Diffstat (limited to 'debian')
-rw-r--r-- debian/README.Debian 10
-rw-r--r-- debian/README.source 2
-rw-r--r-- debian/changelog 41
-rw-r--r-- debian/control 5
-rw-r--r-- debian/dirs 2
-rw-r--r-- debian/openvpn.lintian-overrides 4
-rw-r--r-- debian/openvpn@.service 5
-rw-r--r-- debian/patches/move_log_dir.patch 41
-rw-r--r-- debian/patches/series 1
-rw-r--r-- debian/po/ca.po 17
-rw-r--r-- debian/postinst 22
-rw-r--r-- debian/postrm 23
-rw-r--r-- debian/prerm 34
-rwxr-xr-x debian/rules 2
14 files changed, 178 insertions, 31 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
index 517cf02..29b15fe 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -186,11 +186,13 @@ from now on.
plugin support
--------------
-Plugins are now included in the package. They get installed in /usr/lib/openvpn.
+Plugins are now included in the package. They get installed in
+/usr/lib/<DEB_HOST_MULTIARCH>/openvpn/plugins.
Info on what they are and what they do in README.auth-pam and README.down-root.
-Append /usr/lib/openvpn/ to the plugin name in the plugin option.
-i.e.
- plugin /usr/lib/openvpn/openvpn-auth-pam.so [service-type]
+Append /usr/lib/<DEB_HOST_MULTIARCH>/openvpn/plugins to the plugin name in
+the plugin option.
+i.e.
+ plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so [service-type]
Using resolvconf
----------------
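Review bot: The example plugin line hardcodes x86_64-linux-gnu while the text above it uses the <DEB_HOST_MULTIARCH> placeholder, so readers on other architectures will copy a path that does not exist on their system; state that the triplet is only an example and mention dpkg-architecture -qDEB_HOST_MULTIARCH as the way to look it up. "Append ... to the plugin name" should read "Prepend", and the directory should end in a slash as it did in the removed line. The module name also changes from openvpn-auth-pam.so to openvpn-plugin-auth-pam.so, so existing configurations that still carry the old plugin line will no longer find the module; that deserves a sentence here or a NEWS entry.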
diff --git a/debian/README.source b/debian/README.source
deleted file mode 100644
index 44b33ce..0000000
--- a/debian/README.source
+++ /dev/null
@@ -1,2 +0,0 @@
-Please refer to /usr/share/doc/quilt/README.source before making changes to
-the source package.
diff --git a/debian/changelog b/debian/changelog
index 5b81e3e..bdf5384 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,43 @@
-openvpn (2.4.3-4~bpo9+1) stretch-backports; urgency=medium
+openvpn (2.4.4-2) unstable; urgency=medium
- * Rebuild for stretch-backports.
+ * Build against OpenSSL 1.1.0 (Closes: #828447)
+ * Bump Standards-Version to 4.1.2, no changes necessary
- -- Patrick Matthäi <pmatthaei@debian.org> Wed, 12 Jul 2017 10:26:14 +0200
+ -- Bernhard Schmidt <berni@debian.org> Mon, 11 Dec 2017 00:22:11 +0100
+
+openvpn (2.4.4-1) unstable; urgency=medium
+
+ [ Jörg Frings-Fürst ]
+ * New Upstream release:
+ - Fix bounds check in read_key() (CVE-2017-12166) (Closes: #877089).
+ * Declare compliance with Debian Policy 4.1.1. (No changes needed).
+ * Drop dh-systemd from both Build-Depends and dh command line as
+ it is enabled by default for dh compat level 10.
+ * New debian/openvpn.lintian-overrides:
+ - Override duplicate upstream changelog warning.
+ * Remote obsolete directory /usr/lib/openvpn (The plugins directory are now
+ /usr/lib/*/openvpn/plugins):
+ - Remove /usr/lib/openvpn from debian/dirs.
+ - Add debian/postrm to remove /usr/lib/openvpn on purge and remove.
+ - Rewrite plugin section at README.Debian
+ * Use pathfind() instead hard coded path for invoke-rc.d at debian/prerm
+ and debian/postinst.
+ * Remove outdated debian/README.source.
+ * Remove obsolete syslog.target from debian/openvpn@.service.
+ * Update Catalan translation (Closes: #870351).
+ - Thanks to Alytidae <alytidae@riseup.net>.
+ * New directory /var/log/openvpn for log and status files
+ (Closes: #444431, #553303):
+ - Add var/log/openvpn into debian/dirs.
+ - New debian/patches/move_log_dir.patch to change the conf files
+ to the new log directory.
+
+ [ Bernhard Schmidt ]
+ * Further changes to debian/openvpn@.service copied from upstream
+ - Enable Restart=on-failure
+ - Use KillMode=process
+
+ -- Bernhard Schmidt <berni@debian.org> Wed, 25 Oct 2017 08:14:12 +0200
openvpn (2.4.3-4) unstable; urgency=medium
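Review bot: Wording errors in the 2.4.4-1 entry: "Remote obsolete directory" should be "Remove obsolete directory", "The plugins directory are now" should be "is now", and "Use pathfind() instead hard coded path" is missing "of". The changelog is what administrators read to judge an upgrade, so the entry that describes a directory removal should be unambiguous.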
diff --git a/debian/control b/debian/control
index 89d4656..b3770a9 100644
--- a/debian/control
+++ b/debian/control
@@ -5,19 +5,18 @@ Maintainer: Bernhard Schmidt <berni@debian.org>
Uploaders: Jörg Frings-Fürst <debian@jff-webhosting.net>
Build-Depends:
debhelper (>= 10),
- dh-systemd (>= 1.5),
dpkg-dev (>= 1.16.1),
iproute2 [linux-any],
liblz4-dev,
liblzo2-dev,
libpam0g-dev,
libpkcs11-helper1-dev,
- libssl1.0-dev,
+ libssl-dev,
libsystemd-dev [linux-any],
net-tools [!linux-any],
pkg-config,
systemd [linux-any]
-Standards-Version: 4.0.0
+Standards-Version: 4.1.2
Homepage: https://openvpn.net/
Vcs-Git: https://anonscm.debian.org/git/collab-maint/openvpn.git
Vcs-Browser: https://anonscm.debian.org/git/collab-maint/openvpn.git
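Review bot: The new libssl-dev build dependency is unversioned, while the changelog says this upload builds against OpenSSL 1.1.0. Writing it as libssl-dev (>= 1.1.0) would make that intent explicit and keep a rebuild in an older suite from silently linking against 1.0.x.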
diff --git a/debian/dirs b/debian/dirs
index c715297..2823844 100644
--- a/debian/dirs
+++ b/debian/dirs
@@ -8,5 +8,5 @@ usr/sbin
usr/share/man/man8
usr/share/doc/openvpn
usr/share/openvpn
-usr/lib/openvpn
usr/include/openvpn
+var/log/openvpn
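Review bot: var/log/openvpn is created through debian/dirs with default ownership and mode, and none of the maintainer script hunks in this change tighten it. The files the sample config now writes there (status file, ipp.txt, optional log) record client addresses and certificate common names, so consider setting a restrictive mode on the directory in postinst and documenting it in README.Debian.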
diff --git a/debian/openvpn.lintian-overrides b/debian/openvpn.lintian-overrides
new file mode 100644
index 0000000..91ae65a
--- /dev/null
+++ b/debian/openvpn.lintian-overrides
@@ -0,0 +1,4 @@
+# ChangeLog and Changes.rst are not the same.
+# ChangeLog contains the source changes and Changes.rst describes
+# the program development.
+duplicate-changelog-files
diff --git a/debian/openvpn@.service b/debian/openvpn@.service
index 53ff5a5..7f0134b 100644
--- a/debian/openvpn@.service
+++ b/debian/openvpn@.service
@@ -3,7 +3,7 @@ Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service
Before=systemd-user-sessions.service
-After=syslog.target network-online.target
+After=network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
@@ -15,6 +15,7 @@ PrivateTmp=true
WorkingDirectory=/etc/openvpn
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
+KillMode=process
ExecReload=/bin/kill -HUP $MAINPID
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
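Review bot: KillMode=process is added without a comment, and it changes what stopping this unit means: systemd signals only the main openvpn process and leaves any other processes in the unit's control group (helper scripts, plugin children) running. Add a comment in the unit or the changelog naming the child that has to survive, and check that nothing is left behind holding the tun device after systemctl stop.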
@@ -22,6 +23,8 @@ DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
+RestartSec=5s
+Restart=on-failure
[Install]
WantedBy=multi-user.target
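Review bot: Restart=on-failure with RestartSec=5s comes without a matching start rate limit. With the usual systemd default of 5 starts within 10 seconds, a 5 second delay keeps the unit below that threshold, so an instance with a broken config or a missing key will be restarted indefinitely and fill the journal. Consider setting StartLimitIntervalSec= and StartLimitBurst= in [Unit] so that a persistent failure ends in a failed state that monitoring can alert on.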
diff --git a/debian/patches/move_log_dir.patch b/debian/patches/move_log_dir.patch
new file mode 100644
index 0000000..4518461
--- /dev/null
+++ b/debian/patches/move_log_dir.patch
@@ -0,0 +1,41 @@
+Description: Set default logdir to /var/log/openvpn
+Author: Jörg Frings-Fürst <debian@jff-webhosting.net>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444431
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553303
+Forwarded: not-needed
+Last-Update: 2017-10-03
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: trunk/sample/sample-config-files/server.conf
+===================================================================
+--- trunk.orig/sample/sample-config-files/server.conf
++++ trunk/sample/sample-config-files/server.conf
+@@ -105,7 +105,7 @@ server 10.8.0.0 255.255.255.0
+ # is restarted, reconnecting clients can be assigned
+ # the same virtual IP address from the pool that was
+ # previously assigned.
+-ifconfig-pool-persist ipp.txt
++ifconfig-pool-persist /var/log/openvpn/ipp.txt
+
+ # Configure server mode for ethernet bridging.
+ # You must first use your OS's bridging capability
+@@ -284,7 +284,7 @@ persist-tun
+ # Output a short status file showing
+ # current connections, truncated
+ # and rewritten every minute.
+-status openvpn-status.log
++status /var/log/openvpn/openvpn-status.log
+
+ # By default, log messages will go to the syslog (or
+ # on Windows, if running as a service, they will go to
+@@ -293,8 +293,8 @@ status openvpn-status.log
+ # "log" will truncate the log file on OpenVPN startup,
+ # while "log-append" will append to it. Use one
+ # or the other (but not both).
+-;log openvpn.log
+-;log-append openvpn.log
++;log /var/log/openvpn/openvpn.log
++;log-append /var/log/openvpn/openvpn.log
+
+ # Set the appropriate level of log
+ # file verbosity.
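Review bot: ifconfig-pool-persist is moved to /var/log/openvpn/ipp.txt, but that file is persistent state (the client to address mapping), not a log; anything that prunes or rotates /var/log would make the server lose its assignments. /var/lib/openvpn would fit better, leaving /var/log/openvpn for the status and log files. The patch also only touches sample/sample-config-files/server.conf, so existing configurations keep their relative paths; README.Debian should say that the new directory applies to newly copied sample configs only.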
diff --git a/debian/patches/series b/debian/patches/series
index 50b527d..156ff6f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+move_log_dir.patch
auth-pam_libpam_so_filename.patch
debian_nogroup_for_sample_files.patch
openvpn-pkcs11warn.patch
diff --git a/debian/po/ca.po b/debian/po/ca.po
index 10ea58b..a671ef9 100644
--- a/debian/po/ca.po
+++ b/debian/po/ca.po
@@ -1,15 +1,15 @@
-# openvpn (debconf) translation to Catalan.
+# OpenVPN (debconf) translation to Catalan.
# Copyright (C) 2004 Free Software Foundation, Inc.
# Aleix Badia i Bosch <abadia@ica.es>, 2004
# Josep Lladonosa i Capell <jep@veinat.net>, 2004
-#
+# Alytidae <alytidae@riseup.net>, 2017
msgid ""
msgstr ""
-"Project-Id-Version: openvpn_1.5.0-2_templates\n"
+"Project-Id-Version: openvpn_2.4.3-4\n"
"Report-Msgid-Bugs-To: openvpn@packages.debian.org\n"
"POT-Creation-Date: 2011-05-10 17:48+0200\n"
-"PO-Revision-Date: 2004-04-08 20:24+0200\n"
-"Last-Translator: Aleix Badia i Bosch <abadia@ica.es>\n"
+"PO-Revision-Date: 2017-07-23 16:53+0200\n"
+"Last-Translator: Alytidae <alytidae@riseup.net>\n"
"Language-Team: Catalan <debian-l10n-catalan@lists.debian.org>\n"
"Language: ca\n"
"MIME-Version: 1.0\n"
@@ -20,7 +20,7 @@ msgstr ""
#. Description
#: ../templates:2001
msgid "Create the TUN/TAP device?"
-msgstr ""
+msgstr "Crear un dispositiu TUN/TAP?"
#. Type: boolean
#. Description
@@ -28,13 +28,14 @@ msgstr ""
msgid ""
"If you choose this option, the /dev/net/tun device needed by OpenVPN will be "
"created."
-msgstr ""
+msgstr "Si tries aquesta opció es crearà el dispositiu /dev/net/tun, que és "
+"necessari per a OpenVPN."
#. Type: boolean
#. Description
#: ../templates:2001
msgid "You should not choose this option if you're using devfs."
-msgstr ""
+msgstr "No hauries de triar aquesta opció si estàs utilitzant devfs."
#~ msgid "Would you like to start openvpn sooner?"
#~ msgstr "Voldríeu iniciar l'openvpn abans?"
diff --git a/debian/postinst b/debian/postinst
index 3776449..648e671 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -9,6 +9,25 @@ test $DEBIAN_SCRIPT_DEBUG && set -v -x
# use debconf
. /usr/share/debconf/confmodule
+#
+# POSIX-compliant shell function
+# to check for the existence of a command
+# Return 0 if found
+#
+pathfind() {
+ OLDIFS="$IFS"
+ IFS=:
+ for p in $PATH; do
+ if [ -x "$p/$*" ]; then
+ IFS="$OLDIFS"
+ return 0
+ fi
+ done
+ IFS="$OLDIFS"
+ return 1
+}
+
+
case "$1" in
configure)
db_get openvpn/create_tun || RET="false"
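Review bot: In pathfind(), the test [ -x "$p/$*" ] expands $* while IFS is still ":", so a call with more than one argument is joined with colons; use "$1", since the function checks a single command name. An empty PATH element also makes the test look at /name instead of skipping the entry. The same function is pasted into debian/prerm; a plain command -v invoke-rc.d >/dev/null in each script would avoid both the duplication and the IFS juggling.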
@@ -34,7 +53,8 @@ case "$1" in
esac
if [ -x "/etc/init.d/openvpn" ]; then
- if [ -x /usr/sbin/invoke-rc.d ]; then
+ pathfind invoke-rc.d
+ if [ $? = 0 ]; then
invoke-rc.d openvpn cond-restart || invoke-rc.d openvpn restart
else
/etc/init.d/openvpn cond-restart || /etc/init.d/openvpn restart
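Review bot: Calling pathfind invoke-rc.d as a separate statement and testing $? on the next line is fragile: if this script runs under set -e, as debian/prerm does, a non-zero return ends the script before the test and the /etc/init.d/openvpn fallback is never reached. Write it as if pathfind invoke-rc.d; then so the return value is consumed by the condition.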
diff --git a/debian/postrm b/debian/postrm
new file mode 100644
index 0000000..970a802
--- /dev/null
+++ b/debian/postrm
@@ -0,0 +1,23 @@
+#!/bin/sh
+set -e
+
+
+
+case "$1" in
+ purge|remove)
+
+#
+# remove obsolete directory
+# new at release 2.4.4-1
+#
+ if [ -d /usr/lib/openvpn ]; then
+ rmdir --ignore-fail-on-non-empty /usr/lib/openvpn
+ fi
+ ;;
+
+esac
+
+#DEBHELPER#
+
+exit 0
+
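Review bot: The cleanup of /usr/lib/openvpn sits under purge|remove, so it only runs when the package is removed; on the upgrade to 2.4.4-1, which is when the directory becomes obsolete, postrm is not called with either argument and the directory stays. If explicit cleanup is wanted, do it in postinst configure, guarded by a version check on $2. The comment block inside the case branch is also at column 0 while the code around it is indented; align it with the branch body.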
diff --git a/debian/prerm b/debian/prerm
index b888ef8..ec08b7b 100644
--- a/debian/prerm
+++ b/debian/prerm
@@ -7,14 +7,34 @@
set -e
test $DEBIAN_SCRIPT_DEBUG && set -v -x
+#
+# POSIX-compliant shell function
+# to check for the existence of a command
+# Return 0 if found
+#
+pathfind() {
+ OLDIFS="$IFS"
+ IFS=:
+ for p in $PATH; do
+ if [ -x "$p/$*" ]; then
+ IFS="$OLDIFS"
+ return 0
+ fi
+ done
+ IFS="$OLDIFS"
+ return 1
+}
+
+
stop_vpn () {
- if [ -x "/etc/init.d/openvpn" ]; then
- if [ -x /usr/sbin/invoke-rc.d ] ; then
- invoke-rc.d openvpn stop
- else
- /etc/init.d/openvpn stop
- fi
- fi
+ if [ -x "/etc/init.d/openvpn" ]; then
+ pathfind invoke-rc.d
+ if [ $? = 0 ]; then
+ invoke-rc.d openvpn stop
+ else
+ /etc/init.d/openvpn stop
+ fi
+ fi
}
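Review bot: set -e is in effect at the top of this script, so in stop_vpn() the bare pathfind invoke-rc.d line ends prerm when the command is not found and stop_vpn is called as a plain command; the else branch with /etc/init.d/openvpn stop becomes dead code and the package removal fails. Use if pathfind invoke-rc.d; then instead of testing $? on the following line. The body of stop_vpn() is also re-indented in the same hunk, which hides the two-line logic change; keep whitespace changes in a separate commit.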
diff --git a/debian/rules b/debian/rules
index c8c0dca..603d9a0 100755
--- a/debian/rules
+++ b/debian/rules
@@ -13,7 +13,7 @@ endif
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
%:
- dh $@ --with systemd
+ dh $@
override_dh_auto_configure:
-test -f tests/t_client.sh.not || mv tests/t_client.sh tests/t_client.sh.not