Tags: CoreSoft2/openvpn
OpenVPN v2.4.4 release
2017.09.25 -- Version 2.4.4

Antonio Quartulli (23):
      crypto: correct typ0 in error message
      use M_ERRNO instead of explicitly printing errno
      don't print errno twice
      ntlm: avoid useless cast
      ntlm: unwrap multiple function calls
      route: improve error message
      management: preserve wait_for_push field when asking for user/pass
      tls-crypt: avoid warnings when --disable-crypto is used
      ntlm: convert binary buffers to uint8_t *
      ntlm: restyle compressed multiple function calls
      ntlm: improve code style and readability
      OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey()
      make function declarations C99 compliant
      remove unused functions
      use NULL instead of 0 when assigning pointers
      add missing static attribute to functions
      ntlm: avoid breaking anti-aliasing rules
      remove the --disable-multi config switch
      rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip
      route: avoid definition of unused variables in certain configurations
      fix a couple of typ0s in comments and strings
      fragment.c: simplify boolean expression
      tcp-server: ensure AF family is propagated to child context

Arne Schwabe (2):
      Set tls-cipher restriction before loading certificates
      Print ec bit details, refuse management-external-key if key is not RSA

Conrad Hoffmann (2):
      Use provided env vars in up/down script.
      Document down-root plugin usage in client.down

David Sommerseth (11):
      doc: The CRL processing is not a deprecated feature
      cleanup: Move write_pid() to where it is being used
      contrib: Remove keychain-mcd code
      cleanup: Move init_random_seed() to where it is being used
      sample-plugins: fix ASN1_STRING_to_UTF8 return value checks
      Highlight deprecated features
      Use consistent version references
      docs: Replace all PolarSSL references to mbed TLS
      systemd: Ensure systemd shuts down OpenVPN in a proper way
      systemd: Enable systemd's auto-restart feature for server profiles
      lz4: Move towards a newer LZ4 API

Emmanuel Deloget (3):
      OpenSSL: remove pre-1.1 function from the OpenSSL compat interface
      OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer
      OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer

Gert van Dijk (1):
      Warn that DH config option is only meaningful in a tls-server context

Ilya Shipitsin (3):
      travis-ci: add 3 missing patches from master to release/2.4
      travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1
      travis-ci: update pkcs11-helper to 1.22

Richard Bonhomme (1):
      man: Corrections to doc/openvpn.8

Steffan Karger (17):
      Fix typo in extract_x509_extension() debug message
      Move adjust_power_of_2() to integer.h
      Undo cipher push in client options state if cipher is rejected
      Remove strerror_ts()
      Move openvpn_sleep() to manage.c
      fixup: also change missed openvpn_sleep() occurrences
      Always use default keysize for NCP'd ciphers
      Move create_temp_file() out of #ifdef ENABLE_CRYPTO
      Deprecate --keysize
      Deprecate --no-replay
      Move run_up_down() to init.c
      tls-crypt: introduce tls_crypt_kt()
      crypto: create function to initialize encrypt and decrypt key
      Add coverity static analysis to Travis CI config
      tls-crypt: don't leak memory for incorrect tls-crypt messages
      travis: reorder matrix to speed up build
      Fix bounds check in read_key()

Szilárd Pfeiffer (1):
      OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag

Thomas Veerman via Openvpn-devel (1):
      Fix socks_proxy_port pointing to invalid data

OpenVPN 2.3.18 release
2017.09.25 -- Version 2.3.18

Antonio Quartulli (1):
      crypto: correct typ0 in error message

Steffan Karger (2):
      Deprecate --ns-cert-type
      Fix bounds check in read_key()

Szilárd Pfeiffer (1):
      OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag

OpenVPN v2.4.3 release
2017.06.21 -- Version 2.4.3

Antonio Quartulli (1):
      Ignore auth-nocache for auth-user-pass if auth-token is pushed

David Sommerseth (3):
      crypto: Enable SHA256 fingerprint checking in --verify-hash
      copyright: Update GPLv2 license texts
      auth-token with auth-nocache fix broke --disable-crypto builds

Emmanuel Deloget (8):
      OpenSSL: don't use direct access to the internal of X509
      OpenSSL: don't use direct access to the internal of EVP_PKEY
      OpenSSL: don't use direct access to the internal of RSA
      OpenSSL: don't use direct access to the internal of DSA
      OpenSSL: force meth->name as non-const when we free() it
      OpenSSL: don't use direct access to the internal of EVP_MD_CTX
      OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
      OpenSSL: don't use direct access to the internal of HMAC_CTX

Gert Doering (6):
      Fix NCP behaviour on TLS reconnect.
      Remove erroneous limitation on max number of args for --plugin
      Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
      Fix potential 1-byte overread in TCP option parsing.
      Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
      Update Changes.rst with relevant info for 2.4.3 release.

