From: Gert Doering
Date: Wed, 10 Dec 2025 09:53:55 +0000 (+0100)
Subject: OpenVPN Release 2.7_rc4
X-Git-Tag: v2.7_rc4^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e052cf29a0d49c6f78264cfdb7005c1ebdf59e2;p=thirdparty%2Fopenvpn.git

OpenVPN Release 2.7_rc4

version.m4, ChangeLog, Changes.rst

Changes.rst has not received a "2.7_rc4" section - it has the "highlevel" overview of what is new in 2.7, but for alpha/beta/rc* releases it's better to look at git log to see what has been added/fixed.

Notable changes rc3 -> rc4 are:

- Windows interactive service: do not configure adapter DNS if there are no search-domains but there are resolve-domains (which get resolved via NRPT rules) - GH: OpenVPN/openvpn#473
- improve documentation and error messages for a number of deprecated options
- improve documentation for not-really-deprecated-yet ``--ns-cert-type``
- Windows IPv4 configuration with netsh.exe: ensure addresses are added with "store=active" (ensure proper cleanup) - GH: OpenVPN/openvpn#915
- Windows: set UTF8 code page in openvpn.exe manifest, to make cert/key loading work again for files with non-ASCII characters in their file name (GH: OpenVPN/openvpn#920)
- tun.c: unify read_tun()/write_tun() functions for all BSD platforms
- more type conversion related cleanups
- add NULL check before freeaddrinfo() call, which might lead to a crash on OpenBSD (GH: OpenVPN/openvpn#930)
- add NULL check to mbedtls handling of external and inline certificates
- add check for auth none / cipher none on FreeBSD DCO
- add CAP_SYS_NICE to positive list in Linux systemd unit files (GH: OpenVPN/openvpn#834)
- drop mbedtls 2.x support (which is end of life, and work on mbedtls 4 is much simplified by not having to take care of 2.x compat as well)
- PUSH_UPDATE: bugfix for the client side where split/continued messages (due to large number of "route" statements) would not correctly handle the full set of routes. Add unit test.
  (GH: OpenVPN/openvpn#925)
- new unit test module for mbuf handling
- deprecate --fast-io option (it got partially broken by the multisocket implementation, and the benefits of the existing implementation did not outweigh the extra code complexity to make it work again)
- change the ssl_ctx in struct tls_options to be a pointer - this is a shared data structure between various contexts, but previously it was shallow-copied, leading to needless CRL reloading - and when working on implementing the new OpenSSL CRL API, to segfaults (the existing code works, as these new APIs are not used yet).

Signed-off-by: Gert Doering
---
diff --git a/ChangeLog b/ChangeLog index 12bfaac54..e5c76cf2b 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,6 +1,65 @@ OpenVPN ChangeLog Copyright (C) 2002-2025 OpenVPN Inc +2025.12.17 -- Version 2.7_rc4 + +Arne Schwabe (4): + Clarify some code in epoch with better comments + Add a section about wolfSSL GPLv3 and point out missing TLS PRF support + Fix dco with null cipher being enabled without auth none + Change ssl_ctx in struct tls_options to be a pointer + +Frank Lichtenheld (19): + Documentation: Various syntax fixes and text improvements + CMake: For VS build, switch from /W2 to /W3 + socket: Initialize struct in_addr_t in getaddr() + GHA: Add minGW Release build + tun: Refactor BSD write_tun/read_tun + tun: Change return type of write_tun/read_tun to ssize_t + Remove some obsolete references to --windows-driver + options: Remove some verbose error messages for options deprecated in 2.4 + Correct documentation for --ns-cert-type + buffer: Change limits for array_mult_safe + mbuf: Add unit tests + options: Avoid some conversion warnings + schedule: Rework documentation for schedule_add_entry + multi: Fix wrong sigma value in multi_push_restart_schedule_exit + multi: Fix type handling for hashes, mostly inotify_watchers + multi: Fix various conversion warnings + manage: Avoid several conversion warnings by using the correct types + buffer: Change buf_prepend and buf_advance to accept ssize_t for length + multi: Warn about failing read in multi_process_file_closed() + +Gianmarco De Gregori (2): + mudp: fix unaligned 32-bit read when parsing peer ID + Deprecate --fast-io option + +Heiko Hund (1): + iservice: set adapter DNS only with search domains + +Klemens Nanni (1): + Prevent crash on invalid server-ipv6 argument + +Lev Stipakov (1): + tun.c: set IPv4 address temporary on Windows + +Max Fillinger (1): + Drop Mbed TLS 2.X compatibility + +Moritz Fain (1): + PUSH_UPDATE: fix option reset logic in continuation messages + +Selva Nair (2): + Set UTF-8 as the codepage using manifest declaration + pull-filter: improve documentation + +Simon Matter (1): + Add 
CAP_SYS_NICE to the positive list in systemd service files + +Steffan Karger (1): + mbedtls: gracefully exit if certificate file is NULL + + 2025.11.28 -- Version 2.7_rc3 Frank Lichtenheld (9): diff --git a/Changes.rst b/Changes.rst index 32efbe76b..048434dfa 100644 --- a/Changes.rst +++ b/Changes.rst @@ -338,6 +338,11 @@ User-visible Changes (force egress = ingress interface) can be achieved with the new ``--multihome same-interface`` sub-option. +- Windows ``openvpn.exe`` binary manifest now sets code page UTF8 - which + has no direct effect on OpenVPN itself, but this repairs OpenSSL file + loading for key/cert files with non-ASCII characters in their file names + (GH: OpenVPN/openvpn#920). + Deprecated features ------------------- ``--opt-verify`` feature removed diff --git a/version.m4 b/version.m4 index df4e1ec4f..af17af353 100644 --- a/version.m4 +++ b/version.m4 @@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [7]) -define([PRODUCT_VERSION_PATCH], [_rc3]) +define([PRODUCT_VERSION_PATCH], [_rc4]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
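
Review bot: the new ChangeLog entry is headed "2025.12.17 -- Version 2.7_rc4", but this commit is dated Wed, 10 Dec 2025; please confirm that 17 December is the intended release date and not a typo, since the entry dates (the previous one is "2025.11.28 -- Version 2.7_rc3") are what readers use to order releases. Separately, "mudp: fix unaligned 32-bit read when parsing peer ID" is in the shortlog but not in the notable-changes list of the commit message; as a fix in peer ID parsing it deserves a line there.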
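
Review bot: in the Changes.rst hunk the new bullet writes "code page UTF8", while the ChangeLog entry for the same change writes "UTF-8" ("Set UTF-8 as the codepage using manifest declaration"); use "UTF-8" in both places. The bullet is added under "User-visible Changes" yet opens by stating that the change "has no direct effect on OpenVPN itself"; leading with the visible effect (key/cert files with non-ASCII characters in their file names load again, GH: OpenVPN/openvpn#920) and noting that it applies to the Windows binary only would make the entry easier to scan.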