diff --git a/ChangeLog b/ChangeLog index c0c06ffb4f8..fd869a1e139 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,41 @@ OpenVPN ChangeLog Copyright (C) 2002-2024 OpenVPN Inc +2024.06.20 -- Version 2.6.11 + +5andr0 (1): + Implement server_poll_timeout for socks + +Arne Schwabe (6): + Use snprintf instead of sprintf for get_ssl_library_version + Add bracket in fingerprint message and do not warn about missing verification + Replace macos11 with macos14 in github runners + Only run coverity scan in OpenVPN/OpenVPN repository + Workaround issue in LibreSSL crashing when enumerating digests/ciphers + Properly handle null bytes and invalid characters in control messages + +Franco Fichtner (1): + Allow to set ifmode for existing DCO interfaces in FreeBSD + +Frank Lichtenheld (6): + samples: Update sample configurations + documentation: make section levels consistent + phase2_tcp_server: fix Coverity issue 'Dereference after null check' + script-options.rst: Update ifconfig_* variables + LZO: do not use lzoutils.h macros + Remove "experimental" denotation for --fast-io + +Heiko Wundram (1): + Implement Windows CA template match for Crypto-API selector + +Lev Stipakov (2): + misc.c: remove unused code + interactive.c: Improve access control for gui<->service pipe + +Reynir Björnsson (1): + Only schedule_exit() once + + 2024.03.20 -- Version 2.6.10 Christoph Schug (1): diff --git a/Changes.rst b/Changes.rst index 029c807651b..5acebf3647b 100644 --- a/Changes.rst +++ b/Changes.rst @@ -1,3 +1,72 @@ +Overview of changes in 2.6.11 +============================= +Security fixes +-------------- +- CVE-2024-4877: Windows: harden interactive service pipe. + Security scope: a malicious process with "some" elevated privileges + (SeImpersonatePrivilege) could open the pipe a second time, tricking + openvn GUI into providing user credentials (tokens), getting full + access to the account openvpn-gui.exe runs as. + (Zeze with TeamT5) + +- CVE-2024-5594: control channel: refuse control channel messages with + nonprintable characters in them. Security scope: a malicious openvpn + peer can send garbage to openvpn log, or cause high CPU load. + (Reynir Björnsson) + +- CVE-2024-28882: only call schedule_exit() once (on a given peer). + Security scope: an authenticated client can make the server "keep the + session" even when the server has been told to disconnect this client + (Reynir Björnsson) + +New features +------------ +- Windows Crypto-API: Implement Windows CA template match for searching + certificates in windows crypto store. + +- support pre-created DCO interface on FreeBSD (OpenVPN would fail to + set ifmode p2p/subnet otherwise) + +Bugfixes +-------- +- fix connect timeout when using SOCKS proxies (trac #328, github #267) + +- work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers + (LibreSSL bug, already fixed upstream, but not backported to OpenBSD 7.5, + see also https://github.com/libressl/openbsd/issues/150) + +- Add bracket in fingerprint message and do not warn about missing + verification (github #516) + +Documentation +------------- +- remove "experimental" denotation for --fast-io + +- correctly document ifconfig_* variables passed to scripts (script-options.rst) + +- documentation: make section levels consistent + +- samples: Update sample configurations + remove compression & old cipher settings, add more informative comments + +Code maintenance +---------------- +- remove usage of header & macro, discouraged by upstream + +- only run coverity scans in OpenVPN/OpenVPN repository (= do not spam + owners of cloned repos with "cannot run this" messages) + +- replace macOS 11 github runners with macOS 14 + +- remove some unused code in misc.c (leftover from commit 3a4fb1) + +- phase2_tcp_server: fix Coverity issue 'Dereference after null check' + - the code itself was correct, just doing needless checks + +- Use snprintf instead of sprintf for get_ssl_library_version + - the code itself was correct, but macOS clang dislikes sprintf() + + Overview of changes in 2.6.10 ============================= Security fixes diff --git a/version.m4 b/version.m4 index fbe6bc9817f..1d91f0642bf 100644 --- a/version.m4 +++ b/version.m4 @@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [6]) -define([PRODUCT_VERSION_PATCH], [.10]) +define([PRODUCT_VERSION_PATCH], [.11]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net]) -define([PRODUCT_VERSION_RESOURCE], [2,6,9,0]) +define([PRODUCT_VERSION_RESOURCE], [2,6,11,0]) dnl define the TAP version define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])