From f588592ee6c6323b9674f470054e1638182c5b71 Mon Sep 17 00:00:00 2001
From: Gert Doering
Date: Wed, 2 Apr 2025 08:53:10 +0200
Subject: [PATCH] preparing release 2.6.14 version.m4, ChangeLog, Changes.rst
Signed-off-by: Gert Doering
---
 ChangeLog | 14 ++++++++++++++
 Changes.rst | 37 +++++++++++++++++++++++++++++++++++++
 version.m4 | 4 ++--
 3 files changed, 53 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index a5dfa3704..8948b7e1d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,20 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2025 OpenVPN Inc
+2025.04.02 -- Version 2.6.14
+
+Arne Schwabe (1):
+ Allow tls-crypt-v2 to be setup only on initial packet of a session
+
+Frank Lichtenheld (3):
+ GHA: Drop Ubuntu 20.04 and other maintenance (2.6)
+ crypto_backend: fix type of enc parameter
+ Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+
+
+Qingfang Deng (1):
+ dco: fix source IP selection when multihome
+
+
 2025.01.15 -- Version 2.6.13
 Arne Schwabe (2):
diff --git a/Changes.rst b/Changes.rst
index ab2b047d1..b7aeeac4b 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -1,3 +1,40 @@
+Overview of changes in 2.6.14
+=============================
+Security fixes
+--------------
+- CVE-2025-2704 fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2
+
+ Security scope: OpenVPN servers between 2.6.1 and 2.6.13 using
+ --tls-crypt-v2 can be made to abort with an ASSERT() message by
+ sending a particular combination of authenticated and malformed packets.
+
+ To trigger the bug, a valid tls-crypt-v2 client key is needed, or
+ network observation of a handshake with a valid tls-crypt-v2 client key
+
+ No crypto integrity is violated, no data is leaked, and no remote
+ code execution is possible.
+
+ This bug does not affect OpenVPN clients.
+
+ (Bug found by internal QA at OpenVPN Inc)
+
+
+Code maintenance
+----------------
+- fix compatibility with mbedTLS 2.28.10+ and 3.6.3+: security "hardening"
+ on the mbedTLS side (adding verification of the server certificate
+ *hostname* inside mbedTLS) broke OpenVPN, as OpenVPN does not use
+ hostname-based verification. Disable mbedTLS "feature".
+
+- fix compilation warnings for mbedTLS builds related to "enc"
+ enum/integer mismatch.
+
+- Github Action builds: drop Ubuntu 20.04 builds, upgrade various packages
+
+Bug fixes
+---------
+- Linux DCO: repair source IP selection for --multihome (Qingfang Deng)
+
 Overview of changes in 2.6.13
 =============================
 New features
diff --git a/version.m4 b/version.m4
index ea3a7e4de..518fc67c9 100644
--- a/version.m4
+++ b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [6])
-define([PRODUCT_VERSION_PATCH], [.13])
+define([PRODUCT_VERSION_PATCH], [.14])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,6,13,0])
+define([PRODUCT_VERSION_RESOURCE], [2,6,14,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
-- 
2.47.3