preparing release 2.6.15

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering <[email protected]>

Author: cron2

ChangeLog

@@ -1,6 +1,55 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2025 OpenVPN Inc <[email protected]>
 
+2025.09.22 -- Version 2.6.15
+
+Antonio Quartulli (1):
+      dco: add standard mi prefix handling to multi_process_incoming_dco()
+
+Arne Schwabe (1):
+      Check message id/acked ids too when doing sessionid cookie checks
+
+Frank Lichtenheld (6):
+      GHA: Pin version of CMake for MinGW build
+      GHA: Dependency and Actions update April 2025 (2.6)
+      GHA: Update dependencies July 2025 (2.6)
+      Fix compiler warning in reliable.c with --disable-debug
+      dco linux: avoid redefining ovpn enums (2.6)
+      Update text of GPL to latest version from FSF
+
+Gert Doering (7):
+      unit_tests/plugins/auth-pam: fix stdint.h related build error on fedora 42
+      Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file
+      replace assert() calls with ASSERT()
+      remove newline characters at the end of msg() calls
+      fix building of openvpnsrvmsg.dll from eventmsg.mc in mingw builds
+      Fix t_net.sh / networking_testdriver after 'broadcast' change
+      preparing release 2.6.15
+
+Klemens Nanni (1):
+      Fix tmp-dir documentation
+
+Kristof Provost (1):
+      dco: support float notifications on FreeBSD
+
+Lev Stipakov (6):
+      dco-win: Ensure correct OVERLAPPED scope
+      win: replace wmic invocation with powershell
+      openvpnserv: Fix writing messages to the event log
+      Validate DNS domain name before powershell invocation
+      Makefile: fix 'make dist'
+      GHA: collect more artifacts for mingw builds
+
+Ralf Lici (1):
+      dco: backport OS-independent part of peer float support
+
+Sebastian Marsching (1):
+      Bugfix: Set broadcast address on interface.
+
+rein.vanbaaren (1):
+      Fix MBEDTLS_DEPRECATED_REMOVED build errors
+
+
 2025.04.02 -- Version 2.6.14
 
 Arne Schwabe (1):

Changes.rst

@@ -1,3 +1,73 @@
+Overview of changes in 2.6.15
+=============================
+New features / User visible changes
+-----------------------------------
+- on Windows, do not use "wmic.exe" any longer to set DNS search domain
+  (discontinued by Microsoft), use "powershell" fragment instead.
+
+- on Windows, logging to the windows event log has been improved
+  (and logging of GetLastError() strings repaired).  To make this work,
+  a new "openvpnmsgserv.dll" library is now installed and registered.
+
+- DNS domain names are now strictly validated with a positive-list of
+  allowed characters (including UTF-8 high-bit-set bytes) before being
+  handed to powershell.
+
+- Apply more checks to incoming TLS handshake packets before creating
+  new state - namely, verify message ID / acked ID for "valid range for
+  an initial packet".  This fixes a problem with clients that float
+  very early but send control channel packet from the pre-float IP
+  (Github: OpenVPN/openvpn#704), backported from 2.7_beta1.
+
+- backport handling of client float notifications on FreeBSD 14/STABLE DCO
+  (see https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289303)
+
+- update GPL license text to latest version from FSF
+
+- on Linux, on interfaces where applicable, OpenVPN explicitly configures
+  the broadcast address again.  This was dropped for 2.6.0 "because
+  computers are smart and can do it themselves", but the kernel netlink
+  interface isn't, and will install "0.0.0.0".  This does not normally
+  matter, but for broadcast-based applications that get the address to
+  use from "ifconfig", this change repairs functionality.
+
+
+Code maintenance
+----------------
+- remove a few extra newline characters at the end of rarely-seen log lines
+
+- replace assert() calls in the code with OpenVPN ASSERT() calls
+  (not subject to -DNDEBUG, plus better logging on the actual cause)
+
+- remove "dh 20248.pem" from all sample configurations, remove "dh2048.pem"
+  file from source tree - OpenSSL 3.5 Seclevel=3 considers this "not
+  secure enough" and OpenVPN has not needed an explit DH file in a long while.
+
+- properly handle "old Linux DCO" enum definitions conflicting with
+  "new Linux DCO" kernel headers (uapi/linux/if_link.h)
+
+- fix stdint.h related build errors on Fedora 42
+
+- GHA: update dependencies, pin CMake version
+
+- fix MBEDTLS_DEPRECATED_REMOVED build errors (improve compatibility with
+  recent versions of mbedTLS)
+
+
+Documentation Updates
+---------------------
+- improve ``--tmp-dir`` documentation
+
+
+Bugfixes
+--------
+- dco-win: fix a possible "out of scope" access on access to the
+  "OVERLAPPED" Structure (backport of master commit f60a493)
+
+- bring back configuring of broadcast address on Linux tun/tap interface
+  (see above)
+
+
 Overview of changes in 2.6.14
 =============================
 Security fixes

version.m4

@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [6])
-define([PRODUCT_VERSION_PATCH], [.14])
+define([PRODUCT_VERSION_PATCH], [.15])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [[email protected]])
-define([PRODUCT_VERSION_RESOURCE], [2,6,14,0])
+define([PRODUCT_VERSION_RESOURCE], [2,6,15,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])