Guido Vranken (6):
      refactor my_strupr
      Fix 2 memory leaks in proxy authentication routine
      Fix memory leak in add_option() for option 'connection'
      Ensure option array p[] is always NULL-terminated
      Fix a null-pointer dereference in establish_http_proxy_passthru()
      Prevent two kinds of stack buffer OOB reads and a crash for invalid input data

Jérémie Courrèges-Anglas (2):
      Fix an unaligned access on OpenBSD/sparc64
      Missing include for socket-flags TCP_NODELAY on OpenBSD

Matthias Andree (1):
      Make openvpn-plugin.h self-contained again.

Selva Nair (1):
      Pass correct buffer size to GetModuleFileNameW()

Steffan Karger (11):
      Log the negotiated (NCP) cipher
      Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
      Skip tls-crypt unit tests if required crypto mode not supported
      openssl: fix overflow check for long --tls-cipher option
      Add a DSA test key/cert pair to sample-keys
      Fix mbedtls fingerprint calculation
      mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
      mbedtls: require C-string compatible types for --x509-username-field
      Fix remote-triggerable memory leaks (CVE-2017-7521)
      Restrict --x509-alt-username extension types
      Fix potential double-free in --x509-alt-username (CVE-2017-7521)

Steven McDonald (1):
      Fix gateway detection with OpenBSD routing domains

OpenVPN v2.3.17 release
2017.06.21 -- Version 2.3.17

David Sommerseth (2):
      backport: Ignore auth-nocache for auth-user-pass if auth-token is pushed
      auth-token with auth-nocache fix broke --disable-crypto builds

Gert Doering (2):
      Fix potential 1-byte overread in TCP option parsing.
      Fix remotely-triggerable ASSERT() on malformed IPv6 packet.

Guido Vranken (6):
      refactor my_strupr
      Fix 2 memory leaks in proxy authentication routine
      Fix memory leak in add_option() for option 'connection'
      Ensure option array p[] is always NULL-terminated
      Fix a null-pointer dereference in establish_http_proxy_passthru()
      Prevent two kinds of stack buffer OOB reads and a crash for invalid input data

Jérémie Courrèges-Anglas (2):
      Fix an unaligned access on OpenBSD/sparc64
      Missing include for socket-flags TCP_NODELAY on OpenBSD

Steffan Karger (4):
      openssl: fix overflow check for long --tls-cipher option
      Fix remote-triggerable memory leaks (CVE-2017-7521)
      Restrict --x509-alt-username extension types
      Fix potential double-free in --x509-alt-username (CVE-2017-7521)

OpenVPN v2.3.16
2017.05.18 -- Version 2.3.16

Antonio Quartulli (1):
      fix redirect-gateway behaviour when an IPv4 default route does not exist

Guido Vranken (1):
      Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)

Selva Nair (1):
      Check for errors in the return value of GetModuleFileNameW()

Steven McDonald (1):
      Fix gateway detection with OpenBSD routing domains

OpenVPN v2.4.2 release
2017.05.11 -- Version 2.4.2

David Sommerseth (5):
      auth-token: Ensure tokens are always wiped on de-auth
      docs: Fixed man-page warnings discoverd by rpmlint
      Make --cipher/--auth none more explicit on the risks
      plugin: Fix documentation typo for type_mask
      plugin: Export secure_memzero() to plug-ins

Hristo Venev (1):
      Fix extract_x509_field_ssl for external objects, v2

Selva Nair (1):
      In auth-pam plugin clear the password after use

Steffan Karger (10):
      cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
      Don't run packet_id unit tests for --disable-crypto builds
      Fix Changes.rst layout
      Fix memory leak in x509_verify_cert_ku()
      mbedtls: correctly check return value in pkcs11_certificate_dn()
      Restore pre-NCP frame parameters for new sessions
      Always clear username/password from memory on error
      Document tls-crypt security considerations in man page
      Don't assert out on receiving too-large control packets (CVE-2017-7478)
      Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)

ValdikSS (1):
      Set a low interface metric for tap adapter when block-outside-dns is in use

OpenVPN v2.3.15
2017.05.11 -- Version 2.3.15

David Sommerseth (6):
      dev-tools: Added script for updating copyright years in files
      Update copyrights
      docs: Further improve --reneg-bytes and SWEET32 information
      git: Merge .gitignore files into a single file
      Make --cipher/--auth none more explicit on the risks
      Prepare v2.3.15 release

Gert Doering (1):
      Document --proto udp6, tcp6, etc.

