From 9b0dafca6c50b8bb51f4851bd1361773d2bcded0 Mon Sep 17 00:00:00 2001
From: Gert Doering
Date: Thu, 16 Apr 2020 12:47:37 +0200
Subject: [PATCH] Preparing release v2.4.9 (ChangeLog, version.m4, Changes.rst)

Signed-off-by: Gert Doering
---
 ChangeLog | 37 +++++++++++++++++++++++++++++++++++++
 Changes.rst | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 version.m4 | 4 ++--
 3 files changed, 89 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 8d16faad5..b0b0dd716 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,43 @@
 OpenVPN Change Log
 Copyright (C) 2002-2018 OpenVPN Inc
 
+2020.04.16 -- Version 2.4.9
+Antonio Quartulli (1):
+ socks: use the right function when printing struct openvpn_sockaddr
+
+Arne Schwabe (3):
+ Fetch OpenSSL versions via source/old links
+ Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
+ Fix OpenSSL 1.1.1 not using auto elliptic curve selection
+
+Lev Stipakov (4):
+ Fix broken fragmentation logic when using NCP
+ Fix building with --enable-async-push in FreeBSD
+ Fix broken async push with NCP is used
+ Fix illegal client float (CVE-2020-11810)
+
+Maxim Plotnikov (1):
+ OpenSSL: Fix --crl-verify not loading multiple CRLs in one file
+
+Santtu Lakkala (1):
+ Fix OpenSSL private key passphrase notices
+
+Selva Nair (7):
+ Swap the order of checks for validating interactive service user
+ Move querying username/password from management interface to a function
+ When auth-user-pass file has no password query the management interface (if available).
+ Fix possibly uninitialized return value in GetOpenvpnSettings()
+ Fix possible access of uninitialized pipe handles
+ Skip expired certificates in Windows certificate store
+ Allow unicode search string in --cryptoapicert option
+
+Tom van Leeuwen (1):
+ mbedTLS: Make sure TLS session survives move
+
+WGH (1):
+ docs: Add reference to X509_LOOKUP_hash_dir(3)
+
+
 2019.10.30 -- Version 2.4.8
 Antonio Quartulli (1):
 mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free()
diff --git a/Changes.rst b/Changes.rst
index 65d1eb38a..fee48e251 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -321,6 +321,56 @@ Maintainer-visible changes
 i386/i686 builds on RHEL5.
 
 
+Version 2.4.9
+=============
+This is primarily a maintenance release with minor bugfixes and improvements.
+
+New features
+------------
+- Allow unicode search string in --cryptoapicert option (Windows)
+
+User visible changes
+--------------------
+- Skip expired certificates in Windows certificate store (Windows) (trac #966)
+
+- OpenSSL: Fix --crl-verify not loading multiple CRLs in one file (trac #623)
+
+- When using "--auth-user-pass file" with just a username and no password
+ in the file, OpenVPN now queries the management interface (if active)
+ for the credentials. Previously it would query the console for the
+ password, and fail if no console available (normal case on Windows)
+ (trac #757)
+
+- Swap the order of checks for validating interactive service user
+ (Windows: check config location before querying domain controller for
+ group membership, which can be slow)
+
+
+Bug fixes
+---------
+- fix condition where a client's session could "float" to a new IP address
+ that is not authorized ("fix illegal client float").
+
+ This can be used to disrupt service to a freshly connected client (no
+ session keys negotiated yet). It can not be used to inject or steal
+ VPN traffic. CVE-2020-11810, trac #1272).
+
+- fix combination of async push (deferred auth) and NCP (trac #1259)
+
+- Fix OpenSSL 1.1.1 not using auto elliptic curve selection (trac #1228)
+
+- Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
+
+- mbedTLS: Make sure TLS session survives move (trac #880)
+
+- Fix OpenSSL private key passphrase notices
+
+- Fix building with --enable-async-push in FreeBSD (trac #1256)
+
+- Fix broken fragmentation logic when using NCP (trac #1140)
+
+
+
 Version 2.4.8
 =============
 This is primarily a maintenance release with minor bugfixes and improvements.
diff --git a/version.m4 b/version.m4
index a6fa16221..2e23539a6 100644
--- a/version.m4
+++ b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [4])
-define([PRODUCT_VERSION_PATCH], [.8])
+define([PRODUCT_VERSION_PATCH], [.9])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,4,8,0])
+define([PRODUCT_VERSION_RESOURCE], [2,4,9,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
-- 
2.47.2