author: Alberto Gonzalez Iniesta <agi@inittab.org> 2017-06-22 13:16:46 +0200
committer: Alberto Gonzalez Iniesta <agi@inittab.org> 2017-06-22 13:16:46 +0200
commit: 766cdd4b4d1fcb31addf6727dbcfd3d99e390456
tree: 76932876ae57f139fa1b3f82b375e4e526b507d7 /ChangeLog
parent: d73f7253d939e293abf9e27b4b7f37df1ec12a39
parent: 9683f890944ffb114f5f8214f694e0b339cf5a5a
Merge tag 'upstream/2.4.3'
Upstream version 2.4.3
Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 164
1 files changed, 164 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 9ecf4f0..537beaa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,170 @@
OpenVPN Change Log
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
+2017.06.21 -- Version 2.4.3
+Antonio Quartulli (1):
+ Ignore auth-nocache for auth-user-pass if auth-token is pushed
+
+David Sommerseth (3):
+ crypto: Enable SHA256 fingerprint checking in --verify-hash
+ copyright: Update GPLv2 license texts
+ auth-token with auth-nocache fix broke --disable-crypto builds
+
+Emmanuel Deloget (8):
+ OpenSSL: don't use direct access to the internal of X509
+ OpenSSL: don't use direct access to the internal of EVP_PKEY
+ OpenSSL: don't use direct access to the internal of RSA
+ OpenSSL: don't use direct access to the internal of DSA
+ OpenSSL: force meth->name as non-const when we free() it
+ OpenSSL: don't use direct access to the internal of EVP_MD_CTX
+ OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
+ OpenSSL: don't use direct access to the internal of HMAC_CTX
+
+Gert Doering (6):
+ Fix NCP behaviour on TLS reconnect.
+ Remove erroneous limitation on max number of args for --plugin
+ Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
+ Fix potential 1-byte overread in TCP option parsing.
+ Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
+ Update Changes.rst with relevant info for 2.4.3 release.
+
+Guido Vranken (6):
+ refactor my_strupr
+ Fix 2 memory leaks in proxy authentication routine
+ Fix memory leak in add_option() for option 'connection'
+ Ensure option array p[] is always NULL-terminated
+ Fix a null-pointer dereference in establish_http_proxy_passthru()
+ Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
+
+Jérémie Courrèges-Anglas (2):
+ Fix an unaligned access on OpenBSD/sparc64
+ Missing include for socket-flags TCP_NODELAY on OpenBSD
+
+Matthias Andree (1):
+ Make openvpn-plugin.h self-contained again.
+
+Selva Nair (1):
+ Pass correct buffer size to GetModuleFileNameW()
+
+Steffan Karger (11):
+ Log the negotiated (NCP) cipher
+ Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
+ Skip tls-crypt unit tests if required crypto mode not supported
+ openssl: fix overflow check for long --tls-cipher option
+ Add a DSA test key/cert pair to sample-keys
+ Fix mbedtls fingerprint calculation
+ mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
+ mbedtls: require C-string compatible types for --x509-username-field
+ Fix remote-triggerable memory leaks (CVE-2017-7521)
+ Restrict --x509-alt-username extension types
+ Fix potential double-free in --x509-alt-username (CVE-2017-7521)
+
+Steven McDonald (1):
+ Fix gateway detection with OpenBSD routing domains
+
+
+2017.05.11 -- Version 2.4.2
+David Sommerseth (5):
+ auth-token: Ensure tokens are always wiped on de-auth
+ docs: Fixed man-page warnings discoverd by rpmlint
+ Make --cipher/--auth none more explicit on the risks
+ plugin: Fix documentation typo for type_mask
+ plugin: Export secure_memzero() to plug-ins
+
+Hristo Venev (1):
+ Fix extract_x509_field_ssl for external objects, v2
+
+Selva Nair (1):
+ In auth-pam plugin clear the password after use
+
+Steffan Karger (10):
+ cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
+ Don't run packet_id unit tests for --disable-crypto builds
+ Fix Changes.rst layout
+ Fix memory leak in x509_verify_cert_ku()
+ mbedtls: correctly check return value in pkcs11_certificate_dn()
+ Restore pre-NCP frame parameters for new sessions
+ Always clear username/password from memory on error
+ Document tls-crypt security considerations in man page
+ Don't assert out on receiving too-large control packets (CVE-2017-7478)
+ Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
+
+ValdikSS (1):
+ Set a low interface metric for tap adapter when block-outside-dns is in use
+
+2017.03.21 -- Version 2.4.1
+Antonio Quartulli (4):
+ attempt to add IPv6 route even when no IPv6 address was configured
+ fix redirect-gateway behaviour when an IPv4 default route does not exist
+ CRL: use time_t instead of struct timespec to store last mtime
+ ignore remote-random-hostname if a numeric host is provided
+
+Christian Hesse (7):
+ man: fix formatting for alternative option
+ systemd: Use automake tools to install unit files
+ systemd: Do not race on RuntimeDirectory
+ systemd: Add more security feature for systemd units
+ Clean up plugin path handling
+ plugin: Remove GNUism in openvpn-plugin.h generation
+ fix typo in notification message
+
+David Sommerseth (6):
+ management: >REMOTE operation would overwrite ce change indicator
+ management: Remove a redundant #ifdef block
+ git: Merge .gitignore files into a single file
+ systemd: Move the READY=1 signalling to an earlier point
+ plugin: Improve the handling of default plug-in directory
+ cleanup: Remove faulty env processing functions
+
+Emmanuel Deloget (8):
+ OpenSSL: check for the SSL reason, not the full error
+ OpenSSL: don't use direct access to the internal of X509_STORE_CTX
+ OpenSSL: don't use direct access to the internal of SSL_CTX
+ OpenSSL: don't use direct access to the internal of X509_STORE
+ OpenSSL: don't use direct access to the internal of X509_OBJECT
+ OpenSSL: don't use direct access to the internal of RSA_METHOD
+ OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1
+ OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()
+
+Eric Thorpe (1):
+ Fix Building Using MSVC
+
+Gert Doering (4):
+ Add openssl_compat.h to openvpn_SOURCES
+ Fix '--dev null'
+ Fix installation of IPv6 host route to VPN server when using iservice.
+ Make ENABLE_OCC no longer depend on !ENABLE_SMALL
+
+Gisle Vanem (1):
+ Crash in options.c
+
+Ilya Shipitsin (2):
+ Resolve several travis-ci issues
+ travis-ci: remove unused files
+
+Olivier Wahrenberger (1):
+ Fix building with LibreSSL 2.5.1 by cleaning a hack.
+
+Selva Nair (4):
+ Fix push options digest update
+ Always release dhcp address in close_tun() on Windows.
+ Add a check for -Wl, --wrap support in linker
+ Fix user's group membership check in interactive service to work with domains
+
+Simon Matter (1):
+ Fix segfault when using crypto lib without AES-256-CTR or SHA256
+
+Steffan Karger (8):
+ More broadly enforce Allman style and braces-around-conditionals
+ Use SHA256 for the internal digest, instead of MD5
+ OpenSSL: 1.1 fallout - fix configure on old autoconf
+ Fix types in WIN32 socket_listen_accept()
+ Remove duplicate X509 env variables
+ Fix non-C99-compliant builds: don't use const size_t as array length
+ Deprecate --ns-cert-type
+ Be less picky about keyUsage extensions
+
+
2016.12.26 -- Version 2.4.0
David Sommerseth (5):
dev-tools: Added script for updating copyright years in files
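Review bot: In the 2.4.3 block, "Fix remotely-triggerable ASSERT() on malformed IPv6 packet." and "Fix a null-pointer dereference in establish_http_proxy_passthru()" are written as security fixes but carry no CVE tag, while the Steffan Karger entries in the same block are tagged (CVE-2017-7522) and (CVE-2017-7521). Anyone triaging this merge by searching the ChangeLog for "CVE-" will miss them. If identifiers were assigned, they should be appended to those lines in the same parenthesised form; otherwise the packaging changelog for this merge should call these fixes out explicitly. Minor points in the same hunk: "discoverd" in the 2.4.2 entry "docs: Fixed man-page warnings discoverd by rpmlint" is a typo, and the 2.4.2 section is followed by one blank line before "2017.03.21 -- Version 2.4.1" where the other sections are followed by two. Since this is a merge of the upstream tag, these are best reported upstream rather than patched locally.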