Tags: inrg/openvpn
OpenVPN v2.4.7 release 2019.02.19 -- Version 2.4.7

Adam Ciarciński (1):
      Fix subnet topology on NetBSD (2.4).

Antonio Quartulli (3):
      add support for %lu in argv_printf and prevent ASSERT
      buffer_list: add functions documentation
      ifconfig-ipv6(-push): allow using hostnames

Arne Schwabe (7):
      Properly free tuntap struct on android when emulating persist-tun
      Add OpenSSL compat definition for RSA_meth_set_sign
      Add support for tls-ciphersuites for TLS 1.3
      Add better support for showing TLS 1.3 ciphersuites in --show-tls
      Use right function to set TLS1.3 restrictions in show-tls
      Add message explaining early TLS client hello failure
      Fallback to password authentication when auth-token fails

Christian Ehrhardt (1):
      systemd: extend CapabilityBoundingSet for auth_pam

David Sommerseth (1):
      plugin: Export base64 encode and decode functions

Gert Doering (4):
      Add %d, %u and %lu tests to test_argv unit tests.
      Fix combination of --dev tap and --topology subnet across multiple platforms.
      Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
      preparing release v2.4.7 (ChangeLog, version.m4, Changes.rst)

Gert van Dijk (1):
      Minor reliability layer documentation fixes

James Bekkema (1):
      Resolves small IV_GUI_VER typo in the documentation.

Jonathan K. Bullard (1):
      Clarify and expand management interface documentation

Lev Stipakov (5):
      Refactor NCP-negotiable options handling
      init.c: refine functions names and description
      interactive.c: fix usage of potentially uninitialized variable
      options.c: fix broken unary minus usage
      Remove extra token after #endif

Richard van den Berg via Openvpn-devel (1):
      Fix error message when using RHEL init script

Samy Mahmoudi (1):
      man: correct a --redirection-gateway option flag

Selva Nair (7):
      Replace M_DEBUG with D_LOW as the former is too verbose
      Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'
      Bump version of openvpn plugin argument structs to 5
      Move get system directory to a separate function
      Enable dhcp on tap adapter using interactive service
      Pass the hash without the DigestInfo header to NCryptSignHash()
      White-list pull-filter and script-security in interactive service

Simon Rozman (2):
      Add Interactive Service developer documentation
      Detect TAP interfaces with root-enumerated hardware ID

Steffan Karger (7):
      man: add security considerations to --compress section
      mbedtls: print warning if random personalisation fails
      Fix memory leak after sighup
      travis: add OpenSSL 1.1 Windows build
      Fix --disable-crypto build
      Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
      buffer_list_aggregate_separator(): simplify code

OpenVPN v2.4.6 release 2018.04.19 -- Version 2.4.6

David Sommerseth (1):
      management: Warn if TCP port is used without password

Gert Doering (3):
      Correct version in ChangeLog - should be 2.4.5, was mistyped as 2.4.4
      Fix potential double-free() in Interactive Service (CVE-2018-9336)
      preparing release v2.4.6 (ChangeLog, version.m4, Changes.rst)

Gert van Dijk (1):
      manpage: improve description of --status and --status-version

Joost Rijneveld (1):
      Make return code external tls key match docs

Selva Nair (3):
      Delete the IPv6 route to the "connected" network on tun close
      Management: warn about password only when the option is in use
      Avoid overflow in wakeup time computation

Simon Matter (1):
      Add missing #ifdef SSL_OP_NO_TLSv1_1/2

Steffan Karger (1):
      Check for more data in control channel

OpenVPN v2.4.5 release 2018.02.28 -- Version 2.4.5

Antonio Quartulli (4):
      reload HTTP proxy credentials when moving to the next connection profile
      Allow learning iroutes with network made up of all 0s (only if netbits < 8)
      mbedtls: fix typ0 in comment
      manpage: fix simple typ0

Arne Schwabe (2):
      Treat dhcp-option DNS6 and DNS identical
      show the right string for key-direction

Bertrand Bonnefoy-Claudet (1):
      Fix typo in error message: "optione" -> "option"

David Sommerseth (8):
      lz4: Fix confused version check
      lz4: Fix broken builds when pkg-config is not present but system library is
      Remove references to keychain-mcd in Changes.rst
      lz4: Rebase compat-lz4 against upstream v1.7.5
      systemd: Add and ship README.systemd
      Update copyright to include 2018 plus company name change
      man: Add .TQ groff support macro
      man: Reword --management to prefer unix sockets over TCP

