From: Gert Doering Date: Tue, 6 Apr 2021 15:00:01 +0000 (+0200) Subject: Preparing release 2.5.2 X-Git-Tag: v2.5.2^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=23ae78e657052748be68b623ca8122e4103dc7e0;p=thirdparty%2Fopenvpn.git Preparing release 2.5.2 version.m4, ChangeLog, Changes.rst Signed-off-by: Gert Doering --- diff --git a/ChangeLog b/ChangeLog index 1b26873e1..35a04775a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,37 @@ OpenVPN Change Log Copyright (C) 2002-2020 OpenVPN Inc +2021.04.20 -- Version 2.5.2 + +Arne Schwabe (10): + Avoid generating unecessary mbed debug messages + Restore also ping related options on a reconnect + Cleanup print_details and add signature/ED certificate print + Always disable TLS renegotiations + Also restore/save route-gateway options on SIGUSR1 reconnects + Move context_auth from context_2 to tls_multi and name it multi_state + Fix condition to generate session keys + Move auth_token_state from multi to key_state + Ensure auth-token is only sent on a fully authenticated session + Ensure key state is authenticated before sending push reply + +Gert Doering (2): + Fix potential NULL ptr crash if compiled with DMALLOC + +Max Fillinger (2): + In init_ssl, open the correct CRL path pre-chroot + Abort if CRL file can't be stat-ed in ssl_init + +Richard Bonhomme (1): + Do not print Diffie Hellman parameters file to log file + +Simon Rozman (1): + openvpnserv: Cache last error before it is overridden + +Vladislav Grishenko (1): + Fix IPv4 default gateway with multiple route tables + + 2021.02.24 -- Version 2.5.1 Arne Schwabe (5): diff --git a/Changes.rst b/Changes.rst index 6128275cc..b0a6b273c 100644 --- a/Changes.rst +++ b/Changes.rst 
@@ -1,3 +1,48 @@ +Overview of changes in 2.5.2 +============================ + +Bugfixes +-------- +- CVE-2020-15078 + see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements + + This bug allows - under very specific circumstances - to trick a + server using delayed authentication (plugin or management) into + returning a PUSH_REPLY before the AUTH_FAILED message, which can + possibly be used to gather information about a VPN setup. + + In combination with "--auth-gen-token" or an user-specific token auth + solution it can be possible to get access to a VPN with an + otherwise-invalid account. + +- restore pushed "ping" settings correctly on a SIGUSR1 restart + +- avoid generating unecessary mbed debug messages - this is actually + a workaround for an mbedTLS 2.25 bug when using Curve25519 and Curve448 + ED curves - mbedTLS crashes on preparing debug infos that we do not + actually need unless running with "--verb 8" + +- do not print inlined (...) Diffie Hellman parameters to log file + +- fix Linux/SITNL default route lookup in case of multiple routing tables + with more than one default route present (always use "main table" for now) + +- Fix CRL file handling in combination with chroot + +User-visible Changes +-------------------- + +- OpenVPN will now refuse to start if CRL file is not present at startup + time. At "reload time" absense of the CRL file is still OK (and the + in memory copy is used) but at startup it is now considered an error. + + +New features +------------ +- printing of the TLS ciphers negotiated has been extended, especially + displaying TLS 1.3 and EC certificates more correctly. + + Overview of changes in 2.5.1 ============================ diff --git a/version.m4 b/version.m4 index 66832fcc0..bbb6372ae 100644 --- a/version.m4 +++ b/version.m4 
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [5]) -define([PRODUCT_VERSION_PATCH], [.1]) +define([PRODUCT_VERSION_PATCH], [.2]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net]) -define([PRODUCT_VERSION_RESOURCE], [2,5,1,0]) +define([PRODUCT_VERSION_RESOURCE], [2,5,2,0]) dnl define the TAP version define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
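Review bot: in the ChangeLog hunk the shortlog counts do not match the entries beneath them: "Gert Doering (2):" is followed by a single subject line ("Fix potential NULL ptr crash if compiled with DMALLOC"), so either a second entry was dropped while editing or the count should read (1). Regenerating the block from the release range with `git shortlog` keeps the header counts and the listed subjects in step. Also, the release line reads "2021.04.20 -- Version 2.5.2" while this commit is dated Tue, 6 Apr 2021; please confirm the intended release date so the ChangeLog and the tag agree.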
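Review bot: the Changes.rst hunk is the user-facing text and has several spelling and grammar slips that should be fixed before tagging: "unecessary" (unnecessary), "absense" (absence), "an user-specific" (a user-specific), and the CVE-2020-15078 sentence "This bug allows - under very specific circumstances - to trick a server" has no subject for "to trick"; "This bug makes it possible, under very specific circumstances, to trick a server ..." reads cleanly. The CVE entry describes the impact (PUSH_REPLY returned before AUTH_FAILED under delayed authentication) but not which change closes it; naming the fix, i.e. the authentication-state changes listed in the ChangeLog ("Ensure auth-token is only sent on a fully authenticated session" and "Ensure key state is authenticated before sending push reply"), helps distributions that backport only the security fix. The "User-visible Changes" entry on CRL handling is clear about the startup-versus-reload distinction and matches "Abort if CRL file can't be stat-ed in ssl_init"; it would be worth adding that the new startup error is the expected behaviour so operators with a missing CRL file are not surprised by a failed service start after upgrading.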