Tags: zhengweisk/openvpn
OpenVPN v2.4.3 release
2017.06.21 -- Version 2.4.3

Antonio Quartulli (1):
      Ignore auth-nocache for auth-user-pass if auth-token is pushed

David Sommerseth (3):
      crypto: Enable SHA256 fingerprint checking in --verify-hash
      copyright: Update GPLv2 license texts
      auth-token with auth-nocache fix broke --disable-crypto builds

Emmanuel Deloget (8):
      OpenSSL: don't use direct access to the internal of X509
      OpenSSL: don't use direct access to the internal of EVP_PKEY
      OpenSSL: don't use direct access to the internal of RSA
      OpenSSL: don't use direct access to the internal of DSA
      OpenSSL: force meth->name as non-const when we free() it
      OpenSSL: don't use direct access to the internal of EVP_MD_CTX
      OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
      OpenSSL: don't use direct access to the internal of HMAC_CTX

Gert Doering (6):
      Fix NCP behaviour on TLS reconnect.
      Remove erroneous limitation on max number of args for --plugin
      Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
      Fix potential 1-byte overread in TCP option parsing.
      Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
      Update Changes.rst with relevant info for 2.4.3 release.

Guido Vranken (6):
      refactor my_strupr
      Fix 2 memory leaks in proxy authentication routine
      Fix memory leak in add_option() for option 'connection'
      Ensure option array p[] is always NULL-terminated
      Fix a null-pointer dereference in establish_http_proxy_passthru()
      Prevent two kinds of stack buffer OOB reads and a crash for invalid input data

Jérémie Courrèges-Anglas (2):
      Fix an unaligned access on OpenBSD/sparc64
      Missing include for socket-flags TCP_NODELAY on OpenBSD

Matthias Andree (1):
      Make openvpn-plugin.h self-contained again.

Selva Nair (1):
      Pass correct buffer size to GetModuleFileNameW()

Steffan Karger (11):
      Log the negotiated (NCP) cipher
      Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
      Skip tls-crypt unit tests if required crypto mode not supported
      openssl: fix overflow check for long --tls-cipher option
      Add a DSA test key/cert pair to sample-keys
      Fix mbedtls fingerprint calculation
      mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
      mbedtls: require C-string compatible types for --x509-username-field
      Fix remote-triggerable memory leaks (CVE-2017-7521)
      Restrict --x509-alt-username extension types
      Fix potential double-free in --x509-alt-username (CVE-2017-7521)

Steven McDonald (1):
      Fix gateway detection with OpenBSD routing domains

OpenVPN v2.3.17 release
2017.06.21 -- Version 2.3.17

David Sommerseth (2):
      backport: Ignore auth-nocache for auth-user-pass if auth-token is pushed
      auth-token with auth-nocache fix broke --disable-crypto builds

Gert Doering (2):
      Fix potential 1-byte overread in TCP option parsing.
      Fix remotely-triggerable ASSERT() on malformed IPv6 packet.

Guido Vranken (6):
      refactor my_strupr
      Fix 2 memory leaks in proxy authentication routine
      Fix memory leak in add_option() for option 'connection'
      Ensure option array p[] is always NULL-terminated
      Fix a null-pointer dereference in establish_http_proxy_passthru()
      Prevent two kinds of stack buffer OOB reads and a crash for invalid input data

Jérémie Courrèges-Anglas (2):
      Fix an unaligned access on OpenBSD/sparc64
      Missing include for socket-flags TCP_NODELAY on OpenBSD

Steffan Karger (4):
      openssl: fix overflow check for long --tls-cipher option
      Fix remote-triggerable memory leaks (CVE-2017-7521)
      Restrict --x509-alt-username extension types
      Fix potential double-free in --x509-alt-username (CVE-2017-7521)

OpenVPN v2.3.16
2017.05.18 -- Version 2.3.16

Antonio Quartulli (1):
      fix redirect-gateway behaviour when an IPv4 default route does not exist

Guido Vranken (1):
      Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)

Selva Nair (1):
      Check for errors in the return value of GetModuleFileNameW()

