From 31ef3d66c20e62cd6cc87a6b9f9c9987b889335c Mon Sep 17 00:00:00 2001 
From: Gert Doering
Date: Thu, 27 Nov 2025 09:49:36 +0100
Subject: [PATCH] OpenVPN Release 2.7_rc3

version.m4, ChangeLog, Changes.rst

Changes.rst has not received a "2.7_rc3" section - it has the "highlevel"
overview of what is new in 2.7, but for alpha/beta/rc* releases it's better
to look at git log to see what has been added/fixed.

Notable changes rc2 -> rc3 are:

- Windows/Interactive Service bugfixes
  many small bugfixes to registry-related DNS domain handling

- Windows/Interactive Service: harden service pipe handling
  close a small race condition, and add restrictive ACLs

- Windows/Interactive Service: CVE-2025-13751
  fix bug where the interactive service would error-exit in certain
  error conditions instead of just logging the fact and continuing.
  After the error-exit, OpenVPN connections will no longer work until
  the service is restarted (or the system rebooted). This can be
  triggered by any authenticated local user, and has thus been
  classified as a "local denial of service" attack.

- more type conversion related warnings have been fixed

- --multihome behaviour regarding egress interface selection has been
  changed. See Changes.rst and manpage for details.

- cleanup dead code in event handling code (leftover of the multisocket
  patch set)

- add new feature, --tls-crypt-v2-max-age n. See Changes.rst and manpage
  for details.
- improve documentation to point out the pitfalls of case-insensitive
  filesystems and --client-config-dir

- split default gateway query logic in two:
  - for --redirect-gateway functionality, query for the gateway towards
    the actual IP address of the VPN server connecting to
  - for the "net_gateway" special destination for --route, and the
    corresponding environment variable, always query for 0.0.0.0 / ::
  (this will only make a difference in certain scenarios using a local
  proxy, or on a system with multiple interfaces, not using the "default
  route" for the VPN connection - see github#890)

- upgrade embedded pkcs11-helper vcpkg + pkcs11-uri patch to 1.31

- CMake / autoconf cleanup wrt unused checks, outdated old-Linux checks,
  Windows oddities

- DCO (primarily Linux): improve handling of bulk notifications from
  kernel (do not lose notifications, do not crash) (github#900)

Signed-off-by: Gert Doering
---
 ChangeLog   | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 Changes.rst |  6 +++++-
 version.m4  |  2 +-
 3 files changed, 58 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index efc533b91..12bfaac54 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,58 @@ OpenVPN ChangeLog Copyright (C) 2002-2025 OpenVPN Inc +2025.11.28 -- Version 2.7_rc3 + +Frank Lichtenheld (9): + doc: Document potential filesystem pitfalls of client-config-dir + GHA: Maintenance update November 2025 + GHA: Add macos-26 and remove OpenSSL 1.1 builds on macOS + tls_crypt: Fix Coverity complaint in tls_crypt_v2_check_client_key_age + Changes.rst: Fix various syntax errors and typos + error: Allow status argument to check_status to be ssize_t + Linux: Assume we have a kernel that was release in the last 15 years + configure/CMake: Remove unused checks + configure/CMake: Unify Windows handling + +Gert Doering (4): + Change '--multihome' behaviour regarding egress interface selection. + extract_x509_field_ssl(): verify that X509_NAME is not NULL. + Remove remainders of --no-name-remapping option + OpenVPN Release 2.7_rc3 + +Gianmarco De Gregori (2): + multi-socket: remove duplicated/dead code + multi-socket: do not return tuntap flags on server-side + +Heiko Hund (9): + iservice: fix buffer size in call to FormatMessage + iservice: make sure buffer size is not zero + iservice: make sure registry string is terminated + iservice: check for NULL pointer + iservice: fix calculation of converted domains size + iservice: return correct size when domains are truncated + iservice: handle ignoring itf domains correctly + iservice: fix off by one error + iservice: rename one_glyph to glyph_size + +Lev Stipakov (1): + interactive.c: harden pipe handling against misbehaving clients + +Marco Baffo (1): + route: handle default gateway (net_gateway) and nexthop towards VPN server separately + +Max Fillinger (1): + Add option to check tls-crypt-v2 key timestamps + +Ralf Lici (1): + dco: process messages immediately after read + +Selva Nair (3): + vcpkg-ports/pkcs11-helper: bump version to 1.31 + Harden interactive service pipe + Restrict access to the service pipe to SYSTEM and owner + + 2025.11.17 -- Version 2.7_rc2 Antonio Quartulli (4): 
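Review bot: the new ChangeLog section is dated 2025.11.28 while the patch's Date header reads Thu, 27 Nov 2025; confirm the intended release date so the ChangeLog header, the tag and the announcement agree. Minor: the entry "Linux: Assume we have a kernel that was release in the last 15 years" carries a typo ("release" for "released") inherited from the commit subject; since ChangeLog mirrors git shortlog it should stay as is unless that commit is reworded before the tag.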
diff --git a/Changes.rst b/Changes.rst index 20d89573a..d3c4eda26 100644 --- a/Changes.rst +++ b/Changes.rst @@ -177,6 +177,10 @@ Improved BYTECOUNT support - more strictly adhere to timing interval Improve compatibility with OpenSSL 3.6.0 (do not fail t_lpback selftest) +New option ``--tls-crypt-v2-max-age n`` to check tls-crypt-v2 timestamps + (When a client is older than n days or has no timestamp, the server + will reject it) + Deprecated features ------------------- @@ -260,7 +264,7 @@ User-visible Changes - ``--lport 0`` does not imply ``--bind`` anymore. -- ``--redirect--gateway`` now works correctly if the VPN remote is not +- ``--redirect-gateway`` now works correctly if the VPN remote is not reachable by the default gateway. - ``--show-gateway`` now supports querying the gateway for IPv4 addresses. diff --git a/version.m4 b/version.m4 index d60cc83a3..df4e1ec4f 100644 --- a/version.m4 +++ b/version.m4 @@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [7]) -define([PRODUCT_VERSION_PATCH], [_rc2]) +define([PRODUCT_VERSION_PATCH], [_rc3]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) -- 2.47.3
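Review bot: in the Changes.rst hunk, the parenthetical "When a client is older than n days or has no timestamp" describes the age of the client's tls-crypt-v2 key, not of the client itself (cf. the ChangeLog entries "Add option to check tls-crypt-v2 key timestamps" and "tls_crypt_v2_check_client_key_age"); suggest "(when a client key is older than n days or carries no timestamp, the server will reject it)", lower-cased to match the neighbouring "(do not fail t_lpback selftest)". Separately, the CVE-2025-13751 interactive service fix and the restrictive service-pipe ACLs called out in the commit message get no Changes.rst entry; users scan Changes.rst for security-relevant changes, so a one-line entry in the same section would help even though rc-level detail otherwise lives in git log.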