| Field | Value | Date |
|---|---|---|
| author | Gert Doering | 2017-06-19 21:02:22 +0200 |
| committer | Gert Doering | 2017-06-20 13:05:52 +0200 |
| commit | 8ec9cfdd5f898793321ccdcc8d124216bac80537 | |
| tree | 5fd9f32f891442cb8f5c1891d7d59fef66aa4eda | |
| parent | fc61d1bda112ffc669dbde961fab19f60b3c7439 | |
| download | openvpn-2.3.17.zip, openvpn-2.3.17.tar.gz | |
Preparing for release v2.3.17 (ChangeLog, version.m4, Changes.rst) (tag: v2.3.17)
General cleanup help, UTF8 fixes, whitespace and quoting fixes for
ChangeLog and Changes.rst provided by David Sommerseth <davids@openvpn.net>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | ChangeLog | 29 |
| -rw-r--r-- | Changes.rst | 215 |
| -rw-r--r-- | version.m4 | 4 |

3 files changed, 187 insertions, 61 deletions
@@ -1,6 +1,35 @@ OpenVPN Change Log Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net> +2017.06.21 -- Version 2.3.17 + +David Sommerseth (2): + backport: Ignore auth-nocache for auth-user-pass if auth-token is pushed + auth-token with auth-nocache fix broke --disable-crypto builds + +Gert Doering (2): + Fix potential 1-byte overread in TCP option parsing. + Fix remotely-triggerable ASSERT() on malformed IPv6 packet. + +Guido Vranken (6): + refactor my_strupr + Fix 2 memory leaks in proxy authentication routine + Fix memory leak in add_option() for option 'connection' + Ensure option array p[] is always NULL-terminated + Fix a null-pointer dereference in establish_http_proxy_passthru() + Prevent two kinds of stack buffer OOB reads and a crash for invalid input data + +Jérémie Courrèges-Anglas (2): + Fix an unaligned access on OpenBSD/sparc64 + Missing include for socket-flags TCP_NODELAY on OpenBSD + +Steffan Karger (4): + openssl: fix overflow check for long --tls-cipher option + Fix remote-triggerable memory leaks (CVE-2017-7521) + Restrict --x509-alt-username extension types + Fix potential double-free in --x509-alt-username (CVE-2017-7521) + + 2017.05.18 -- Version 2.3.16 Antonio Quartulli (1): fix redirect-gateway behaviour when an IPv4 default route does not exist diff --git a/Changes.rst b/Changes.rst index 761302e..b9fe6d5 100644 --- a/Changes.rst +++ b/Changes.rst 
@@ -64,10 +64,10 @@ Behavioral changes - Remove --enable-password-save option to configure, this is now always enabled -- Disallow usage of --server-poll-timeout in --secret key mode +- Disallow usage of ``--server-poll-timeout`` in ``--secret`` key mode -- The second parameter of --ifconfig is no longer a "remote address" but a - "netmask" when using --dev tun and --topology subnet +- The second parameter of ``--ifconfig`` is no longer a "remote address" but a + "netmask" when using ``--dev tun`` and -``-topology subnet`` - Automatic TLS version negotiation may cause issues in certain cases. @@ -81,14 +81,14 @@ Behavioral changes - Always load intermediate certificates from a PKCS#12 file, instead of ignoring them -- Remove the --disable-eurephia configure option +- Remove the ``--disable-eurephia`` configure option -- Remove the support for using system() when executing external programs or +- Remove the support for using ``system()`` when executing external programs or scripts - Inline files are now always enabled -- Remove the --auto-proxy option (now handled via management interface) +- Remove the ``--auto-proxy`` option (now handled via management interface) - Directory layout restructuring 
@@ -100,10 +100,79 @@ Behavioral changes - Made some options connection-entry specific -- Make '--win-sys env' default +- Make ``--win-sys env`` default - Do not randomize resolving of IP addresses in getaddr() + +Version 2.3.17 +============== + +Security fixes +-------------- +- CVE-2017-7521: Fix post-authentication remote-triggerable memory leaks + A client could cause a server to leak a few bytes each time it connects to the + server. That can eventuall cause the server to run out of memory, and thereby + causing the server process to terminate. Discovered and reported to the + OpenVPN security team by Guido Vranken. (OpenSSL builds only.) + +- CVE-2017-7521: Fix a potential post-authentication remote code execution + attack on servers that use the ``--x509-username-field`` option with an X.509 + extension field (option argument prefixed with ``ext:``). A client that can + cause a server to run out-of-memory (see above) might be able to cause the + server to double free, which in turn might lead to remote code execution. + Discovered and reported to the OpenVPN security team by Guido Vranken. + (OpenSSL builds only.) + +- CVE-2017-7520: Pre-authentication remote crash/information disclosure for + clients. If clients use a HTTP proxy with NTLM authentication (i.e. + ``--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2``), + a man-in-the-middle attacker between the client and the proxy can cause + the client to crash or disclose at most 96 bytes of stack memory. The + disclosed stack memory is likely to contain the proxy password. If the + proxy password is not reused, this is unlikely to compromise the security + of the OpenVPN tunnel itself. Clients who do not use the ``--http-proxy`` + option with ntlm2 authentication are not affected. + +- CVE-2017-7508: Fix remotely-triggerable ``ASSERT()`` on malformed IPv6 packet. 
+ This can be used to remotely shutdown an openvpn server or client, if + IPv6 and ``--mssfix`` are enabled and the IPv6 networks used inside the VPN + are known. + +- Fix potential 1-byte overread in TCP option parsing. +- fix null-pointer dereference when talking to a malicious http proxy + that returns a malformed ``Proxy-Authenticate:`` headers for digest auth. +- fix overflow check for long ``--tls-cipher`` option + + +Bug fixes +--------- +- Fix SIGSEGV crash on unaligned access on OpenBSD/sparc64 + +- Fix TCP_NODELAY on OpenBSD + + +Behavioural Changes +------------------- +- Ignore auth-nocache for auth-user-pass if auth-token is pushed + + +Version 2.3.16 +============== + +Security fixes +-------------- +- Re-roll release because two different tarballs for 2.3.15 were created, + one of them missing a relevant security fix. 2.3.16 has everything. + +- Windows: Check for errors in the return value of ``GetModuleFileNameW()`` + + +Bug fixes +--------- +- Fix ``--redirect-gateway`` behaviour when an IPv4 default route does not exist + + Version 2.3.15 ============== @@ -120,6 +189,7 @@ Security fixes would need to get us to send at least about 196 GB of data. (OSTIF/Quarkslab audit finding 5.2, CVE-2017-7479) + Version 2.3.14 ============== 
@@ -128,16 +198,17 @@ Behavioral changes - On the client side recursively routed packets, which have same destination as the VPN server, are dropped. This could be disabled with - --allow-recursive-routing option. + ``--allow-recursive-routing`` option. + Version 2.3.13 ============== -- Enforcing a new default value for --reneg-bytes for known weaker ciphers +- Enforcing a new default value for ``--reneg-bytes`` for known weaker ciphers Ciphers with cipher blocks less than 128 bits will now do a renegotiation of the tunnel by default for every 64MB of data. This behaviour can be - overridden by explicitly setting --reneg-bytes 0 in the configuration file, + overridden by explicitly setting ``--reneg-bytes 0`` in the configuration file, however this is HIGHLY discouraged. This is to reduce the risk for SWEET32 attacks. The general recommendation @@ -148,6 +219,7 @@ Version 2.3.13 when such weaker ciphers is detected. + Version 2.3.12 ============== @@ -157,10 +229,10 @@ Security changes - Deprecation of ciphers using less than 128-bits cipher blocks It is highly recommended to avoid using ciphers listed in the new - deprecated section of --show-ciphers. These ciphers are no longer + deprecated section of ``--show-ciphers``. These ciphers are no longer considered safe to use. If you cannot migrate away from these ciphers currently, it is strongly recommended to start using - --reneg-bytes with a value less than 64MB. + ``--reneg-bytes`` with a value less than 64MB. Version 2.3.11 
@@ -213,35 +285,36 @@ New features - IPv6 address information is now available as environment variables -- --auth-user-pass can now work with files that only have a username, +- ``--auth-user-pass`` can now work with files that only have a username, and will then only prompt for password Behavioral changes ------------------ -- sndbuf and recvbuf default now to OS default instead of 64k +- ``--sndbuf`` and ``--recvbuf`` default now to OS default instead of 64k -- Removed --enable-password-save from configure. This option is now +- Removed ``--enable-password-save`` from configure. This option is now always enabled. -- use interface index when calling netsh.exe to configure IPv6 +- Use interface index when calling netsh.exe to configure IPv6 addresses or routes on windows (instead of interface name) -- properly reject client connect if "disabled" option +- Properly reject client connect if ``--disabled`` option is used (in ccd/ or client-connect script/plugin) -- handle Ctrl-C and Ctrl-BREAK events in Windows +- Handle Ctrl-C and Ctrl-BREAK events in Windows -- do no longer exit if tap6 adapter returns error on Windows +- Do no longer exit if tap6 adapter returns error on Windows suspend/resume -- increase control channel packet size for faster handshakes +- Increase control channel packet size for faster handshakes between TLS server and client + Bug fixes --------- -- repair combination of --auth-user-pass, --daemon and systemd +- Repair combination of ``--auth-user-pass``, ``--daemon`` and systemd (errors out in 2.3.8 instead of querying systemd) - Lots of bug fixes and documentation improvements 
@@ -253,18 +326,19 @@ Version 2.3.8 Bug fixes --------- -- fix various fallouts of the 2.3.7 change where we daemon()ize +- Fix various fallouts of the 2.3.7 change where we daemon()ize now first and initialize crypto later - Lots of bug fixes and documentation improvements + Behavioral changes ------------------ -- print error message if trying to ask for username/password or +- Print error message if trying to ask for username/password or passphrase and no tty is available (--daemon) -- delete ipv6 address on close of linux tun interface +- Delete ipv6 address on close of Linux tun interface (relevant for persistant tun interfaces) @@ -276,6 +350,7 @@ Bug fixes - Lots of bug fixes and documentation improvements + New features ------------ @@ -294,13 +369,13 @@ Behavioral changes - daemon()ize before initializing crypto (= un-break cryptodev on FreeBSD that does not allow fork() after openssl init) -- on FreeBSD and topology subnet, construct a proper address +- On FreeBSD and topology subnet, construct a proper address for the remote side of the tun if (not our own) -- fix interaction of --peer-id, --link-mtu, OCC and old/new +- Fix interaction of ``--peer-id``, ``--link-mtu``, OCC and old/new OpenVPN combinations -- always disable SSL compression +- Always disable SSL compression Version 2.3.6 @@ -315,7 +390,7 @@ New features ------------ - Add client-only support for peer-id -- Add --tls-version-max +- Add ``--tls-version-max`` Version 2.3.5 @@ -324,9 +399,9 @@ Version 2.3.5 Bug fixes --------- -- Fix server routes not working in topology subnet with --server [v3] +- Fix server routes not working in topology subnet with ``--server`` [v3] - Fix regression with password protected private keys (polarssl) -- Fix "code=995" bug with windows NDIS6 tap driver +- Fix ``code=995`` bug with windows NDIS6 tap driver - Lots of other bug fixes 
@@ -336,7 +411,7 @@ Version 2.3.4 Bug fixes --------- -- When tls-version-min is unspecified, revert to original versioning approach +- When ``--tls-version-min`` is unspecified, revert to original versioning approach - IPv6 address/route delete fix for Win8 - Fix SOCKSv5 method selection - Lots of other bug fixes and documentation improvements @@ -352,6 +427,7 @@ Bug fixes - Fix spurious ignoring of pushed config options (trac#349) - Lots of bug fixes and documentation improvements + New features ------------ @@ -360,9 +436,10 @@ New features - Add support of utun devices under Mac OS X - Support non-ASCII TAP adapter names on Windows - Support non-ASCII characters in Windows tmp path -- Added "setenv opt" directive prefix -- --management-external-key for PolarSSL -- Add support for client-cert-not-required for PolarSSL +- Added ``setenv opt`` directive prefix +- ``--management-external-key`` for PolarSSL +- Add support for ``--client-cert-not-required`` for PolarSSL + Behavioral changes ------------------ 
@@ -370,51 +447,56 @@ Behavioral changes - TLS version negotiation - Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915 + Version 2.3.2 ============= Bug fixes --------- -- Fix proto tcp6 for server & non-P2MP modes -- Fix NULL-pointer crash in route_list_add_vpn_gateway() +- Fix ``--proto tcp6`` for server & non-P2MP modes +- Fix NULL-pointer crash in ``route_list_add_vpn_gateway()`` - Fix problem with UDP tunneling due to mishandled pktinfo structures - Fix segfault when enabling pf plug-ins - Lots of other bug fixes + New features ------------ - Always push basic set of peer info values to server - make 'explicit-exit-notify' pullable again + Version 2.3.1 ============= Bug fixes --------- -- Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout +- Repair "tcp server queue overflow" brokenness, more ``<stdbool.h>`` fallout - Fix directly connected routes for "topology subnet" on Solaris - Use constant time memcmp when comparing HMACs in openvpn_decrypt -- Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout - Lots of other bug fixes and documentation improvements + New features ------------ -- reintroduce --no-name-remapping option -- make --tls-remote compatible with pre 2.3 configs +- reintroduce ``--no-name-remapping`` option +- make ``--tls-remote`` compatible with pre 2.3 configs - add new option for X.509 name verification - PolarSSL-1.2 support - Enable TCP_NODELAY configuration on FreeBSD - Permit pool size of /64.../112 for ifconfig-ipv6-pool + Behavioral changes ------------------ - Switch to IANA names for TLS ciphers + Version 2.3.0 ============= 
@@ -430,13 +512,15 @@ Version 2.3_rc2 Bug fixes --------- -- Fix --show-pkcs11-ids (Bug #239) +- Fix ``--show-pkcs11-ids`` (Bug #239) - Lots of other bug fixes and documentation improvements + New features ------------ -- Implement --mssfix handling for IPv6 packets +- Implement ``--mssfix`` handling for IPv6 packets + Version 2.3_rc1 =============== @@ -448,10 +532,12 @@ Bug fixes - Fix v3 plugins to support returning values back to OpenVPN - Lots of other bug fixes and documentation improvements + New features ------------ -- Support UTF-8 --client-config-dir +- Support UTF-8 ``--client-config-dir`` + Behavioral changes ------------------ @@ -459,28 +545,32 @@ Behavioral changes - Remove the support for using system() when executing external programs or scripts + Version 2.3_beta1 ================= Bug fixes --------- -- Fixes error: --key fails with EXTERNAL_PRIVATE_KEY: No such file or directory - if --management-external-key is used -- fix regression with --http-proxy[\-\*] options +- Fixes error: ``--key`` fails with EXTERNAL_PRIVATE_KEY: No such file or directory + if ``--management-external-key`` is used +- fix regression with ``--http-proxy[\-\*]`` options - Lots of other bug fixes and documentation improvements + New features ------------ -- Add --compat-names option +- Add ``--compat-names`` option - add API for plug-ins to write to openvpn log + Behavioral changes ------------------ - Keep pre-existing tun/tap devices around on \*BSD + Version 2.3_alpha3 ================== @@ -491,10 +581,12 @@ Bug fixes - make non-blocking connect work on Windows - A few other bug fixes + New features ------------ -- add option --management-query-proxy +- add option ``--management-query-proxy`` + Version 2.3_alpha2 ================== @@ -504,11 +596,13 @@ Bug fixes - Lots of other bug fixes and documentation improvements + New features ------------ - Add missing pieces to IPv6 route gateway handling + Behavioral changes ------------------ 
@@ -516,6 +610,7 @@ Behavioral changes - Complete overhaul of the project structure and the buildsystem - remove the --auto-proxy option from openvpn + Version 2.3-alpha1 ================== 
@@ -529,34 +624,36 @@ Bug fixes - Fixed issue where a client might receive multiple push replies - Lots of other bug fixes and documentation improvements + New features ------------ - PolarSSL support - Add plug-in API v3 - IPv6 payload and transport support -- New feauture: Add --stale-routes-check +- New feauture: Add ``--stale-routes-check`` - Add support to forward console query to systemd - Windows UTF-8 input/output -- Added "management-external-key" option -- Added --x509-track option -- Added "client-nat" option for stateless, one-to-one NAT on the client side -- Extended "client-kill" management interface command +- Added ``--management-external-key`` option +- Added ``--x509-track`` option +- Added ``--client-nat`` option for stateless, one-to-one NAT on the client side +- Extended ``client-kill`` management interface command - Client will now try to reconnect if no push reply received within handshake-window seconds -- Added "management-external-key" option -- Added "auth-token" client directive -- Added 'dir' flag to "crl-verify" +- Added ``--management-external-key`` option +- Added ``--auth-token`` client directive +- Added ``dir`` flag to ``crl-verify`` - Added support for static challenge/response protocol - Changed CC_PRINT character class to allow UTF-8 chars - Extend output of "status" management interface command to include usernames - Added "memstats" option to maintain real-time operating stats - Added support for "on-link" routes on Linux client -- Add extv3 X509 field support to --x509-username-field +- Add extv3 X509 field support to ``--x509-username-field`` + Behavioral changes ------------------ - Remove support for Linux 2.2 -- Make '--win-sys env' default -- Remove --enable-osxipconfig configure option +- Make ``--win-sys env`` default +- Remove ``--enable-osxipconfig`` configure option 
@@ -1,9 +1,9 @@ dnl define the OpenVPN version define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) -define([PRODUCT_VERSION], [2.3.16]) +define([PRODUCT_VERSION], [2.3.17]) define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net]) -define([PRODUCT_VERSION_RESOURCE], [2,3,16,0]) +define([PRODUCT_VERSION_RESOURCE], [2,3,17,0]) dnl define the TAP version define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_MIN_MAJOR], [9]) |
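Review bot: the CVE tagging in the ChangeLog hunk (@@ -1,6 +1,35 @@) is out of step with the Changes.rst entries added by the same commit: only the two Steffan Karger lines carry CVE-2017-7521, while "Fix remotely-triggerable ASSERT() on malformed IPv6 packet." and "Prevent two kinds of stack buffer OOB reads and a crash for invalid input data" are credited to CVE-2017-7508 and CVE-2017-7520 in Changes.rst but carry no id here. Tag them the same way, e.g. "Fix remotely-triggerable ASSERT() on malformed IPv6 packet (CVE-2017-7508)", so that grepping the ChangeLog by CVE id finds every fix. The double-free fix is also named after --x509-alt-username here but after ``--x509-username-field`` in Changes.rst; one user-facing option name should be used in both files.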
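Review bot: the replacement line for the ``--ifconfig`` entry in Changes.rst hunk @@ -64,10 +64,10 @@ misplaces the literal quotes: "netmask" when using ``--dev tun`` and -``-topology subnet`` leaves one hyphen outside the inline literal, so it renders as a stray "-" followed by "-topology subnet". It should read "netmask" when using ``--dev tun`` and ``--topology subnet``.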
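Review bot: the new Version 2.3.17 section in @@ -100,10 +100,79 @@ has several text errors worth fixing before the release is cut: "eventuall" should be "eventually" in the CVE-2017-7521 memory-leak entry, "a malformed ``Proxy-Authenticate:`` headers" should be the singular "header", "remotely shutdown an openvpn server" should be "remotely shut down", and the two lowercase bullets ("fix null-pointer dereference ...", "fix overflow check ...") should be capitalized like the entries around them. The heading "Behavioural Changes" also differs from the "Behavioral changes" spelling used by every other version section in this file, which matters for anyone who anchors on the heading text.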
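Review bot: the 2.3.8 hunk (@@ -253,18 +326,19 @@) capitalizes "Delete ipv6 address on close of Linux tun interface" but leaves the adjacent context line "(relevant for persistant tun interfaces)" with the "persistant" typo; since that entry is being edited anyway, fold "persistent" into the same change.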
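Review bot: the capitalization pass is applied unevenly in @@ -370,51 +447,56 @@: the 2.3.1 lines are rewritten as "- reintroduce ``--no-name-remapping`` option" and "- make ``--tls-remote`` compatible with pre 2.3 configs" but stay lowercase, whereas the sibling 2.3.9 and 2.3.8 entries elsewhere in this patch were capitalized, and "- make 'explicit-exit-notify' pullable again" keeps single quotes instead of the ``...`` literal used for every other directive. Dropping the duplicated "Repair "tcp server queue overflow" brokenness" line in the same hunk is a good catch.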
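Review bot: in @@ -459,28 +545,32 @@ the line "- fix regression with ``--http-proxy[\-\*]`` options" carries the backslashes of the old plain-text form into an inline literal, but reStructuredText does not process backslash escapes inside ``...``, so the rendered output will show the backslashes verbatim. Write it as ``--http-proxy[-*]``; the hyphen and asterisk need no escaping inside a literal (the "\*BSD" on the Behavioral changes line is outside a literal and is fine as it is).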
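Review bot: two of the lines being rewritten in @@ -529,34 +624,36 @@ could be cleaned up while they are touched: "- New feauture: Add ``--stale-routes-check``" keeps the "feauture" typo, and "- Added ``--management-external-key`` option" now appears twice in the same 2.3-alpha1 list (it was already duplicated as "management-external-key" before this patch). Drop the second occurrence, as the duplicated tcp queue line was dropped in the 2.3.1 section.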