Emmanuel Deloget (1):
      OpenSSL: check EVP_PKEY key types before returning the pkey

Gert Doering (3):
      Remove warning on pushed tun-ipv6 option.
      Fix removal of on-link prefix on windows with netsh
      Preparing for release v2.4.5 (ChangeLog, version.m4, Changes.rst)

Ilya Shipitsin (2):
      travis-ci: add brew cache, remove ccache
      travis-ci: modify openssl build script to support openssl-1.1.0

James Bottomley (1):
      autoconf: Fix engine checks for openssl 1.1

Jeremie Courreges-Anglas (2):
      Cast time_t to long long in order to print it.
      Fix build with LibreSSL

Selva Nair (14):
      Check whether in pull_mode before warning about previous connection blocks
      Avoid illegal memory access when malformed data is read from the pipe
      Fix missing check for return value of malloc'd buffer
      Return NULL if GetAdaptersInfo fails
      Use RSA_meth_free instead of free
      Bring cryptoapi.c upto speed with openssl 1.1
      Add SSL_CTX_get_max_proto_version() not in openssl 1.0
      TLS v1.2 support for cryptoapicert -- RSA only
      Refactor get_interface_metric to return metric and auto flag separately
      Ensure strings read from registry are null-terminated
      Make most registry values optional
      Use lowest metric interface when multiple interfaces match a route
      Adapt to RegGetValue brokenness in Windows 7
      Fix format spec errors in Windows builds

Simon Rozman (11):
      Local functions are not supported in MSVC. Bummer.
      Mixing wide and regular strings in concatenations is not allowed in MSVC.
      RtlIpv6AddressToStringW() and RtlIpv4AddressToStringW() require mstcpip.h
      Simplify iphlpapi.dll API calls
      Fix local #include to use quoted form
      Document ">PASSWORD:Auth-Token" real-time message
      Fix typo in "verb" command examples
      Uniform swprintf() across MinGW and MSVC compilers
      MSVC meta files added to .gitignore list
      openvpnserv: Add support for multi-instances
      Document missing OpenVPN states

Steffan Karger (21):
      make struct key * argument of init_key_ctx const
      buffer_list_aggregate_separator(): add unit tests
      Add --tls-cert-profile option.
      Use P_DATA_V2 for server->client packets too
      Fix memory leak in buffer unit tests
      buffer_list_aggregate_separator(): update list size after aggregating
      buffer_list_aggregate_separator(): don't exceed max_len
      buffer_list_aggregate_separator(): prevent 0-byte malloc
      Fix types around buffer_list_push(_data)
      ssl_openssl: fix compiler warning by removing getbio() wrapper
      travis: use clang's -fsanitize=address to catch more bugs
      Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
      Add support for TLS 1.3 in --tls-version-{min, max}
      Plug memory leak if push is interrupted
      Fix format errors when cross-compiling for Windows
      Log pre-handshake packet drops using D_MULTI_DROPPED
      Enable stricter compiler warnings by default
      Get rid of ax_check_compile_flag.m4
      mbedtls: don't use API deprecated in mbed 2.7
      Warn if tls-version-max < tls-version-min
      Don't throw fatal errors from create_temp_file()

hashiz (1):
      Fix '--bind ipv6only'

OpenVPN v2.4.4 release 2017.09.25 -- Version 2.4.4

Antonio Quartulli (23):
      crypto: correct typ0 in error message
      use M_ERRNO instead of explicitly printing errno
      don't print errno twice
      ntlm: avoid useless cast
      ntlm: unwrap multiple function calls
      route: improve error message
      management: preserve wait_for_push field when asking for user/pass
      tls-crypt: avoid warnings when --disable-crypto is used
      ntlm: convert binary buffers to uint8_t *
      ntlm: restyle compressed multiple function calls
      ntlm: improve code style and readability
      OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey()
      make function declarations C99 compliant
      remove unused functions
      use NULL instead of 0 when assigning pointers
      add missing static attribute to functions
      ntlm: avoid breaking anti-aliasing rules
      remove the --disable-multi config switch
      rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip
      route: avoid definition of unused variables in certain configurations
      fix a couple of typ0s in comments and strings
      fragment.c: simplify boolean expression
      tcp-server: ensure AF family is propagated to child context

