diff options
author | Alberto Gonzalez Iniesta <agi@inittab.org> | 2017-06-22 13:16:46 +0200 |
---|---|---|
committer | Alberto Gonzalez Iniesta <agi@inittab.org> | 2017-06-22 13:16:46 +0200 |
commit | 766cdd4b4d1fcb31addf6727dbcfd3d99e390456 (patch) | |
tree | 76932876ae57f139fa1b3f82b375e4e526b507d7 /ChangeLog | |
parent | d73f7253d939e293abf9e27b4b7f37df1ec12a39 (diff) | |
parent | 9683f890944ffb114f5f8214f694e0b339cf5a5a (diff) |
Merge tag 'upstream/2.4.3'
Upstream version 2.4.3
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 164 |
1 files changed, 164 insertions, 0 deletions
@@ -1,6 +1,170 @@ OpenVPN Change Log Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net> +2017.06.21 -- Version 2.4.3 +Antonio Quartulli (1): + Ignore auth-nocache for auth-user-pass if auth-token is pushed + +David Sommerseth (3): + crypto: Enable SHA256 fingerprint checking in --verify-hash + copyright: Update GPLv2 license texts + auth-token with auth-nocache fix broke --disable-crypto builds + +Emmanuel Deloget (8): + OpenSSL: don't use direct access to the internal of X509 + OpenSSL: don't use direct access to the internal of EVP_PKEY + OpenSSL: don't use direct access to the internal of RSA + OpenSSL: don't use direct access to the internal of DSA + OpenSSL: force meth->name as non-const when we free() it + OpenSSL: don't use direct access to the internal of EVP_MD_CTX + OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX + OpenSSL: don't use direct access to the internal of HMAC_CTX + +Gert Doering (6): + Fix NCP behaviour on TLS reconnect. + Remove erroneous limitation on max number of args for --plugin + Fix edge case with clients failing to set up cipher on empty PUSH_REPLY. + Fix potential 1-byte overread in TCP option parsing. + Fix remotely-triggerable ASSERT() on malformed IPv6 packet. + Update Changes.rst with relevant info for 2.4.3 release. + +Guido Vranken (6): + refactor my_strupr + Fix 2 memory leaks in proxy authentication routine + Fix memory leak in add_option() for option 'connection' + Ensure option array p[] is always NULL-terminated + Fix a null-pointer dereference in establish_http_proxy_passthru() + Prevent two kinds of stack buffer OOB reads and a crash for invalid input data + +Jérémie Courrèges-Anglas (2): + Fix an unaligned access on OpenBSD/sparc64 + Missing include for socket-flags TCP_NODELAY on OpenBSD + +Matthias Andree (1): + Make openvpn-plugin.h self-contained again. + +Selva Nair (1): + Pass correct buffer size to GetModuleFileNameW() + +Steffan Karger (11): + Log the negotiated (NCP) cipher + Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c) + Skip tls-crypt unit tests if required crypto mode not supported + openssl: fix overflow check for long --tls-cipher option + Add a DSA test key/cert pair to sample-keys + Fix mbedtls fingerprint calculation + mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522) + mbedtls: require C-string compatible types for --x509-username-field + Fix remote-triggerable memory leaks (CVE-2017-7521) + Restrict --x509-alt-username extension types + Fix potential double-free in --x509-alt-username (CVE-2017-7521) + +Steven McDonald (1): + Fix gateway detection with OpenBSD routing domains + + +2017.05.11 -- Version 2.4.2 +David Sommerseth (5): + auth-token: Ensure tokens are always wiped on de-auth + docs: Fixed man-page warnings discoverd by rpmlint + Make --cipher/--auth none more explicit on the risks + plugin: Fix documentation typo for type_mask + plugin: Export secure_memzero() to plug-ins + +Hristo Venev (1): + Fix extract_x509_field_ssl for external objects, v2 + +Selva Nair (1): + In auth-pam plugin clear the password after use + +Steffan Karger (10): + cleanup: merge packet_id_alloc_outgoing() into packet_id_write() + Don't run packet_id unit tests for --disable-crypto builds + Fix Changes.rst layout + Fix memory leak in x509_verify_cert_ku() + mbedtls: correctly check return value in pkcs11_certificate_dn() + Restore pre-NCP frame parameters for new sessions + Always clear username/password from memory on error + Document tls-crypt security considerations in man page + Don't assert out on receiving too-large control packets (CVE-2017-7478) + Drop packets instead of assert out if packet id rolls over (CVE-2017-7479) + +ValdikSS (1): + Set a low interface metric for tap adapter when block-outside-dns is in use + +2017.03.21 -- Version 2.4.1 +Antonio Quartulli (4): + attempt to add IPv6 route even when no IPv6 address was configured + fix redirect-gateway behaviour when an IPv4 default route does not exist + CRL: use time_t instead of struct timespec to store last mtime + ignore remote-random-hostname if a numeric host is provided + +Christian Hesse (7): + man: fix formatting for alternative option + systemd: Use automake tools to install unit files + systemd: Do not race on RuntimeDirectory + systemd: Add more security feature for systemd units + Clean up plugin path handling + plugin: Remove GNUism in openvpn-plugin.h generation + fix typo in notification message + +David Sommerseth (6): + management: >REMOTE operation would overwrite ce change indicator + management: Remove a redundant #ifdef block + git: Merge .gitignore files into a single file + systemd: Move the READY=1 signalling to an earlier point + plugin: Improve the handling of default plug-in directory + cleanup: Remove faulty env processing functions + +Emmanuel Deloget (8): + OpenSSL: check for the SSL reason, not the full error + OpenSSL: don't use direct access to the internal of X509_STORE_CTX + OpenSSL: don't use direct access to the internal of SSL_CTX + OpenSSL: don't use direct access to the internal of X509_STORE + OpenSSL: don't use direct access to the internal of X509_OBJECT + OpenSSL: don't use direct access to the internal of RSA_METHOD + OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1 + OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit() + +Eric Thorpe (1): + Fix Building Using MSVC + +Gert Doering (4): + Add openssl_compat.h to openvpn_SOURCES + Fix '--dev null' + Fix installation of IPv6 host route to VPN server when using iservice. + Make ENABLE_OCC no longer depend on !ENABLE_SMALL + +Gisle Vanem (1): + Crash in options.c + +Ilya Shipitsin (2): + Resolve several travis-ci issues + travis-ci: remove unused files + +Olivier Wahrenberger (1): + Fix building with LibreSSL 2.5.1 by cleaning a hack. + +Selva Nair (4): + Fix push options digest update + Always release dhcp address in close_tun() on Windows. + Add a check for -Wl, --wrap support in linker + Fix user's group membership check in interactive service to work with domains + +Simon Matter (1): + Fix segfault when using crypto lib without AES-256-CTR or SHA256 + +Steffan Karger (8): + More broadly enforce Allman style and braces-around-conditionals + Use SHA256 for the internal digest, instead of MD5 + OpenSSL: 1.1 fallout - fix configure on old autoconf + Fix types in WIN32 socket_listen_accept() + Remove duplicate X509 env variables + Fix non-C99-compliant builds: don't use const size_t as array length + Deprecate --ns-cert-type + Be less picky about keyUsage extensions + + 2016.12.26 -- Version 2.4.0 David Sommerseth (5): dev-tools: Added script for updating copyright years in files |