Updates to the latest upstream OpenVPN 2.4.3, containing security updates for CVE-2017-7508, CVE-2017-7520 and CVE-2017-7521. This update also re-enables automatic restart of OpenVPN on subsequent updates. For this update, the restart needs to be done manually.
This update has been submitted for testing by dsommers.
This update has been pushed to testing.
Tested as VPN server
This update has been submitted for stable by bodhi.
Is there a specific reason you enabled auto restart (again)? Will it restart all server profiles from /etc/openvpn-server that are enabled with systemctl?
It may be a bit tricky for us, as we generally install updates, but then choose a later time to restart the OpenVPN server processes... Is it possible to disable this behavior?
In any case, thanks for the heads up, will consider this on the next update.
This update has been pushed to stable.
@fkooman, Fun fact: I got complaints that updates didn't restart the openvpn services.
Yes, it should restart all profiles on the server. It is not something we can change now; the cat is already out of the bag. So the next update will restart the service anyhow, also if we add some "tunable feature" in the next update - it will be restarted regardless.
But I can look at adding a "don't restart" feature. For example something like checking if a file named /etc/openvpn/server/.update-no-restart exists or not. I'm not saying that's how it will be, but that is one plausible solution.
So to the longer answer why this was changed. When I cleaned up the .spec file, a lot of moving parts had to be changed at the same time (otherwise we wouldn't be finished with the clean up until after the next 5-6 updates). A lot of the changes involved moving over to standardized RPM macros for doing a lot of things. So I chose to ensure we don't break running services needlessly on automated updates until the dust had settled a bit. And now it felt like the right time to do what most users expect.
That would be cool, but maybe you don't need to invest time in this if I'm the only one who wants this, something can be said for both approaches. I think also Debian always restarts daemons on update, but not completely sure...
Fair enough. I guess installing updates outside maintenance windows without rebooting/restarting can be unstable/dangerous anyway. So we'll live :-)
Thanks for the explanation!