Arne Schwabe (2):
      Set tls-cipher restriction before loading certificates
      Print ec bit details, refuse management-external-key if key is not RSA

Conrad Hoffmann (2):
      Use provided env vars in up/down script.
      Document down-root plugin usage in client.down

David Sommerseth (11):
      doc: The CRL processing is not a deprecated feature
      cleanup: Move write_pid() to where it is being used
      contrib: Remove keychain-mcd code
      cleanup: Move init_random_seed() to where it is being used
      sample-plugins: fix ASN1_STRING_to_UTF8 return value checks
      Highlight deprecated features
      Use consistent version references
      docs: Replace all PolarSSL references to mbed TLS
      systemd: Ensure systemd shuts down OpenVPN in a proper way
      systemd: Enable systemd's auto-restart feature for server profiles
      lz4: Move towards a newer LZ4 API

Emmanuel Deloget (3):
      OpenSSL: remove pre-1.1 function from the OpenSSL compat interface
      OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer
      OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer

Gert van Dijk (1):
      Warn that DH config option is only meaningful in a tls-server context

Ilya Shipitsin (3):
      travis-ci: add 3 missing patches from master to release/2.4
      travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1
      travis-ci: update pkcs11-helper to 1.22

Richard Bonhomme (1):
      man: Corrections to doc/openvpn.8

Steffan Karger (17):
      Fix typo in extract_x509_extension() debug message
      Move adjust_power_of_2() to integer.h
      Undo cipher push in client options state if cipher is rejected
      Remove strerror_ts()
      Move openvpn_sleep() to manage.c
      fixup: also change missed openvpn_sleep() occurrences
      Always use default keysize for NCP'd ciphers
      Move create_temp_file() out of #ifdef ENABLE_CRYPTO
      Deprecate --keysize
      Deprecate --no-replay
      Move run_up_down() to init.c
      tls-crypt: introduce tls_crypt_kt()
      crypto: create function to initialize encrypt and decrypt key
      Add coverity static analysis to Travis CI config
      tls-crypt: don't leak memory for incorrect tls-crypt messages
      travis: reorder matrix to speed up build
      Fix bounds check in read_key()

Szilárd Pfeiffer (1):
      OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag

Thomas Veerman via Openvpn-devel (1):
      Fix socks_proxy_port pointing to invalid data

OpenVPN 2.3.18 release 2017.09.25 -- Version 2.3.18

Antonio Quartulli (1):
      crypto: correct typ0 in error message

Steffan Karger (2):
      Deprecate --ns-cert-type
      Fix bounds check in read_key()

Szilárd Pfeiffer (1):
      OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag

OpenVPN v2.4.3 release 2017.06.21 -- Version 2.4.3

Antonio Quartulli (1):
      Ignore auth-nocache for auth-user-pass if auth-token is pushed

David Sommerseth (3):
      crypto: Enable SHA256 fingerprint checking in --verify-hash
      copyright: Update GPLv2 license texts
      auth-token with auth-nocache fix broke --disable-crypto builds

Emmanuel Deloget (8):
      OpenSSL: don't use direct access to the internal of X509
      OpenSSL: don't use direct access to the internal of EVP_PKEY
      OpenSSL: don't use direct access to the internal of RSA
      OpenSSL: don't use direct access to the internal of DSA
      OpenSSL: force meth->name as non-const when we free() it
      OpenSSL: don't use direct access to the internal of EVP_MD_CTX
      OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
      OpenSSL: don't use direct access to the internal of HMAC_CTX

Gert Doering (6):
      Fix NCP behaviour on TLS reconnect.
      Remove erroneous limitation on max number of args for --plugin
      Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
      Fix potential 1-byte overread in TCP option parsing.
      Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
      Update Changes.rst with relevant info for 2.4.3 release.

Guido Vranken (6):
      refactor my_strupr
      Fix 2 memory leaks in proxy authentication routine
      Fix memory leak in add_option() for option 'connection'
      Ensure option array p[] is always NULL-terminated
      Fix a null-pointer dereference in establish_http_proxy_passthru()
      Prevent two kinds of stack buffer OOB reads and a crash for invalid input data

Jérémie Courrèges-Anglas (2):
      Fix an unaligned access on OpenBSD/sparc64
      Missing include for socket-flags TCP_NODELAY on OpenBSD

Matthias Andree (1):
      Make openvpn-plugin.h self-contained again.

