author    Gert Doering  2023-11-08 14:20:06 +0100
committer Gert Doering  2023-11-08 16:49:40 +0100
commit    53c9033317b3b8fdcb55f81107e47037a88352f3 (patch)
tree      602cd7bf7079a8cbe1e2885f67cd3fd872ddaee3
parent    57a5cd1e12f193927c9b7429f8778fec7e04c50a (diff)
download  openvpn-53c9033317b3b8fdcb55f81107e47037a88352f3.zip
          openvpn-53c9033317b3b8fdcb55f81107e47037a88352f3.tar.gz
preparing release 2.6.7 (tag: v2.6.7)

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering <gert@greenie.muc.de>
-rw-r--r--  ChangeLog    40
-rw-r--r--  Changes.rst  74
-rw-r--r--  version.m4    4
3 files changed, 116 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 298e4ff..6234248 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,46 @@
OpenVPN ChangeLog
Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
+2023.11.08 -- Version 2.6.7
+
+Antonio Quartulli (1):
+ dco: fix crash when --multihome is used with --proto tcp
+
+Arne Schwabe (8):
+ Mock openvpn_exece on win32 also for test_tls_crypt
+ Add warning for the --show-groups command that some groups are missing
+ Print peer temporary key details
+ Add warning if a p2p NCP client connects to a p2mp server
+ Remove openssl engine method for loading the key
+ Remove saving initial frame code
+ Double check that we do not use a freed buffer when freeing a session
+ Fix using to_link buffer after freed
+
+Frank Lichtenheld (7):
+ GHA: do not trigger builds in openvpn-build anymore
+ GHA: new workflow to submit scan to Coverity Scan service
+ buffer: use memcpy in buf_catrunc
+ vcpkg-ports/pkcs11-helper: Backport MinGW series from master to release/2.6
+ CMake: backport CMake buildsystem from master to release/2.6
+ Remove all traces of the previous MSVC build system
+ doc: fix argument name in --route-delay documentation
+
+Heiko Hund (1):
+ dns option: remove support for exclude-domains
+
+Lev Stipakov (3):
+ Warn user if INFO control command is too long
+ dco-win: get driver version
+ dco: warn if DATA_V1 packets are sent to userspace
+
+Selva Nair (2):
+ Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant
+ Log OpenSSL errors on failure to set certificate
+
+orbea (1):
+ configure: disable engines if OPENSSL_NO_ENGINE is defined
+
+
2023.08.14 -- Version 2.6.6
Antonio Quartulli (1):
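Review bot: the shortlog entries for the two use-after-free fixes in this hunk ("Double check that we do not use a freed buffer when freeing a session" and "Fix using to_link buffer after freed") carry no CVE identifier, while Changes.rst in the same commit files them under CVE-2023-46850 and CVE-2023-46849; anyone grepping ChangeLog for a CVE number will come up empty, so consider a one-line cross-reference under the "2023.11.08 -- Version 2.6.7" header (e.g. "Security fixes: CVE-2023-46849, CVE-2023-46850 -- see Changes.rst"). Minor: "Mock openvpn_exece on win32" looks like a typo inherited from the commit subject; since this file mirrors git shortlog it cannot be corrected here, but it is worth knowing it is not a ChangeLog-only slip.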
diff --git a/Changes.rst b/Changes.rst
index 924b9c9..3d4e0bd 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -1,3 +1,77 @@
+Overview of changes in 2.6.7
+============================
+
+Bug fixes / Code cleanup
+------------------------
+- CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use
+ a send buffer after it has been free()d in some circumstances, causing
+ some free()d memory to be sent to the peer. All configurations using TLS
+ (e.g. not using --secret) are affected by this issue.
+ (found while tracking down CVE-2023-46849 / Github #400, #417)
+
+- CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
+ restore "--fragment" configuration in some circumstances, leading to
+ a division by zero when "--fragment" is used. On platforms where
+ division by zero is fatal, this will cause an OpenVPN crash.
+
+ Reported by Niccolo Belli <niccolo.belli@linuxsystems.it> and WIPocket
+ (Github #400, #417).
+
+- cleanup bits and pieces of documentation
+
+- cleanup code to remove strlen() related warnings in buf_catrunc()
+
+- DCO on Linux: fix NULL-pointer crash if "--multihome" is used together
+ with "--proto tcp"
+
+- work around build fails caused by LibreSSL not longer having engine support
+
+
+User visible changes
+--------------------
+- DCO: warn if DATA_V1 packets are sent by the other side - this a hard
+ incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 server,
+ and the only fix is to use "--disable-dco".
+
+- Remove OpenSSL Engine method for loading a key. This had to be removed
+ because the original author did not agree to relicensing the code with
+ the new linking exception added. This was a somewhat obsolete feature
+ anyway as it only worked with OpenSSL 1.x, which is end-of-support.
+
+- add warning if p2p NCP client connects to a p2mp server - this is a
+ combination that used to work without cipher negotiation (pre 2.6 on
+ both ends), but would fail in non-obvious ways with 2.6 to 2.6.
+
+- add warning to "--show-groups" that not all supported groups are listed
+ (this is due the internal enumeration in OpenSSL being a bit weird,
+ omitting X448 and X25519 curves).
+
+- "--dns": remove support for "exclude-domains" argument
+ (this was a new 2.6 option, with no backend support implemented yet
+ on any platform, and it turns out that no platform supported it at all -
+ so remove option again)
+
+- warn user if INFO control message too long, do not forward to management
+ client (safeguard against protocol-violating server implementations)
+
+
+New features
+------------
+- DCO-WIN: get and log driver version (for easier debugging).
+
+- print "peer temporary key details" in TLS handshake
+
+- log OpenSSL errors on failure to set certificate, for example if the
+ algorithms used are in acceptable to OpenSSL (misleading message would
+ be printed in cryptoapi / pkcs#11 scenarios)
+
+- add CMake build system for MinGW and MSVC builds
+
+- remove old MSVC build system
+
+- improve cmocka unit test building for Windows
+
+
Overview of changes in 2.6.6
============================
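Review bot: a few wording slips in the user-facing notes of this hunk should be fixed before the release text is quoted by downstream advisories: "this a hard incompatibility" (DCO DATA_V1 entry) is missing "is"; "LibreSSL not longer having engine support" should read "no longer"; "algorithms used are in acceptable to OpenSSL" should be "unacceptable"; "this is due the internal enumeration in OpenSSL" wants "due to"; and "Github" is spelled "GitHub". The security content itself reads correctly: both CVE entries name the affected range (2.6.0 to 2.6.6), the trigger condition (any TLS configuration for CVE-2023-46850, "--fragment" for CVE-2023-46849) and the impact, which is what packagers and operators need to decide on urgency.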
diff --git a/version.m4 b/version.m4
index ce9a15f..5ab43db 100644
--- a/version.m4
+++ b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
define([PRODUCT_TARNAME], [openvpn])
define([PRODUCT_VERSION_MAJOR], [2])
define([PRODUCT_VERSION_MINOR], [6])
-define([PRODUCT_VERSION_PATCH], [.6])
+define([PRODUCT_VERSION_PATCH], [.7])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,6,6,0])
+define([PRODUCT_VERSION_RESOURCE], [2,6,7,0])
dnl define the TAP version
define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
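Review bot: the bump is consistent across the two places that encode the version in this hunk: PRODUCT_VERSION_PATCH goes from [.6] to [.7] and PRODUCT_VERSION_RESOURCE from [2,6,6,0] to [2,6,7,0], so the autoconf version string and the Windows resource version stay in sync with the "2.6.7" announced in ChangeLog and Changes.rst; nothing to change here.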