From 4281449ba4db2de57375aa7087ef5920aeba10de Mon Sep 17 00:00:00 2001 
From: Gert Doering
Date: Tue, 28 Oct 2025 20:04:58 +0100
Subject: [PATCH] OpenVPN Release 2.7_rc1

version.m4, ChangeLog, Changes.rst

Changes.rst has not received a "2.7_rc1" section - it has the "highlevel"
overview of what is new in 2.7, but for alpha/beta releases it's better
to look at git log to see what has been added/fixed.

Notable changes beta3 -> rc1 are:

- even more type conversion related warnings have been fixed
- more bugfixes related to BYTECOUNT display on the management interface
  and byte counters on DCO platforms in general
- numerous minibugs reported by ZeroPath AI have been fixed (small
  memleaks, possible file descriptor leaks, improved sanity checks,
  add ASSERT() on function contracts, etc.)
- add warning for unsupported combination of --push and --tls-server
- add warning for unsupported combination of --reneg-bytes or --reneg-pkts
  with DCO
- remove perf_push()/perf_pop() infrastructure (because it did not work
  anymore, and compiler profiling will give better results today)
- ensure compatibility with OpenSSL 3.6.0 - specifically, do not crash in
  t_lpback.sh trying to use new encrypt-then-mac (ETM) ciphers
- improved PUSH_UPDATE server side support, which now handles changes of
  pushed ifconfig/ifconfig-ipv6 addresses correctly (send packets to new
  IP addresses to this client, stop sending packets to the old addresses).
- improve CONTRIBUTING documentation
- add unit test for DHCP packet infrastructure
- freshen URLs all over the tree, and change to HTTPS where possible
- on DCO Linux/FreeBSD, add support for clients receiving an IPv4/IPv6
  address that is not part of the --server/--server-ipv6 subnet
  (= install extra on-interface host routes).
- Windows programs use a new API for path name canonicalization now
  (PathCchCanonicalizeEx()) which will break building with MinGW on
  Ubuntu 22.04 -> Upgrade to 24.04 to make builds work again.
- on Windows, when setting up WINS servers using netsh, use interface index instead of adapter name now ("as for all other netsh calls") - remove undocumented and unused --memstats feature Signed-off-by: Gert Doering --- ChangeLog | 81 +++++++++++++++++++++++++++++++++++++++++++++++++++++ Changes.rst | 14 +++++++++ version.m4 | 2 +- 3 files changed, 96 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 1e9e0eced..e6ac4a058 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,6 +1,87 @@ OpenVPN ChangeLog Copyright (C) 2002-2025 OpenVPN Inc +2025.10.29 -- Version 2.7_rc1 + +Antonio Quartulli (1): + sitnl: set FD_CLOEXEC on socket to prevent abuse + +Arne Schwabe (12): + Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0 + Avoid possible race condition that kill OpenVPN itself + Add ASSERT to afunix code that dev_node is always set up the way we expect + Warn if push is used without --mode server/--server/--server-bridge + Fix logic when pushed cipher triggers tun reopen and ignore more options + Install host routes for out-of-subnet ifconfig-push addresses when DCO is enabled + Remove --memstats feature + clean up environment variable handling in verify_user_pass_script + fix key_state_gen_auth_control_files probably checking file creation + Fix warnings about conversion from int to unsigned char/uint8_t + Ensure return value of snprintf is correctly checked + Ensure that get_sigtype always return non-NULL + +Christian Kujau (2): + doc: Fix hyperlinks in openvpn(8) + doc: HTTPS upgrades and URL fixes throughout the tree + +Frank Lichtenheld (18): + test_dhcp: Start a dhcp helper functions UT + CONTRIBUTING: Update outdated/obsolete information + schedule: Fix conversion warning + win32: Change some APIs to use DWORD instead of size_t + dhcp: Clean up type handling of write_dhcp_* + init: Fix datav2_enabled check in options import + socket: Wrap winsock functions to avoid common conversion warnings + proxy: factor out recv_char code common with socks proxy + proxy: factor out send code common with socks proxy + push_util: Make send_push_update static + ssl_util: Fix conversion warning in get_num_elements + push_util: Fix conversion warnings + multi: Fix wrong usage of mroute_extract_openvpn_sockaddr + mroute: Remove unused mask argument of mroute_get_in* + gremlin: Avoid some conversion warnings + crypto_backend: Change len argument of md_ctx_update to size_t + mudp/mtcp: Remove -Wconversion pragmas + manage: Change 
kill_by_addr to use better types for port/proto + +Gert Doering (3): + remove redundant PULL_DEFINED() macro definition + zeroize struct image in packet_id_persist_save() before writing to disk + OpenVPN Release 2.7_rc1 + +Heiko Hund (2): + iservice: use interface index with netsh + iservice: check return value of MultiByteToWideChar + +Joshua Rogers (1): + tcp: apply CLOEXEC to accepted socket, not listener + +Lev Stipakov (1): + interactive.c: add the upper bound for startupdata size + +Marco Baffo (2): + PUSH_UPDATE server: remove old IP(s) from vhash after sending a message containing ifconfig(-ipv6) + PUSH_UPDATE server: invalid read bug-fix and unit-tests improvements + +Max Fillinger (1): + Zeroize tls-crypt-v2 client keys + +Ralf Lici (5): + options: warn and ignore --reneg-bytes/pkts when DCO is enabled + dco-freebsd: store peer stats directly in c2 + dco: remove dco_read/write_bytes from dco_context_t + dco-freebsd: fix peer stats storage on client instances + management: ensure consistent BYTECOUNT timing on server + +Selva Nair (3): + pkcs11_management_id_get: Free certificate object after use + Canonicalize config_dir before comparing with the config file location + Add -lpathcch for mingw32 builds using autotools + +Steffan Karger (1): + Remove perf.c/perf.h + + 2025.10.13 -- Version 2.7_beta3 Arne Schwabe (2): diff --git a/Changes.rst b/Changes.rst index 41af103bf..8bdb2b0a0 100644 --- a/Changes.rst +++ b/Changes.rst @@ -170,6 +170,12 @@ Improved logging of service events/errors to event log on Windows. COPYING: license details only relevant to our Windows installers have been updated and moved to the openvpn-build repo +Improved BYTECOUNT support - more strictly adhere to timing interval + requested, correctly support client and server counters with Linux and + Windows DCO offloading. + +Improve compatibility with OpenSSL 3.6.0 (do not fail t_lpback selftest) + Deprecated features ------------------- 
@@ -223,6 +229,14 @@ Compression on send has been removed. (number of users, link bytes read/written) and we do not except any usage because of this. +Using ``--push`` in a mode that is not ``--mode server`` will now print a + clear warning that this is an unsupported operation and might cause + negotiation failures. + +``--reneg-bytes`` and ``--reneg-packets`` do not work in DCO mode, and will + now print an appropriate warning. + + User-visible Changes -------------------- - Default for ``--topology`` changed to ``subnet`` for ``--mode server``. diff --git a/version.m4 b/version.m4 index 916a640f7..feed623fe 100644 --- a/version.m4 +++ b/version.m4 @@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [7]) -define([PRODUCT_VERSION_PATCH], [_beta3]) +define([PRODUCT_VERSION_PATCH], [_rc1]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) -- 2.47.3
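Review bot: the new ChangeLog section is dated 2025.10.29 while the patch's Date: header says Tue, 28 Oct 2025, so the two records of the release disagree by a day; if the tag is going to be cut on the 29th that is intentional, otherwise the ChangeLog date should match the release commit. The entries themselves are shortlog subjects, so the typos copied from the commits ("race condition that kill OpenVPN itself", "get_sigtype always return non-NULL", "probably checking file creation") are best left as they are so the ChangeLog stays greppable against git log.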
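Review bot: the added BYTECOUNT paragraph in Changes.rst (hunk @@ -170) names only "Linux and Windows DCO offloading", but the same release's ChangeLog lists two dco-freebsd fixes for exactly this counter work ("store peer stats directly in c2", "fix peer stats storage on client instances"), so the platform list looks incomplete; either add FreeBSD or just say "DCO offloading". Minor: the two new paragraphs mix tenses ("Improved BYTECOUNT support" vs "Improve compatibility with OpenSSL 3.6.0"), while the surrounding entries such as "Improved logging of service events/errors" use the past participle, so "Improved compatibility" would read consistently.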
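Review bot: the option is written ``--reneg-packets`` in the Changes.rst hunk @@ -223 but ``--reneg-pkts`` both in the ChangeLog entry ("options: warn and ignore --reneg-bytes/pkts when DCO is enabled") and in the commit message; since Changes.rst is the user-facing document it should use the same spelling the code and ChangeLog use, i.e. ``--reneg-pkts``. In the same hunk the push warning is described as applying to "a mode that is not ``--mode server``", which matches the ChangeLog subject ("Warn if push is used without --mode server/--server/--server-bridge") but not the commit message, which calls it a --push/--tls-server combination; one of the two descriptions should be aligned with the other. Also, the hunk leaves two blank lines before the "User-visible Changes" heading where the rest of the file uses one, and the untouched context line right above it ("we do not except any usage") carries a pre-existing "except"/"expect" typo that could be fixed while this section is being edited anyway.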