OpenVPN Change Log
Copyright (C) 2002-2020 OpenVPN Inc <sales@openvpn.net>
+2021.04.20 -- Version 2.5.2
+
+Arne Schwabe (10):
+ Avoid generating unecessary mbed debug messages
+ Restore also ping related options on a reconnect
+ Cleanup print_details and add signature/ED certificate print
+ Always disable TLS renegotiations
+ Also restore/save route-gateway options on SIGUSR1 reconnects
+ Move context_auth from context_2 to tls_multi and name it multi_state
+ Fix condition to generate session keys
+ Move auth_token_state from multi to key_state
+ Ensure auth-token is only sent on a fully authenticated session
+ Ensure key state is authenticated before sending push reply
+
+Gert Doering (2):
+ Fix potential NULL ptr crash if compiled with DMALLOC
+
+Max Fillinger (2):
+ In init_ssl, open the correct CRL path pre-chroot
+ Abort if CRL file can't be stat-ed in ssl_init
+
+Richard Bonhomme (1):
+ Do not print Diffie Hellman parameters file to log file
+
+Simon Rozman (1):
+ openvpnserv: Cache last error before it is overridden
+
+Vladislav Grishenko (1):
+ Fix IPv4 default gateway with multiple route tables
+
+
2021.02.24 -- Version 2.5.1
Arne Schwabe (5):
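Review bot: the attribution header "Gert Doering (2):" is followed by a single entry ("Fix potential NULL ptr crash if compiled with DMALLOC"), whereas the other headers match their lists (Arne Schwabe 10/10, Max Fillinger 2/2, Richard Bonhomme 1/1, Simon Rozman 1/1, Vladislav Grishenko 1/1); either the count should read (1) or a second commit is missing from the list. The entry "Avoid generating unecessary mbed debug messages" also misspells "unnecessary"; since it mirrors the commit subject, note it but leave it as the commit reads. The two consecutive blank lines before "2021.02.24 -- Version 2.5.1" can be collapsed to one to match the spacing used between the other sections.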
+Overview of changes in 2.5.2
+============================
+
+Bugfixes
+--------
+- CVE-2020-15078
+ see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
+
+ This bug allows - under very specific circumstances - to trick a
+ server using delayed authentication (plugin or management) into
+ returning a PUSH_REPLY before the AUTH_FAILED message, which can
+ possibly be used to gather information about a VPN setup.
+
+ In combination with "--auth-gen-token" or an user-specific token auth
+ solution it can be possible to get access to a VPN with an
+ otherwise-invalid account.
+
+- restore pushed "ping" settings correctly on a SIGUSR1 restart
+
+- avoid generating unecessary mbed debug messages - this is actually
+ a workaround for an mbedTLS 2.25 bug when using Curve25519 and Curve448
+ ED curves - mbedTLS crashes on preparing debug infos that we do not
+ actually need unless running with "--verb 8"
+
+- do not print inlined (<dh>...</dh>) Diffie Hellman parameters to log file
+
+- fix Linux/SITNL default route lookup in case of multiple routing tables
+ with more than one default route present (always use "main table" for now)
+
+- Fix CRL file handling in combination with chroot
+
+User-visible Changes
+--------------------
+
+- OpenVPN will now refuse to start if CRL file is not present at startup
+ time. At "reload time" absense of the CRL file is still OK (and the
+ in memory copy is used) but at startup it is now considered an error.
+
+
+New features
+------------
+- printing of the TLS ciphers negotiated has been extended, especially
+ displaying TLS 1.3 and EC certificates more correctly.
+
+
Overview of changes in 2.5.1
============================
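Review bot: the new 2.5.2 section has several spelling and grammar slips worth fixing before release: "unecessary" (unnecessary), "absense" (absence), "an user-specific" (a user-specific), "in memory copy" (in-memory copy) and "Diffie Hellman" (Diffie-Hellman); and the opening sentence of the CVE-2020-15078 entry does not parse as written ("This bug allows - under very specific circumstances - to trick a server"), suggest "This bug allows an attacker, under very specific circumstances, to trick a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message". Since this entry is the headline fix of the release and states that, combined with "--auth-gen-token" or a user-specific token scheme, it can yield access with an otherwise-invalid account, it should also state plainly that 2.5.2 contains the fix rather than only pointing at the security announcements page.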
define([PRODUCT_TARNAME], [openvpn])
define([PRODUCT_VERSION_MAJOR], [2])
define([PRODUCT_VERSION_MINOR], [5])
-define([PRODUCT_VERSION_PATCH], [.1])
+define([PRODUCT_VERSION_PATCH], [.2])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,5,1,0])
+define([PRODUCT_VERSION_RESOURCE], [2,5,2,0])
dnl define the TAP version
define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
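Review bot: PRODUCT_VERSION_PATCH ([.1] to [.2]) and PRODUCT_VERSION_RESOURCE ([2,5,1,0] to [2,5,2,0]) are bumped together here, which is the check to make on every release bump: the resource quadruple is defined independently rather than derived from the m4_append chain that builds PRODUCT_VERSION, so updating only one of the two would ship a Windows binary whose file version disagrees with the version string reported by the source tree.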