From 0fb5a00549be6b065f9a4d61940ee06786d9fa61 Mon Sep 17 00:00:00 2001
From: Gert Doering
Date: Wed, 24 Sep 2025 22:35:52 +0200
Subject: [PATCH] OpenVPN Release 2.7_beta2

version.m4, ChangeLog, Changes.rst

Changes.rst has not received a "2.7_beta2" section - it has the "highlevel"
overview of what is new in 2.7, but for alpha/beta releases it's better to
look at git log to see what has been added/fixed.

Notable changes beta1 -> beta2 are:

- even more signed/unsigned related warnings have been fixed
- #pragmas have been added to all to-be-fixed source files, so we can now
  always enable -Wconversion to see if new code brings new warnings (and
  the CI infra builds with -Werror)
- add proper input sanitation to DNS strings to prevent an attack coming
  from a trusted-but-malicious OpenVPN server (CVE: 2025-10680, affects
  unixoid systems with --dns-updown scripts and Windows using the
  built-in powershell call)
- greatly improved event log handling for the Windows interactive service
  - this brings build system changes and a new openvpnservmsg.dll
- bugfixes when using multi-socket on Windows (properly recognize that
  TCP server mode does not work with DCO, properly handle TCP multi-socket
  server setups without DCO)
- bring back configuring of IPv4 broadcast addresses on Linux (also
  backported to 2.6.15)
- Rename Fox Crypto to Sentyron in copyright notices
- Switch test_ssl certificate from RSA 2048 to secp384r1 (so "make check"
  runs with OpenSSL set to @SECLEVEL=3)
- repair "--dhcp-option DNS" setting in combination with DHCP (TAP) or
  --up scripts (GH issue #839, #840)
- clean up MI prefix handling
- replace all assert() calls with OpenVPN ASSERT()
---
 ChangeLog   | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 Changes.rst | 13 ++++++++++++
 version.m4  |  2 +-
 3 files changed, 74 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index f89c784cb..5cb6d17ba 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,66 @@ OpenVPN ChangeLog Copyright (C) 2002-2025 OpenVPN Inc +2025.09.25 -- Version 2.7_beta2 + +Antonio Quartulli (1): + dco: add standard mi prefix handling to multi_process_incoming_dco() + +Arne Schwabe (1): + Switch test_ssl certificate from RSA 2048 to secp384r1 + +Frank Lichtenheld (22): + openvpn_PRF: Change API to use size_t for lengths + ssl_common: Make sure ssl flags are treated as unsigned + options: Factor out usages of strtoll and atoll + ps: Clean up conversion warnings in journal_add function + events: Make sure rwflags are treated as unsigned + manage: Change command_line_* API to use size_t for lengths + Introduce msglvl_t to unify msglevel type handling + socket: Change resolve flags to unsigned int + list: Make types of hash elements consistent + ssl: Fix -Wconversion warnings in pem_password_callback + ssl_verify: Change backend_x509_* functions to size_t for lengths + Handle return type of EVP_MD_size + Clean up conversion warnings related to base64_{en, de}code + configure.ac: Make ACL_CHECK_ADD_COMPILE_FLAGS append instead of prepend + Enable a subset of -Wextra + socks: factor out socks_proxy_recv_char() + multi_io_init: simplify + dns: Fix bug in error handling when talking to script + Enable -Wconversion -Wno-sign-conversion by default + Make unit tests -Wconversion clean + ps: Fix conversion warnings related to send/recv return values + event: Silence conversion warning in tv_to_ms_timeout + +Gert Doering (5): + replace assert() calls with ASSERT() + remove newline characters at the end of msg() calls + dev-tools/gerrit-send-mail.py: include Gerrit URL into the commit message + fix building of openvpnsrvmsg.dll from eventmsg.mc in mingw builds + Fix t_net.sh / networking_testdriver after 'broadcast' change + +Gianmarco De Gregori (2): + Multi-socket win: avoid repeated socket_set() + Fix multi-socket and dco-win interaction + +Lev Stipakov (5): + Preserve --dhcp-option values from local config + win: replace wmic invocation 
with powershell + openvpnserv: Fix writing messages to the event log + GHA: collect more artifacts for mingw builds + Validate DNS parameters + +Marco Baffo (1): + push-update-server: comment about buf_string_compare_advance() usage in send_single_push_update() + +Max Fillinger (1): + Rename Fox Crypto to Sentyron in copyright notices + +Sebastian Marsching (1): + Bugfix: Set broadcast address on interface. + + 2025.09.04 -- Version 2.7_beta1 Arne Schwabe (1): diff --git a/Changes.rst b/Changes.rst index e27294ece..a8b160587 100644 --- a/Changes.rst +++ b/Changes.rst @@ -45,6 +45,9 @@ Windows network adapters are now generated on demand Windows automatic service now runs as an unpriviledged user All tasks that need privileges are now delegated to the interactive service. + **NOTE** this has the risk of breaking existing setups if the + Windows certificate store is used (cryptoapi), and the certificates + are not readable for ``NT SERVICE\OpenVPNService``. Support for new version of Linux DCO module OpenVPN DCO module is moving upstream and being merged into the @@ -148,6 +151,8 @@ Two new environment variables have been introduced to communicate desired ``route_redirect_gateway_ipv4`` and ``route_redirect_gateway_ipv6``. See the "Environmental Variables" section in the man page +Improved logging of service events/errors to event log on Windows. + Deprecated features ------------------- 
@@ -265,6 +270,14 @@ User-visible Changes to ``clang-format``. This reformatted quite a bit of code, and requires that regular committers change their pre-commit checks accordingly. +- on Linux, on interfaces where applicable, OpenVPN explicitly configures + the broadcast address again. This was dropped for 2.6.0 "because + computers are smart and can do it themselves", but the kernel netlink + interface isn't, and will install "0.0.0.0". This does not normally + matter, but for broadcast-based applications that get the address to + use from "ifconfig", this change repairs functionality (this has + been backported to 2.6.15, but is not in earlier 2.6 versions). + Overview of changes in 2.6 ========================== diff --git a/version.m4 b/version.m4 index 8594535e5..3b889b2e8 100644 --- a/version.m4 +++ b/version.m4 @@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [7]) -define([PRODUCT_VERSION_PATCH], [_beta1]) +define([PRODUCT_VERSION_PATCH], [_beta2]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) -- 2.47.3
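Review bot: in the ChangeLog hunk, the security fix that the commit message ties to CVE-2025-10680 appears only as the bare git subject "Validate DNS parameters" (Lev Stipakov), so anyone grepping the ChangeLog or Changes.rst for the CVE identifier will not find it; since the ChangeLog lines are generated from git subjects, the place to add a traceable line is Changes.rst (for example under "User-visible Changes": "DNS option values pushed by the server are now validated before being passed to --dns-updown scripts or the Windows PowerShell call (CVE-2025-10680)"). In the same hunk the entry "fix building of openvpnsrvmsg.dll from eventmsg.mc in mingw builds" spells the DLL differently from the commit message's "openvpnservmsg.dll"; one of the two is wrong and the commit message should be checked against the actual build artifact name.

Review bot: the new NOTE in the first Changes.rst hunk (the "NT SERVICE\OpenVPNService" paragraph) tells the reader what will break when the automatic service no longer runs as SYSTEM, but not how to repair it; a trailing sentence along the lines of "grant read access on the certificate's private key to NT SERVICE\OpenVPNService (certificate MMC, 'Manage Private Keys'), or move the certificate to a store that user can read" would save most affected users a support round-trip. The surrounding context line "runs as an unpriviledged user" also carries a typo (unprivileged) that could be fixed while this paragraph is being touched.

Review bot: the one-line addition "Improved logging of service events/errors to event log on Windows." in the second Changes.rst hunk omits the part packagers need: the commit message says this change introduces a new openvpnservmsg.dll, which installers must ship alongside the service for event-log messages to render, and the neighbouring entries in this section each explain their change in a short paragraph rather than a single line. Suggest extending it to name the new DLL and the fact that it is required by the interactive service's event source.

Review bot: "on interfaces where applicable" in the third Changes.rst hunk (the broadcast-address bullet) is vague for a user-visible change; the commit message is more specific ("configuring of IPv4 broadcast addresses on Linux"), so the bullet should say "IPv4 broadcast address" and name the interface types or topologies for which it is now set again, matching the underlying commit "Bugfix: Set broadcast address on interface." Readers diagnosing broadcast-based applications will otherwise not know whether their tun or tap setup is covered.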
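The commit message's bullet on "proper input sanitation to DNS strings" (the fix for CVE-2025-10680, listed in the ChangeLog hunk as "Validate DNS parameters") describes the class of fix, but the validation itself is not on this page. The following is an added example, not OpenVPN's own code, of the strict allow-list check a practitioner would put in front of any DNS value pushed by a peer before that value reaches a --dns-updown script environment or a PowerShell command line. The function names dns_domain_ok, dns_server_ok and dns_value_ok and the sample values in main() are made up for this page; what it demonstrates is that a whitelist grammar (LDH hostnames, literal IP addresses) rejects shell and PowerShell metacharacters as a side effect, instead of trying to escape them.

```c
/* Added example, not OpenVPN's own code: strict validation of DNS option
 * values (search domains, server addresses) received from a peer before
 * they are interpolated into a script environment or a shell/PowerShell
 * command line.  Function names and sample inputs are made up for this page. */
#include <arpa/inet.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Accept only ASCII letters, digits and '-' (no locale-dependent isalnum). */
static bool ldh_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
        || (c >= '0' && c <= '9') || c == '-';
}

/* Search domain / hostname: LDH labels of 1..63 bytes, no leading or
 * trailing '-', at most 253 bytes total, optional single trailing dot.
 * Anything else (spaces, quotes, ';', '$', '|', non-ASCII) is rejected,
 * which is what keeps a pushed value from becoming shell or PowerShell
 * syntax when a script builds a command line from it. */
bool dns_domain_ok(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 253) {
        return false;
    }
    size_t label = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            /* empty label ("a..b", leading dot) or a label ending in '-' */
            if (label == 0 || s[i - 1] == '-') {
                return false;
            }
            label = 0;
            continue;
        }
        if (!ldh_char(c) || (label == 0 && c == '-')) {
            return false;
        }
        if (++label > 63) {
            return false;
        }
    }
    /* the last label (when there is no trailing dot) must not end in '-' */
    return label == 0 || s[len - 1] != '-';
}

/* DNS server address: must parse as a literal IPv4 or IPv6 address.
 * inet_pton() rejects trailing garbage, so "8.8.8.8 $(id)" fails here,
 * and so does a zone-id suffix such as "fe80::1%eth0". */
bool dns_server_ok(const char *s)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Validate one pushed DNS value by kind; unknown kinds fail closed so a
 * new option type cannot reach a script until a checker exists for it. */
bool dns_value_ok(const char *kind, const char *value)
{
    if (strcmp(kind, "domain") == 0) {
        return dns_domain_ok(value);
    }
    if (strcmp(kind, "server") == 0) {
        return dns_server_ok(value);
    }
    return false;
}

int main(void)
{
    /* constructed samples: legitimate values next to injection-shaped ones */
    static const struct { const char *kind, *value; } samples[] = {
        { "domain", "corp.example.com" },
        { "domain", "example.com; rm -rf /" },
        { "domain", "example.com\"; Start-Process calc; \"" },
        { "server", "10.0.0.53" },
        { "server", "2001:db8::53" },
        { "server", "8.8.8.8 $(id)" },
        { "search", "example.com" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-6s %-40s %s\n", samples[i].kind, samples[i].value,
               dns_value_ok(samples[i].kind, samples[i].value) ? "ok" : "REJECT");
    }
    return 0;
}
```

The check is deliberately stricter than what DNS itself permits (underscored or internationalised names are refused) because the values are destined for a command line, not a resolver; a deployment that needs those can widen the grammar, but it should still never fall back to escaping a rejected string.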