Preparing release 2.5.10

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/ChangeLog b/ChangeLog
index 3701823d5df3fc51ab51e80b14b5098d57166f25..250a06743b9ea5896dbffa6e35b803fee1a43406 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,20 @@
 OpenVPN Change Log
 Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
 
+2024.03.21 -- Version 2.5.10
+
+Arne Schwabe (1):
+      Add Apache2 linking with for new commits
+
+George Pchelkin (1):
+      fix typo: dhcp-options to dhcp-option in vpn-network-options.rst
+
+Lev Stipakov (3):
+      win32: Enforce loading of plugins from a trusted directory
+      interactive.c: disable remote access to the service pipe
+      interactive.c: Fix potential stack overflow issue
+
+
 2023.02.14 -- Version 2.5.9
 
 Arne Schwabe (6):

diff --git a/Changes.rst b/Changes.rst
index 3ba78c6c7a7f3870c49592a93f1d13d04f536201..59626c3ca545aebf89ec365f746f9d77c35bdd65 100644 (file)
--- a/Changes.rst
+++ b/Changes.rst
@@ -1,3 +1,31 @@
+Overview of changes in 2.5.10
+=============================
+Security fixes
+--------------
+- CVE-2024-27459: Windows: fix a possible stack overflow in the
+  interactive service component which might lead to a local privilege
+  escalation.
+  Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
+
+- CVE-2024-24974: Windows: disallow access to the interactive service
+  pipe from remote computers.
+  Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
+
+- CVE-2024-27903: Windows: disallow loading of plugins from untrusted
+  installation paths, which could be used to attack openvpn.exe via
+  a malicious plugin.  Plugins can now only be loaded from the OpenVPN
+  install directory, the Windows system directory, and possibly from
+  a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir.
+  Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
+
+User visible changes
+--------------------
+- License amendment: all NEW commits fall under a modified license that
+  explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL) -
+  see COPYING for details.  Existing code in the release/2.5 branch
+  will not been relicensed (only in release/2.6 and later branches).
+
+
 Overview of changes in 2.5.9
 ============================
 

diff --git a/version.m4 b/version.m4
index 53d1edf57d75e125994edb5b7b27f12bc1175cd2..c6afb8bd1d46a5ac6c52303d8ab8c316129de931 100644 (file)
--- a/version.m4
+++ b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [5])
-define([PRODUCT_VERSION_PATCH], [.9])
+define([PRODUCT_VERSION_PATCH], [.10])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,5,9,0])
+define([PRODUCT_VERSION_RESOURCE], [2,5,10,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])