- Remove --enable-password-save option to configure, this is now always enabled
-- Disallow usage of --server-poll-timeout in --secret key mode
+- Disallow usage of ``--server-poll-timeout`` in ``--secret`` key mode
-- The second parameter of --ifconfig is no longer a "remote address" but a
- "netmask" when using --dev tun and --topology subnet
+- The second parameter of ``--ifconfig`` is no longer a "remote address" but a
+ "netmask" when using ``--dev tun`` and -``-topology subnet``
- Automatic TLS version negotiation may cause issues in certain cases.
- Always load intermediate certificates from a PKCS#12 file, instead of ignoring
them
-- Remove the --disable-eurephia configure option
+- Remove the ``--disable-eurephia`` configure option
-- Remove the support for using system() when executing external programs or
+- Remove the support for using ``system()`` when executing external programs or
scripts
- Inline files are now always enabled
-- Remove the --auto-proxy option (now handled via management interface)
+- Remove the ``--auto-proxy`` option (now handled via management interface)
- Directory layout restructuring
- Made some options connection-entry specific
-- Make '--win-sys env' default
+- Make ``--win-sys env`` default
- Do not randomize resolving of IP addresses in getaddr()
+
+Version 2.3.17
+==============
+
+Security fixes
+--------------
+- CVE-2017-7521: Fix post-authentication remote-triggerable memory leaks
+ A client could cause a server to leak a few bytes each time it connects to the
+ server. That can eventuall cause the server to run out of memory, and thereby
+ causing the server process to terminate. Discovered and reported to the
+ OpenVPN security team by Guido Vranken. (OpenSSL builds only.)
+
+- CVE-2017-7521: Fix a potential post-authentication remote code execution
+ attack on servers that use the ``--x509-username-field`` option with an X.509
+ extension field (option argument prefixed with ``ext:``). A client that can
+ cause a server to run out-of-memory (see above) might be able to cause the
+ server to double free, which in turn might lead to remote code execution.
+ Discovered and reported to the OpenVPN security team by Guido Vranken.
+ (OpenSSL builds only.)
+
+- CVE-2017-7520: Pre-authentication remote crash/information disclosure for
+ clients. If clients use a HTTP proxy with NTLM authentication (i.e.
+ ``--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2``),
+ a man-in-the-middle attacker between the client and the proxy can cause
+ the client to crash or disclose at most 96 bytes of stack memory. The
+ disclosed stack memory is likely to contain the proxy password. If the
+ proxy password is not reused, this is unlikely to compromise the security
+ of the OpenVPN tunnel itself. Clients who do not use the ``--http-proxy``
+ option with ntlm2 authentication are not affected.
+
+- CVE-2017-7508: Fix remotely-triggerable ``ASSERT()`` on malformed IPv6 packet.
+ This can be used to remotely shutdown an openvpn server or client, if
+ IPv6 and ``--mssfix`` are enabled and the IPv6 networks used inside the VPN
+ are known.
+
+- Fix potential 1-byte overread in TCP option parsing.
+- fix null-pointer dereference when talking to a malicious http proxy
+ that returns a malformed ``Proxy-Authenticate:`` headers for digest auth.
+- fix overflow check for long ``--tls-cipher`` option
+
+
+Bug fixes
+---------
+- Fix SIGSEGV crash on unaligned access on OpenBSD/sparc64
+
+- Fix TCP_NODELAY on OpenBSD
+
+
+Behavioural Changes
+-------------------
+- Ignore auth-nocache for auth-user-pass if auth-token is pushed
+
+
+Version 2.3.16
+==============
+
+Security fixes
+--------------
+- Re-roll release because two different tarballs for 2.3.15 were created,
+ one of them missing a relevant security fix. 2.3.16 has everything.
+
+- Windows: Check for errors in the return value of ``GetModuleFileNameW()``
+
+
+Bug fixes
+---------
+- Fix ``--redirect-gateway`` behaviour when an IPv4 default route does not exist
+
+
Version 2.3.15
==============
would need to get us to send at least about 196 GB of data.
(OSTIF/Quarkslab audit finding 5.2, CVE-2017-7479)
+
Version 2.3.14
==============
- On the client side recursively routed packets, which have same destination
as the VPN server, are dropped. This could be disabled with
- --allow-recursive-routing option.
+ ``--allow-recursive-routing`` option.
+
Version 2.3.13
==============
-- Enforcing a new default value for --reneg-bytes for known weaker ciphers
+- Enforcing a new default value for ``--reneg-bytes`` for known weaker ciphers
Ciphers with cipher blocks less than 128 bits will now do a renegotiation
of the tunnel by default for every 64MB of data. This behaviour can be
- overridden by explicitly setting --reneg-bytes 0 in the configuration file,
+ overridden by explicitly setting ``--reneg-bytes 0`` in the configuration file,
however this is HIGHLY discouraged.
This is to reduce the risk for SWEET32 attacks. The general recommendation
when such weaker ciphers is detected.
