preparing release 2.6.10v2.6.10

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering <gert@greenie.muc.de>

3 files changed, 84 insertions, 1 deletions

diff --git a/ChangeLog b/ChangeLog
index 5710b8a..c0c06ff 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,38 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
 
+2024.03.20 -- Version 2.6.10
+
+Christoph Schug (1):
+      Update documentation references in systemd unit files
+
+Frank Lichtenheld (6):
+      Fix typo --data-cipher-fallback
+      samples: Remove tls-*.conf
+      check_compression_settings_valid: Do not test for LZ4 in LZO check
+      t_client.sh: Allow to skip tests
+      Update Copyright statements to 2024
+      GHA: general update March 2024
+
+Lev Stipakov (4):
+      win32: Enforce loading of plugins from a trusted directory
+      interactive.c: disable remote access to the service pipe
+      interactive.c: Fix potential stack overflow issue
+      Disable DCO if proxy is set via management
+
+Martin Rys (1):
+      openvpn-[client|server].service: Remove syslog.target
+
+Max Fillinger (1):
+      Remove license warning from README.mbedtls
+
+Selva Nair (1):
+      Document that auth-user-pass may be inlined
+
+wellweek (1):
+      remove repetitive words in documentation and comments
+
+
 2024.02.11 -- Version 2.6.9
 
 Arne Schwabe (15):
diff --git a/Changes.rst b/Changes.rst
index 5b8d0c0..029c807 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -1,3 +1,54 @@
+Overview of changes in 2.6.10
+=============================
+Security fixes
+--------------
+- CVE-2024-27459: Windows: fix a possible stack overflow in the
+  interactive service component which might lead to a local privilege
+  escalation.
+  Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
+
+- CVE-2024-24974: Windows: disallow access to the interactive service
+  pipe from remote computers.
+  Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
+
+- CVE-2024-27903: Windows: disallow loading of plugins from untrusted
+  installation paths, which could be used to attack openvpn.exe via
+  a malicious plugin.  Plugins can now only be loaded from the OpenVPN
+  install directory, the Windows system directory, and possibly from
+  a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir.
+  Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
+
+Bug fixes
+---------
+- Windows: if the win-dco driver is used (default) and the GUI requests
+  use of a proxy server, the connection would fail.  Disable DCO in
+  this case.  (Github: #522)
+
+- Compression: minor bugfix in checking option consistency vs. compiled-in
+  algorithm support
+
+- systemd unit files: remove obsolete syslog.target
+
+User visible changes
+--------------------
+- Update copyright notices to 2024
+
+New features
+------------
+- t_client.sh can now run pre-tests and skip a test block if needed
+  (e.g. skip NTLM proxy tests if SSL library does not support MD4)
+
+Documentation
+-------------
+- remove license warnings about mbedTLS linking (README.mbedtls)
+
+- update documentation references in systemd unit files
+
+- sample config files: remove obsolete tls-*.conf files
+
+- document that auth-user-pass may be inlined
+
+
 Overview of changes in 2.6.9
 ============================
 
diff --git a/version.m4 b/version.m4
index 7525788..fbe6bc9 100644
--- a/version.m4
+++ b/version.m4
@@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [6])
-define([PRODUCT_VERSION_PATCH], [.9])
+define([PRODUCT_VERSION_PATCH], [.10])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])