---
- branch: MAIN
  date: Mon Oct 2 15:54:24 UTC 2017
  files:
  - new: '1.12'
    old: '1.11'
    path: pkgsrc/net/openvpn/Makefile.common
    pathrev: pkgsrc/net/openvpn/Makefile.common@1.12
    type: modified
  - new: '1.20'
    old: '1.19'
    path: pkgsrc/net/openvpn/PLIST
    pathrev: pkgsrc/net/openvpn/PLIST@1.20
    type: modified
  - new: '1.39'
    old: '1.38'
    path: pkgsrc/net/openvpn/distinfo
    pathrev: pkgsrc/net/openvpn/distinfo@1.39
    type: modified
  - new: '1.17'
    old: '1.16'
    path: pkgsrc/net/openvpn-acct-wtmpx/distinfo
    pathrev: pkgsrc/net/openvpn-acct-wtmpx/distinfo@1.17
    type: modified
  - new: '1.14'
    old: '1.13'
    path: pkgsrc/net/openvpn-nagios/distinfo
    pathrev: pkgsrc/net/openvpn-nagios/distinfo@1.14
    type: modified
  id: 20171002T155424Z.c9365fe400c28e75c37cf55587e6a71b5f58a3b0
  log: |
    openvpn: update to 2.4.4

    Version 2.4.4
    =============

    This is primarily a maintenance release, with further improved OpenSSL 1.1
    integration, several minor bug fixes and other minor improvements.

    Bug fixes
    ---------

    - Fix issues when a pushed cipher via the Negotiable Crypto Parameters (NCP)
      is rejected by the remote side

    - Ignore ``--keysize`` when NCP have resulted in a changed cipher.

    - Configurations using ``--auth-nocache`` and the management interface to
      provide user credentials (like NetworkManager on Linux) on client side
      with servers implementing authentication tokens (for example, using
      ``--auth-gen-token``) will now behave correctly and not query the user
      for an, to them, unknown authentication token on renegotiations of the
      tunnel.

    - Fix bug causing invalid or corrupt SOCKS port number when changing the
      proxy via the management interface.

    - The man page should now have proper escaping of hyphens/minus characters
      and have seen some minor corrections.

    User-visible Changes
    --------------------

    - Linux servers with systemd which uses the ``openvpn-server@.service``
      unit file for server configurations will now utilize the automatic
      restart feature in systemd. If the OpenVPN server process dies
      unexpectedly, systemd will ensure the OpenVPN configuration will be
      restarted without any user interaction.

    Deprecated features
    -------------------

    - ``--no-replay`` is deprecated and will be removed in OpenVPN 2.5.

    - ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6

    Security
    --------

    - CVE-2017-12166: Fix bounds check for configurations using
      ``--key-method 1``. Before this fix, it could allow an attacker to send
      a malformed packet to trigger a stack overflow. This is considered to be
      a low risk issue, as ``--key-method 2`` has been the default since
      OpenVPN 2.0 (released on 2005-04-17). This option is already deprecated
      in v2.4 and will be completely removed in v2.5.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/net'
  unixtime: '1506959664'
  user: wiz