+
Version 2.3.12
==============
- Deprecation of ciphers using less than 128-bits cipher blocks
It is highly recommended to avoid using ciphers listed in the new
- deprecated section of --show-ciphers. These ciphers are no longer
+ deprecated section of ``--show-ciphers``. These ciphers are no longer
considered safe to use. If you cannot migrate away from these
ciphers currently, it is strongly recommended to start using
- --reneg-bytes with a value less than 64MB.
+ ``--reneg-bytes`` with a value less than 64MB.
Version 2.3.11
- IPv6 address information is now available as environment variables
-- --auth-user-pass can now work with files that only have a username,
+- ``--auth-user-pass`` can now work with files that only have a username,
and will then only prompt for password
Behavioral changes
------------------
-- sndbuf and recvbuf default now to OS default instead of 64k
+- ``--sndbuf`` and ``--recvbuf`` default now to OS default instead of 64k
-- Removed --enable-password-save from configure. This option is now
+- Removed ``--enable-password-save`` from configure. This option is now
always enabled.
-- use interface index when calling netsh.exe to configure IPv6
+- Use interface index when calling netsh.exe to configure IPv6
addresses or routes on windows (instead of interface name)
-- properly reject client connect if "disabled" option
+- Properly reject client connect if ``--disabled`` option is used
(in ccd/ or client-connect script/plugin)
-- handle Ctrl-C and Ctrl-BREAK events in Windows
+- Handle Ctrl-C and Ctrl-BREAK events in Windows
-- do no longer exit if tap6 adapter returns error on Windows
+- Do no longer exit if tap6 adapter returns error on Windows
suspend/resume
-- increase control channel packet size for faster handshakes
+- Increase control channel packet size for faster handshakes
between TLS server and client
+
Bug fixes
---------
-- repair combination of --auth-user-pass, --daemon and systemd
+- Repair combination of ``--auth-user-pass``, ``--daemon`` and systemd
(errors out in 2.3.8 instead of querying systemd)
- Lots of bug fixes and documentation improvements
Bug fixes
---------
-- fix various fallouts of the 2.3.7 change where we daemon()ize
+- Fix various fallouts of the 2.3.7 change where we daemon()ize
now first and initialize crypto later
- Lots of bug fixes and documentation improvements
+
Behavioral changes
------------------
-- print error message if trying to ask for username/password or
+- Print error message if trying to ask for username/password or
passphrase and no tty is available (--daemon)
-- delete ipv6 address on close of linux tun interface
+- Delete ipv6 address on close of Linux tun interface
(relevant for persistant tun interfaces)
- Lots of bug fixes and documentation improvements
+
New features
------------
- daemon()ize before initializing crypto (= un-break cryptodev
on FreeBSD that does not allow fork() after openssl init)
-- on FreeBSD and topology subnet, construct a proper address
+- On FreeBSD and topology subnet, construct a proper address
for the remote side of the tun if (not our own)
-- fix interaction of --peer-id, --link-mtu, OCC and old/new
+- Fix interaction of ``--peer-id``, ``--link-mtu``, OCC and old/new
OpenVPN combinations
-- always disable SSL compression
+- Always disable SSL compression
Version 2.3.6
------------
- Add client-only support for peer-id
-- Add --tls-version-max
+- Add ``--tls-version-max``
Version 2.3.5
Bug fixes
---------
-- Fix server routes not working in topology subnet with --server [v3]
+- Fix server routes not working in topology subnet with ``--server`` [v3]
- Fix regression with password protected private keys (polarssl)
-- Fix "code=995" bug with windows NDIS6 tap driver
+- Fix ``code=995`` bug with windows NDIS6 tap driver
- Lots of other bug fixes
Bug fixes
---------
-- When tls-version-min is unspecified, revert to original versioning approach
+- When ``--tls-version-min`` is unspecified, revert to original versioning approach
- IPv6 address/route delete fix for Win8
- Fix SOCKSv5 method selection
- Lots of other bug fixes and documentation improvements
- Fix spurious ignoring of pushed config options (trac#349)
- Lots of bug fixes and documentation improvements
+
New features
------------
- Add support of utun devices under Mac OS X
- Support non-ASCII TAP adapter names on Windows
- Support non-ASCII characters in Windows tmp path
-- Added "setenv opt" directive prefix
-- --management-external-key for PolarSSL
-- Add support for client-cert-not-required for PolarSSL
+- Added ``setenv opt`` directive prefix
+- ``--management-external-key`` for PolarSSL
+- Add support for ``--client-cert-not-required`` for PolarSSL
+
Behavioral changes
------------------
- TLS version negotiation
- Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915
+
Version 2.3.2
=============
Bug fixes
---------
-- Fix proto tcp6 for server & non-P2MP modes
-- Fix NULL-pointer crash in route_list_add_vpn_gateway()
+- Fix ``--proto tcp6`` for server & non-P2MP modes
