OpenVPN ChangeLog
Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
+2024.02.11 -- Version 2.6.9
+
+Arne Schwabe (15):
+ Remove unused function prototype crypto_adjust_frame_parameters
+ Log SSL alerts more prominently
+ Document tls-exit option mainly as test option
+ Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway
+ Fix check_session_buf_not_used using wrong index
+ Add missing check for nl_socket_alloc failure
+ Add check for nice in cmake config
+ Remove compat versionhelpers.h and remove cmake/configure check for it
+ Extend the error message when TLS 1.0 PRF fails
+ Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
+ Check PRF availability on initialisation and add --force-tls-key-material-export
+ Make it more explicit and visible when pkg-config is not found
+ Clarify that the tls-crypt-v2-verify has a very limited env set
+ Implement the --tls-export-cert feature
+ Remove conditional text for Apache2 linking exception
+
+David Sommerseth (2):
+ Remove --tls-export-cert
+ Remove superfluous x509_write_pem()
+
+Frank Lichtenheld (14):
+ sample-keys: renew for the next 10 years
+ GHA: clean up libressl builds with newer libressl
+ configure.ac: Remove unused AC_TYPE_SIGNAL macro
+ documentation: remove reference to removed option --show-proxy-settings
+ unit_tests: remove includes for mock_msg.h
+ documentation: improve documentation of --x509-track
+ NTLM: add length check to add_security_buffer
+ NTLM: increase size of phase 2 response we can handle
+ proxy-options.rst: Add proper documentation for --http-proxy-user-pass
+ buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0'
+ --http-proxy-user-pass: allow to specify in either order with --http-proxy
+ README.cmake.md: Document minimum required CMake version for --preset
+ documentation: Update and fix documentation for --push-peer-info
+ documentation: Fixes for previous fixes to --push-peer-info
+
+Gert Doering (4):
+ OpenBSD: repair --show-gateway
+ get_default_gateway() HWADDR overhaul
+ fix uncrustify complaints about previous patch
+ preparing release 2.6.9
+
+Kristof Provost (1):
+ dco-freebsd: dynamically re-allocate buffer if it's too small
+
+Lev Stipakov (1):
+ tun.c: don't attempt to delete DNS and WINS servers if they're not set
+
+Marc Becker (1):
+ vcpkg-ports/pkcs11-helper: bump to version 1.30
+
+Max Fillinger (4):
+ Add support for mbedtls 3.X.Y
+ Update README.mbedtls
+ Disable TLS 1.3 support with mbed TLS
+ Enable key export with mbed TLS 3.x.y
+
+Reynir Bjoernsson (1):
+ protocol_dump: tls-crypt support
+
+Steffan Karger (1):
+ Fix IPv6 route add/delete message log level
+
+yatta (1):
+ fix(ssl): init peer_id when init tls_multi
+
+
2023.11.17 -- Version 2.6.8
Aquila Macedo (1):
+Overview of changes in 2.6.9
+============================
+
+Security fixes
+--------------
+- Windows Installer: fix CVE 2023-7235 where installing to a non-default
+ directory could lead to a local privilege escalation.
+ Reported by Will Dormann <will.dormann@analygence.com>.
+
+New features
+------------
+- add support for building with mbedTLS 3.x.x
+
+- new option "--force-tls-key-material-export" to only accept clients
+ that can do TLS keying material export to generate session keys
+ (mostly an internal option to better deal with TLS 1.0 PRF failures).
+
+- Windows: bump vcpkg-ports/pkcs11-helper to 1.30
+
+- Log incoming SSL alerts in easier to understand form and move logging
+ from "--verb 8" to "--verb 3".
+
+- protocol_dump(): add support for printing "--tls-crypt" packets
+
+
+User visible changes
+--------------------
+- license change is now complete, and all code has been re-licensed
+ under the new license (still GPLv2, but with new linking exception
+ for Apache2 licensed code). See COPYING for details.
+
+ Code that could not be re-licensed has been removed or rewritten.
