preparing release 2.6.14

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/ChangeLog b/ChangeLog
index a5dfa3704faf0c21021efedd385590b499be1ea6..8948b7e1d36450e884e062c65feab5b6536c5b45 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,20 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
 
+2025.04.02 -- Version 2.6.14
+
+Arne Schwabe (1):
+      Allow tls-crypt-v2 to be setup only on initial packet of a session
+
+Frank Lichtenheld (3):
+      GHA: Drop Ubuntu 20.04 and other maintenance (2.6)
+      crypto_backend: fix type of enc parameter
+      Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+
+
+Qingfang Deng (1):
+      dco: fix source IP selection when multihome
+
+
 2025.01.15 -- Version 2.6.13
 
 Arne Schwabe (2):

diff --git a/Changes.rst b/Changes.rst
index ab2b047d148ac80fa61db06d4ab2cd89b86d9e45..b7aeeac4bf5e04f24121e931c950fe57c61dad27 100644 (file)
--- a/Changes.rst
+++ b/Changes.rst
@@ -1,3 +1,40 @@
+Overview of changes in 2.6.14
+=============================
+Security fixes
+--------------
+- CVE-2025-2704 fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2
+
+  Security scope: OpenVPN servers between 2.6.1 and 2.6.13 using
+  --tls-crypt-v2 can be made to abort with an ASSERT() message by
+  sending a particular combination of authenticated and malformed packets.
+
+  To trigger the bug, a valid tls-crypt-v2 client key is needed, or
+  network observation of a handshake with a valid tls-crypt-v2 client key
+
+  No crypto integrity is violated, no data is leaked, and no remote
+  code execution is possible.
+
+  This bug does not affect OpenVPN clients.
+
+  (Bug found by internal QA at OpenVPN Inc)
+
+
+Code maintenance
+----------------
+- fix compatibility with mbedTLS 2.28.10+ and 3.6.3+: security "hardening"
+  on the mbedTLS side (adding verification of the server certificate
+  *hostname* inside mbedTLS) broke OpenVPN, as OpenVPN does not use
+  hostname-based verification.  Disable mbedTLS "feature".
+
+- fix compilation warnings for mbedTLS builds related to "enc"
+  enum/integer mismatch.
+
+- Github Action builds: drop Ubuntu 20.04 builds, upgrade various packages
+
+Bug fixes
+---------
+- Linux DCO: repair source IP selection for --multihome (Qingfang Deng)
+
 Overview of changes in 2.6.13
 =============================
 New features

diff --git a/version.m4 b/version.m4
index ea3a7e4de1f433d306ddd65f1da7415250fc36ff..518fc67c9bd43ddc0fd0245c2b4586c9e1bb39e6 100644 (file)
--- a/version.m4
+++ b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [6])
-define([PRODUCT_VERSION_PATCH], [.13])
+define([PRODUCT_VERSION_PATCH], [.14])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,6,13,0])
+define([PRODUCT_VERSION_RESOURCE], [2,6,14,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])