Steven McDonald (1):
      Fix gateway detection with OpenBSD routing domains

OpenVPN v2.4.2 release
2017.05.11 -- Version 2.4.2

David Sommerseth (5):
      auth-token: Ensure tokens are always wiped on de-auth
      docs: Fixed man-page warnings discoverd by rpmlint
      Make --cipher/--auth none more explicit on the risks
      plugin: Fix documentation typo for type_mask
      plugin: Export secure_memzero() to plug-ins

Hristo Venev (1):
      Fix extract_x509_field_ssl for external objects, v2

Selva Nair (1):
      In auth-pam plugin clear the password after use

Steffan Karger (10):
      cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
      Don't run packet_id unit tests for --disable-crypto builds
      Fix Changes.rst layout
      Fix memory leak in x509_verify_cert_ku()
      mbedtls: correctly check return value in pkcs11_certificate_dn()
      Restore pre-NCP frame parameters for new sessions
      Always clear username/password from memory on error
      Document tls-crypt security considerations in man page
      Don't assert out on receiving too-large control packets (CVE-2017-7478)
      Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)

ValdikSS (1):
      Set a low interface metric for tap adapter when block-outside-dns is in use

OpenVPN v2.3.15
2017.05.11 -- Version 2.3.15

David Sommerseth (6):
      dev-tools: Added script for updating copyright years in files
      Update copyrights
      docs: Further improve --reneg-bytes and SWEET32 information
      git: Merge .gitignore files into a single file
      Make --cipher/--auth none more explicit on the risks
      Prepare v2.3.15 release

Gert Doering (1):
      Document --proto udp6, tcp6, etc.

Julien Muchembled (1):
      Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset

Steffan Karger (6):
      Add missing includes in error.h
      cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
      Document that OpenVPN 2.3 does not check the CRL signature
      Introduce and use secure_memzero() to erase secrets
      Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
      Don't assert out on receiving too-large control packets (CVE-2017-7478)

OpenVPN v2.4.1 release
2017.03.21 -- Version 2.4.1

Antonio Quartulli (4):
      attempt to add IPv6 route even when no IPv6 address was configured
      fix redirect-gateway behaviour when an IPv4 default route does not exist
      CRL: use time_t instead of struct timespec to store last mtime
      ignore remote-random-hostname if a numeric host is provided

Christian Hesse (7):
      man: fix formatting for alternative option
      systemd: Use automake tools to install unit files
      systemd: Do not race on RuntimeDirectory
      systemd: Add more security feature for systemd units
      Clean up plugin path handling
      plugin: Remove GNUism in openvpn-plugin.h generation
      fix typo in notification message

David Sommerseth (6):
      management: >REMOTE operation would overwrite ce change indicator
      management: Remove a redundant #ifdef block
      git: Merge .gitignore files into a single file
      systemd: Move the READY=1 signalling to an earlier point
      plugin: Improve the handling of default plug-in directory
      cleanup: Remove faulty env processing functions

Emmanuel Deloget (8):
      OpenSSL: check for the SSL reason, not the full error
      OpenSSL: don't use direct access to the internal of X509_STORE_CTX
      OpenSSL: don't use direct access to the internal of SSL_CTX
      OpenSSL: don't use direct access to the internal of X509_STORE
      OpenSSL: don't use direct access to the internal of X509_OBJECT
      OpenSSL: don't use direct access to the internal of RSA_METHOD
      OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1
      OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()

Eric Thorpe (1):
      Fix Building Using MSVC

Gert Doering (4):
      Add openssl_compat.h to openvpn_SOURCES
      Fix '--dev null'
      Fix installation of IPv6 host route to VPN server when using iservice.
      Make ENABLE_OCC no longer depend on !ENABLE_SMALL

Gisle Vanem (1):
      Crash in options.c

Ilya Shipitsin (2):
      Resolve several travis-ci issues
      travis-ci: remove unused files

Olivier Wahrenberger (1):
      Fix building with LibreSSL 2.5.1 by cleaning a hack.