+
+- the original code for the "--tls-export-cert" feature has been removed
+ (due to the re-licensing effort) and rewritten without looking at the
+ original code. Feature-compatibility has been tested by other developers,
+ looking at both old and new code and documentation, so there *should*
+ not be a user-visible change here.
+
+- IPv6 route addition/deletion are now logged on the same level (3) as
+ for IPv4. Previously IPv6 was always logged at "--verb 1".
+
+- better handling of TLS 1.0 PRF failures in the underlying SSL library
+ (e.g. on some FIPS builds) - this is now reported on startup, and
+ clients before 2.6.0 that can not use TLS EKM to generate key material
+ are rejected by the server. Also, error messages are improved to see
+ what exactly failed.
+
+- packaged sample-keys renewed (old keys due to expire in October 2024)
+
+
+Bug fixes / Code cleanup
+------------------------
+- Windows GUI: always update tray icon on state change (Github: #669)
+ (for persistent connection profiles, "connecting" state would not show)
+
+- FreeBSD: for servers with multiple clients, reporting of peer traffic
+ statistics would fail due to insufficient buffer space (Github: #487)
+
+- make interaction between "--http-proxy-user-pass" and "--http-proxy"
+ more consistent
+
+- doc: improve documentation on "--http-proxy-user-pass"
+
+- doc: improve documentation for IV_ variables and IV_PROTO bits
+
+- doc: improve documentation on CMake requirements
+
+- fix various coverity-reported complains (signed/unsigned comparison etc),
+ none of them actual bugs
+
+- NTLMv2: increase phase 2 buffers so things actually work
+
+- NTLM: add extra buffer size verification checks
+
+- doc: improve documentation on "--tls-crypt-v2-verify"
+
+- autoconf on Linux: improve error reporting for missing libraries - in
+ case the problem came due to missing "pkg-config" the previous error
+ was misleading. Now clearly report that Linux builds require "pkg-config"
+ and abort if not found.
+
+- MacOS X: fix "undefined behaviour" found by UBSAN in get_default_gateway()
+ (IV_HWADDR), using getifaddrs(3) instead of old and convoluted
+ SIOCGIFCONF API.
+
+- OpenSolaris: correctly implement get_default_gateway() (IV_HWADDR), using
+ SIOCGIFHWADDR instead of SIOCGIFCONF API.
+
+- OpenBSD: work around route socket issue in get_default_gateway()
+ ("--show-gateway") where RA_IFP must not be set on the query message,
+ otherwise kernel will return EINVAL.
+
+- doc: improve documentation of --x509-track
+
+- bugfix: in UDP mode when exceeding "--max-clients", OpenVPN would
+ incorrectly close the connection to "peer-id 0". Fix by correctly
+ initializing peer_id with MAX_PEER_ID.
+
+- Windows: do not attempt to delete DNS or WINS servers if they are not set
+
+- configure: get rid of AC_TYPE_SIGNAL macro (unused)
+
+- Linux DCO: add missing check for nl_socket_alloc() failure
+
+- bugfix: check_session_buf_not_used() was not working as planned
+
+- remove dead test code for TEST_GET_DEFAULT_GATEWAY (use "--show-gateway")
+
+- doc: better document "--tls-exit" option
+
+- Github Actions: clean up LibreSSL builds
+
+
+
Overview of changes in 2.6.8
============================
DCO/Linux robustness fixes.
DCO/Linux TCP crashbug (recvfrom(-1) endless loop) worked around - root
- cause has not been found, but the condition is detected and the
+ cause has not been found, but the condition is detected and the
offending client is removed, instead of crashing the server.
Rename internal TLS state TM_UNTRUSTED to TM_INITIAL, always start new
define([PRODUCT_TARNAME], [openvpn])
define([PRODUCT_VERSION_MAJOR], [2])
define([PRODUCT_VERSION_MINOR], [6])
-define([PRODUCT_VERSION_PATCH], [.8])
+define([PRODUCT_VERSION_PATCH], [.9])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,6,8,0])
+define([PRODUCT_VERSION_RESOURCE], [2,6,9,0])
dnl define the TAP version
define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
projects / thirdparty / openvpn.git / commitdiff
