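# RPM spec for the OpenVPN daemon, its bundled plugins (down-root, auth-pam and
# the optional auth-ldap plugin) and easy-rsa.
# Layout: preamble, prep (unpack and patch), build, install, install-time
# scriptlets, file lists, changelog.

%define auth_ldap_version 2.0.3
%define easy_rsa_version 2.2.0_master
%define develname %mklibname %{name} -d
%define plugindir %{_libdir}/%{name}/plugins

# The auth-ldap plugin is built unless the build is run with "--without ldap".
%bcond_without ldap

# There is an issue with gcc, so disable for amd64
# waiting reply/fix
# NOTE(review): the conditional below repeats the same bcond_without line, so
# it leaves the plugin enabled by default instead of disabling it as the
# comment above says. The install section tests x86_64, so the amd64 test may
# also never match. Confirm which behaviour is intended.
%ifarch amd64
%bcond_without ldap
%endif

Summary:         A Secure TCP/UDP Tunneling Daemon
Name:            openvpn
Version:         2.4.4
%define subrel 1
Release:         %mkrel 1
URL:             http://openvpn.net/
# Source integrity: Source2 is fetched over plain http, and no detached
# signature or checksum is listed for any tarball in this spec (the changelog
# records a gpg signature being shipped with the source package in 2007).
# Verify the tarballs out of band before building.
Source0:         https://swupdate.openvpn.org/community/releases/%{name}-%{version}.tar.xz
Source2:         http://openvpn-auth-ldap.googlecode.com/files/auth-ldap-%{auth_ldap_version}.tar.gz
Source3:         dhcp.sh
Source4:         openvpn-tmpfile.conf
Source5:         openvpn@.service
Source6:         openvpn.target
Source7:         https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-%{easy_rsa_version}.tar.gz
Patch1:          openvpn-2.3.openvpn_user.patch
Patch2:          openvpn-auth-ldap-2.0.3-disable-tests.patch
#Patch3:         openvpn-2.3.1_rc15-wformat.patch
Patch4:          auth-ldap-rfc2307.patch
Patch1001:       openvpn-auth-ldap-2.0.3-objc.patch
# Patches 2000-2002 (CVE-2017-7478, CVE-2017-7479) are disabled. The changelog
# shows they were added for 2.4.0; presumably the later upstream updates
# contain the fixes - confirm against the shipped tarball.
#Patch2000:      openvpn-2.4.0-CVE-2017-7478.patch
#Patch2001:      openvpn-2.4.0-CVE-2017-7479-prereq.patch
#Patch2002:      openvpn-2.4.0-CVE-2017-7479.patch
# NOTE(review): the public advisory for CVE-2018-9336 describes the Windows
# interactive service helper (openvpnserv.exe); confirm whether this patch
# changes any code that is compiled for this package.
Patch2003:       CVE-2018-9336.patch
License:         GPLv2
Group:           Networking/Other
BuildRequires:   liblzo-devel
BuildRequires:   pkgconfig(openssl)
BuildRequires:   pam-devel
BuildRequires:   pkgconfig(libpkcs11-helper-1)
BuildRequires:   automake1.8
BuildRequires:   pkgconfig(systemd)
%if %with ldap
BuildRequires:   gcc-objc
BuildRequires:   openldap-devel
BuildRequires:   re2c
%endif
Requires(post):  systemd >= %{systemd_required_version}
Requires(post):  rpm-helper >= 0.24.8-1
Requires(preun): rpm-helper >= 0.24.8-1

%description
OpenVPN is a robust and highly flexible tunneling application that uses all
of the encryption, authentication, and certification features of the OpenSSL
library to securely tunnel IP networks over a single UDP port.

%package -n %{develname}
Summary:         Development package for OpenVPN plugins
Group:           System/Libraries
Requires:        %{name} = %{version}-%{release}

%description -n %{develname}
OpenVPN .h files.
%if %with ldap
This package contains the auth-ldap plugin
%endif

%prep
# Unpack openvpn plus easy-rsa (source 7); with ldap enabled the tree is
# unpacked again together with the auth-ldap tarball (source 2).
%setup -q -n openvpn-%{version} -a 7
%if %with ldap
%setup -q -n openvpn-%{version} -a 2 -a 7
%{__mv} auth-ldap-%{auth_ldap_version}/README auth-ldap-%{auth_ldap_version}/README-openvpn-auth-ldap
pushd auth-ldap-%{auth_ldap_version}
%patch1001 -p1
%patch2 -p1
%patch4 -p1
popd
%endif
%patch1 -p1
#%patch3 -p1
#%patch2000 -p1
#%patch2001 -p1
#%patch2002 -p1
%patch2003 -p1

%build
# Distribution macro for server packages; the changelog associates it with
# -fstack-protector-all.
%serverbuild
#./pre-touch
libtoolize --copy --force --install
aclocal
automake -a -c -f -i
autoreconf -fi
# --enable-password-save: per the changelog entry that introduced it, this
# allows --askpass and --auth-user-pass to read passwords from a file. Any such
# file should be readable only by root or the service account.
# NOTE(review): newer upstream releases reportedly build this support
# unconditionally; confirm this version's configure still recognises the switch.
# On failure, dump config.log into the build log and stop: cat alone returns
# success and would mask the configure failure.
%configure2_5x \
    --enable-systemd \
    --enable-pthread \
    --with-lzo-headers=%{_includedir}/lzo \
    --enable-password-save || { cat config.log; exit 1; }
%make

# plugins
%make -C src/plugins/down-root
%make -C src/plugins/auth-pam

%if %with ldap
pushd auth-ldap-%{auth_ldap_version}
%configure2_5x \
    --with-openvpn="$(pwd)"/../include \
    --libdir=%{plugindir} \
    --with-objc-runtime=GNU
# workaround parallel build problem with generated header
%make -C tools
make -C src TRConfigParser.h
%make
popd
%endif

pushd easy-rsa-%{easy_rsa_version}
%configure2_5x \
    --with-easyrsadir=%{_datadir}/%{name}/easy-rsa
%make
popd

%install
%make_install
%make_install -C easy-rsa-%{easy_rsa_version}
install -d %{buildroot}%{_sysconfdir}/%{name}
# Create the target directory before copying into it.
mkdir -p %{buildroot}%{_datadir}/%{name}
# (cg) NB The sample config file is needed for drakvpn
# The sample keys copied here are published example material and must never be
# used for a real tunnel.
cp -pr sample/sample-{config-file,key,script}s %{buildroot}%{_datadir}/%{name}
install -d %{buildroot}%{_localstatedir}/lib/%{name}
# (cg) Nuke sysvinit script
rm -f %{buildroot}%{_datadir}/%{name}/sample-scripts/openvpn.init
# (cg) Add systemd units
install -D -m 644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/openvpn.conf
install -D -m 644 %{SOURCE5} %{buildroot}%{_unitdir}/openvpn@.service
install -D -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/openvpn.target
# and remove wrongly generated ones
%ifarch x86_64
rm -f %{buildroot}/%{_libdir}/systemd/system/%{name}*.service
rm -f %{buildroot}/%{_libdir}/tmpfiles.d/%{name}.conf
%endif

#plugins
mkdir -p %{buildroot}%{plugindir}
%if %with ldap
pushd auth-ldap-%{auth_ldap_version}
%make_install
popd
%endif

install -m755 %{SOURCE3} %{buildroot}%{_datadir}/%{name}

%pre
# Create the dedicated service account: home under the state directory and
# /bin/true as shell, so it cannot be used for an interactive login.
%_pre_useradd %{name} %{_localstatedir}/lib/%{name} /bin/true

%post
# (cg) This is a templated unit, so we have to manually convert to systemd
# This scriptlet runs as root. File names found under the configuration and
# systemd directories are quoted so that names containing spaces or glob
# characters are handled as single arguments.
if [ ! -f %{_localstatedir}/lib/rpm-helper/systemd-migration/%{name} ]; then
  # First run: no migration marker yet.
  if [ -f %{_sysconfdir}/rc3.d/S??%{name} ]; then
    # The sysvinit service was enabled: enable one unit instance per config.
    for conf in %{_sysconfdir}/%{name}/*.conf; do
      # An unexpanded pattern means there are no config files.
      [ "$conf" = "%{_sysconfdir}/%{name}/*.conf" ] && continue
      conf=$(basename "$conf" .conf)
      mkdir -p %{_sysconfdir}/systemd/system/%{name}.target.wants
      ln -s %{_unitdir}/%{name}@.service "%{_sysconfdir}/systemd/system/%{name}.target.wants/%{name}@${conf}.service"
    done
    systemctl --quiet enable %{name}.target
  fi
  # Record that the migration has been done.
  mkdir -p %{_localstatedir}/lib/rpm-helper/systemd-migration
  touch %{_localstatedir}/lib/rpm-helper/systemd-migration/%{name}
else
  # (cg) Older versions were not controlled by their own target
  # Move each instance link on its own instead of collecting the names in one
  # space-separated string; -p keeps mkdir quiet if the directory exists.
  moved=
  for unit in %{_sysconfdir}/systemd/system/multi-user.target.wants/%{name}@?*.service; do
    [ "$unit" = "%{_sysconfdir}/systemd/system/multi-user.target.wants/%{name}@?*.service" ] && continue
    mkdir -p %{_sysconfdir}/systemd/system/%{name}.target.wants
    mv -- "$unit" %{_sysconfdir}/systemd/system/%{name}.target.wants/
    moved=1
  done
  if [ -n "$moved" ]; then
    systemctl --quiet enable %{name}.target
  fi
fi
%_tmpfilescreate %{name}
%_post_service %{name} %{name}.target

%preun
%_preun_service %{name} %{name}.target

%postun
# Remove the service account again.
%_postun_userdel %{name}

%files
%doc AUTHORS INSTALL PORTS README
%doc COPYING COPYRIGHT.GPL README* doc/management-notes.txt Changes.rst
%doc src/plugins/*/README.*
%if %with ldap
%doc auth-ldap-%{auth_ldap_version}/README-openvpn-auth-ldap
%endif
%{_mandir}/man8/%{name}.8*
%{_sbindir}/%{name}
%{_datadir}/%{name}
# NOTE(review): the configuration directory is packaged with default ownership
# and mode. It may come to hold key material or password files; consider an
# explicit restrictive attr entry.
%dir %{_sysconfdir}/%{name}
#{_datadir}/%%{name}/dhcp.sh
%{_unitdir}/%{name}*.service
%{_unitdir}/%{name}.target
%{_tmpfilesdir}/%{name}.conf
%dir %{_localstatedir}/lib/%{name}
%dir %{plugindir}
%{plugindir}/*
%exclude %{_docdir}/easy-rsa/COPYING
%exclude %{_docdir}/easy-rsa/COPYRIGHT.GPL
%exclude %{_docdir}/easy-rsa/README-2.0

%files -n %{develname}
%{_includedir}/openvpn-plugin.h
%{_includedir}/openvpn-msg.h

%changelog
* Sat Jul 07 2018 bcornec <bcornec> 2.4.4-1.1.mga6 (not released yet)
+ Revision: 1242399
- Fix CVE-2018-9336 by modifying upstream patch for 2.4.4 in mga6
- Update openvpn to upstream 2.4.4 to fix #21780

* Mon Jun 26 2017 bcornec <bcornec> 2.4.3-1.mga6
+ Revision: 1108487
- Remove systemd files only on x86_64 where the delivery is wrong
- Update to upstream 2.4.3

* Mon May 15 2017 neoclust <neoclust> 2.4.0-2.mga6
+ Revision: 1101662
- Add P200{0,1,2} from debian
- Fixes CVE-2017-7478 and CVE-2017-7479 (mga#20845)

* Mon Jan 02 2017 bcornec <bcornec> 2.4.0-1.mga6
+ Revision: 1079787
- update to upstream openvpn 2.4.0

* Mon Dec 12 2016 luigiwalser <luigiwalser> 2.3.14-1.mga6
+ Revision: 1074399
- 2.3.14

* Sat Nov 12 2016 luigiwalser <luigiwalser> 2.3.13-1.mga6
+ Revision: 1066632
- 2.3.13

* Fri Aug 26 2016 luigiwalser <luigiwalser> 2.3.12-1.mga6
+ Revision: 1049113
- 2.3.12 (fixes CVE-2016-6329)

* Tue May 17 2016 luigiwalser <luigiwalser> 2.3.11-1.mga6
+ Revision: 1016537
- 2.3.11

* Thu Mar 03 2016 umeabot <umeabot> 2.3.10-2.mga6
+ Revision: 983855
- Rebuild for openssl

* Wed Jan 06 2016 luigiwalser <luigiwalser> 2.3.10-1.mga6
+ Revision: 920141
- 2.3.10

* Fri Dec 18 2015 luigiwalser <luigiwalser> 2.3.9-1.mga6
+ Revision: 911651
- 2.3.9

* Fri Oct 23 2015 tv <tv> 2.3.6-2.mga6
+ Revision: 894412
- fix build: add some doc

* Sat Dec 27 2014 dlucio <dlucio> 2.3.6-1.mga5
+ Revision: 806680
- systemd-devel as BR
- 2.3.6
- P5 merged upstream
- P6 fixes an assertion when there is not crypto

* 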
Tue Dec 02 2014 luigiwalser <luigiwalser> 2.3.2-6.mga5 + Revision: 800333 - add patch from ubuntu to fix CVE-2014-8104 * Wed Oct 15 2014 umeabot <umeabot> 2.3.2-5.mga5 + Revision: 743394 - Second Mageia 5 Mass Rebuild * Tue Sep 16 2014 umeabot <umeabot> 2.3.2-4.mga5 + Revision: 683259 - Mageia 5 Mass Rebuild * Mon Jan 27 2014 neoclust <neoclust> 2.3.2-3.mga4 + Revision: 568428 - Add P4: RFC2307 group support * Sat Oct 19 2013 umeabot <umeabot> 2.3.2-2.mga4 + Revision: 529088 - Mageia 4 Mass Rebuild * Wed Jul 03 2013 dlucio <dlucio> 2.3.2-1.mga4 + Revision: 449968 - 2.3.2 * Tue Apr 16 2013 colin <colin> 2.3.1-2.mga3 + Revision: 410213 - Drop patch5 properly (unapplied, but fix is in upstream) - Rediff and reenable patch3 (wformat) - Drop patch4 (systemd console input): fixed upstream - Ship the sample configs accidentally removed in r404203 (needed by drakvpn) * Sat Apr 13 2013 dlucio <dlucio> 2.3.1-1.mga3 + Revision: 409825 - 2.3.1 - P5 merged upstream * Sun Mar 24 2013 colin <colin> 2.3.0-2.mga3 + Revision: 404859 - Add systemd requires and general post/pre fixes (mga#9302) * Wed Mar 20 2013 dlucio <dlucio> 2.3.0-1.mga3 + Revision: 404203 - 2.3.0 - new devel subpackage - easy-rsa is now anothe project, S7 added - P1 and P5 rediffed - P3 and P4 no needed - lets move plugins to its plugins directory - multiple spec cleanups * Sun Jan 27 2013 pterjan <pterjan> 2.2.2-13.mga3 + Revision: 392746 - Fix parallel build * Sun Jan 13 2013 umeabot <umeabot> 2.2.2-12.mga3 + Revision: 362181 - Mass Rebuild - https://wiki.mageia.org/en/Feature:Mageia3MassRebuild * Wed Jan 09 2013 cjw <cjw> 2.2.2-11.mga3 + Revision: 343413 - patch5: fix build with automake 1.13 * Tue Nov 27 2012 colin <colin> 2.2.2-10.mga3 + Revision: 322422 - Renumber patches - Do not package /var/run/openvpn dir (tmpfiles takes care of it) - Completely drop sysvinit script (including patches to it) - Minor configure tidyup - No need to explicitly enable -fPIC (it's enabled by default) - Enable systemd input for 
authentication (via upstream + Fred Crozat @ suse) * Sun Nov 25 2012 colin <colin> 2.2.2-9.mga3 + Revision: 321721 - Switch to an openvpn.target setup with PartOf= support in .service units - Run systemd-tmpfiles --create on install to ensure pid file dir creation (mga#8200) - Package tmpfiles.d snippet in the /usr tree, not /etc as config * Sat Aug 18 2012 nanardon <nanardon> 2.2.2-8.mga3 + Revision: 281954 - kill initscripts * Fri Aug 17 2012 nanardon <nanardon> 2.2.2-7.mga3 + Revision: 281885 - fix startup with systemd - fix initscript * Mon Aug 13 2012 dlucio <dlucio> 2.2.2-6.mga3 + Revision: 281004 - P13 to fix gcc47 issues, from debian - rebuild for new libs * Sat Apr 28 2012 tmb <tmb> 2.2.2-5.mga2 + Revision: 233831 - Require rpm-helper >= 0.24.8-1 for systemd support * Sat Apr 21 2012 colin <colin> 2.2.2-4.mga2 + Revision: 232371 - Use macros in post script. * Sat Apr 21 2012 colin <colin> 2.2.2-3.mga2 + Revision: 232360 - Handle systemd template unit migration and mask sysvinit script. 
* Wed Apr 18 2012 guillomovitch <guillomovitch> 2.2.2-2.mga2 + Revision: 231466 - spec cleanup - systemd support * Fri Mar 16 2012 dlucio <dlucio> 2.2.2-1.mga2 + Revision: 223673 - Update to 2.2.2 - New dhcp.sh script that lets to handle dynamic dns with dhcp environments * Fri Dec 09 2011 wally <wally> 2.2.1-1.2.mga2 + Revision: 179681 - fix build + dmorgan <dmorgan> - Rebuild against gcc 4.6.2 + dlucio <dlucio> - more synced patches - P3 synced from Mandriva - 2.2.1 * Wed Jun 15 2011 mikala <mikala> 2.1.4-2.mga2 + Revision: 107896 - Add --enable-save-password switch (Allow --askpass and --auth-user-pass passwords to be read from a file) * Thu Mar 03 2011 ennael <ennael> 2.1.4-1.mga1 + Revision: 63137 - imported package openvpn * Tue Nov 09 2010 Luis Daniel Lucio Quiroz <dlucio@mandriva.org> 2.1.4-1mdv2011.0 + Revision: 595489 - 2.1.4 Fix summary * Tue Oct 19 2010 Luis Daniel Lucio Quiroz <dlucio@mandriva.org> 2.1.3-1mdv2011.0 + Revision: 586743 - 2.1.3 * Wed Aug 18 2010 Luis Daniel Lucio Quiroz <dlucio@mandriva.org> 2.1.2-1mdv2011.0 + Revision: 571120 - 2.1.2 * Thu Apr 08 2010 Eugeni Dodonov <eugeni@mandriva.com> 2.1.1-3mdv2010.1 + Revision: 533059 - Rebuild for openssl 1.0.0. 
* Fri Feb 26 2010 Oden Eriksson <oeriksson@mandriva.com> 2.1.1-2mdv2010.1 + Revision: 511606 - rebuilt against openssl-0.9.8m * Sat Dec 12 2009 Frederik Himpe <fhimpe@mandriva.org> 2.1.1-1mdv2010.1 + Revision: 477774 - update to new version 2.1.1 * Fri Dec 11 2009 Funda Wang <fwang@mandriva.org> 2.1.0-1mdv2010.1 + Revision: 476390 - new version 2.1.0 * Mon Nov 23 2009 Luis Daniel Lucio Quiroz <dlucio@mandriva.org> 2.1-0.rc22.2mdv2010.1 + Revision: 469177 - Source2 URL updated * Sat Nov 21 2009 Luis Daniel Lucio Quiroz <dlucio@mandriva.org> 2.1-0.rc22.1mdv2010.1 + Revision: 468162 - New rc22 * Thu Nov 12 2009 Frederik Himpe <fhimpe@mandriva.org> 2.1-0.rc20.1mdv2010.1 + Revision: 465276 - Update to new version 2.1-rc21 * Mon Oct 05 2009 Luis Daniel Lucio Quiroz <dlucio@mandriva.org> 2.1-0.rc20.1mdv2010.0 + Revision: 454239 - P7 to let compillation work because buf_printf() function - RC20, it fixes several bugs * Thu Jul 23 2009 Frederik Himpe <fhimpe@mandriva.org> 2.1-0.rc19.1mdv2010.0 + Revision: 399003 - Update to new version 2.1-rc19 + Christophe Fergeau <cfergeau@mandriva.com> - fix -Wformat warnings * Sat Nov 22 2008 Frederik Himpe <fhimpe@mandriva.org> 2.1-0.rc15.1mdv2009.1 + Revision: 305704 - Update to new version 2.1-rc15, drop UDP ssl/tls negotiation patch integrated upstream in 2.1-rc11 * Mon Nov 17 2008 Funda Wang <fwang@mandriva.org> 2.1-0.rc10.3mdv2009.1 + Revision: 303875 - BR libpkcs11-helper-devel (bug#45813) * Thu Sep 18 2008 Frederik Himpe <fhimpe@mandriva.org> 2.1-0.rc10.2mdv2009.0 + Revision: 285720 - Fix license - Add 2.1-rc11 patch fixing TLS/SSL negotiations if UDP packets are dropped * Sat Sep 13 2008 Frederik Himpe <fhimpe@mandriva.org> 2.1-0.rc10.1mdv2009.0 + Revision: 284564 - Update to 2.1 RC 10 * Tue Aug 05 2008 Frederik Himpe <fhimpe@mandriva.org> 2.1-0.rc9.1mdv2009.0 + Revision: 263636 - Update to new version 2.1-rc9: fixes security problem CVE-2008-3459 + Pixel <pixel@mandriva.com> - adapt to %%_localstatedir now being /var instead 
of /var/lib (#22312) * Mon May 19 2008 David Walluck <walluck@mandriva.org> 2.1-0.rc7.1mdv2009.0 + Revision: 209098 - BuildRequires: re2c for ldap support - 2.1_rc7 - auth_ldap 2.0.3 * Wed Jan 23 2008 Thierry Vignaud <tv@mandriva.org> 2.0.9-4mdv2008.1 + Revision: 157261 - rebuild with fixed %%serverbuild macro + Olivier Blin <oblin@mandriva.com> - restore BuildRoot * Mon Dec 24 2007 Oden Eriksson <oeriksson@mandriva.com> 2.0.9-3mdv2008.1 + Revision: 137470 - rebuilt against openldap-2.4.7 libs + Thierry Vignaud <tv@mandriva.org> - kill re-definition of %%buildroot on Pixel's request * Wed Jun 27 2007 Andreas Hasenack <andreas@mandriva.com> 2.0.9-2mdv2008.0 + Revision: 45193 - using serverbuild macro (-fstack-protector-all) * Wed May 09 2007 Olivier Thauvin <nanardon@mandriva.org> 2.0.9-1mdv2008.0 + Revision: 25697 - 2.0.9 - don't bzip2 source, add gpg sig into source pkg * Thu Mar 15 2007 Olivier Thauvin <nanardon@mandriva.org> 2.0.7-4mdv2007.1 + Revision: 144578 - rebuild * Wed Jan 31 2007 Olivier Thauvin <nanardon@mandriva.org> 2.1-0.rc2.2mdv2007.1 + Revision: 115645 - merge patch no-user/group from 2.1 branches (Yves-Gwenael Bourhis) * Sun Aug 13 2006 Olivier Thauvin <nanardon@mandriva.org> 2.0.7-2mdv2007.0 + Revision: 55734 - rebuild - add openvpn * Thu Apr 20 2006 Olivier Thauvin <nanardon@mandriva.org> 2.0.7-1mdk - 2.0.7 * Mon Jan 09 2006 Olivier Blin <oblin@mandriva.com> 2.0.5-5mdk - fix typo in initscript * Mon Jan 09 2006 Olivier Blin <oblin@mandriva.com> 2.0.5-4mdk - convert parallel init to LSB * Tue Jan 03 2006 Per Øyvind Karlsen <pkarlsen@mandriva.com> 2.0.5-3mdk - add parallel init support - fix executable-marked-as-config-file - be sure to wipe out buildroot at the beginning of %%install - don't ship copyright notice as the package is GPL (see common-licenses) * Sun Nov 13 2005 Oden Eriksson <oeriksson@mandriva.com> 2.0.5-2mdk - rebuilt against openssl-0.9.8a * Thu Nov 10 2005 Olivier Thauvin <nanardon@mandriva.org> 2.0.5-1mdk - 2.0.5 * Mon Oct 17 
2005 Olivier Thauvin <nanardon@mandriva.org> 2.0.2-1mdk - 2.0.2 * Wed Aug 31 2005 Oden Eriksson <oeriksson@mandriva.com> 2.0.1-2mdk - rebuilt against new openldap-2.3.6 libs * Thu Aug 25 2005 Olivier Thauvin <nanardon@mandriva.org> 2.0.1-1mdk - 2.0.1 - ldap patch version 1.0.1 - remove patch3, fix upstream * Sun Jul 10 2005 Olivier Thauvin <nanardon@mandriva.org> 2.0-4mdk - rebuild for lzo (#16777) - add patch3: fix -lzo2 calls * Thu Jun 23 2005 Olivier Thauvin <nanardon@mandriva.org> 2.0-3mdk - rebuild for lzo (Thanks Michar) * Thu May 12 2005 Olivier Thauvin <nanardon@mandriva.org> 2.0-2mdk - Request by Luis Daniel Lucio Quiroz <dlucio@okay.com.mx> - add native plugin - add openvpn-auth-ldap plugin (except for amd64) * Wed Apr 20 2005 Olivier Thauvin <nanardon@mandriva.org> 2.0-1mdk - 2.0 final * Fri Apr 08 2005 Olivier Thauvin <thauvin@aerov.jussieu.fr> 2.0-0.rc20.1mdk - 2.0-rc20 * Thu Jan 13 2005 Per Øyvind Karlsen <peroyvind@linux-mandrake.com> 1.6.0-2mdk - rebuild - cosmetics * Tue Jun 01 2004 Per Øyvind Karlsen <peroyvind@linux-mandrake.com> 1.6.0-1mdk - 1.6.0 - fix buildrequires (lib64..) - drop GPL license file, there's no reason for us to ship such common license files in packages, as we ship them with the common-licenses package!