author | Gert Doering | 2024-03-21 18:03:36 +0100 |
---|---|---|
committer | Gert Doering | 2024-03-21 18:03:36 +0100 |
commit | fccae1fa71140bd66f4a57597ca3c7307ba05b30 (patch) | |
tree | af4f9cac4f58dfc651c4bc74b08fedabb646dadb | |
parent | d29496cce2d91a74706e3d5e4c48773715b10812 (diff) | |
download | openvpn-2.5.10.zip openvpn-2.5.10.tar.gz |
Preparing release 2.5.10v2.5.10
version.m4, ChangeLog, Changes.rst
Signed-off-by: Gert Doering <gert@greenie.muc.de>
-rw-r--r-- | ChangeLog | 14 | ||||
-rw-r--r-- | Changes.rst | 28 | ||||
-rw-r--r-- | version.m4 | 4 |
3 files changed, 44 insertions, 2 deletions
@@ -1,6 +1,20 @@
 OpenVPN Change Log
 Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
 
+2024.03.21 -- Version 2.5.10
+
+Arne Schwabe (1):
+ Add Apache2 linking with for new commits
+
+George Pchelkin (1):
+ fix typo: dhcp-options to dhcp-option in vpn-network-options.rst
+
+Lev Stipakov (3):
+ win32: Enforce loading of plugins from a trusted directory
+ interactive.c: disable remote access to the service pipe
+ interactive.c: Fix potential stack overflow issue
+
+
 2023.02.14 -- Version 2.5.9
 
 Arne Schwabe (6):
diff --git a/Changes.rst b/Changes.rst
index 3ba78c6..59626c3 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -1,3 +1,31 @@
+Overview of changes in 2.5.10
+=============================
+Security fixes
+--------------
+- CVE-2024-27459: Windows: fix a possible stack overflow in the
+ interactive service component which might lead to a local privilege
+ escalation.
+ Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
+
+- CVE-2024-24974: Windows: disallow access to the interactive service
+ pipe from remote computers.
+ Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
+
+- CVE-2024-27903: Windows: disallow loading of plugins from untrusted
+ installation paths, which could be used to attack openvpn.exe via
+ a malicious plugin. Plugins can now only be loaded from the OpenVPN
+ install directory, the Windows system directory, and possibly from
+ a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir.
+ Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
+
+User visible changes
+--------------------
+- License amendment: all NEW commits fall under a modified license that
+ explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL) -
+ see COPYING for details. Existing code in the release/2.5 branch
+ will not been relicensed (only in release/2.6 and later branches).
+
+
 Overview of changes in 2.5.9
 ============================
 
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [5])
-define([PRODUCT_VERSION_PATCH], [.9])
+define([PRODUCT_VERSION_PATCH], [.10])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,5,9,0])
+define([PRODUCT_VERSION_RESOURCE], [2,5,10,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9]) |