Julien Muchembled (1):
      Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset

Steffan Karger (6):
      Add missing includes in error.h
      cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
      Document that OpenVPN 2.3 does not check the CRL signature
      Introduce and use secure_memzero() to erase secrets
      Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
      Don't assert out on receiving too-large control packets (CVE-2017-7478)

OpenVPN v2.4.1 release
2017.03.21 -- Version 2.4.1

Antonio Quartulli (4):
      attempt to add IPv6 route even when no IPv6 address was configured
      fix redirect-gateway behaviour when an IPv4 default route does not exist
      CRL: use time_t instead of struct timespec to store last mtime
      ignore remote-random-hostname if a numeric host is provided

Christian Hesse (7):
      man: fix formatting for alternative option
      systemd: Use automake tools to install unit files
      systemd: Do not race on RuntimeDirectory
      systemd: Add more security feature for systemd units
      Clean up plugin path handling
      plugin: Remove GNUism in openvpn-plugin.h generation
      fix typo in notification message

David Sommerseth (6):
      management: >REMOTE operation would overwrite ce change indicator
      management: Remove a redundant #ifdef block
      git: Merge .gitignore files into a single file
      systemd: Move the READY=1 signalling to an earlier point
      plugin: Improve the handling of default plug-in directory
      cleanup: Remove faulty env processing functions

Emmanuel Deloget (8):
      OpenSSL: check for the SSL reason, not the full error
      OpenSSL: don't use direct access to the internal of X509_STORE_CTX
      OpenSSL: don't use direct access to the internal of SSL_CTX
      OpenSSL: don't use direct access to the internal of X509_STORE
      OpenSSL: don't use direct access to the internal of X509_OBJECT
      OpenSSL: don't use direct access to the internal of RSA_METHOD
      OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1
      OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()

Eric Thorpe (1):
      Fix Building Using MSVC

Gert Doering (4):
      Add openssl_compat.h to openvpn_SOURCES
      Fix '--dev null'
      Fix installation of IPv6 host route to VPN server when using iservice.
      Make ENABLE_OCC no longer depend on !ENABLE_SMALL

Gisle Vanem (1):
      Crash in options.c

Ilya Shipitsin (2):
      Resolve several travis-ci issues
      travis-ci: remove unused files

Olivier Wahrenberger (1):
      Fix building with LibreSSL 2.5.1 by cleaning a hack.

Selva Nair (4):
      Fix push options digest update
      Always release dhcp address in close_tun() on Windows.
      Add a check for -Wl, --wrap support in linker
      Fix user's group membership check in interactive service to work with domains

Simon Matter (1):
      Fix segfault when using crypto lib without AES-256-CTR or SHA256

Steffan Karger (8):
      More broadly enforce Allman style and braces-around-conditionals
      Use SHA256 for the internal digest, instead of MD5
      OpenSSL: 1.1 fallout - fix configure on old autoconf
      Fix types in WIN32 socket_listen_accept()
      Remove duplicate X509 env variables
      Fix non-C99-compliant builds: don't use const size_t as array length
      Deprecate --ns-cert-type
      Be less picky about keyUsage extensions

OpenVPN v2.4.0 release

David Sommerseth (5):
      dev-tools: Added script for updating copyright years in files
      Update copyrights
      docs: Further enhance the documentation related to SWEET32
      man: Remove references to no longer present IV_RGI6 peer-info
      build: Ensure Changes.rst is shipped and installed as a doc file

Gert Doering (1):
      Remove IV_RGI6=1 peer-info signalling.

Steffan Karger (3):
      Document that RSA_SIGN can also request TLS 1.2 signatures
      man: encourage user to read on about --tls-crypt
      Textual fixes for Changes.rst

OpenVPN 2.4_rc2 release
2016.12.16 -- Version 2.4_rc2

David Sommerseth (9):
      Fix wrong configure.ac parsing of --enable-async-push
      Changes: Further improve systemd unit file updates
      systemd: Intermediate --chroot fix with the new sd_notify() implementation
      Further enhance async-push feature description
      Changes.rst: Mainatiner update on C99
      dev-tools: Add reformat-all.sh for code style unification
      The Great Reformatting - first phase
      Merge 'reformatting' branch into master
      auth-gen-token: Hardening memory cleanup on auth-token failuers

Gert Doering (1):
      Refactor setting close-on-exec for socket FDs

Lev Stipakov (2):
      Arm inotify only in server mode
      Add "async push" feature to Changes.rst

Magnus Kroken (1):
      mbedtls: include correct net/net_sockets header according to version

Selva Nair (2):
      Correctly state the default dhcp server address in man page
      Unhide a line in man page by fixing a typo

Steffan Karger (4):
      Fix (and cleanup) crypto flags in combination with NCP
      Deprecate --no-iv
      man: mention that --ecdh-curve does not work on mbed TLS builds
      Don't reopen tun if cipher changes