author    Gert Doering  2017-06-19 21:02:22 +0200
committer Gert Doering  2017-06-20 13:05:52 +0200
commit    8ec9cfdd5f898793321ccdcc8d124216bac80537 (patch)
tree      5fd9f32f891442cb8f5c1891d7d59fef66aa4eda
parent    fc61d1bda112ffc669dbde961fab19f60b3c7439 (diff)
download  openvpn-2.3.17.zip
          openvpn-2.3.17.tar.gz

Preparing for release v2.3.17 (ChangeLog, version.m4, Changes.rst)  [tag: v2.3.17]

General cleanup help, UTF8 fixes, whitespace and quoting fixes for ChangeLog
and Changes.rst provided by David Sommerseth <davids@openvpn.net>

Signed-off-by: Gert Doering <gert@greenie.muc.de>

 ChangeLog   |  29
 Changes.rst | 215
 version.m4  |   4
3 files changed, 187 insertions, 61 deletions
diff --git a/ChangeLog b/ChangeLog
index bf6122c..a9e57bc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,35 @@
OpenVPN Change Log
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
+2017.06.21 -- Version 2.3.17
+
+David Sommerseth (2):
+ backport: Ignore auth-nocache for auth-user-pass if auth-token is pushed
+ auth-token with auth-nocache fix broke --disable-crypto builds
+
+Gert Doering (2):
+ Fix potential 1-byte overread in TCP option parsing.
+ Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
+
+Guido Vranken (6):
+ refactor my_strupr
+ Fix 2 memory leaks in proxy authentication routine
+ Fix memory leak in add_option() for option 'connection'
+ Ensure option array p[] is always NULL-terminated
+ Fix a null-pointer dereference in establish_http_proxy_passthru()
+ Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
+
+Jérémie Courrèges-Anglas (2):
+ Fix an unaligned access on OpenBSD/sparc64
+ Missing include for socket-flags TCP_NODELAY on OpenBSD
+
+Steffan Karger (4):
+ openssl: fix overflow check for long --tls-cipher option
+ Fix remote-triggerable memory leaks (CVE-2017-7521)
+ Restrict --x509-alt-username extension types
+ Fix potential double-free in --x509-alt-username (CVE-2017-7521)
+
+
2017.05.18 -- Version 2.3.16
Antonio Quartulli (1):
fix redirect-gateway behaviour when an IPv4 default route does not exist
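Review bot: the two Steffan Karger entries at the end of the new 2.3.17 block name the option "--x509-alt-username" (both "Restrict --x509-alt-username extension types" and "Fix potential double-free in --x509-alt-username (CVE-2017-7521)"), while the Changes.rst text added in this same patch describes the double-free as affecting "--x509-username-field" with an "ext:" argument. The ChangeLog reproduces the commit subjects, so the mismatch is probably inherited, but anyone grepping the release notes for the option they actually configure will miss these lines; suggest either rewording the ChangeLog entries to "--x509-username-field" or at least making the two files agree.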
diff --git a/Changes.rst b/Changes.rst
index 761302e..b9fe6d5 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -64,10 +64,10 @@ Behavioral changes
- Remove --enable-password-save option to configure, this is now always enabled
-- Disallow usage of --server-poll-timeout in --secret key mode
+- Disallow usage of ``--server-poll-timeout`` in ``--secret`` key mode
-- The second parameter of --ifconfig is no longer a "remote address" but a
- "netmask" when using --dev tun and --topology subnet
+- The second parameter of ``--ifconfig`` is no longer a "remote address" but a
+ "netmask" when using ``--dev tun`` and -``-topology subnet``
- Automatic TLS version negotiation may cause issues in certain cases.
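Review bot: the added continuation line "+ "netmask" when using ``--dev tun`` and -``-topology subnet``" has the opening backticks one character too far right: the first dash sits outside the inline literal and the literal begins with a single dash, so it renders as "-`-topology subnet`" instead of the intended option name. Suggest "when using ``--dev tun`` and ``--topology subnet``".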
@@ -81,14 +81,14 @@ Behavioral changes
- Always load intermediate certificates from a PKCS#12 file, instead of ignoring
them
-- Remove the --disable-eurephia configure option
+- Remove the ``--disable-eurephia`` configure option
-- Remove the support for using system() when executing external programs or
+- Remove the support for using ``system()`` when executing external programs or
scripts
- Inline files are now always enabled
-- Remove the --auto-proxy option (now handled via management interface)
+- Remove the ``--auto-proxy`` option (now handled via management interface)
- Directory layout restructuring
@@ -100,10 +100,79 @@ Behavioral changes
- Made some options connection-entry specific
-- Make '--win-sys env' default
+- Make ``--win-sys env`` default
- Do not randomize resolving of IP addresses in getaddr()
+
+Version 2.3.17
+==============
+
+Security fixes
+--------------
+- CVE-2017-7521: Fix post-authentication remote-triggerable memory leaks
+ A client could cause a server to leak a few bytes each time it connects to the
+ server. That can eventuall cause the server to run out of memory, and thereby
+ causing the server process to terminate. Discovered and reported to the
+ OpenVPN security team by Guido Vranken. (OpenSSL builds only.)
+
+- CVE-2017-7521: Fix a potential post-authentication remote code execution
+ attack on servers that use the ``--x509-username-field`` option with an X.509
+ extension field (option argument prefixed with ``ext:``). A client that can
+ cause a server to run out-of-memory (see above) might be able to cause the
+ server to double free, which in turn might lead to remote code execution.
+ Discovered and reported to the OpenVPN security team by Guido Vranken.
+ (OpenSSL builds only.)
+
+- CVE-2017-7520: Pre-authentication remote crash/information disclosure for
+ clients. If clients use a HTTP proxy with NTLM authentication (i.e.
+ ``--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2``),
+ a man-in-the-middle attacker between the client and the proxy can cause
+ the client to crash or disclose at most 96 bytes of stack memory. The
+ disclosed stack memory is likely to contain the proxy password. If the
+ proxy password is not reused, this is unlikely to compromise the security
+ of the OpenVPN tunnel itself. Clients who do not use the ``--http-proxy``
+ option with ntlm2 authentication are not affected.
+
+- CVE-2017-7508: Fix remotely-triggerable ``ASSERT()`` on malformed IPv6 packet.
+ This can be used to remotely shutdown an openvpn server or client, if
+ IPv6 and ``--mssfix`` are enabled and the IPv6 networks used inside the VPN
+ are known.
+
+- Fix potential 1-byte overread in TCP option parsing.
+- fix null-pointer dereference when talking to a malicious http proxy
+ that returns a malformed ``Proxy-Authenticate:`` headers for digest auth.
+- fix overflow check for long ``--tls-cipher`` option
+
+
+Bug fixes
+---------
+- Fix SIGSEGV crash on unaligned access on OpenBSD/sparc64
+
+- Fix TCP_NODELAY on OpenBSD
+
+
+Behavioural Changes
+-------------------
+- Ignore auth-nocache for auth-user-pass if auth-token is pushed
+
+
+Version 2.3.16
+==============
+
+Security fixes
+--------------
+- Re-roll release because two different tarballs for 2.3.15 were created,
+ one of them missing a relevant security fix. 2.3.16 has everything.
+
+- Windows: Check for errors in the return value of ``GetModuleFileNameW()``
+
+
+Bug fixes
+---------
+- Fix ``--redirect-gateway`` behaviour when an IPv4 default route does not exist
+
+
Version 2.3.15
==============
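Review bot: the new user-facing 2.3.17 security text carries a few typos and inconsistencies that are worth fixing before it ships in a release tarball: "That can eventuall cause the server to run out of memory, and thereby causing the server process to terminate" should read "That can eventually cause the server to run out of memory and thereby terminate the server process"; "If clients use a HTTP proxy" should be "an HTTP proxy"; "remotely shutdown an openvpn server" should be "remotely shut down"; and "returns a malformed ``Proxy-Authenticate:`` headers" mixes singular and plural. Within the same list the first four bullets are capitalised but "fix null-pointer dereference" and "fix overflow check" are not, and the section heading "Behavioural Changes" differs from the "Behavioral changes" spelling and case used everywhere else in this file (see the hunk headers above), which matters if anyone links to the generated anchor.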
@@ -120,6 +189,7 @@ Security fixes
would need to get us to send at least about 196 GB of data.
(OSTIF/Quarkslab audit finding 5.2, CVE-2017-7479)
+
Version 2.3.14
==============
@@ -128,16 +198,17 @@ Behavioral changes
- On the client side recursively routed packets, which have same destination
as the VPN server, are dropped. This could be disabled with
- --allow-recursive-routing option.
+ ``--allow-recursive-routing`` option.
+
Version 2.3.13
==============
-- Enforcing a new default value for --reneg-bytes for known weaker ciphers
+- Enforcing a new default value for ``--reneg-bytes`` for known weaker ciphers
Ciphers with cipher blocks less than 128 bits will now do a renegotiation
of the tunnel by default for every 64MB of data. This behaviour can be
- overridden by explicitly setting --reneg-bytes 0 in the configuration file,
+ overridden by explicitly setting ``--reneg-bytes 0`` in the configuration file,
however this is HIGHLY discouraged.
This is to reduce the risk for SWEET32 attacks. The general recommendation
@@ -148,6 +219,7 @@ Version 2.3.13
when such weaker ciphers is detected.
+
Version 2.3.12
==============
@@ -157,10 +229,10 @@ Security changes
- Deprecation of ciphers using less than 128-bits cipher blocks
It is highly recommended to avoid using ciphers listed in the new
- deprecated section of --show-ciphers. These ciphers are no longer
+ deprecated section of ``--show-ciphers``. These ciphers are no longer
considered safe to use. If you cannot migrate away from these
ciphers currently, it is strongly recommended to start using
- --reneg-bytes with a value less than 64MB.
+ ``--reneg-bytes`` with a value less than 64MB.
Version 2.3.11
@@ -213,35 +285,36 @@ New features
- IPv6 address information is now available as environment variables
-- --auth-user-pass can now work with files that only have a username,
+- ``--auth-user-pass`` can now work with files that only have a username,
and will then only prompt for password
Behavioral changes
------------------
-- sndbuf and recvbuf default now to OS default instead of 64k
+- ``--sndbuf`` and ``--recvbuf`` default now to OS default instead of 64k
-- Removed --enable-password-save from configure. This option is now
+- Removed ``--enable-password-save`` from configure. This option is now
always enabled.
-- use interface index when calling netsh.exe to configure IPv6
+- Use interface index when calling netsh.exe to configure IPv6
addresses or routes on windows (instead of interface name)
-- properly reject client connect if "disabled" option
+- Properly reject client connect if ``--disabled`` option is used
(in ccd/ or client-connect script/plugin)
-- handle Ctrl-C and Ctrl-BREAK events in Windows
+- Handle Ctrl-C and Ctrl-BREAK events in Windows
-- do no longer exit if tap6 adapter returns error on Windows
+- Do no longer exit if tap6 adapter returns error on Windows
suspend/resume
-- increase control channel packet size for faster handshakes
+- Increase control channel packet size for faster handshakes
between TLS server and client
+
Bug fixes
---------
-- repair combination of --auth-user-pass, --daemon and systemd
+- Repair combination of ``--auth-user-pass``, ``--daemon`` and systemd
(errors out in 2.3.8 instead of querying systemd)
- Lots of bug fixes and documentation improvements
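Review bot: the rewrite of the client-connect bullet turns the previously quoted word "disabled" into the literal option ``--disabled``, but that is not the directive's name: the directive placed in a ccd/ file or emitted by a client-connect script to reject a client is ``disable`` (``--disable`` in the manual). Suggest "Properly reject client connect if ``--disable`` option is used". While touching the same list, "``--sndbuf`` and ``--recvbuf`` default now to OS default" would read more naturally as "now default to the OS default".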
@@ -253,18 +326,19 @@ Version 2.3.8
Bug fixes
---------
-- fix various fallouts of the 2.3.7 change where we daemon()ize
+- Fix various fallouts of the 2.3.7 change where we daemon()ize
now first and initialize crypto later
- Lots of bug fixes and documentation improvements
+
Behavioral changes
------------------
-- print error message if trying to ask for username/password or
+- Print error message if trying to ask for username/password or
passphrase and no tty is available (--daemon)
-- delete ipv6 address on close of linux tun interface
+- Delete ipv6 address on close of Linux tun interface
(relevant for persistant tun interfaces)
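Review bot: the unchanged continuation line "(relevant for persistant tun interfaces)" directly under the rewritten "Delete ipv6 address on close of Linux tun interface" bullet still misspells "persistent"; since this cleanup patch already rewrites the line above it, fixing the spelling here costs nothing and avoids a second whitespace-only commit later.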
@@ -276,6 +350,7 @@ Bug fixes
- Lots of bug fixes and documentation improvements
+
New features
------------
@@ -294,13 +369,13 @@ Behavioral changes
- daemon()ize before initializing crypto (= un-break cryptodev
on FreeBSD that does not allow fork() after openssl init)
-- on FreeBSD and topology subnet, construct a proper address
+- On FreeBSD and topology subnet, construct a proper address
for the remote side of the tun if (not our own)
-- fix interaction of --peer-id, --link-mtu, OCC and old/new
+- Fix interaction of ``--peer-id``, ``--link-mtu``, OCC and old/new
OpenVPN combinations
-- always disable SSL compression
+- Always disable SSL compression
Version 2.3.6
@@ -315,7 +390,7 @@ New features
------------
- Add client-only support for peer-id
-- Add --tls-version-max
+- Add ``--tls-version-max``
Version 2.3.5
@@ -324,9 +399,9 @@ Version 2.3.5
Bug fixes
---------
-- Fix server routes not working in topology subnet with --server [v3]
+- Fix server routes not working in topology subnet with ``--server`` [v3]
- Fix regression with password protected private keys (polarssl)
-- Fix "code=995" bug with windows NDIS6 tap driver
+- Fix ``code=995`` bug with windows NDIS6 tap driver
- Lots of other bug fixes
@@ -336,7 +411,7 @@ Version 2.3.4
Bug fixes
---------
-- When tls-version-min is unspecified, revert to original versioning approach
+- When ``--tls-version-min`` is unspecified, revert to original versioning approach
- IPv6 address/route delete fix for Win8
- Fix SOCKSv5 method selection
- Lots of other bug fixes and documentation improvements
@@ -352,6 +427,7 @@ Bug fixes
- Fix spurious ignoring of pushed config options (trac#349)
- Lots of bug fixes and documentation improvements
+
New features
------------
@@ -360,9 +436,10 @@ New features
- Add support of utun devices under Mac OS X
- Support non-ASCII TAP adapter names on Windows
- Support non-ASCII characters in Windows tmp path
-- Added "setenv opt" directive prefix
-- --management-external-key for PolarSSL
-- Add support for client-cert-not-required for PolarSSL
+- Added ``setenv opt`` directive prefix
+- ``--management-external-key`` for PolarSSL
+- Add support for ``--client-cert-not-required`` for PolarSSL
+
Behavioral changes
------------------
@@ -370,51 +447,56 @@ Behavioral changes
- TLS version negotiation
- Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915
+
Version 2.3.2
=============
Bug fixes
---------
-- Fix proto tcp6 for server & non-P2MP modes
-- Fix NULL-pointer crash in route_list_add_vpn_gateway()
+- Fix ``--proto tcp6`` for server & non-P2MP modes
+- Fix NULL-pointer crash in ``route_list_add_vpn_gateway()``
- Fix problem with UDP tunneling due to mishandled pktinfo structures
- Fix segfault when enabling pf plug-ins
- Lots of other bug fixes
+
New features
------------
- Always push basic set of peer info values to server
- make 'explicit-exit-notify' pullable again
+
Version 2.3.1
=============
Bug fixes
---------
-- Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout
+- Repair "tcp server queue overflow" brokenness, more ``<stdbool.h>`` fallout
- Fix directly connected routes for "topology subnet" on Solaris
- Use constant time memcmp when comparing HMACs in openvpn_decrypt
-- Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout
- Lots of other bug fixes and documentation improvements
+
New features
------------
-- reintroduce --no-name-remapping option
-- make --tls-remote compatible with pre 2.3 configs
+- reintroduce ``--no-name-remapping`` option
+- make ``--tls-remote`` compatible with pre 2.3 configs
- add new option for X.509 name verification
- PolarSSL-1.2 support
- Enable TCP_NODELAY configuration on FreeBSD
- Permit pool size of /64.../112 for ifconfig-ipv6-pool
+
Behavioral changes
------------------
- Switch to IANA names for TLS ciphers
+
Version 2.3.0
=============
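Review bot: the 2.3.1 "New features" bullets "reintroduce ``--no-name-remapping`` option" and "make ``--tls-remote`` compatible with pre 2.3 configs" are rewritten here but left lowercase, whereas the same patch capitalises the equivalent bullets in the 2.3.9 and 2.3.8 sections; for consistency they should become "Reintroduce ..." and "Make ...". Also, the 2.3.2 context line "make 'explicit-exit-notify' pullable again" still uses single quotes for an option name that the rest of the patch renders as a double-backtick literal, so ``--explicit-exit-notify`` would match the new convention. Dropping the duplicated "Repair "tcp server queue overflow" brokenness" line is a good catch.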
@@ -430,13 +512,15 @@ Version 2.3_rc2
Bug fixes
---------
-- Fix --show-pkcs11-ids (Bug #239)
+- Fix ``--show-pkcs11-ids`` (Bug #239)
- Lots of other bug fixes and documentation improvements
+
New features
------------
-- Implement --mssfix handling for IPv6 packets
+- Implement ``--mssfix`` handling for IPv6 packets
+
Version 2.3_rc1
===============
@@ -448,10 +532,12 @@ Bug fixes
- Fix v3 plugins to support returning values back to OpenVPN
- Lots of other bug fixes and documentation improvements
+
New features
------------
-- Support UTF-8 --client-config-dir
+- Support UTF-8 ``--client-config-dir``
+
Behavioral changes
------------------
@@ -459,28 +545,32 @@ Behavioral changes
- Remove the support for using system() when executing external programs or
scripts
+
Version 2.3_beta1
=================
Bug fixes
---------
-- Fixes error: --key fails with EXTERNAL_PRIVATE_KEY: No such file or directory
- if --management-external-key is used
-- fix regression with --http-proxy[\-\*] options
+- Fixes error: ``--key`` fails with EXTERNAL_PRIVATE_KEY: No such file or directory
+ if ``--management-external-key`` is used
+- fix regression with ``--http-proxy[\-\*]`` options
- Lots of other bug fixes and documentation improvements
+
New features
------------
-- Add --compat-names option
+- Add ``--compat-names`` option
- add API for plug-ins to write to openvpn log
+
Behavioral changes
------------------
- Keep pre-existing tun/tap devices around on \*BSD
+
Version 2.3_alpha3
==================
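Review bot: the added line "+- fix regression with ``--http-proxy[\-\*]`` options" keeps the backslash escapes inside the inline literal, but reStructuredText does not process escapes inside ``...``, so the rendered output will show the backslashes verbatim as "--http-proxy[\-\*]". The escapes were only needed when the text was plain (to stop "*" from starting emphasis); inside the literal they should be dropped, giving ``--http-proxy[-*]``. The same hunk also leaves "fix regression" and "add API for plug-ins" lowercase while other rewritten bullets in this patch are capitalised, and the error text "EXTERNAL_PRIVATE_KEY: No such file or directory" on the line above would be clearer as a literal as well.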
@@ -491,10 +581,12 @@ Bug fixes
- make non-blocking connect work on Windows
- A few other bug fixes
+
New features
------------
-- add option --management-query-proxy
+- add option ``--management-query-proxy``
+
Version 2.3_alpha2
==================
@@ -504,11 +596,13 @@ Bug fixes
- Lots of other bug fixes and documentation improvements
+
New features
------------
- Add missing pieces to IPv6 route gateway handling
+
Behavioral changes
------------------
@@ -516,6 +610,7 @@ Behavioral changes
- Complete overhaul of the project structure and the buildsystem
- remove the --auto-proxy option from openvpn
+
Version 2.3-alpha1
==================
@@ -529,34 +624,36 @@ Bug fixes
- Fixed issue where a client might receive multiple push replies
- Lots of other bug fixes and documentation improvements
+
New features
------------
- PolarSSL support
- Add plug-in API v3
- IPv6 payload and transport support
-- New feauture: Add --stale-routes-check
+- New feauture: Add ``--stale-routes-check``
- Add support to forward console query to systemd
- Windows UTF-8 input/output
-- Added "management-external-key" option
-- Added --x509-track option
-- Added "client-nat" option for stateless, one-to-one NAT on the client side
-- Extended "client-kill" management interface command
+- Added ``--management-external-key`` option
+- Added ``--x509-track`` option
+- Added ``--client-nat`` option for stateless, one-to-one NAT on the client side
+- Extended ``client-kill`` management interface command
- Client will now try to reconnect if no push reply received within
handshake-window seconds
-- Added "management-external-key" option
-- Added "auth-token" client directive
-- Added 'dir' flag to "crl-verify"
+- Added ``--management-external-key`` option
+- Added ``--auth-token`` client directive
+- Added ``dir`` flag to ``crl-verify``
- Added support for static challenge/response protocol
- Changed CC_PRINT character class to allow UTF-8 chars
- Extend output of "status" management interface command to include usernames
- Added "memstats" option to maintain real-time operating stats
- Added support for "on-link" routes on Linux client
-- Add extv3 X509 field support to --x509-username-field
+- Add extv3 X509 field support to ``--x509-username-field``
+
Behavioral changes
------------------
- Remove support for Linux 2.2
-- Make '--win-sys env' default
-- Remove --enable-osxipconfig configure option
+- Make ``--win-sys env`` default
+- Remove ``--enable-osxipconfig`` configure option
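Review bot: the 2.3-alpha1 "New features" list still contains "Added ``--management-external-key`` option" twice, and both copies are rewritten by this patch rather than one of them being removed, unlike the duplicate 2.3.1 line the patch deletes earlier; one should go. The rewritten "New feauture: Add ``--stale-routes-check``" keeps the "feauture" typo, and the "New feature:" prefix is redundant under a "New features" heading anyway, so "Add ``--stale-routes-check``" would do. Finally, "Added ``dir`` flag to ``crl-verify``" is the only option in this list rendered without its ``--`` prefix; ``--crl-verify`` would match the neighbouring entries, and the unchanged "status" and "memstats" lines below it still use double quotes where the rest of the list now uses literals.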
diff --git a/version.m4 b/version.m4
index 5a17fa5..f5ab144 100644
--- a/version.m4
+++ b/version.m4
@@ -1,9 +1,9 @@
dnl define the OpenVPN version
define([PRODUCT_NAME], [OpenVPN])
define([PRODUCT_TARNAME], [openvpn])
-define([PRODUCT_VERSION], [2.3.16])
+define([PRODUCT_VERSION], [2.3.17])
define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,3,16,0])
+define([PRODUCT_VERSION_RESOURCE], [2,3,17,0])
dnl define the TAP version
define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])