+- Fix NULL-pointer crash in ``route_list_add_vpn_gateway()``
- Fix problem with UDP tunneling due to mishandled pktinfo structures
- Fix segfault when enabling pf plug-ins
- Lots of other bug fixes
+
New features
------------
- Always push basic set of peer info values to server
- make 'explicit-exit-notify' pullable again
+
Version 2.3.1
=============
Bug fixes
---------
-- Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout
+- Repair "tcp server queue overflow" brokenness, more ``<stdbool.h>`` fallout
- Fix directly connected routes for "topology subnet" on Solaris
- Use constant time memcmp when comparing HMACs in openvpn_decrypt
-- Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout
- Lots of other bug fixes and documentation improvements
+
New features
------------
-- reintroduce --no-name-remapping option
-- make --tls-remote compatible with pre 2.3 configs
+- reintroduce ``--no-name-remapping`` option
+- make ``--tls-remote`` compatible with pre 2.3 configs
- add new option for X.509 name verification
- PolarSSL-1.2 support
- Enable TCP_NODELAY configuration on FreeBSD
- Permit pool size of /64.../112 for ifconfig-ipv6-pool
+
Behavioral changes
------------------
- Switch to IANA names for TLS ciphers
+
Version 2.3.0
=============
Bug fixes
---------
-- Fix --show-pkcs11-ids (Bug #239)
+- Fix ``--show-pkcs11-ids`` (Bug #239)
- Lots of other bug fixes and documentation improvements
+
New features
------------
-- Implement --mssfix handling for IPv6 packets
+- Implement ``--mssfix`` handling for IPv6 packets
+
Version 2.3_rc1
===============
- Fix v3 plugins to support returning values back to OpenVPN
- Lots of other bug fixes and documentation improvements
+
New features
------------
-- Support UTF-8 --client-config-dir
+- Support UTF-8 ``--client-config-dir``
+
Behavioral changes
------------------
- Remove the support for using system() when executing external programs or
scripts
+
Version 2.3_beta1
=================
Bug fixes
---------
-- Fixes error: --key fails with EXTERNAL_PRIVATE_KEY: No such file or directory
- if --management-external-key is used
-- fix regression with --http-proxy[\-\*] options
+- Fixes error: ``--key`` fails with EXTERNAL_PRIVATE_KEY: No such file or directory
+ if ``--management-external-key`` is used
+- fix regression with ``--http-proxy[\-\*]`` options
- Lots of other bug fixes and documentation improvements
+
New features
------------
-- Add --compat-names option
+- Add ``--compat-names`` option
- add API for plug-ins to write to openvpn log
+
Behavioral changes
------------------
- Keep pre-existing tun/tap devices around on \*BSD
+
Version 2.3_alpha3
==================
- make non-blocking connect work on Windows
- A few other bug fixes
+
New features
------------
-- add option --management-query-proxy
+- add option ``--management-query-proxy``
+
Version 2.3_alpha2
==================
- Lots of other bug fixes and documentation improvements
+
New features
------------
- Add missing pieces to IPv6 route gateway handling
+
Behavioral changes
------------------
- Complete overhaul of the project structure and the buildsystem
- remove the --auto-proxy option from openvpn
+
Version 2.3-alpha1
==================
- Fixed issue where a client might receive multiple push replies
- Lots of other bug fixes and documentation improvements
+
New features
------------
- PolarSSL support
- Add plug-in API v3
- IPv6 payload and transport support
-- New feauture: Add --stale-routes-check
+- New feauture: Add ``--stale-routes-check``
- Add support to forward console query to systemd
- Windows UTF-8 input/output
-- Added "management-external-key" option
-- Added --x509-track option
-- Added "client-nat" option for stateless, one-to-one NAT on the client side
-- Extended "client-kill" management interface command
+- Added ``--management-external-key`` option
+- Added ``--x509-track`` option
+- Added ``--client-nat`` option for stateless, one-to-one NAT on the client side
+- Extended ``client-kill`` management interface command
- Client will now try to reconnect if no push reply received within
handshake-window seconds
-- Added "management-external-key" option
-- Added "auth-token" client directive
-- Added 'dir' flag to "crl-verify"
+- Added ``--management-external-key`` option
+- Added ``--auth-token`` client directive
+- Added ``dir`` flag to ``crl-verify``
- Added support for static challenge/response protocol
- Changed CC_PRINT character class to allow UTF-8 chars
- Extend output of "status" management interface command to include usernames
- Added "memstats" option to maintain real-time operating stats
- Added support for "on-link" routes on Linux client
-- Add extv3 X509 field support to --x509-username-field
+- Add extv3 X509 field support to ``--x509-username-field``
+
Behavioral changes
------------------
- Remove support for Linux 2.2
-- Make '--win-sys env' default
-- Remove --enable-osxipconfig configure option
+- Make ``--win-sys env`` default
+- Remove ``--enable-osxipconfig`` configure option
projects / thirdparty / openvpn.git / commitdiff