Selva Nair (4):
      Fix push options digest update
      Always release dhcp address in close_tun() on Windows.
      Add a check for -Wl, --wrap support in linker
      Fix user's group membership check in interactive service to work with domains

Simon Matter (1):
      Fix segfault when using crypto lib without AES-256-CTR or SHA256

Steffan Karger (8):
      More broadly enforce Allman style and braces-around-conditionals
      Use SHA256 for the internal digest, instead of MD5
      OpenSSL: 1.1 fallout - fix configure on old autoconf
      Fix types in WIN32 socket_listen_accept()
      Remove duplicate X509 env variables
      Fix non-C99-compliant builds: don't use const size_t as array length
      Deprecate --ns-cert-type
      Be less picky about keyUsage extensions

OpenVPN v2.4.0 release

David Sommerseth (5):
      dev-tools: Added script for updating copyright years in files
      Update copyrights
      docs: Further enhance the documentation related to SWEET32
      man: Remove references to no longer present IV_RGI6 peer-info
      build: Ensure Changes.rst is shipped and installed as a doc file

Gert Doering (1):
      Remove IV_RGI6=1 peer-info signalling.

Steffan Karger (3):
      Document that RSA_SIGN can also request TLS 1.2 signatures
      man: encourage user to read on about --tls-crypt
      Textual fixes for Changes.rst

OpenVPN 2.4_rc2 release
2016.12.16 -- Version 2.4_rc2

David Sommerseth (9):
      Fix wrong configure.ac parsing of --enable-async-push
      Changes: Further improve systemd unit file updates
      systemd: Intermediate --chroot fix with the new sd_notify() implementation
      Further enhance async-push feature description
      Changes.rst: Mainatiner update on C99
      dev-tools: Add reformat-all.sh for code style unification
      The Great Reformatting - first phase
      Merge 'reformatting' branch into master
      auth-gen-token: Hardening memory cleanup on auth-token failuers

Gert Doering (1):
      Refactor setting close-on-exec for socket FDs

Lev Stipakov (2):
      Arm inotify only in server mode
      Add "async push" feature to Changes.rst

Magnus Kroken (1):
      mbedtls: include correct net/net_sockets header according to version

Selva Nair (2):
      Correctly state the default dhcp server address in man page
      Unhide a line in man page by fixing a typo

Steffan Karger (4):
      Fix (and cleanup) crypto flags in combination with NCP
      Deprecate --no-iv
      man: mention that --ecdh-curve does not work on mbed TLS builds
      Don't reopen tun if cipher changes

OpenVPN v2.3.14
2016.12.06 -- Version 2.3.14

Christian Hesse (1):
      update year in copyright message

David Sommerseth (1):
      Document the --auth-token option

Gert Doering (3):
      Repair topology subnet on FreeBSD 11
      Repair topology subnet on OpenBSD
      Preparing release of v2.3.14

Lev Stipakov (1):
      Drop recursively routed packets

Selva Nair (4):
      Support --block-outside-dns on multiple tunnels
      When parsing '--setenv opt xx ..' make sure a third parameter is present
      Map restart signals from event loop to SIGTERM during exit-notification wait
      Correctly state the default dhcp server address in man page

Steffan Karger (1):
      Clean up format_hex_ex()

OpenVPN 2.4_rc1 release
2016.12.01 -- Version 2.4_rc1

Antonio Quartulli (1):
      reload CRL only if file was modified

Christian Hesse (3):
      update year in copyright message
      Use systemd service manager notification
      Refuse to daemonize when running from systemd

Gert Doering (1):
      Fix windows path in Changes.rst

Samuli Seppänen (1):
      Mention that OpenVPN 2.4 requires Windows Vista or higher

Selva Nair (4):
      Map restart signals from event loop to SIGTERM during exit-notification wait
      When parsing '--setenv opt xx ..' make sure a third parameter is present
      Force 'def1' method when --redirect-gateway is done through service
      Do not restart dns client service as a part of --register-dns processing

Steffan Karger (4):
      tls_process: don't set variable that's never read
      Unconditionally enable TLS_AGGREGATE_ACK
      Clean up format_hex_ex()
      Introduce and use secure_memzero() to erase secrets