| author | David Sommerseth | 2017-09-25 21:30:38 +0200 |
|---|---|---|
| committer | David Sommerseth | 2017-09-25 22:45:34 +0200 |
| commit | 1f458322cdaffed02184df8c638bde69256a840a | |
| tree | 356dad1d132dc1d0da3a53c185a0ec38905bea23 | |
| parent | 38da61f3cc2f06ff7d3d174576dc5c6e87d6d174 | |
| download | openvpn-2.4.4.zip, openvpn-2.4.4.tar.gz | |
Prepare the release of OpenVPN 2.4.4 (tag: v2.4.4)
Signed-off-by: David Sommerseth <davids@openvpn.net>
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | ChangeLog | 89 |
| -rw-r--r-- | Changes.rst | 39 |
| -rw-r--r-- | version.m4 | 4 |

3 files changed, 129 insertions, 3 deletions
@@ -1,6 +1,95 @@ OpenVPN Change Log Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net> +2017.09.25 -- Version 2.4.4 +Antonio Quartulli (23): + crypto: correct typ0 in error message + use M_ERRNO instead of explicitly printing errno + don't print errno twice + ntlm: avoid useless cast + ntlm: unwrap multiple function calls + route: improve error message + management: preserve wait_for_push field when asking for user/pass + tls-crypt: avoid warnings when --disable-crypto is used + ntlm: convert binary buffers to uint8_t * + ntlm: restyle compressed multiple function calls + ntlm: improve code style and readability + OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey() + make function declarations C99 compliant + remove unused functions + use NULL instead of 0 when assigning pointers + add missing static attribute to functions + ntlm: avoid breaking anti-aliasing rules + remove the --disable-multi config switch + rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip + route: avoid definition of unused variables in certain configurations + fix a couple of typ0s in comments and strings + fragment.c: simplify boolean expression + tcp-server: ensure AF family is propagated to child context + +Arne Schwabe (2): + Set tls-cipher restriction before loading certificates + Print ec bit details, refuse management-external-key if key is not RSA + +Conrad Hoffmann (2): + Use provided env vars in up/down script. 
+ Document down-root plugin usage in client.down + +David Sommerseth (11): + doc: The CRL processing is not a deprecated feature + cleanup: Move write_pid() to where it is being used + contrib: Remove keychain-mcd code + cleanup: Move init_random_seed() to where it is being used + sample-plugins: fix ASN1_STRING_to_UTF8 return value checks + Highlight deprecated features + Use consistent version references + docs: Replace all PolarSSL references to mbed TLS + systemd: Ensure systemd shuts down OpenVPN in a proper way + systemd: Enable systemd's auto-restart feature for server profiles + lz4: Move towards a newer LZ4 API + +Emmanuel Deloget (3): + OpenSSL: remove pre-1.1 function from the OpenSSL compat interface + OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer + OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer + +Gert van Dijk (1): + Warn that DH config option is only meaningful in a tls-server context + +Ilya Shipitsin (3): + travis-ci: add 3 missing patches from master to release/2.4 + travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1 + travis-ci: update pkcs11-helper to 1.22 + +Richard Bonhomme (1): + man: Corrections to doc/openvpn.8 + +Steffan Karger (17): + Fix typo in extract_x509_extension() debug message + Move adjust_power_of_2() to integer.h + Undo cipher push in client options state if cipher is rejected + Remove strerror_ts() + Move openvpn_sleep() to manage.c + fixup: also change missed openvpn_sleep() occurrences + Always use default keysize for NCP'd ciphers + Move create_temp_file() out of #ifdef ENABLE_CRYPTO + Deprecate --keysize + Deprecate --no-replay + Move run_up_down() to init.c + tls-crypt: introduce tls_crypt_kt() + crypto: create function to initialize encrypt and decrypt key + Add coverity static analysis to Travis CI config + tls-crypt: don't leak memory for incorrect tls-crypt messages + travis: reorder matrix to speed up build + Fix bounds check in read_key() + +Szilárd Pfeiffer (1): + OpenSSL: Always 
set SSL_OP_CIPHER_SERVER_PREFERENCE flag + +Thomas Veerman via Openvpn-devel (1): + Fix socks_proxy_port pointing to invalid data + + 2017.06.21 -- Version 2.4.3 Antonio Quartulli (1): Ignore auth-nocache for auth-user-pass if auth-token is pushed diff --git a/Changes.rst b/Changes.rst index fd31d87..d5e12eb 100644 --- a/Changes.rst +++ b/Changes.rst 
@@ -325,13 +325,50 @@ Maintainer-visible changes i386/i686 builds on RHEL5. - Version 2.4.4 ============= +This is primarily a maintenance release, with further improved OpenSSL 1.1 +integration, several minor bug fixes and other minor improvements. + +Bug fixes +--------- +- Fix issues when a pushed cipher via the Negotiable Crypto Parameters (NCP) is + rejected by the remote side + +- Ignore ``--keysize`` when NCP have resulted in a changed cipher. + +- Configurations using ``--auth-nocache`` and the management interface to provide + user credentials (like NetworkManager on Linux) on client side with servers + implementing authentication tokens (for example, using ``--auth-gen-token``) + will now behave correctly and not query the user for an, to them, unknown + authentication token on renegotiations of the tunnel. + +- Fix bug causing invalid or corrupt SOCKS port number when changing the + proxy via the management interface. + +- The man page should now have proper escaping of hyphens/minus characters + and have seen some minor corrections. + +User-visible Changes +-------------------- +- Linux servers with systemd which uses the ``openvpn-server@.service`` unit + file for server configurations will now utilize the automatic restart feature + in systemd. If the OpenVPN server process dies unexpectedly, systemd will + ensure the OpenVPN configuration will be restarted without any user interaction. Deprecated features ------------------- - ``--no-replay`` is deprecated and will be removed in OpenVPN 2.5. +- ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6 + +Security +-------- +- CVE-2017-12166: Fix bounds check for configurations using ``--key-method 1``. + Before this fix, it could allow an attacker to send a malformed packet to + trigger a stack overflow. This is considered to be a low risk issue, as + ``--key-method 2`` has been the default since OpenVPN 2.0 (released on + 2005-04-17). 
This option is already deprecated in v2.4 and will be + completely removed in v2.5. Version 2.4.3 @@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [4]) -define([PRODUCT_VERSION_PATCH], [.3]) +define([PRODUCT_VERSION_PATCH], [.4]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net]) -define([PRODUCT_VERSION_RESOURCE], [2,4,3,0]) +define([PRODUCT_VERSION_RESOURCE], [2,4,4,0]) dnl define the TAP version define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_MIN_MAJOR], [9]) |