OpenVPN ChangeLog
Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
+2025.10.29 -- Version 2.7_rc1
+
+Antonio Quartulli (1):
+ sitnl: set FD_CLOEXEC on socket to prevent abuse
+
+Arne Schwabe (12):
+ Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
+ Avoid possible race condition that kill OpenVPN itself
+ Add ASSERT to afunix code that dev_node is always set up the way we expect
+ Warn if push is used without --mode server/--server/--server-bridge
+ Fix logic when pushed cipher triggers tun reopen and ignore more options
+ Install host routes for out-of-subnet ifconfig-push addresses when DCO is enabled
+ Remove --memstats feature
+ clean up environment variable handling in verify_user_pass_script
+ fix key_state_gen_auth_control_files probably checking file creation
+ Fix warnings about conversion from int to unsigned char/uint8_t
+ Ensure return value of snprintf is correctly checked
+ Ensure that get_sigtype always return non-NULL
+
+Christian Kujau (2):
+ doc: Fix hyperlinks in openvpn(8)
+ doc: HTTPS upgrades and URL fixes throughout the tree
+
+Frank Lichtenheld (18):
+ test_dhcp: Start a dhcp helper functions UT
+ CONTRIBUTING: Update outdated/obsolete information
+ schedule: Fix conversion warning
+ win32: Change some APIs to use DWORD instead of size_t
+ dhcp: Clean up type handling of write_dhcp_*
+ init: Fix datav2_enabled check in options import
+ socket: Wrap winsock functions to avoid common conversion warnings
+ proxy: factor out recv_char code common with socks proxy
+ proxy: factor out send code common with socks proxy
+ push_util: Make send_push_update static
+ ssl_util: Fix conversion warning in get_num_elements
+ push_util: Fix conversion warnings
+ multi: Fix wrong usage of mroute_extract_openvpn_sockaddr
+ mroute: Remove unused mask argument of mroute_get_in*
+ gremlin: Avoid some conversion warnings
+ crypto_backend: Change len argument of md_ctx_update to size_t
+ mudp/mtcp: Remove -Wconversion pragmas
+ manage: Change kill_by_addr to use better types for port/proto
+
+Gert Doering (3):
+ remove redundant PULL_DEFINED() macro definition
+ zeroize struct image in packet_id_persist_save() before writing to disk
+ OpenVPN Release 2.7_rc1
+
+Heiko Hund (2):
+ iservice: use interface index with netsh
+ iservice: check return value of MultiByteToWideChar
+
+Joshua Rogers (1):
+ tcp: apply CLOEXEC to accepted socket, not listener
+
+Lev Stipakov (1):
+ interactive.c: add the upper bound for startupdata size
+
+Marco Baffo (2):
+ PUSH_UPDATE server: remove old IP(s) from vhash after sending a message containing ifconfig(-ipv6)
+ PUSH_UPDATE server: invalid read bug-fix and unit-tests improvements
+
+Max Fillinger (1):
+ Zeroize tls-crypt-v2 client keys
+
+Ralf Lici (5):
+ options: warn and ignore --reneg-bytes/pkts when DCO is enabled
+ dco-freebsd: store peer stats directly in c2
+ dco: remove dco_read/write_bytes from dco_context_t
+ dco-freebsd: fix peer stats storage on client instances
+ management: ensure consistent BYTECOUNT timing on server
+
+Selva Nair (3):
+ pkcs11_management_id_get: Free certificate object after use
+ Canonicalize config_dir before comparing with the config file location
+ Add -lpathcch for mingw32 builds using autotools
+
+Steffan Karger (1):
+ Remove perf.c/perf.h
+
+
2025.10.13 -- Version 2.7_beta3
Arne Schwabe (2):
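Review bot: In the Arne Schwabe block, "fix key_state_gen_auth_control_files probably checking file creation" looks like a typo for "properly checking", and as written it leaves unclear whether the file-creation check was actually fixed. Packagers scan this list to decide what a release candidate changes, so it is worth correcting here. The same block has "Avoid possible race condition that kill OpenVPN itself" and "Ensure that get_sigtype always return non-NULL", where "kills" and "returns" would match the rest of the list.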
COPYING: license details only relevant to our Windows installers have
been updated and moved to the openvpn-build repo
+Improved BYTECOUNT support - more strictly adhere to timing interval
+ requested, correctly support client and server counters with Linux and
+ Windows DCO offloading.
+
+Improve compatibility with OpenSSL 3.6.0 (do not fail t_lpback selftest)
+
Deprecated features
-------------------
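Review bot: The two paragraphs added here cover BYTECOUNT and OpenSSL 3.6.0 compatibility but do not mention the hardening fixes that the ChangeLog lists for this release, for example "sitnl: set FD_CLOEXEC on socket to prevent abuse", "tcp: apply CLOEXEC to accepted socket, not listener", "Zeroize tls-crypt-v2 client keys" and "interactive.c: add the upper bound for startupdata size". A short paragraph naming them would let administrators see from the release notes that rc1 carries descriptor-inheritance, key-zeroization and input-bound fixes without reading the per-commit list. The two new paragraphs also differ in tense ("Improved" and "Improve").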
(number of users, link bytes read/written) and we do not except any
usage because of this.
+Using ``--push`` in a mode that is not ``--mode server`` will now print a
+ clear warning that this is an unsupported operation and might cause
+ negotiation failures.
+
+``--reneg-bytes`` and ``--reneg-packets`` do not work in DCO mode, and will
+ now print an appropriate warning.
+
+
User-visible Changes
--------------------
- Default for ``--topology`` changed to ``subnet`` for ``--mode server``.
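Review bot: The second added paragraph names ``--reneg-packets``, while the ChangeLog entry for the same change reads "options: warn and ignore --reneg-bytes/pkts when DCO is enabled". The option is spelled ``--reneg-pkts``, so a user searching the notes for the option in their config will not find it. That entry also says the options are ignored, which is more precise than "do not work" and should be stated here. Both new paragraphs describe warnings rather than deprecations, so they may fit better under "User-visible Changes" than ahead of that heading.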
define([PRODUCT_TARNAME], [openvpn])
define([PRODUCT_VERSION_MAJOR], [2])
define([PRODUCT_VERSION_MINOR], [7])
-define([PRODUCT_VERSION_PATCH], [_beta3])
+define([PRODUCT_VERSION_PATCH], [_rc1])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])