From: Gert Doering
Date: Sat, 15 Nov 2025 17:16:12 +0000 (+0100)
Subject: OpenVPN Release 2.7_rc2
X-Git-Tag: v2.7_rc2^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d6ee27b4ff31e4469d699f3bfd7b9998ab167230;p=thirdparty%2Fopenvpn.git

OpenVPN Release 2.7_rc2

version.m4, ChangeLog, Changes.rst

Changes.rst has not received a "2.7_rc2" section - it has the "highlevel"
overview of what is new in 2.7, but for alpha/beta releases it's better
to look at git log to see what has been added/fixed.

Notable changes rc1 -> rc2 are:

 - IPv6 address parsing: fix buffer overread on invalid input (CVE-2025-12106)
 - HMAC verification check: fix incorrect memcmp() call (CVE-2025-13086)
 - even more type conversion related warnings have been fixed
 - DCO FreeBSD improvements:
     improving debug messages (verb 6)
     implement client-side counter handling
     repair --inactive (and document shortcomings)
     repair handling of DCO disconnection notifications in --client mode
 - Windows/Service improvements, hardening, bugfixes
     fix DNS address list generation (if 3 or more --dns addresses in use)
     fix DNS server undo_list
     disallow "stdin" as config name unless user has OpenVPN admin privs
     fix compilation errors with MSVC v19
     iservice: improve validation of config path (pathcc lib)
        [NOTE: this breaks OpenVPN compatibility with Windows 7]
     tapctl: refactor, improve output, change driver default to ovpn-dco
     iservice: when restoring iface metrics, enforce correct ifindex
 - improve cmocka unit test assert() handling
 - PUSH_UPDATE server: fix reporting of client IPs in ``status`` output
   after pushing a new IPv4/IPv6 address to client
 - AEAD cipher safety margins: fix calculation of AEAD blocks in use
   (old code would undercount blocks)
 - fix invalid pointer creation / memory overread in tls_pre_decrypt
 - deprecate ``--opt-verify`` (change into no-op + warning)

Signed-off-by: Gert Doering
---
diff --git a/ChangeLog b/ChangeLog index e6ac4a058..efc533b91 100644 --- a/ChangeLog 
+++ b/ChangeLog 
@@ -1,6 +1,72 @@ OpenVPN ChangeLog Copyright (C) 2002-2025 OpenVPN Inc +2025.11.17 -- Version 2.7_rc2 + +Antonio Quartulli (4): + test_networking: use appropriate assert helpers + unit_tests: prefer proper cmocka assert helpers + init: make some functions static + options: remove --opt-verify functionality + +Arne Schwabe (3): + Do not underestimate number of encrypted/decrypted AEAD blocks + Fix construction of invalid pointer in tls_pre_decrypt + Fix memcmp check for the hmac verification in the 3way handshake being inverted + +Frank Lichtenheld (17): + manage: Correctly handle port 65535 in man_kill + pkcs11_openssl: Silence a conversion warning + Enable -Wtype-limits by default (via -Wextra) + ssl: Change tls_send_payload size argument to size_t + openssl_compat: Avoid conversion warning for SSL_get_negotiated_group + pkcs11: Avoid some conversion warnings + ssl: change return type of calc_control_channel_frame_overhead to size_t + otime: Fix various conversion warnings + interval: Fix conversion warning + forward: Change context_reschedule_sec sec argument to time_t + tls_crypt: Avoid some conversion warnings + ssl: Fix conversion warning in tls_prepend_opcode_v1 + ssl: Change update argument of compute_earliest_wakeup to time_t + ssl: Clean up type handling in write_string() + ssl: Clean up type handling in export_user_keying_material() + ssl: Clean up type handling in parse_early_negotiation_tlvs() + ssl_pkt: Avoid conversion warnings + +Gert Doering (5): + FreeBSD DCO: repair incoming 'delete peer' notifications in p2p client mode + dco_freebsd.c: add D_DCO_DEBUG messages for counters and notifications + dco_freebsd: implement dco_get_peer_stats() + FreeBSD DCO: repair --inactive + dco_freebsd.c: fix integer warnings + +Heiko Hund (7): + iservice: fix DNS address list generation + msvc: fix struct initialization for v19 compilers + iservice: validate config path better + win: remove checks for PATHCCH_ENSURE_TRAILING_SLASH + iservice: validate config path 
case-insensitive + iservice: make sure directories have trailing backslash + iservice: use saved iface index to restore metric + +Lev Stipakov (5): + tapctl: use better wording for adapters + tapctl: factor out command handlers + recursive routing: fixes and clean-ups + tapctl: make output of 'list' and 'create' commands more verbose + tapctl: refactor 'create' command + +Marco Baffo (1): + PUSH_UPDATE server: update reporting_addr after ifconfig update + +Mikhail Khachaiants (1): + socket: reject mismatched address family in get_addr_generic + +Selva Nair (2): + openvpnserv: Disallow stdin as config unless user is authorized + Use correct undo_list when clearing DNS addresses + + 2025.10.29 -- Version 2.7_rc1 Antonio Quartulli (1): diff --git a/Changes.rst b/Changes.rst index 457d3a7a5..9077064ff 100644 --- a/Changes.rst +++ b/Changes.rst @@ -236,9 +236,6 @@ Using ``--push`` in a mode that is not ``--mode server`` will now print a ``--reneg-bytes`` and ``--reneg-packets`` do not work in DCO mode, and will now print an appropriate warning. -``--opt-verify`` feature removed - This option was already deprecated and it is now being converted to a - no-op. Using this option will only print a warning. User-visible Changes -------------------- @@ -324,6 +321,17 @@ User-visible Changes options cache, and will be restored to pre-connect values on reconnects if the server stops pushing the respective option. +- `tapctl.exe` helper binary on Windows has been reworked to improve + help texts (making clear that it can not only do TAP-Adapters but + Win-DCO as well), add printing of the hwid to all adapter outputs, and + change the default adapter type created to `ovpn-dco`. + +Deprecated features +------------------- +``--opt-verify`` feature removed + This option was already deprecated and it is now being converted to a + no-op. Using this option will only print a warning. + Overview of changes in 2.6 ========================== 
diff --git a/version.m4 b/version.m4 index feed623fe..d60cc83a3 100644 --- a/version.m4 +++ b/version.m4 @@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [7]) -define([PRODUCT_VERSION_PATCH], [_rc1]) +define([PRODUCT_VERSION_PATCH], [_rc2]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
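Review bot: In the ChangeLog hunk, the new header `+2025.11.17 -- Version 2.7_rc2` carries a date two days later than this commit's own date (Sat, 15 Nov 2025); if the public release day is the 17th that is fine, but please confirm it is intentional, because the `2025.10.29 -- Version 2.7_rc1` entry directly below follows the same date-stamp convention and readers match these stamps against tag dates. Separately, the two security fixes the commit message flags as CVE-2025-12106 and CVE-2025-13086 appear here only as plain shortlog titles with no identifier attached; that is expected for a shortlog export, but it means ChangeLog alone does not tell a reader which rc2 entries are the security fixes, so keeping the CVE mapping in the release announcement and in Changes.rst is worth a note.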
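Review bot: In the second Changes.rst hunk, the new bullet uses single backticks (`tapctl.exe`, `ovpn-dco`) while every other option or binary name in this file uses double-backtick literals (``--push``, ``--mode server``, ``--opt-verify``); in reStructuredText a single-backtick span is the default interpreted-text role rather than a literal, so it renders differently, and the lines should read ``tapctl.exe`` and ``ovpn-dco``. Also, the entry relocated under the new `Deprecated features` heading keeps the title ``--opt-verify`` feature removed, while its body ("converted to a no-op. Using this option will only print a warning.") and the commit message ("deprecate ``--opt-verify`` (change into no-op + warning)") describe deprecation, not removal; a title along the lines of ``--opt-verify`` converted to a no-op would make the heading, the body and the section name agree.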