Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ocserv for openSUSE:Factory checked in at 2023-09-02 22:07:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ocserv (Old) and /work/SRC/openSUSE:Factory/.ocserv.new.1766 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ocserv" Sat Sep 2 22:07:48 2023 rev:21 rq:1108560 version:1.2.1 Changes: -------- --- /work/SRC/openSUSE:Factory/ocserv/ocserv.changes 2023-03-07 16:51:23.057916405 +0100 +++ /work/SRC/openSUSE:Factory/.ocserv.new.1766/ocserv.changes 2023-09-02 22:08:32.553170775 +0200 @@ -1,0 +2,33 @@ +Tue Aug 29 12:37:56 UTC 2023 - Martin Hauke <mar...@gmx.de> + +- Update to version 1.2.1 + * Accept the Clavister OneConnect VPN Android client. + * No longer require to set device name per vhost. + * Account the correct number of points when proxyproto is in use + * nuttcp tests were replaced with iperf3 that is available + in more environments + * occtl: fix duplicate key in `occtl --json show users` output +- Update to version 1.2.0 + * Add support for Cisco Enterprise phones to authenticate via + the /svc endpoint and the 'cisco-svc-client-compat' config + option. + * Enhanced radius group support to enable radius servers send + multiple group class attributes + See doc/README-radius.md for more information. + * Enhanced the seccomp filters to open files related to FIPS + compliance on SuSe. + * Added "Camouflage" functionality that makes ocserv look like a + web server to unauthorized parties. + * Avoid login failure when the end point of server URI + contains a query string. + * Make sure we print proper JSON with `occtl --debug --json` + * Eliminated the need for using the gnulib portability library. +- Update to version 1.1.7 + * Emit a LOG_ERR error message with plain authentication fails + * The bundled inih was updated to r56. + * The bundled protobuf-c was updated to 1.4.1. + * Enhanced the seccomp filters for ARMv7 compatibility and musl + libc + * HTTP headers always capitalised as in RFC 9110 + +------------------------------------------------------------------- Old: ---- ocserv-1.1.6.tar.xz ocserv-1.1.6.tar.xz.sig New: ---- ocserv-1.2.1.tar.xz ocserv-1.2.1.tar.xz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ocserv.spec ++++++ --- /var/tmp/diff_new_pack.cpwnpW/_old 2023-09-02 22:08:35.641281123 +0200 +++ /var/tmp/diff_new_pack.cpwnpW/_new 2023-09-02 22:08:35.693282981 +0200 @@ -17,7 +17,7 @@ Name: ocserv -Version: 1.1.6 +Version: 1.2.1 Release: 0 Summary: OpenConnect VPN Server License: GPL-2.0-only @@ -149,7 +149,7 @@ %files %defattr(-,root,root) %doc AUTHORS NEWS README.md -%license COPYING LICENSE +%license COPYING %config %{_sysconfdir}/ocserv %if 0%{suse_version} >= 1500 %dir %{_prefix}/lib/firewalld ++++++ ocserv-1.1.6.tar.xz -> ocserv-1.2.1.tar.xz ++++++ ++++ 83353 lines of diff (skipped) ++++++ ocserv.config.patch ++++++ --- /var/tmp/diff_new_pack.cpwnpW/_old 2023-09-02 22:08:36.737320288 +0200 +++ /var/tmp/diff_new_pack.cpwnpW/_new 2023-09-02 22:08:36.741320431 +0200 @@ -1,5 +1,5 @@ diff --git a/doc/sample.config b/doc/sample.config -index 0e33484f..60ab3e93 100644 +index 4c8c8c6..7a4697f 100644 --- a/doc/sample.config +++ b/doc/sample.config @@ -48,7 +48,7 @@ @@ -22,18 +22,19 @@ # The user the worker processes will be run as. This should be a dedicated # unprivileged user (e.g., 'ocserv') and no other services should run as this -@@ -126,8 +126,8 @@ socket-file = /var/run/ocserv-socket +@@ -126,9 +126,8 @@ socket-file = /var/run/ocserv-socket #server-cert = /etc/ocserv/server-cert.pem #server-key = /etc/ocserv/server-key.pem -server-cert = ../tests/certs/server-cert.pem -server-key = ../tests/certs/server-key.pem +- +server-cert = /etc/ocserv/certificates/server-cert.pem +server-key = /etc/ocserv/certificates/server-key.pem - # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0 # versions of GnuTLS for supporting DHE ciphersuites. -@@ -154,7 +154,7 @@ server-key = ../tests/certs/server-key.pem + # Can be generated using: +@@ -154,7 +153,7 @@ server-key = ../tests/certs/server-key.pem # client certificates (public keys) if certificate authentication # is set. #ca-cert = /etc/ocserv/ca.pem @@ -42,16 +43,7 @@ # The number of sub-processes to use for the security module (authentication) # processes. Typically this should not be set as the number of processes -@@ -180,7 +180,7 @@ ca-cert = ../tests/certs/ca.pem - # the isolation was tested at. If you get random failures on worker processes, try - # disabling that option and report the failures you, along with system and debugging - # information at: https://gitlab.com/ocserv/ocserv/issues --isolate-workers = true -+isolate-workers = false - - # A banner to be displayed on clients after connection - #banner = "Welcome" -@@ -249,7 +249,7 @@ mobile-dpd = 1800 +@@ -249,7 +248,7 @@ mobile-dpd = 1800 switch-to-tcp-timeout = 25 # MTU discovery (DPD must be enabled) @@ -60,78 +52,4 @@ # To enable load-balancer connection draining, set server-drain-ms to a value # higher than your load-balancer health probe interval. -@@ -415,8 +415,8 @@ rekey-method = ssl - # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes - # output from the tun device, and the duration of the session in seconds. - --#connect-script = /usr/bin/myscript --#disconnect-script = /usr/bin/myscript -+#connect-script = /usr/bin/ocserv-script -+#disconnect-script = /usr/bin/ocserv-script - - # This script is to be called when the client's advertised hostname becomes - # available. It will contain REASON with "host-update" value and the -@@ -506,7 +506,8 @@ ipv4-netmask = 255.255.255.0 - # The advertised DNS server. Use multiple lines for - # multiple servers. - # dns = fc00::4be0 --dns = 192.168.1.2 -+dns = 8.8.8.8 -+dns = 8.8.4.4 - - # The NBNS server (if any) - #nbns = 192.168.1.3 -@@ -545,8 +546,8 @@ ping-leases = false - # comment out all routes from the server, or use the special keyword - # 'default'. - --route = 10.10.10.0/255.255.255.0 --route = 192.168.0.0/255.255.0.0 -+#route = 10.10.10.0/255.255.255.0 -+#route = 192.168.0.0/255.255.0.0 - #route = fef4:db8:1000:1001::/64 - #route = default - -@@ -719,18 +720,18 @@ client-bypass-protocol = false - # An example virtual host with different authentication methods serviced - # by this server. - --[vhost:www.example.com] --auth = "certificate" -+#[vhost:www.example.com] -+#auth = "certificate" - --ca-cert = ../tests/certs/ca.pem -+#ca-cert = ../tests/certs/ca.pem - - # The certificate set here must include a 'dns_name' corresponding to - # the virtual host name. - --server-cert = ../tests/certs/server-cert-secp521r1.pem --server-key = ../tests/certs/server-key-secp521r1.pem -+#server-cert = ../tests/certs/server-cert-secp521r1.pem -+#server-key = ../tests/certs/server-key-secp521r1.pem - --ipv4-network = 192.168.2.0 --ipv4-netmask = 255.255.255.0 -+#ipv4-network = 192.168.2.0 -+#ipv4-netmask = 255.255.255.0 - --cert-user-oid = 0.9.2342.19200300.100.1.1 -+#cert-user-oid = 0.9.2342.19200300.100.1.1 -diff --git a/doc/systemd/socket-activated/ocserv.socket b/doc/systemd/socket-activated/ocserv.socket -index 9444f190..a0ac362a 100644 ---- a/doc/systemd/socket-activated/ocserv.socket -+++ b/doc/systemd/socket-activated/ocserv.socket -@@ -2,8 +2,8 @@ - Description=OpenConnect SSL VPN server Socket - - [Socket] --ListenStream=443 --ListenDatagram=443 -+ListenStream=9000 -+ListenDatagram=9001 - BindIPv6Only=default - Accept=false - ReusePort=true