From ba0f62fb950c56a0f992b1f8269bdeac209d4e55 Mon Sep 17 00:00:00 2001
From: Gert Doering
Date: Tue, 19 Mar 2024 22:19:14 +0100
Subject: [PATCH] preparing release 2.6.10

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering
---
 ChangeLog | 32 ++++++++++++++++++++++++++++++++
 Changes.rst | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 version.m4 | 2 +-
 3 files changed, 84 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 5710b8ade..c0c06ffb4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,38 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2024 OpenVPN Inc
+2024.03.20 -- Version 2.6.10
+
+Christoph Schug (1):
+ Update documentation references in systemd unit files
+
+Frank Lichtenheld (6):
+ Fix typo --data-cipher-fallback
+ samples: Remove tls-*.conf
+ check_compression_settings_valid: Do not test for LZ4 in LZO check
+ t_client.sh: Allow to skip tests
+ Update Copyright statements to 2024
+ GHA: general update March 2024
+
+Lev Stipakov (4):
+ win32: Enforce loading of plugins from a trusted directory
+ interactive.c: disable remote access to the service pipe
+ interactive.c: Fix potential stack overflow issue
+ Disable DCO if proxy is set via management
+
+Martin Rys (1):
+ openvpn-[client|server].service: Remove syslog.target
+
+Max Fillinger (1):
+ Remove license warning from README.mbedtls
+
+Selva Nair (1):
+ Document that auth-user-pass may be inlined
+
+wellweek (1):
+ remove repetitive words in documentation and comments
+
+
 2024.02.11 -- Version 2.6.9
 Arne Schwabe (15):
diff --git a/Changes.rst b/Changes.rst
index 5b8d0c0da..029c80765 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -1,3 +1,54 @@
+Overview of changes in 2.6.10
+=============================
+Security fixes
+--------------
+- CVE-2024-27459: Windows: fix a possible stack overflow in the
+ interactive service component which might lead to a local privilege
+ escalation.
+ Reported-by: Vladimir Tokarev
+
+- CVE-2024-24974: Windows: disallow access to the interactive service
+ pipe from remote computers.
+ Reported-by: Vladimir Tokarev
+
+- CVE-2024-27903: Windows: disallow loading of plugins from untrusted
+ installation paths, which could be used to attack openvpn.exe via
+ a malicious plugin. Plugins can now only be loaded from the OpenVPN
+ install directory, the Windows system directory, and possibly from
+ a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir.
+ Reported-by: Vladimir Tokarev
+
+Bug fixes
+---------
+- Windows: if the win-dco driver is used (default) and the GUI requests
+ use of a proxy server, the connection would fail. Disable DCO in
+ this case. (Github: #522)
+
+- Compression: minor bugfix in checking option consistency vs. compiled-in
+ algorithm support
+
+- systemd unit files: remove obsolete syslog.target
+
+User visible changes
+--------------------
+- Update copyright notices to 2024
+
+New features
+------------
+- t_client.sh can now run pre-tests and skip a test block if needed
+ (e.g. skip NTLM proxy tests if SSL library does not support MD4)
+
+Documentation
+-------------
+- remove license warnings about mbedTLS linking (README.mbedtls)
+
+- update documentation references in systemd unit files
+
+- sample config files: remove obsolete tls-*.conf files
+
+- document that auth-user-pass may be inlined
+
+
 Overview of changes in 2.6.9
 ============================
diff --git a/version.m4 b/version.m4
index 7525788b6..fbe6bc981 100644
--- a/version.m4
+++ b/version.m4
@@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [6])
-define([PRODUCT_VERSION_PATCH], [.9])
+define([PRODUCT_VERSION_PATCH], [.10])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
--
2.47.3