Preparing release 2.5.2

version.m4, ChangeLog, Changes.rst Signed-off-by: Gert Doering <[email protected]>
Knudn · Apr 20, 2021 · 23ae78e · 23ae78e
1 parent f7b3bf0
commit 23ae78e
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,37 @@
 OpenVPN Change Log
 Copyright (C) 2002-2020 OpenVPN Inc <[email protected]>
 
+2021.04.20 -- Version 2.5.2
+
+Arne Schwabe (10):
+      Avoid generating unecessary mbed debug messages
+      Restore also ping related options on a reconnect
+      Cleanup print_details and add signature/ED certificate print
+      Always disable TLS renegotiations
+      Also restore/save route-gateway options on SIGUSR1 reconnects
+      Move context_auth from context_2 to tls_multi and name it multi_state
+      Fix condition to generate session keys
+      Move auth_token_state from multi to key_state
+      Ensure auth-token is only sent on a fully authenticated session
+      Ensure key state is authenticated before sending push reply
+
+Gert Doering (2):
+      Fix potential NULL ptr crash if compiled with DMALLOC
+
+Max Fillinger (2):
+      In init_ssl, open the correct CRL path pre-chroot
+      Abort if CRL file can't be stat-ed in ssl_init
+
+Richard Bonhomme (1):
+      Do not print Diffie Hellman parameters file to log file
+
+Simon Rozman (1):
+      openvpnserv: Cache last error before it is overridden
+
+Vladislav Grishenko (1):
+      Fix IPv4 default gateway with multiple route tables
+
+
 2021.02.24 -- Version 2.5.1
 
 Arne Schwabe (5):

diff --git a/Changes.rst b/Changes.rst
@@ -1,3 +1,48 @@
+Overview of changes in 2.5.2
+============================
+
+Bugfixes
+--------
+- CVE-2020-15078
+  see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
+
+  This bug allows - under very specific circumstances - to trick a
+  server using delayed authentication (plugin or management) into
+  returning a PUSH_REPLY before the AUTH_FAILED message, which can
+  possibly be used to gather information about a VPN setup.
+
+  In combination with "--auth-gen-token" or an user-specific token auth
+  solution it can be possible to get access to a VPN with an
+  otherwise-invalid account.
+
+- restore pushed "ping" settings correctly on a SIGUSR1 restart
+
+- avoid generating unecessary mbed debug messages - this is actually
+  a workaround for an mbedTLS 2.25 bug when using Curve25519 and Curve448
+  ED curves - mbedTLS crashes on preparing debug infos that we do not
+  actually need unless running with "--verb 8"
+
+- do not print inlined (<dh>...</dh>) Diffie Hellman parameters to log file
+
+- fix Linux/SITNL default route lookup in case of multiple routing tables
+  with more than one default route present (always use "main table" for now)
+
+- Fix CRL file handling in combination with chroot
+
+User-visible Changes
+--------------------
+
+- OpenVPN will now refuse to start if CRL file is not present at startup
+  time.  At "reload time" absense of the CRL file is still OK (and the
+  in memory copy is used) but at startup it is now considered an error.
+
+
+New features
+------------
+- printing of the TLS ciphers negotiated has been extended, especially
+  displaying TLS 1.3 and EC certificates more correctly.
+
+
 Overview of changes in 2.5.1
 ============================
 

diff --git a/version.m4 b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [5])
-define([PRODUCT_VERSION_PATCH], [.1])
+define([PRODUCT_VERSION_PATCH], [.2])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [[email protected]])
-define([PRODUCT_VERSION_RESOURCE], [2,5,1,0])
+define([PRODUCT_VERSION_RESOURCE], [2,5,2,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])