From: Gert Doering Date: Sun, 21 Sep 2025 13:50:10 +0000 (+0200) Subject: preparing release 2.6.15 X-Git-Tag: v2.6.15^0 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=90bdd59a95170169585a171d4993ba0b1851a3f9;p=thirdparty%2Fopenvpn.git preparing release 2.6.15 version.m4, ChangeLog, Changes.rst Signed-off-by: Gert Doering --- diff --git a/ChangeLog b/ChangeLog index 8948b7e1d..9627b552c 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,6 +1,55 @@ OpenVPN ChangeLog Copyright (C) 2002-2025 OpenVPN Inc +2025.09.22 -- Version 2.6.15 + +Antonio Quartulli (1): + dco: add standard mi prefix handling to multi_process_incoming_dco() + +Arne Schwabe (1): + Check message id/acked ids too when doing sessionid cookie checks + +Frank Lichtenheld (6): + GHA: Pin version of CMake for MinGW build + GHA: Dependency and Actions update April 2025 (2.6) + GHA: Update dependencies July 2025 (2.6) + Fix compiler warning in reliable.c with --disable-debug + dco linux: avoid redefining ovpn enums (2.6) + Update text of GPL to latest version from FSF + +Gert Doering (7): + unit_tests/plugins/auth-pam: fix stdint.h related build error on fedora 42 + Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file + replace assert() calls with ASSERT() + remove newline characters at the end of msg() calls + fix building of openvpnsrvmsg.dll from eventmsg.mc in mingw builds + Fix t_net.sh / networking_testdriver after 'broadcast' change + preparing release 2.6.15 + +Klemens Nanni (1): + Fix tmp-dir documentation + +Kristof Provost (1): + dco: support float notifications on FreeBSD + +Lev Stipakov (6): + dco-win: Ensure correct OVERLAPPED scope + win: replace wmic invocation with powershell + openvpnserv: Fix writing messages to the event log + Validate DNS domain name before powershell invocation + Makefile: fix 'make dist' + GHA: collect more artifacts for mingw builds + +Ralf Lici (1): + dco: backport OS-independent part of peer float support + +Sebastian Marsching (1): + Bugfix: Set broadcast address on interface. + +rein.vanbaaren (1): + Fix MBEDTLS_DEPRECATED_REMOVED build errors + + 2025.04.02 -- Version 2.6.14 Arne Schwabe (1): diff --git a/Changes.rst b/Changes.rst index b7aeeac4b..df9cf8903 100644 --- a/Changes.rst +++ b/Changes.rst 
@@ -1,3 +1,73 @@ +Overview of changes in 2.6.15 +============================= +New features / User visible changes +----------------------------------- +- on Windows, do not use "wmic.exe" any longer to set DNS search domain + (discontinued by Microsoft), use "powershell" fragment instead. + +- on Windows, logging to the windows event log has been improved + (and logging of GetLastError() strings repaired). To make this work, + a new "openvpnmsgserv.dll" library is now installed and registered. + +- DNS domain names are now strictly validated with a positive-list of + allowed characters (including UTF-8 high-bit-set bytes) before being + handed to powershell. + +- Apply more checks to incoming TLS handshake packets before creating + new state - namely, verify message ID / acked ID for "valid range for + an initial packet". This fixes a problem with clients that float + very early but send control channel packet from the pre-float IP + (Github: OpenVPN/openvpn#704), backported from 2.7_beta1. + +- backport handling of client float notifications on FreeBSD 14/STABLE DCO + (see https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289303) + +- update GPL license text to latest version from FSF + +- on Linux, on interfaces where applicable, OpenVPN explicitly configures + the broadcast address again. This was dropped for 2.6.0 "because + computers are smart and can do it themselves", but the kernel netlink + interface isn't, and will install "0.0.0.0". This does not normally + matter, but for broadcast-based applications that get the address to + use from "ifconfig", this change repairs functionality. 
+ + +Code maintenance +---------------- +- remove a few extra newline characters at the end of rarely-seen log lines + +- replace assert() calls in the code with OpenVPN ASSERT() calls + (not subject to -DNDEBUG, plus better logging on the actual cause) + +- remove "dh 20248.pem" from all sample configurations, remove "dh2048.pem" + file from source tree - OpenSSL 3.5 Seclevel=3 considers this "not + secure enough" and OpenVPN has not needed an explit DH file in a long while. + +- properly handle "old Linux DCO" enum definitions conflicting with + "new Linux DCO" kernel headers (uapi/linux/if_link.h) + +- fix stdint.h related build errors on Fedora 42 + +- GHA: update dependencies, pin CMake version + +- fix MBEDTLS_DEPRECATED_REMOVED build errors (improve compatibility with + recent versions of mbedTLS) + + +Documentation Updates +--------------------- +- improve ``--tmp-dir`` documentation + + +Bugfixes +-------- +- dco-win: fix a possible "out of scope" access on access to the + "OVERLAPPED" Structure (backport of master commit f60a493) + +- bring back configuring of broadcast address on Linux tun/tap interface + (see above) + + Overview of changes in 2.6.14 ============================= Security fixes diff --git a/version.m4 b/version.m4 index 518fc67c9..885539104 100644 --- a/version.m4 +++ b/version.m4 
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [6]) -define([PRODUCT_VERSION_PATCH], [.14]) +define([PRODUCT_VERSION_PATCH], [.15]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net]) -define([PRODUCT_VERSION_RESOURCE], [2,6,14,0]) +define([PRODUCT_VERSION_RESOURCE], [2,6,15,0]) dnl define the TAP version define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
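Review bot: in the ChangeLog hunk the new heading is dated "2025.09.22" while the commit itself is dated 21 Sep 2025; confirm that 22 September is the intended release date before the v2.6.15 tag is pushed, since this line is what downstream packagers will quote.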
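Review bot: in the Changes.rst hunk, "Code maintenance" has two typos in the DH entry: "dh 20248.pem" should read "dh dh2048.pem" (the form the ChangeLog entry uses) and "explit" should be "explicit". The Windows event-log entry names the new library "openvpnmsgserv.dll", while the ChangeLog commit subject in this same patch calls it "openvpnsrvmsg.dll"; use whichever name is actually installed and registered, so that administrators searching for the file find it. The DNS-name validation entry describes filtering input before it is handed to powershell but is filed under "New features / User visible changes"; if it addresses an injection concern rather than being pure hardening, say so explicitly, as the 2.6.14 section just below has a "Security fixes" heading for that purpose.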