stable

openvpn-2.4.3-1.el7

FEDORA-EPEL-2017-79e30f9d33 created by dsommers 7 years ago for Fedora EPEL 7

Updates to the latest upstream OpenVPN 2.4.3, containing security updates for CVE-2017-7508, CVE-2017-7520 and CVE-2017-7521. This update also re-enables automatic restart of OpenVPN on the next updates. For this update, the restart needs to be done manually.

This update has been submitted for testing by dsommers.

7 years ago

This update has been pushed to testing.

7 years ago
dwille provided feedback 7 years ago
karma
BZ#1463647 openvpn-2.4.3 is available
greenfeld commented & provided feedback 7 years ago
karma

Tested as VPN server

This update has been submitted for stable by bodhi.

7 years ago
fkooman commented & provided feedback 7 years ago

Is there a specific reason you enabled auto restart (again)? Will it restart all server profiles from /etc/openvpn-server that are enabled with systemctl?

It may be a bit tricky for us, as we generally install updates, but then choose a later time to restart the OpenVPN server processes... Is it possible to disable this behavior?

In any case, thanks for the heads up, will consider this on the next update.

This update has been pushed to stable.

7 years ago
dsommers commented & provided feedback 7 years ago

@fkooman, Fun fact: I got complaints that updates didn't restart the openvpn services.

Yes, it should restart all profiles on the server. It is not something we can change now; the cat is already out of the bag. So the next update will restart the service anyhow, also if we add some "tunable feature" in the next update - it will be restarted regardless.

But I can look at adding a "don't restart" feature. For example something like checking if a file named /etc/openvpn/server/.update-no-restart exists or not. I'm not saying that's how it will be, but that is one plausible solution.

So to the longer answer why this was changed. When I cleaned up the .spec file, a lot of moving parts had to be changed at the same time (otherwise we wouldn't be finished with the clean up until after the next 5-6 updates). A lot of the changes involved moving over to standardized RPM macros for doing a lot of things. So I chose to ensure we don't break running services needlessly on automated updates until the dust had settled a bit. And now it felt like the right time to do what most users expect.

fkooman commented & provided feedback 7 years ago

> But I can look at adding a "don't restart" feature.

That would be cool, but maybe you don't need to invest time in this if I'm the only one who wants this, something can be said for both approaches. I think also Debian always restarts daemons on update, but not completely sure...

> And now it felt like the right time to do what most users expect.

Fair enough. I guess installing updates outside maintenance windows without rebooting/restarting can be unstable/dangerous anyway. So we'll live :-)

Thanks for the explanation!



Metadata
Type: security
Karma: 2
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -1
Stable by Karma: 2
Stable by Time: disabled
Dates
submitted: 7 years ago
in testing: 7 years ago
in stable: 7 years ago
BZ#1463644 CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 CVE-2017-7522 openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17 [epel-all]
0
0
BZ#1463647 openvpn-2.4.3 is available
0
1
