preparing release 2.6.13

version.m4, ChangeLog, Changes.rst

diff --git a/ChangeLog b/ChangeLog
index df1e2eea1272dcebe00fc2680c4f3003fce66f1b..a5dfa3704faf0c21021efedd385590b499be1ea6 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,47 @@
 OpenVPN ChangeLog
-Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
+Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
+
+2025.01.15 -- Version 2.6.13
+
+Arne Schwabe (2):
+      Refuse clients if username or password is longer than USER_PASS_LEN
+      Improve peer fingerprint documentation
+
+Ben Boeckel (1):
+      console_systemd: remove the timeout when using 'systemd-ask-password'
+
+Frank Lichtenheld (5):
+      Fix missing spaces in various messages
+      GHA: Update macOS runners
+      GHA: Simplify macOS builds
+      Various typo fixes
+      forward: Fix potential unaligned access in drop_if_recursive_routing
+
+Gert Doering (2):
+      send uname() release as IV_PLAT_VER= on non-windows versions
+      preparing release 2.6.13
+
+Gianmarco De Gregori (1):
+      Route: remove incorrect routes on exit
+
+Lev Stipakov (1):
+      Use a more robust way to get dco-win version
+
+Ralf Lici (1):
+      Fix check_addr_clash argument order
+
+Rémi Farault (1):
+      Add calls to nvlist_destroy to avoid leaks
+
+Selva Nair (3):
+      proxy.c: Clear sensitive data after use
+      Protect cached username, password and token on client
+      Fix more of uninitialized struct user_pass local vars
+
+corubba (2):
+      Fix IPv6 in port-share journal
+      Fix port-share journal doc
+
 
 2024.07.17 -- Version 2.6.12
 

diff --git a/Changes.rst b/Changes.rst
index 3d5ec7636358043455289e6e9999f83ef642b9c1..ab2b047d148ac80fa61db06d4ab2cd89b86d9e45 100644 (file)
--- a/Changes.rst
+++ b/Changes.rst
@@ -1,3 +1,70 @@
+Overview of changes in 2.6.13
+=============================
+New features
+------------
+- on non-windows clients (MacOS, Linux, Unix) send "release" string from
+  uname() call as IV_PLAT_VER= to server - while highly OS specific this
+  is still helpful to keep track of OS versions used on the client side
+  (GH #637)
+
+- Windows: protect cached username, password and token in client memory
+  (using the CryptProtectMemory() windows API
+
+- Windows: use new API to get dco-win driver version from driver
+  (newly introduced non-exclusive control device)  (GH: ovpn-dco-win #76)
+
+- Linux: pass --timeout=0 argument to systemd-ask-password, to avoid
+  default timeout of 90 seconds ("console prompting also has no timeout")
+  (GH #649)
+
+
+Bug fixes
+---------
+- fix potentially unaligned access in drop_if_recursive_routing on
+  Linux (ASAN)
+
+- correct documentation for port-share journal
+
+- fix logging of IPv6 addresses in port-share journal
+
+- fix various typos in messages, documentation, comments and examples
+  (GH #442, GH #644)
+
+- FreeBSD DCO: fix memory leaks in nvlist handling (GH #636)
+
+- route handling: correctly handle case of "route installation fails"
+  in the face of an already-existing route - previously, OpenVPN would
+  remove the "other" route on exit, incorrectly changing system state.
+
+- fix generation of warning messages for overlapping --local/--remote
+  and --ifconfig addresses
+
+- purge proxy authentication credentials from memory after use
+  (if --auth-nocache is in use)
+
+- fix missing space in various (long and wrapped) msg() calls
+
+
+Code maintenance
+----------------
+- improve documentation/examples for <peer-fingerprint> feature
+
+- simplify Github Action macOS build setup
+
+- update Github Action macOS runners (remove macOS 12, add macOS 15)
+
+- fix a number of uninitialized "struct user_pass" local variables
+  (no impact beyond "compiler warning", but future-proofing the code)
+
+
+Security fixes
+--------------
+- improve server-side handling of clients sending usernames or passwords
+  longer than USER_PASS_LEN - this would not result in a crash, buffer
+  overflow or other security issues, but the server would then misparse
+  incoming IV_* variables and produce misleading error messages.
+
+
 Overview of changes in 2.6.12
 =============================
 Bug fixes

diff --git a/version.m4 b/version.m4
index a15077b6b186f887b21a7d2b24aad9d4e4659c3a..ea3a7e4de1f433d306ddd65f1da7415250fc36ff 100644 (file)
--- a/version.m4
+++ b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [6])
-define([PRODUCT_VERSION_PATCH], [.12])
+define([PRODUCT_VERSION_PATCH], [.13])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,6,12,0])
+define([PRODUCT_VERSION_RESOURCE], [2,6,13,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])