Selva Nair (1):
      Pass correct buffer size to GetModuleFileNameW()

Steffan Karger (11):
      Log the negotiated (NCP) cipher
      Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
      Skip tls-crypt unit tests if required crypto mode not supported
      openssl: fix overflow check for long --tls-cipher option
      Add a DSA test key/cert pair to sample-keys
      Fix mbedtls fingerprint calculation
      mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
      mbedtls: require C-string compatible types for --x509-username-field
      Fix remote-triggerable memory leaks (CVE-2017-7521)
      Restrict --x509-alt-username extension types
      Fix potential double-free in --x509-alt-username (CVE-2017-7521)

Steven McDonald (1):
      Fix gateway detection with OpenBSD routing domains

OpenVPN v2.3.17 release 2017.06.21 -- Version 2.3.17

David Sommerseth (2):
      backport: Ignore auth-nocache for auth-user-pass if auth-token is pushed
      auth-token with auth-nocache fix broke --disable-crypto builds

Gert Doering (2):
      Fix potential 1-byte overread in TCP option parsing.
      Fix remotely-triggerable ASSERT() on malformed IPv6 packet.

Guido Vranken (6):
      refactor my_strupr
      Fix 2 memory leaks in proxy authentication routine
      Fix memory leak in add_option() for option 'connection'
      Ensure option array p[] is always NULL-terminated
      Fix a null-pointer dereference in establish_http_proxy_passthru()
      Prevent two kinds of stack buffer OOB reads and a crash for invalid input data

Jérémie Courrèges-Anglas (2):
      Fix an unaligned access on OpenBSD/sparc64
      Missing include for socket-flags TCP_NODELAY on OpenBSD

Steffan Karger (4):
      openssl: fix overflow check for long --tls-cipher option
      Fix remote-triggerable memory leaks (CVE-2017-7521)
      Restrict --x509-alt-username extension types
      Fix potential double-free in --x509-alt-username (CVE-2017-7521)

OpenVPN v2.3.16 2017.05.18 -- Version 2.3.16

Antonio Quartulli (1):
      fix redirect-gateway behaviour when an IPv4 default route does not exist

Guido Vranken (1):
      Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)

Selva Nair (1):
      Check for errors in the return value of GetModuleFileNameW()

Steven McDonald (1):
      Fix gateway detection with OpenBSD routing domains

OpenVPN v2.4.2 release 2017.05.11 -- Version 2.4.2

David Sommerseth (5):
      auth-token: Ensure tokens are always wiped on de-auth
      docs: Fixed man-page warnings discoverd by rpmlint
      Make --cipher/--auth none more explicit on the risks
      plugin: Fix documentation typo for type_mask
      plugin: Export secure_memzero() to plug-ins

Hristo Venev (1):
      Fix extract_x509_field_ssl for external objects, v2

Selva Nair (1):
      In auth-pam plugin clear the password after use

Steffan Karger (10):
      cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
      Don't run packet_id unit tests for --disable-crypto builds
      Fix Changes.rst layout
      Fix memory leak in x509_verify_cert_ku()
      mbedtls: correctly check return value in pkcs11_certificate_dn()
      Restore pre-NCP frame parameters for new sessions
      Always clear username/password from memory on error
      Document tls-crypt security considerations in man page
      Don't assert out on receiving too-large control packets (CVE-2017-7478)
      Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)

ValdikSS (1):
      Set a low interface metric for tap adapter when block-outside-dns is in use

OpenVPN v2.3.15 2017.05.11 -- Version 2.3.15

David Sommerseth (6):
      dev-tools: Added script for updating copyright years in files
      Update copyrights
      docs: Further improve --reneg-bytes and SWEET32 information
      git: Merge .gitignore files into a single file
      Make --cipher/--auth none more explicit on the risks
      Prepare v2.3.15 release

Gert Doering (1):
      Document --proto udp6, tcp6, etc.

Julien Muchembled (1):
      Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset

Steffan Karger (6):
      Add missing includes in error.h
      cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
      Document that OpenVPN 2.3 does not check the CRL signature
      Introduce and use secure_memzero() to erase secrets
      Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
      Don't assert out on receiving too-large control packets (CVE-2017-7478)