
+
 openvpn (2.6.0~git20221201-1) unstable; urgency=medium
 
   * New upstream version 2.6.0~git20221201, also known as 2.6_beta1
@@ -168,6 +393,15 @@ openvpn (2.6.0~git20221201-1) unstable;
 
  -- Bernhard Schmidt <berni@debian.org>  Sun, 04 Dec 2022 21:32:37 +0100
 
+openvpn (2.6.0~git20221116-1ubuntu1) lunar; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Wed, 23 Nov 2022 14:50:31 +0100
+
 openvpn (2.6.0~git20221116-1) unstable; urgency=medium
 
   * New upstream version 2.6.0~git20221116
@@ -175,6 +409,15 @@ openvpn (2.6.0~git20221116-1) unstable;
 
  -- Bernhard Schmidt <berni@debian.org>  Tue, 22 Nov 2022 11:50:13 +0100
 
+openvpn (2.6.0~git20220818-1ubuntu1) kinetic; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 22 Aug 2022 09:44:45 +0200
+
 openvpn (2.6.0~git20220818-1) unstable; urgency=medium
 
   * New upstream version 2.6.0~git20220818
@@ -215,6 +458,18 @@ openvpn (2.6.0~git20220808-1) unstable;
 
  -- Bernhard Schmidt <berni@debian.org>  Tue, 09 Aug 2022 11:31:12 +0200
 
+openvpn (2.6.0~git20220518+dco-3ubuntu2) kinetic; urgency=medium
+
+  * Merge from Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+    - d/t/server-setup-with-ca:
+      - cherry-pick change in easy-rsa autopkgtests to remove conflicting
+        "vars" file.
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Thu, 28 Jul 2022 08:58:35 +0200
+
 openvpn (2.6.0~git20220518+dco-3) unstable; urgency=medium
 
   [ Lucas Kanashiro ]
@@ -229,6 +484,43 @@ openvpn (2.6.0~git20220518+dco-3) unstab
 
  -- Bernhard Schmidt <berni@debian.org>  Sun, 24 Jul 2022 17:13:47 +0200
 
+openvpn (2.6.0~git20220518+dco-2ubuntu3) kinetic; urgency=medium
+
+  * d/t/control: add allow-stderr restriction. With 'set -x' in place some
+    messages are printed out in stderr.
+
+ -- Lucas Kanashiro <kanashiro@ubuntu.com>  Thu, 14 Jul 2022 11:47:23 -0300
+
+openvpn (2.6.0~git20220518+dco-2ubuntu2) kinetic; urgency=medium
+
+  * d/t/server-setup-with-static-key: set cipher to be DES-EDE3-CBC. The
+    default BF-CBC is deprecated, also CAST and RC2. For more information
+    check the upstream documentation.
+  * d/t/server-setup-with-static-key: use 'secret' instead of '--secret' when
+    generating a key to fix a deprecation warning.
+  * d/t/server-setup-with-*: use 'set -x' in the test scripts. This will
+    facilitate future debugging.
+  * d/p/openssl-3-support.patch: Translate OpenSSL 3.0 digest names to OpenSSL
+    1.1 digest names (LP: #1975574).
+
+ -- Lucas Kanashiro <kanashiro@ubuntu.com>  Mon, 11 Jul 2022 17:56:18 -0300
+
+openvpn (2.6.0~git20220518+dco-2ubuntu1) kinetic; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+  * Drop changes fixed in new upstream release:
+    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
+    - d/p/OpenSSL3.patch: work around the deprecated algorithm mismatch between
+      the OpenSSL3 branch and the OpenVPN 2.5 branch (LP #1945980)
+    - debian/patches/CVE-2022-0547.patch: disallow multiple deferred
+      authentication plug-ins in doc/man-sections/plugin-options.rst,
+      src/openvpn/plugin.c.
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Tue, 07 Jun 2022 11:51:28 +0200
+
 openvpn (2.6.0~git20220518+dco-2) unstable; urgency=medium
 
   * Add d/NEWS entry about the release notes and DCO (Closes: #1011372)
@@ -268,6 +560,36 @@ openvpn (2.5.6-1) unstable; urgency=high
 
  -- Bernhard Schmidt <berni@debian.org>  Sun, 20 Mar 2022 21:42:05 +0100
 
+openvpn (2.5.5-1ubuntu3) jammy; urgency=medium
+
+  * debian/patches/CVE-2022-0547.patch: updated to properly patch actual
+    manpage file in doc/openvpn.8.
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 22 Mar 2022 13:22:27 -0400
+
+openvpn (2.5.5-1ubuntu2) jammy; urgency=medium
+
+  * SECURITY UPDATE: authentication bypass via multiple deferred
+    authentication plug-ins
+    - debian/patches/CVE-2022-0547.patch: disallow multiple deferred
+      authentication plug-ins in doc/man-sections/plugin-options.rst,
+      src/openvpn/plugin.c.
+    - CVE-2022-0547
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 22 Mar 2022 10:37:55 -0400
+
+openvpn (2.5.5-1ubuntu1) jammy; urgency=medium
+
+  * Merge with Debian unstable (LP: #1946884). Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
+    - d/p/OpenSSL3.patch: work around the deprecated algorithm mismatch between
+      the OpenSSL3 branch and the OpenVPN 2.5 branch (LP #1945980)
+
+ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Wed, 23 Feb 2022 10:14:27 -0500
+
 openvpn (2.5.5-1) unstable; urgency=medium
 
   [ Jörg Frings-Fürst ]
@@ -283,6 +605,44 @@ openvpn (2.5.5-1) unstable; urgency=medi
 
  -- Bernhard Schmidt <berni@debian.org>  Mon, 21 Feb 2022 12:05:55 +0100
 
+openvpn (2.5.1-3ubuntu5) jammy; urgency=medium
+
+  * No-change rebuild to update maintainer scripts, see LP: 1959054
+
+ -- Dave Jones <dave.jones@canonical.com>  Wed, 16 Feb 2022 17:16:30 +0000
+
+openvpn (2.5.1-3ubuntu4) jammy; urgency=medium
+
+  * d/p/OpenSSL3.patch: work around the deprecated algorithm mismatch between
+    the OpenSSL3 branch and the OpenVPN 2.5 branch (LP: #1945980)
+
+ -- Simon Chopin <simon.chopin@canonical.com>  Thu, 18 Nov 2021 15:05:21 +0100
+
+openvpn (2.5.1-3ubuntu3) jammy; urgency=medium
+
+  * No-change rebuild against openssl3
+
+ -- Simon Chopin <simon.chopin@canonical.com>  Wed, 01 Dec 2021 16:09:52 +0000
+
+openvpn (2.5.1-3ubuntu2) impish; urgency=medium
+
+  * No-change rebuild to build packages with zstd compression.
+
+ -- Matthias Klose <doko@ubuntu.com>  Thu, 07 Oct 2021 12:21:59 +0200
+
+openvpn (2.5.1-3ubuntu1) impish; urgency=medium
+
+  * Merge with Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
+  * Dropped changes:
+    - d/t/server-setup-*: adapt tests to output of v2.5.0
+      [Included in 2.5.1-3]
+
+ -- Utkarsh Gupta <utkarsh.gupta@canonical.com>  Mon, 17 May 2021 14:38:17 +0530
+
 openvpn (2.5.1-3) unstable; urgency=medium
 
   * Fix autopkgtest (Closes: #983662)
@@ -292,6 +652,17 @@ openvpn (2.5.1-3) unstable; urgency=medi
 
  -- Bernhard Schmidt <berni@debian.org>  Fri, 14 May 2021 09:40:04 +0200
 
+openvpn (2.5.1-2ubuntu1) impish; urgency=medium
+
+  * Merge with Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
+    - d/t/server-setup-*: adapt tests to output of v2.5.0
+
+ -- Athos Ribeiro <athos.ribeiro@canonical.com>  Mon, 03 May 2021 17:56:39 -0300
+
 openvpn (2.5.1-2) unstable; urgency=high
 
   * Cherry-Pick 3 (+ 1 predependency) patches from upstream to fix
@@ -300,12 +671,47 @@ openvpn (2.5.1-2) unstable; urgency=high
 
  -- Bernhard Schmidt <berni@debian.org>  Wed, 28 Apr 2021 14:41:58 +0200
 
+openvpn (2.5.1-1ubuntu1) hirsute; urgency=medium
+
+  * Merge with Debian unstable (LP: #1917438). Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
+      + d/t/server-setup-*: adapt tests to output of v2.5.0
+
+ -- Utkarsh Gupta <utkarsh.gupta@canonical.com>  Tue, 02 Mar 2021 16:35:37 +0530
+
 openvpn (2.5.1-1) unstable; urgency=medium
 
   * New upstream version 2.5.1 (bugfix release)
 
  -- Bernhard Schmidt <berni@debian.org>  Wed, 24 Feb 2021 19:54:34 +0100
 
+openvpn (2.5.0-1ubuntu1) hirsute; urgency=medium
+
+  * Merge with Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
+      [updated to match 2.5.0]
+  * Dropped changes [in Debian since 2.5~beta3-1]
+    - d/tests: add two DEP-8 test cases
+      + d/t/server-setup-with-static-key: test the OpenVPN server side setup
+        using a static key.
+      + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
+        CA built with easy-rsa.
+    - d/openvpn*.service: Drop reload support from systemd unit files
+      (LP #1868127).  The current reload implementation (sending a SIGHUP
+      signal to the process) fails, and the difference between reload and
+      restart is not clear. Systemd does not require an implementation for
+      reload.
+  * Added Changes:
+    - d/t/server-setup-*: adapt tests to output of v2.5.0
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 01 Dec 2020 16:15:12 +0100
+
 openvpn (2.5.0-1) unstable; urgency=medium
 
   * New upstream version 2.5.0 - final release
@@ -361,6 +767,26 @@ openvpn (2.5~beta1-1) experimental; urge
 
  -- Bernhard Schmidt <berni@debian.org>  Sat, 15 Aug 2020 21:32:49 +0200
 
+openvpn (2.4.9-3ubuntu1) groovy; urgency=medium
+
+  * Merge with Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP #1454725)
+    - d/p/openvpn-fips-2.4.patch: Allow MD5 for PRF in FIPS mode openssl.
+    - d/tests: add two DEP-8 test cases
+      + d/t/server-setup-with-static-key: test the OpenVPN server side setup
+        using a static key.
+      + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
+        CA built with easy-rsa.
+    - d/openvpn*.service: Drop reload support from systemd unit files
+      (LP #1868127).  The current reload implementation (sending a SIGHUP
+      signal to the process) fails, and the difference between reload and
+      restart is not clear. Systemd does not require an implementation for
+      reload.
+
+ -- Lucas Kanashiro <kanashiro@ubuntu.com>  Tue, 18 Aug 2020 08:42:11 -0300
+
 openvpn (2.4.9-3) unstable; urgency=medium
 
   [ Jörg Frings-Fürst ]
@@ -379,6 +805,28 @@ openvpn (2.4.9-3) unstable; urgency=medi
 
  -- Jörg Frings-Fürst <debian@jff.email>  Sat, 02 May 2020 18:14:36 +0200
 
+openvpn (2.4.9-2ubuntu2) groovy; urgency=medium
+
+  * Drop reload support from systemd unit files (LP: #1868127)
+
+ -- Lucas Kanashiro <kanashiro@ubuntu.com>  Tue, 26 May 2020 19:04:33 -0300
+
+openvpn (2.4.9-2ubuntu1) groovy; urgency=medium
+
+  * Merge with Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what
+      got added to debian/openvpn.init.d ages ago (LP 1454725)
+    - Allow MD5 for PRF in FIPS mode openssl.
+  * Added changes:
+    - d/tests: add two DEP-8 test cases
+      + d/t/server-setup-with-static-key: test the OpenVPN server side setup
+        using a static key.
+      + d/t/server-setup-with-ca: test the OpenVPN server side setup using a
+        CA built with easy-rsa.
+
+ -- Lucas Kanashiro <lucas.kanashiro@canonical.com>  Wed, 29 Apr 2020 15:35:56 -0300
+
 openvpn (2.4.9-2) unstable; urgency=medium
 
   * Cherry-Pick upstream patch to fix ssl_do_config error with
@@ -414,6 +862,28 @@ openvpn (2.4.9-1) unstable; urgency=medi
 
  -- Bernhard Schmidt <berni@debian.org>  Sun, 19 Apr 2020 15:52:57 +0200
 
+openvpn (2.4.7-1ubuntu2) eoan; urgency=medium
+
+  * No-change upload with strops.h and sys/strops.h removed in glibc.
+
+ -- Matthias Klose <doko@ubuntu.com>  Thu, 05 Sep 2019 11:05:25 +0000
+
+openvpn (2.4.7-1ubuntu1) eoan; urgency=medium
+
+  * Merge with Debian unstable (LP: #1828771). Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what got
+      added to debian/openvpn.init.d ages ago (LP 1454725)
+    - d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
+      (LP 1807439)
+  * Dropped changes:
+    - d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout
+      scripts breaking due to sudo/pam being unable to audit the action.
+      Fixed in upstream issue #918, suggested to Debian in #868806 (LP 1787208)
+      [in Debian now]
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 13 May 2019 15:55:22 +0200
+
 openvpn (2.4.7-1) unstable; urgency=medium
 
   [ Bernhard Schmidt ]
@@ -433,6 +903,30 @@ openvpn (2.4.7-1) unstable; urgency=medi
 
  -- Bernhard Schmidt <berni@debian.org>  Wed, 20 Feb 2019 14:50:03 +0100
 
+openvpn (2.4.6-1ubuntu3) disco; urgency=medium
+
+  * d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
+    (LP: #1807439)
+
+ -- Joy Latten <joy.latten@canonical.com>  Wed, 09 Jan 2019 12:25:59 -0600
+
+openvpn (2.4.6-1ubuntu2) cosmic; urgency=medium
+
+  * d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout
+    scripts breaking due to sudo/pam being unable to audit the action.
+    Fixed in upstream issue #918, suggested to Debian in #868806 (LP: #1787208)
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 03 Sep 2018 10:57:35 +0200
+
+openvpn (2.4.6-1ubuntu1) cosmic; urgency=medium
+
+  * Merge with Debian unstable. Remaining changes:
+    - d/control: Demote easy-rsa to Suggests (universe package).
+    - debian/openvpn@.service: Add '--script-security 2' similar to what got
+      added to debian/openvpn.init.d ages ago (LP 1454725)
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 20 Aug 2018 13:30:20 +0200
+
 openvpn (2.4.6-1) unstable; urgency=medium
 
   [ Jörg Frings-Fürst ]
@@ -476,6 +970,15 @@ openvpn (2.4.5-1) unstable; urgency=medi
 
  -- Bernhard Schmidt <berni@debian.org>  Sun, 04 Mar 2018 22:23:47 +0100
 
+openvpn (2.4.4-2ubuntu1) bionic; urgency=low
+
+  * Sync with Debian. Remaining changes:
+    - debian/openvpn@.service: Add "--script-security 2" similar to what got
+      added to debian/openvpn.init.d ages ago (LP: #1454725)
+    - Demote easy-rsa to Suggests (universe package).
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Sat, 10 Feb 2018 20:27:56 +0000
+
 openvpn (2.4.4-2) unstable; urgency=medium
 
   * Build against OpenSSL 1.1.0 (Closes: #828477)
@@ -483,6 +986,15 @@ openvpn (2.4.4-2) unstable; urgency=medi
 
  -- Bernhard Schmidt <berni@debian.org>  Mon, 11 Dec 2017 00:22:11 +0100
 
+openvpn (2.4.4-1ubuntu1) bionic; urgency=medium
+
+  * Sync with Debian. Remaining changes:
+    - debian/openvpn@.service: Add "--script-security 2" similar to what got
+      added to debian/openvpn.init.d ages ago (LP: #1454725)
+    - Demote easy-rsa to Suggests (universe package).
+
+ -- Jeremy Bicha <jbicha@ubuntu.com>  Sat, 28 Oct 2017 15:13:58 -0400
+
 openvpn (2.4.4-1) unstable; urgency=medium
 
   [ Jörg Frings-Fürst ]
@@ -604,6 +1116,65 @@ openvpn (2.4.0-5) unstable; urgency=high
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Thu, 11 May 2017 14:15:21 +0200
 
+openvpn (2.4.0-4ubuntu1.3) zesty-security; urgency=medium
+
+  * SECURITY UPDATE: Remotely-triggerable ASSERT() on malformed IPv6 packet
+    - debian/patches/CVE-2017-7508.patch: remove assert in
+      src/openvpn/mss.c.
+    - CVE-2017-7508
+  * SECURITY UPDATE: Remote-triggerable memory leaks
+    - debian/patches/CVE-2017-7512.patch: fix leaks in
+      src/openvpn/ssl_verify_openssl.c.
+    - CVE-2017-7512
+  * SECURITY UPDATE: Pre-authentication remote crash/information disclosure
+    for clients
+    - debian/patches/CVE-2017-7520.patch: prevent two kinds of stack buffer
+      OOB reads and a crash for invalid input data in src/openvpn/ntlm.c.
+    - CVE-2017-7520
+  * SECURITY UPDATE: Potential double-free in --x509-alt-username and
+    memory leaks
+    - debian/patches/CVE-2017-7521.patch: fix double-free in
+      src/openvpn/ssl_verify_openssl.c.
+    - CVE-2017-7521
+  * SECURITY UPDATE: DoS in establish_http_proxy_passthru()
+    - debian/patches/establish_http_proxy_passthru_dos.patch: fix
+      null-pointer dereference in src/openvpn/proxy.c.
+    - No CVE number
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 22 Jun 2017 08:37:49 -0400
+
+openvpn (2.4.0-4ubuntu1.2) zesty-security; urgency=medium
+
+  * SECURITY UPDATE: pre-authentication denial-of-service vulnerability
+    (both client and server) from a too-large control packet.
+    - debian/patches/CVE-2017-7478.patch: Do not assert on too-large
+      control packet
+    - CVE-2017-7478
+  * SECURITY UPDATE: authenticated remote DoS vulnerability due to
+    packet ID rollover
+    - debian/patches/CVE-2017-7479-prereq.patch: merge
+      packet_id_alloc_outgoing() into packet_id_write()
+    - debian/patches/CVE-2017-7478.patch: do not assert when packet ID
+      rollover occurs
+    - CVE-2017-7478
+  * SECURITY UPDATE: auth tokens left in memory after de-auth
+    - debian/patches/wipe_tokens_on_de-auth.patch: always wipe token
+      as soon as a TLS session is considered broken.
+
+ -- Steve Beattie <sbeattie@ubuntu.com>  Wed, 10 May 2017 15:21:05 -0700
+
+openvpn (2.4.0-4ubuntu1) zesty; urgency=medium
+
+  * Merge with Debian unstable. Remaining Ubuntu changes:
+    - debian/openvpn@.service: Add "--script-security 2" similar to what got
+      added to debian/openvpn.init.d ages ago (LP: #1454725)
+    - Demote easy-rsa to Suggests (universe package).
+  * Drop:
+    - debian/control: Actually drop the initscripts dependency.
+      (Closes: #804968). Already in Debian
+
+ -- Jon Grimm <jon.grimm@canonical.com>  Fri, 10 Feb 2017 12:16:57 -0600
+
 openvpn (2.4.0-4) unstable; urgency=medium
 
   * Add NEWS entries on possible 2.4 migration issues.
@@ -673,6 +1244,24 @@ openvpn (2.3.11-2) unstable; urgency=med
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 23 May 2016 09:55:30 +0200
 
+openvpn (2.3.11-1ubuntu2) yakkety; urgency=medium
+
+  * debian/control: Actually drop the initscripts dependency.
+    (Closes: #804968)
+
+ -- Martin Pitt <martin.pitt@ubuntu.com>  Wed, 22 Jun 2016 16:54:51 +0200
+
+openvpn (2.3.11-1ubuntu1) yakkety; urgency=medium
+
+  * Merge with Debian unstable. Remaining Ubuntu changes:
+    - debian/openvpn@.service: Add "--script-security 2" similar to what got
+      added to debian/openvpn.init.d ages ago (see LP: #260291).
+    - Demote easy-rsa to Suggests (universe package).
+  * Drop intrusive changes (showing per-VPN result messages) from
+    debian/openvpn.init.d. This isn't being used under systemd.
+
+ -- Martin Pitt <martin.pitt@ubuntu.com>  Fri, 20 May 2016 17:30:27 +0200
+
 openvpn (2.3.11-1) unstable; urgency=medium
 
   * New upstream release.
@@ -684,6 +1273,25 @@ openvpn (2.3.11-1) unstable; urgency=med
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 10 May 2016 17:41:53 +0200
 
+openvpn (2.3.10-1ubuntu2) xenial; urgency=medium
+
+  * debian/openvpn@.service: Add --script-security similar to what got added
+    to debian/openvpn.init.d ages ago (see LP #260291). (LP: #1454725)
+
+ -- Martin Pitt <martin.pitt@ubuntu.com>  Tue, 02 Feb 2016 13:33:39 +0100
+
+openvpn (2.3.10-1ubuntu1) xenial; urgency=medium
+
+  * Merge with Debian unstable (LP: #1536568). Remaining Ubuntu changes:
+    - debian/openvpn.init.d:
+      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      + Show per-VPN result messages.
+      + Add "--script-security 2" by default for backwards compatabliity.
+        (LP #260291)
+    - Demote easy-rsa to Suggests
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Thu, 21 Jan 2016 11:37:08 +0100
+
 openvpn (2.3.10-1) unstable; urgency=medium
 
   * New upstream release. (Closes: #804368)
@@ -702,6 +1310,21 @@ openvpn (2.3.10-1) unstable; urgency=med
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 20 Jan 2016 12:01:36 +0100
 
+openvpn (2.3.8-1ubuntu1) xenial; urgency=medium
+
+  * Merge with Debian unstable. Remaining Ubuntu changes:
+    - debian/openvpn.init.d:
+      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      + Show per-VPN result messages.
+      + Add "--script-security 2" by default for backwards compatabliity.
+    - Demote easy-rsa to Suggests
+    - Run openvpn@.service before systemd-user-sessions.service to avoid
+      gettys and lightdm starting on top of possible password prompts. This
+      provides the equivalent of the init.d script's X-Start-Before:.
+      (Closes: #803032)
+
+ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 04 Jan 2016 11:48:31 +0100
+
 openvpn (2.3.8-1) unstable; urgency=medium
 
   * New upstream release. Drop patch from 2.3.7-2.
@@ -715,6 +1338,21 @@ openvpn (2.3.8-1) unstable; urgency=medi
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 28 Oct 2015 17:34:26 +0100
 
+openvpn (2.3.7-2ubuntu1) xenial; urgency=medium
+
+  * Merge with Debian unstable. Remaining Ubuntu changes:
+    - debian/openvpn.init.d:
+      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      + Show per-VPN result messages.
+      + Add "--script-security 2" by default for backwards compatabliity.
+    - Demote easy-rsa to Suggests
+    - Run openvpn@.service before systemd-user-sessions.service to avoid
+      gettys and lightdm starting on top of possible password prompts. This
+      provides the equivalent of the init.d script's X-Start-Before:.
+      (Closes: #803032)
+
+ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 26 Oct 2015 09:32:31 +0100
+
 openvpn (2.3.7-2) unstable; urgency=medium
 
   * Move libsystemd-daemon-dev Build-Dep to libsystemd-dev.
@@ -725,6 +1363,20 @@ openvpn (2.3.7-2) unstable; urgency=medi
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 08 Sep 2015 08:23:19 +0000
 
+openvpn (2.3.7-1ubuntu1) wily; urgency=medium
+
+  * Merge with Debian unstable. Remaining Ubuntu changes:
+    - debian/openvpn.init.d:
+      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      + Show per-VPN result messages.
+      + Add "--script-security 2" by default for backwards compatabliity.
+    - Demote easy-rsa to Suggests
+    - Run openvpn@.service before systemd-user-sessions.service to avoid
+      gettys and lightdm starting on top of possible password prompts. This
+      provides the equivalent of the init.d script's X-Start-Before:.
+
+ -- Martin Pitt <martin.pitt@ubuntu.com>  Wed, 08 Jul 2015 12:28:54 +0200
+
 openvpn (2.3.7-1) unstable; urgency=medium
 
   * New upstream version
@@ -746,6 +1398,20 @@ openvpn (2.3.5-1) unstable; urgency=medi
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 29 Oct 2014 17:44:06 +0100
 
+openvpn (2.3.4-5ubuntu1) wily; urgency=medium
+
+  * Merge with Debian unstable. Remaining Ubuntu changes:
+    - debian/openvpn.init.d:
+      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      + Show per-VPN result messages.
+      + Add "--script-security 2" by default for backwards compatabliity.
+    - Demote easy-rsa to Suggests
+    - Run openvpn@.service before systemd-user-sessions.service to avoid
+      gettys and lightdm starting on top of possible password prompts. This
+      provides the equivalent of the init.d script's X-Start-Before:.
+
+ -- Martin Pitt <martin.pitt@ubuntu.com>  Thu, 07 May 2015 15:35:52 +0200
+
 openvpn (2.3.4-5) unstable; urgency=high
 
   * Apply upstream patch that fixes possible DoS by authenticated
@@ -804,6 +1470,52 @@ openvpn (2.3.3-1) experimental; urgency=
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 17 Mar 2014 19:40:12 +0100
 
+openvpn (2.3.2-9ubuntu4) vivid; urgency=medium
+
+  * Run openvpn@.service before systemd-user-sessions.service to avoid gettys
+    and lightdm starting on top of possible password prompts. This provides
+    the equivalent of the init.d script's X-Start-Before:.
+
+ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 13 Apr 2015 16:09:01 -0500
+
+openvpn (2.3.2-9ubuntu3) vivid; urgency=medium
+
+  * Add better_systemd_detection.patch to avoid calling systemd-ask-password
+    under upstart. Backported from upstream. (Closes: #747265)
+  * Add systemd unit and generator from current Debian package. This avoids
+    using the init.d script, which unnecessarily blocks lightdm startup on the
+    network becoming online even if there are no auto-start connections
+    (LP: #1443489).
+
+ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 13 Apr 2015 11:22:56 -0500
+
+openvpn (2.3.2-9ubuntu2) vivid; urgency=medium
+
+  * SECURITY UPDATE: server denial of service via too-short control channel
+    packets
+    - debian/patches/CVE-2014-8104.patch: drop too-short control channel
+      packets instead of asserting out in src/openvpn/ssl.c.
+    - CVE-2014-8104
+  * debian/patches/update_certs.patch: update test certs to fix FTBFS.
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 01 Dec 2014 15:26:58 -0500
+
+openvpn (2.3.2-9ubuntu1) utopic; urgency=medium
+
+  * Merge from Debian unstable. Remaining changes:
+    - debian/openvpn.init.d:
+      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      + Show per-VPN result messages.
+      + Add "--script-security 2" by default for backwards compatabliity.
+    - Demote easy-rsa to Suggests
+    - Patch libtool.m4 and configure to support ppc64el.
+    - Refresh delta with debian/openvpn.init.d:
+      + Make stop action reliable by killing if needed
+        (LP: #1274254, LP: #1200519)
+      + Use new path for status file (LP: #1261088)
+
+ -- Stéphane Graber <stgraber@ubuntu.com>  Fri, 02 May 2014 16:00:55 -0400
+
 openvpn (2.3.2-9) unstable; urgency=medium
 
   * Create /run/openvpn in init script even if no VPN is
@@ -819,6 +1531,33 @@ openvpn (2.3.2-8) unstable; urgency=medi
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Fri, 14 Mar 2014 12:59:57 +0100
 
+openvpn (2.3.2-7ubuntu3) trusty; urgency=medium
+
+  [ Simon Deziel ]
+  * Refresh delta with debian/openvpn.init.d:
+   - Make stop action reliable by killing if needed
+     (LP: #1274254, LP: #1200519)
+   - Use new path for status file (LP: #1261088)
+
+ -- Stéphane Graber <stgraber@ubuntu.com>  Tue, 04 Feb 2014 09:31:39 -0500
+
+openvpn (2.3.2-7ubuntu2) trusty; urgency=medium
+
+  * Patch libtool.m4 and configure to support ppc64el.
+
+ -- Matthias Klose <doko@ubuntu.com>  Mon, 30 Dec 2013 12:32:35 +0100
+
+openvpn (2.3.2-7ubuntu1) trusty; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - debian/openvpn.init.d:
+      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      + Show per-VPN result messages.
+      + Add "--script-security 2" by default for backwards compatabliity.
+    - Demote easy-rsa to Suggests
+
+ -- Stéphane Graber <stgraber@ubuntu.com>  Mon, 02 Dec 2013 18:14:42 -0500
+
 openvpn (2.3.2-7) unstable; urgency=low
 
   * Fix postinst when no *.pid files exist in /run/sendsigs.omit.d/.
@@ -835,6 +1574,17 @@ openvpn (2.3.2-6) unstable; urgency=low
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 27 Nov 2013 13:58:33 +0100
 
+openvpn (2.3.2-5ubuntu1) trusty; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - debian/openvpn.init.d:
+      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      + Show per-VPN result messages.
+      + Add "--script-security 2" by default for backwards compatabliity.
+    - Demote easy-rsa to Suggests
+
+ -- Stéphane Graber <stgraber@ubuntu.com>  Mon, 21 Oct 2013 13:07:37 -0400
+
 openvpn (2.3.2-5) unstable; urgency=low
 
   * Patch init script to fix race conditions on restarts.
@@ -844,6 +1594,16 @@ openvpn (2.3.2-5) unstable; urgency=low
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 15 Jul 2013 16:10:59 +0200
 
+openvpn (2.3.2-4ubuntu1) saucy; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - debian/openvpn.init.d:
+      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      + Show per-VPN result messages.
+      + Add "--script-security 2" by default for backwards compatabliity.
+
+ -- Stéphane Graber <stgraber@ubuntu.com>  Tue, 09 Jul 2013 17:20:31 -0400
+
 openvpn (2.3.2-4) unstable; urgency=low
 
   * Fix depends on iproute to iproute2.
@@ -876,6 +1636,23 @@ openvpn (2.3.2-1) unstable; urgency=low
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 03 Jun 2013 18:48:44 +0200
 
+openvpn (2.3.1-2ubuntu2) saucy; urgency=low
+
+  * Move easy-rsa from Recommends to Suggests as it's not in main and isn't
+    actually required to operate an openvpn server.
+
+ -- Stéphane Graber <stgraber@ubuntu.com>  Wed, 19 Jun 2013 14:37:54 -0400
+
+openvpn (2.3.1-2ubuntu1) saucy; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - debian/openvpn.init.d:
+      + Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      + Show per-VPN result messages.
+      + Add "--script-security 2" by default for backwards compatabliity.
+
+ -- Stéphane Graber <stgraber@ubuntu.com>  Fri, 24 May 2013 17:42:45 -0400
+
 openvpn (2.3.1-2) unstable; urgency=low
 
   * Add net-tools to Build-Depends. (Closes: #709108)
@@ -903,6 +1680,32 @@ openvpn (2.3~rc1-1) experimental; urgenc
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Mon, 05 Nov 2012 16:31:15 +0100
 
+openvpn (2.2.1-8ubuntu3) raring; urgency=low
+
+  [ Marc Gariépy ]
+  * Add --script-security to the init.d script (was generated but not passed
+    to openvpn). (LP: #1124398)
+
+ -- Stéphane Graber <stgraber@ubuntu.com>  Wed, 13 Feb 2013 16:10:48 -0500
+
+openvpn (2.2.1-8ubuntu2) quantal; urgency=low
+
+  * Rebuild for new armel compiler default of ARMv5t.
+
+ -- Colin Watson <cjwatson@ubuntu.com>  Mon, 08 Oct 2012 08:36:47 +0100
+
+openvpn (2.2.1-8ubuntu1) precise; urgency=low
+
+  * Merge at Simon Deziel's request to build with PIE.
+  * Merge from Debian unstable. Remaining changes:
+    + debian/openvpn.init.d:
+      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      - Show per-VPN result messages.
+      - Add "--script-security 2" by default for backwards compatabliity.
+    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
+
+ -- Stéphane Graber <stgraber@ubuntu.com>  Fri, 30 Mar 2012 13:19:09 -0400
+
 openvpn (2.2.1-8) unstable; urgency=low
 
   * Enable "PIE" and "BINDOW" hardening flags.
@@ -927,6 +1730,17 @@ openvpn (2.2.1-6) unstable; urgency=low
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Fri, 09 Mar 2012 13:44:50 +0100
 
+openvpn (2.2.1-5ubuntu1) precise; urgency=low
+
+  * Merge from Debian unstable. Remaining changes: (LP: #907828)
+    + debian/openvpn.init.d:
+      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      - Show per-VPN result messages.
+      - Add "--script-security 2" by default for backwards compatabliity.
+    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
+
+ -- Stéphane Graber <stgraber@ubuntu.com>  Sat, 25 Feb 2012 21:08:48 -0500
+
 openvpn (2.2.1-5) unstable; urgency=low
 
   * Avoid sending ICMP redirects when using tun devices and "subnet"
@@ -949,6 +1763,20 @@ openvpn (2.2.1-4) unstable; urgency=low
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 08 Feb 2012 16:31:32 +0100
 
+openvpn (2.2.1-3ubuntu1) precise; urgency=low
+
+  * Merge from Debian testing.  Remaining changes:
+   + debian/openvpn.init.d:
+      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      - Show per-VPN result messages.
+      - Add "--script-security 2" by default for backwards compatabliity.
+    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
+    + debian/update-resolv-conf: Support multiple domains.
+    + fix bug where '--script-security 2' would be passed for all
+      daemons after the first. (LP: #794916)
+
+ -- Chuck Short <zulcss@ubuntu.com>  Sat, 31 Dec 2011 04:55:56 +0000
+
 openvpn (2.2.1-3) unstable; urgency=low
 
   * The iproute fiasco release.
@@ -977,6 +1805,20 @@ openvpn (2.2.1-1) unstable; urgency=low
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 13 Dec 2011 11:04:22 +0100
 
+openvpn (2.2.0-2ubuntu1) oneiric; urgency=low
+
+  * Merge from debian unstable.  Remaining changes:
+   + debian/openvpn.init.d:
+      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      - Show per-VPN result messages.
+      - Add "--script-security 2" by default for backwards compatabliity.
+    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
+    + debian/update-resolv-conf: Support multiple domains.
+    + fix bug where '--script-security 2' would be passed for all
+      daemons after the first. (LP: #794916
+
+ -- Chuck Short <zulcss@ubuntu.com>  Thu, 16 Jun 2011 18:33:37 +0100
+
 openvpn (2.2.0-2) unstable; urgency=low
 
   * Upload to unstable
@@ -1011,6 +1853,45 @@ openvpn (2.1.3-5) experimental; urgency=
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 22 Mar 2011 10:57:18 +0100
 
+openvpn (2.1.3-4.1ubuntu2) oneiric; urgency=low
+
+  [Alexander Zielke]
+  * fix bug where '--script-security 2' would be passed for all
+    daemons after the first. (LP: #794916)
+
+ -- Scott Moser <smoser@ubuntu.com>  Thu, 09 Jun 2011 13:59:08 -0400
+
+openvpn (2.1.3-4.1ubuntu1) oneiric; urgency=low
+
+  * Merge from debian unstable.  Remaining changes:
+   + debian/openvpn.init.d:
+      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      - Show per-VPN result messages.
+      - Add "--script-security 2" by default for backwards compatabliity.
+    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
+    + debian/update-resolv-conf: Support multiple domains.
+
+ -- Chuck Short <zulcss@ubuntu.com>  Tue, 17 May 2011 02:14:39 +0100
+
+openvpn (2.1.3-4.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Drop hard-coded dependency on libssl0.9.8.  (Closes: #623503)
+
+ -- Philipp Kern <pkern@debian.org>  Mon, 09 May 2011 23:20:03 +0200
+
+openvpn (2.1.3-4ubuntu1) oneiric; urgency=low
+
+  * Merge from debian unstable.  Remaining changes:
+    + debian/openvpn.init.d:
+      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      - Show per-VPN result messages.
+      - Add "--script-security 2" by default for backwards compatabliity.
+    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
+    + debian/update-resolv-conf: Support multiple domains.
+
+ -- Chuck Short <zulcss@ubuntu.com>  Tue, 22 Mar 2011 23:28:26 +0000
+
 openvpn (2.1.3-4) unstable; urgency=low
 
   * Updated JuanJo's IPv6 patch. Now really fixes use from xinetd.
@@ -1033,6 +1914,31 @@ openvpn (2.1.3-3) unstable; urgency=low
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Fri, 11 Mar 2011 13:08:12 +0100
 
+openvpn (2.1.3-2ubuntu3) natty; urgency=low
+
+  * update-resolv-conf: Correctly handle multiple dns search domains,
+    using the same logic as nameservers.  Patch courtesy of Jeremy 
+    Zawodny. (LP: #662847)
+
+ -- Dave Walker (Daviey) <DaveWalker@ubuntu.com>  Fri, 11 Mar 2011 00:23:59 +0000
+
+openvpn (2.1.3-2ubuntu2) natty; urgency=low
+
+  * update-resolv-conf: Support mulitple domains (LP: #714358)
+
+ -- Chuck Short <zulcss@ubuntu.com>  Mon, 14 Feb 2011 15:21:46 -0500
+
+openvpn (2.1.3-2ubuntu1) natty; urgency=low
+
+  * Merge from debian unstable.  Remaining changes:
+    + debian/openvpn.init.d:
+      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      - Show per-VPN result messages.
+      - Add "--script-security 2" by default for backwards compatabliity.
+    +  debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
+
+ -- Chuck Short <zulcss@ubuntu.com>  Sat, 23 Oct 2010 01:59:28 +0100
+
 openvpn (2.1.3-2) unstable; urgency=low
 
   * Applied upstream patch to solve random routes added when using
@@ -1040,6 +1946,24 @@ openvpn (2.1.3-2) unstable; urgency=low
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Thu, 21 Oct 2010 12:21:33 +0200
 
+openvpn (2.1.3-1ubuntu2) natty; urgency=low
+
+  * Fix jjo-ipv6-support.patch to avoid assertion failure at socket.c:629 in
+    corner cases where ! host && addr (LP: #627973)
+
+ -- Thierry Carrez (ttx) <thierry.carrez@ubuntu.com>  Wed, 20 Oct 2010 16:22:25 +0200
+
+openvpn (2.1.3-1ubuntu1) natty; urgency=low
+
+  * Merge from debian unstable.  Remaining changes:
+    + debian/openvpn.init.d:
+      - Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+      - Show per-VPN result messages.
+      - Add "--script-security 2" by default for backwards compatablitiy
+    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
+
+ -- Chuck Short <zulcss@ubuntu.com>  Tue, 05 Oct 2010 06:21:14 +0100
+
 openvpn (2.1.3-1) unstable; urgency=low
 
   * New upstream release (Closes: #595684)
@@ -1051,6 +1975,17 @@ openvpn (2.1.3-1) unstable; urgency=low
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 29 Sep 2010 13:07:37 +0200
 
+openvpn (2.1.0-3ubuntu1) maverick; urgency=low
+
+  * Merge from debian unstable. Remaining changes:
+    + debian/openvpn.init.d:
+      - Do not use start-stop-daemon and use </dev/null to avoid blocking boot
+      - Show per-VPN result messages
+      - Add "--script-security 2" by default for backwards compatablitiy
+    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
+
+ -- Chuck Short <zulcss@ubuntu.com>  Mon, 12 Jul 2010 09:39:43 -0400
+
 openvpn (2.1.0-3) unstable; urgency=low
 
   * The 'happy birthday to me' release
@@ -1060,6 +1995,24 @@ openvpn (2.1.0-3) unstable; urgency=low
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Fri, 09 Jul 2010 12:22:09 +0200
 
+openvpn (2.1.0-2ubuntu2) maverick; urgency=low
+
+  * debian/patches/client_hang_when_server_dont_push.patch: Fix client hanging
+    on PUSH_REQUEST when server does not push any option (LP: #579737)
+
+ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Mon, 28 Jun 2010 10:45:23 +0200
+
+openvpn (2.1.0-2ubuntu1) maverick; urgency=low
+
+  * Merge from debian unstable.  Remaining changes:
+    + debian/openvpn.init.d:
+      - Do not use start-stop-daemon and use </dev/null to avoid blocking boot
+      - Show per-VPN result messages
+      - Add "--script-security 2" by default for backwards compatablitiy
+     + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc() 
+
+ -- Chuck Short <zulcss@ubuntu.com>  Wed, 05 May 2010 03:06:19 +0100
+
 openvpn (2.1.0-2) unstable; urgency=low
 
   * Patched ssl.[ch] to fix integer overflow. (Closes: #576827)
@@ -1072,6 +2025,17 @@ openvpn (2.1.0-2) unstable; urgency=low
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Sat, 10 Apr 2010 17:26:42 +0200
 
+openvpn (2.1.0-1ubuntu1) lucid; urgency=low
+
+  * Merge from debian testing (LP: #509078), remaining changes:
+    + debian/openvpn.init.d:
+      - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
+      - Show per-VPN result messages
+      - Add "--script-security 2" by default for backwards compatibility
+    + debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
+
+ -- Jan Brinkmann <lucky@the-luckyduck.de>  Fri, 22 Jan 2010 00:47:33 +0100
+
 openvpn (2.1.0-1) unstable; urgency=low
 
   * New upstream release
@@ -1109,6 +2073,20 @@ openvpn (2.1~rc20-3) unstable; urgency=l
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Wed, 04 Nov 2009 17:18:03 +0100
 
+openvpn (2.1~rc20-2ubuntu1) lucid; urgency=low
+
+  * Merge from debian testing, remaining changes:
+    + debian/openvpn.init.d:
+      - Do not use start-stop-daemon and use < /dev/null to avoid blocking
+        boot.
+      - show per-VPN result messages
+      - add "--script-security 2" by default for backwards compatibility
+      - Add lab-base >= 3.2-14 to allow status_of_proc()
+     + Dropped debian/patches/redirect-gateway.patch: Already applied 
+       upstream.
+
+ -- Chuck Short <zulcss@ubuntu.com>  Fri, 06 Nov 2009 01:36:35 +0000
+
 openvpn (2.1~rc20-2) unstable; urgency=low
 
   * init.d script: Added X-Interactive header. (Closes: #549424)
@@ -1133,6 +2111,25 @@ openvpn (2.1~rc19-2) unstable; urgency=l
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Sun, 30 Aug 2009 20:20:11 +0200
 
+openvpn (2.1~rc19-1ubuntu2) karmic; urgency=low
+
+  * debian/patches/redirect-gateway.patch: Fix regression introduced in
+    2.1rc17 that makes redirect-gateway (without options) to be ignored.
+    Patch cherrypicked from upstream 2.1rc20 (SVN r5011), LP: #445695
+
+ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Tue, 13 Oct 2009 09:31:20 +0200
+
+openvpn (2.1~rc19-1ubuntu1) karmic; urgency=low
+
+  * Merge from debian unstable (LP: #404099), remaining changes:
+    - debian/openvpn.init.d:
+      - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
+      - show per-VPN result messages
+      - add "--script-security 2" by default for backwards compatibility
+      - Added lsb-base>=3.2-14 depend to allow status_of_proc()
+
+ -- Bhavani Shankar <right2bhavi@gmail.com>  Fri, 24 Jul 2009 19:22:13 +0530
+
 openvpn (2.1~rc19-1) unstable; urgency=low
 
   * New upstream version
@@ -1142,6 +2139,17 @@ openvpn (2.1~rc19-1) unstable; urgency=l
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 21 Jul 2009 17:00:56 +0200
 
+openvpn (2.1~rc15-1ubuntu1) karmic; urgency=low
+
+  * Merge from debian unstable (LP: #372358), remaining changes:
+    - debian/openvpn.init.d: 
+      - Do not use start-stop-daemon and use < /dev/null to avoid blocking boot
+      - show per-VPN result messages 
+      - add "--script-security 2" by default for backwards compatibility
+      - Added lsb-base>=3.2-14 depend to allow status_of_proc()
+
+ -- Andres Rodriguez <andreserl@ubuntu.com>  Tue, 05 May 2009 14:25:37 -0500
+
 openvpn (2.1~rc15-1) unstable; urgency=low
 
   * New upstream version (Closes: #515575)
@@ -1161,6 +2169,33 @@ openvpn (2.1~rc15-1) unstable; urgency=l
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Thu, 30 Apr 2009 12:35:05 +0200
 
+openvpn (2.1~rc11-1ubuntu3) jaunty; urgency=low
+
+  * debian/openvpn.init.d:
+    - Fix unexpected operator on startup (LP: #340120)
+
+ -- Michael Jeanson <mjeanson@revolutionlinux.com>  Mon, 09 Mar 2009 16:02:50 -0400
+
+openvpn (2.1~rc11-1ubuntu2) intrepid; urgency=low
+
+  * debian/openvpn.init.d:
+    - Revert fix from #454371 that was merged at 2.1~rc7-4 to prevent
+      openvpn prompts from blocking the boot (LP: #280428)
+    - Fix VPNs always reported started [ OK ]
+
+ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Wed, 15 Oct 2008 17:12:54 +0200
+
+openvpn (2.1~rc11-1ubuntu1) intrepid; urgency=low
+
+  * Merge with Debian (LP: #279655), remaining diffs:
+    - debian/openvpn.init.d: Added 'status' action to init script, show
+      per-VPN result messages and add "--script-security 2" by default for
+      backwards compatibility
+    - debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
+  * Fixes regression when calling commands with arguments (LP: #277447)
+
+ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Tue, 07 Oct 2008 16:30:44 +0200
+
 openvpn (2.1~rc11-1) unstable; urgency=low
 
   * New upstream version
@@ -1181,6 +2216,23 @@ openvpn (2.1~rc10-1) unstable; urgency=l
 
  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Thu, 11 Sep 2008 16:58:37 +0200
 
+openvpn (2.1~rc9-3ubuntu2) intrepid; urgency=low
+
+  * debian/openvpn.init.d:
+    - Added 'status' action to init script (LP: #251641)
+    - Restored per-VPN result messages by using log_action_begin_msg and
+      one log_daemon_msg per VPN instead of log_progress_msg (LP: #264966)
+  * debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
+
+ -- Thierry Carrez <thierry.carrez@ubuntu.com>  Tue, 09 Sep 2008 10:45:45 +0200
+
+openvpn (2.1~rc9-3ubuntu1) intrepid; urgency=low
+
+  * debian/openvpn.init.d: Add "--script-security 2" by default for backwards compatibility
+    (LP: #260291)
+
+ -- Chuck Short <zulcss@ubuntu.com>  Mon, 25 Aug 2008 10:20:31 -0400
+
 openvpn (2.1~rc9-3) unstable; urgency=low
 
   * debian/rules: run ./configure with path to 'route', for
diff -pruN 2.6.14-2/debian/control 2.6.14-2ubuntu1/debian/control
--- 2.6.14-2/debian/control	2025-09-05 20:13:12.000000000 +0000
+++ 2.6.14-2ubuntu1/debian/control	2025-09-06 04:20:36.000000000 +0000
@@ -1,7 +1,8 @@
 Source: openvpn
 Section: net
 Priority: optional
-Maintainer: Bernhard Schmidt <berni@debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Bernhard Schmidt <berni@debian.org>
 Uploaders: Jörg Frings-Fürst <debian@jff.email>
 Build-Depends:
  debhelper-compat (= 13),
@@ -37,7 +38,7 @@ Suggests:
  resolvconf,
  openvpn-dco-dkms,
  openvpn-systemd-resolved,
-Recommends: easy-rsa
+ easy-rsa
 Description: virtual private network daemon
  OpenVPN is an application to securely tunnel IP networks over a
  single UDP or TCP port. It can be used to access remote sites, make
diff -pruN 2.6.14-2/debian/openvpn@.service 2.6.14-2ubuntu1/debian/openvpn@.service
--- 2.6.14-2/debian/openvpn@.service	2025-09-05 20:13:12.000000000 +0000
+++ 2.6.14-2ubuntu1/debian/openvpn@.service	2025-09-06 04:20:36.000000000 +0000
@@ -12,7 +12,7 @@ Documentation=https://community.openvpn.
 Type=notify
 PrivateTmp=true
 WorkingDirectory=/etc/openvpn
-ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
+ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
 PIDFile=/run/openvpn/%i.pid
 KillMode=process
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
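Review bot: The new `ExecStart` line passes `--script-security 2` to every `openvpn@` instance with no comment in the unit saying why, so each instance now permits user-defined scripts (`up`, `down`, `client-connect` and similar) where OpenVPN's own default of 1 permits only built-in executables. Those scripts start inside a unit whose `CapabilityBoundingSet` still lists `CAP_DAC_OVERRIDE`, `CAP_SETUID` and `CAP_SYS_CHROOT`, so the level should be visible to whoever audits the unit. I would add a comment above `ExecStart`, e.g. `# --script-security 2 kept for init.d compatibility (LP: #1454725); set "script-security 1" in %i.conf to disallow user scripts`. The flag sits before `--config`, which presumably lets a `script-security` line in the config file take precedence; that ordering should be confirmed and stated in the comment.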
diff -pruN 2.6.14-2/debian/patches/handle_intentional_route_push_float_ip.patch 2.6.14-2ubuntu1/debian/patches/handle_intentional_route_push_float_ip.patch
--- 2.6.14-2/debian/patches/handle_intentional_route_push_float_ip.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2.6.14-2ubuntu1/debian/patches/handle_intentional_route_push_float_ip.patch	2025-08-28 22:34:24.000000000 +0000
@@ -0,0 +1,281 @@
+Description: Fix floating IP due to "route VPN_IP net_gateway"
+Origin: https://github.com/OpenVPN/openvpn/commit/518e122b42739b0dbb54e7169a8a3aadb4773125.patch
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/2108860
+Forwarded: https://github.com/OpenVPN/openvpn/issues/704
+Last-Update: 2025-08-26
+---
+Patch by: Arne Schwabe
+Reported by: Walter Doekes (also patch backport)
+
+When you're connected to a VPN which is used as the default gateway, a
+connection to a second VPN will cause a tunnel-in-tunnel. If the
+administrator of the second VPN wants to avoid that, by pushing its IP
+as net_gateway, this means that the client's source IP switches right
+after connect:
+
+  the source IP switches from the first-VPN-exit-IP to the
+  regular-ISP-exit-IP
+
+In openvpn 2.5 and below, this worked fine. Since openvpn 2.6, this
+triggers the "Disallow float to an address taken by another client"
+code. The root cause for this change of behaviour is "stateless HMAC-based
+sesssion-id three-way-handshake (b364711486dc6371ad2659a5aa190941136f4f04).
+
+This patch fixes the supposedly rare circumstance that was not accounted
+for.
+
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+---
+--- a/src/openvpn/mudp.c
++++ b/src/openvpn/mudp.c
+@@ -153,7 +153,8 @@ do_pre_decrypt_check(struct multi_contex
+          * need to contain the peer id */
+         struct gc_arena gc = gc_new();
+ 
+-        bool ret = check_session_id_hmac(state, from, hmac, handwindow);
++        bool pkt_is_ack = (verdict == VERDICT_VALID_ACK_V1);
++        bool ret = check_session_hmac_and_pkt_id(state, from, hmac, handwindow, pkt_is_ack);
+ 
+         const char *peer = print_link_socket_actual(&m->top.c2.from, &gc);
+         uint8_t pkt_firstbyte = *BPTR( &m->top.c2.buf);
+@@ -161,7 +162,8 @@ do_pre_decrypt_check(struct multi_contex
+ 
+         if (!ret)
+         {
+-            msg(D_MULTI_MEDIUM, "Packet (%s) with invalid or missing SID from %s",
++            msg(D_MULTI_MEDIUM, "Packet (%s) with invalid or missing SID from"
++                                " %s or wrong packet id",
+                 packet_opcode_name(op), peer);
+         }
+         else
+--- a/src/openvpn/ssl_pkt.c
++++ b/src/openvpn/ssl_pkt.c
+@@ -527,10 +527,11 @@ calculate_session_id_hmac(struct session
+ }
+ 
+ bool
+-check_session_id_hmac(struct tls_pre_decrypt_state *state,
+-                      const struct openvpn_sockaddr *from,
+-                      hmac_ctx_t *hmac,
+-                      int handwindow)
++check_session_hmac_and_pkt_id(struct tls_pre_decrypt_state *state,
++                              const struct openvpn_sockaddr *from,
++                              hmac_ctx_t *hmac,
++                              int handwindow,
++                              bool pkt_is_ack)
+ {
+     if (!from)
+     {
+@@ -545,6 +546,36 @@ check_session_id_hmac(struct tls_pre_dec
+         return false;
+     }
+ 
++    /* Check if the packet ID of the packet or ACKED packet  is <= 1 */
++    for (int i = 0; i < ack.len; i++)
++    {
++        /* This packet ACKs a packet that has a higher packet id than the
++         * ones expected in the three-way handshake, consider it as invalid
++         * for the session */
++        if (ack.packet_id[i] > 1)
++        {
++            return false;
++        }
++    }
++
++    if (!pkt_is_ack)
++    {
++        packet_id_type message_id;
++        /* Extract the packet ID from the packet */
++        if (!reliable_ack_read_packet_id(&buf, &message_id))
++        {
++            return false;
++        }
++
++        /* similar check. Anything larger than 1 is not considered part of the
++         * three-way handshake */
++        if (message_id > 1)
++        {
++            return false;
++        }
++    }
++
++
+     /* check adjacent timestamps too */
+     for (int offset = -2; offset <= 1; offset++)
+     {
+--- a/src/openvpn/ssl_pkt.h
++++ b/src/openvpn/ssl_pkt.h
+@@ -182,17 +182,24 @@ calculate_session_id_hmac(struct session
+ /**
+  * Checks if a control packet has a correct HMAC server session id
+  *
++ * This will also consider packets that have a packet id higher
++ * than 1 or ack packets higher than 1 to be invalid as they are
++ * not part of the initial three way handshake of OpenVPN and should
++ * not create a new connection.
++ *
+  * @param client_sid    session id of the client
+  * @param from          link_socket from the client
+  * @param hmac          the hmac context to use for the calculation
+  * @param handwindow    the quantisation of the current time
++ * @param pkt_is_ack    the packet being checked is a P_ACK_V1
+  * @return              the expected server session id
+  */
+ bool
+-check_session_id_hmac(struct tls_pre_decrypt_state *state,
+-                      const struct openvpn_sockaddr *from,
+-                      hmac_ctx_t *hmac,
+-                      int handwindow);
++check_session_hmac_and_pkt_id(struct tls_pre_decrypt_state *state,
++                              const struct openvpn_sockaddr *from,
++                              hmac_ctx_t *hmac,
++                              int handwindow,
++                              bool pkt_is_ack);
+ 
+ /*
+  * Write a control channel authentication record.
+--- a/tests/unit_tests/openvpn/test_pkt.c
++++ b/tests/unit_tests/openvpn/test_pkt.c
+@@ -174,6 +174,27 @@ const uint8_t client_ack_none_random_id[
+     0x85, 0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e
+ };
+ 
++/* no tls-auth, P_ACK_V1, acks 0,1, and 2 */
++const uint8_t client_ack_123_none_random_id[] = {
++    0x28,
++    0xae, 0xb9, 0xaf, 0xe1, 0xf0, 0x1d, 0x79, 0xc8,
++    0x03,
++    0x00, 0x00, 0x00, 0x00,
++    0x00, 0x00, 0x00, 0x01,
++    0x00, 0x00, 0x00, 0x02,
++    0xdd, 0x85, 0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e
++};
++
++/* no tls-auth, P_CONTROL_V1, acks 0, msg-id 2 */
++const uint8_t client_control_none_random_id[] = {
++    0x20,
++    0xae, 0xb9, 0xaf, 0xe1, 0xf0, 0x1d, 0x79, 0xc8,
++    0x01,
++    0x00, 0x00, 0x00, 0x00,
++    0x02
++};
++
++
+ struct tls_auth_standalone
+ init_tas_auth(int key_direction)
+ {
+@@ -294,12 +315,10 @@ test_tls_decrypt_lite_auth(void **ut_sta
+     assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
+     free_tls_pre_decrypt_state(&state);
+ 
+-    free_tls_pre_decrypt_state(&state);
+     /* The pre decrypt function should not modify the buffer, so calling it
+      * again should have the same result */
+     verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
+     assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
+-    free_tls_pre_decrypt_state(&state);
+ 
+     /* and buf memory should be equal */
+     assert_memory_equal(BPTR(&buf), client_reset_v2_tls_auth, sizeof(client_reset_v2_tls_auth));
+@@ -317,7 +336,6 @@ test_tls_decrypt_lite_auth(void **ut_sta
+     assert_int_equal(verdict, VERDICT_INVALID);
+     free_tls_pre_decrypt_state(&state);
+ 
+-    free_tls_pre_decrypt_state(&state);
+     /* Wrong key direction gives a wrong hmac key and should not validate */
+     free_key_ctx_bi(&tas.tls_wrap.opt.key_ctx_bi);
+     free_tas(&tas);
+@@ -357,15 +375,12 @@ test_tls_decrypt_lite_none(void **ut_sta
+     assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
+     free_tls_pre_decrypt_state(&state);
+ 
+-    free_tls_pre_decrypt_state(&state);
+     buf_reset_len(&buf);
+     buf_write(&buf, client_reset_v2_tls_crypt, sizeof(client_reset_v2_none));
+     verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
+     assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
+     free_tls_pre_decrypt_state(&state);
+ 
+-    free_tls_pre_decrypt_state(&state);
+-
+     /* This is not a reset packet and should trigger the other response */
+     buf_reset_len(&buf);
+     buf_write(&buf, client_ack_tls_auth_randomid, sizeof(client_ack_tls_auth_randomid));
+@@ -443,7 +458,7 @@ test_verify_hmac_tls_auth(void **ut_stat
+     assert_int_equal(verdict, VERDICT_VALID_CONTROL_V1);
+ 
+     /* This is a valid packet but containing a random id instead of an HMAC id*/
+-    bool valid = check_session_id_hmac(&state, &from.dest, hmac, 30);
++    bool valid = check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, false);
+     assert_false(valid);
+ 
+     free_tls_pre_decrypt_state(&state);
+@@ -474,7 +489,7 @@ test_verify_hmac_none(void **ut_state)
+     verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
+     assert_int_equal(verdict, VERDICT_VALID_ACK_V1);
+ 
+-    bool valid = check_session_id_hmac(&state, &from.dest, hmac, 30);
++    bool valid = check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true);
+     assert_true(valid);
+ 
+     free_tls_pre_decrypt_state(&state);
+@@ -483,6 +498,51 @@ test_verify_hmac_none(void **ut_state)
+     hmac_ctx_free(hmac);
+ }
+ 
++static void
++test_verify_hmac_none_out_of_range_ack(void **ut_state)
++{
++    hmac_ctx_t *hmac = session_id_hmac_init();
++
++    struct link_socket_actual from = { 0 };
++    from.dest.addr.sa.sa_family = AF_INET;
++
++    struct tls_auth_standalone tas = { 0 };
++    struct tls_pre_decrypt_state state = { 0 };
++
++    struct buffer buf = alloc_buf(1024);
++    enum first_packet_verdict verdict;
++
++    tas.tls_wrap.mode = TLS_WRAP_NONE;
++
++    buf_reset_len(&buf);
++    buf_write(&buf, client_ack_123_none_random_id, sizeof(client_ack_123_none_random_id));
++
++
++    verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
++    assert_int_equal(verdict, VERDICT_VALID_ACK_V1);
++
++    /* should fail because it acks 2 */
++    bool valid = check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true);
++    assert_false(valid);
++    free_tls_pre_decrypt_state(&state);
++
++    /* Try test with the control with a too high message id now */
++    buf_reset_len(&buf);
++    buf_write(&buf, client_control_none_random_id, sizeof(client_control_none_random_id));
++
++    verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
++    assert_int_equal(verdict, VERDICT_VALID_CONTROL_V1);
++
++    /* should fail because it has message id 2 */
++    valid = check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true);
++    assert_false(valid);
++
++    free_tls_pre_decrypt_state(&state);
++    free_buf(&buf);
++    hmac_ctx_cleanup(hmac);
++    hmac_ctx_free(hmac);
++}
++
+ static hmac_ctx_t *
+ init_static_hmac(void)
+ {
+@@ -670,6 +730,7 @@ main(void)
+         cmocka_unit_test(test_calc_session_id_hmac_static),
+         cmocka_unit_test(test_verify_hmac_none),
+         cmocka_unit_test(test_verify_hmac_tls_auth),
++        cmocka_unit_test(test_verify_hmac_none_out_of_range_ack),
+         cmocka_unit_test(test_generate_reset_packet_plain),
+         cmocka_unit_test(test_generate_reset_packet_tls_auth),
+         cmocka_unit_test(test_extract_control_message)
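Review bot: In `test_verify_hmac_none_out_of_range_ack`, the second call passes `pkt_is_ack` as `true` for a packet whose verdict is `VERDICT_VALID_CONTROL_V1`, so the new `if (!pkt_is_ack)` branch in `check_session_hmac_and_pkt_id` is skipped and the message-id limit is never exercised. `assert_false(valid)` is then presumably satisfied by some other rejection path, so a regression in the handshake packet-id check would go unnoticed. The call should read `valid = check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, false);`. The `client_control_none_random_id` fixture also appears to end in a one-byte message id with no remote session id after its single ACK, so it may be rejected during parsing before the id comparison; this is worth checking against the P_CONTROL_V1 layout. Separately, the doc block in `ssl_pkt.h` still lists `@param client_sid` and `@return the expected server session id`, although the function takes `state` and returns `bool`.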
diff -pruN 2.6.14-2/debian/patches/series 2.6.14-2ubuntu1/debian/patches/series
--- 2.6.14-2/debian/patches/series	2025-09-05 20:13:12.000000000 +0000
+++ 2.6.14-2ubuntu1/debian/patches/series	2025-09-06 06:40:20.000000000 +0000
@@ -3,3 +3,4 @@ auth-pam_libpam_so_filename.patch
 #debian_nogroup_for_sample_files.patch
 openvpn-pkcs11warn.patch
 avoid-redefining-ovpn-enums.patch
+handle_intentional_route_push_float_ip.patch
diff -pruN 2.6.14-2/debian/tests/control 2.6.14-2ubuntu1/debian/tests/control
--- 2.6.14-2/debian/tests/control	2025-09-05 20:13:12.000000000 +0000
+++ 2.6.14-2ubuntu1/debian/tests/control	2025-09-06 04:20:36.000000000 +0000
@@ -1,9 +1,9 @@
 Tests: server-setup-with-ca
 Depends: openvpn, easy-rsa
-Restrictions: needs-root, isolation-machine, allow-stderr
+Restrictions: needs-root, isolation-container, allow-stderr
 
 Tests: server-setup-with-static-key
-Restrictions: needs-root, isolation-machine, allow-stderr
+Restrictions: needs-root, isolation-container, allow-stderr
 
 Tests: unit-tests
 Depends: libcmocka-dev, @builddeps@
