Diffstat (limited to 'Changes.rst')
-rw-r--r-- | Changes.rst | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/Changes.rst b/Changes.rst index 6128275..b0a6b27 100644 --- a/Changes.rst +++ b/Changes.rst @@ -1,3 +1,48 @@ +Overview of changes in 2.5.2 +============================ + +Bugfixes +-------- +- CVE-2020-15078 + see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements + + This bug allows - under very specific circumstances - to trick a + server using delayed authentication (plugin or management) into + returning a PUSH_REPLY before the AUTH_FAILED message, which can + possibly be used to gather information about a VPN setup. + + In combination with "--auth-gen-token" or an user-specific token auth + solution it can be possible to get access to a VPN with an + otherwise-invalid account. + +- restore pushed "ping" settings correctly on a SIGUSR1 restart + +- avoid generating unecessary mbed debug messages - this is actually + a workaround for an mbedTLS 2.25 bug when using Curve25519 and Curve448 + ED curves - mbedTLS crashes on preparing debug infos that we do not + actually need unless running with "--verb 8" + +- do not print inlined (<dh>...</dh>) Diffie Hellman parameters to log file + +- fix Linux/SITNL default route lookup in case of multiple routing tables + with more than one default route present (always use "main table" for now) + +- Fix CRL file handling in combination with chroot + +User-visible Changes +-------------------- + +- OpenVPN will now refuse to start if CRL file is not present at startup + time. At "reload time" absense of the CRL file is still OK (and the + in memory copy is used) but at startup it is now considered an error. + + +New features +------------ +- printing of the TLS ciphers negotiated has been extended, especially + displaying TLS 1.3 and EC certificates more correctly. + + Overview of changes in 2.5.1 ============================ |
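Review bot: the added release notes carry several spelling slips that should be corrected before this text ships in a tagged release: `unecessary` should read `unnecessary`, `absense` should read `absence`, `an user-specific` should read `a user-specific`, and `Diffie Hellman` is conventionally hyphenated as `Diffie-Hellman`. On substance, the CVE-2020-15078 entry explains the effect (a server using delayed authentication via plugin or management can be tricked into returning a PUSH_REPLY before the AUTH_FAILED message, and combined with `--auth-gen-token` or a user-specific token scheme this may yield access with an otherwise-invalid account) but names neither the affected earlier releases nor the fact that servers not using delayed authentication are outside the described circumstances; a one-line statement of the affected range next to the wiki link would let operators judge upgrade urgency from the changelog alone, in the same way the `User-visible Changes` entry already tells them that a missing CRL file is now a startup error.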