initial stretch branch release 2.4.0-6

1 files changed, 2 insertions, 141 deletions

diff --git a/Changes.rst b/Changes.rst
index 454dde4..7ffd89e 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -1,5 +1,5 @@
-Overview of changes in 2.4
-==========================
+Version 2.4.0
+=============
 
 
 New features
@@ -177,7 +177,6 @@ Deprecated features
 
 - ``--no-iv`` is deprecated in 2.4 and will be removed in 2.5.
 
-
 User-visible Changes
 --------------------
 - When using ciphers with cipher blocks less than 128-bits,
@@ -303,141 +302,3 @@ Maintainer-visible changes
   header combinations.  In most of these situations it is recommended to
   use -std=gnu99 in CFLAGS.  This is known to be needed when doing
   i386/i686 builds on RHEL5.
-
-
-
-Version 2.4.3
-=============
-
-New features
-------------
-- Support building with OpenSSL 1.1 now (in addition to older versions)
-
-- On Win10, set low interface metric for TAP adapter when block-outside-dns
-  is in use, to make Windows prefer the TAP adapter for DNS queries
-  (avoiding large delays)
-
-
-Security
---------
-- CVE-2017-7522: Fix ``--x509-track`` post-authentication remote DoS
-  A client could crash a 2.4+ mbedtls server, if that server uses the
-  ``--x509-track`` option and the client has a correct, signed and unrevoked
-  certificate that contains an embedded NUL in the certificate subject.
-  Discovered and reported to the OpenVPN security team by Guido Vranken.
-
-- CVE-2017-7521: Fix post-authentication remote-triggerable memory leaks
-  A client could cause a server to leak a few bytes each time it connects to the
-  server.  That can eventuall cause the server to run out of memory, and thereby
-  causing the server process to terminate. Discovered and reported to the
-  OpenVPN security team by Guido Vranken.  (OpenSSL builds only.)
-
-- CVE-2017-7521: Fix a potential post-authentication remote code execution
-  attack on servers that use the ``--x509-username-field`` option with an X.509
-  extension field (option argument prefixed with ``ext:``).  A client that can
-  cause a server to run out-of-memory (see above) might be able to cause the
-  server to double free, which in turn might lead to remote code execution.
-  Discovered and reported to the OpenVPN security team by Guido Vranken.
-  (OpenSSL builds only.)
-
-- CVE-2017-7520: Pre-authentication remote crash/information disclosure for
-  clients. If clients use a HTTP proxy with NTLM authentication (i.e.
-  ``--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2``),
-  a man-in-the-middle attacker between the client and the proxy can cause
-  the client to crash or disclose at most 96 bytes of stack memory. The
-  disclosed stack memory is likely to contain the proxy password. If the
-  proxy password is not reused, this is unlikely to compromise the security
-  of the OpenVPN tunnel itself.  Clients who do not use the ``--http-proxy``
-  option with ntlm2 authentication are not affected.
-
-- CVE-2017-7508: Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
-  This can be used to remotely shutdown an openvpn server or client, if
-  IPv6 and ``--mssfix`` are enabled and the IPv6 networks used inside the VPN
-  are known.
-
-- Fix null-pointer dereference when talking to a malicious http proxy
-  that returns a malformed Proxy-Authenticate: headers for digest auth.
-
-- Fix overflow check for long ``--tls-cipher`` option
-
-- Windows: Pass correct buffer size to ``GetModuleFileNameW()``
-  (OSTIF/Quarkslabs audit, finding 5.6)
-
-
-User-visible Changes
---------------------
-- ``--verify-hash`` can now take an optional flag which changes the hashing
-  algorithm. It can be either SHA1 or SHA256.  The default if not provided is
-  SHA1 to preserve backwards compatibility with existing configurations.
-
-- Restrict the supported ``--x509-username-field`` extension fields to subjectAltName
-  and issuerAltName.  Other extensions probably didn't work anyway, and would
-  cause OpenVPN to crash when a client connects.
-
-
-Bugfixes
---------
-- Fix fingerprint calculation in mbed TLS builds.  This means that mbed TLS users
-  of OpenVPN 2.4.0, 2.4.1 and 2.4.2 that rely on the values of the
-  ``tls_digest_*`` env vars, or that use ``--verify-hash`` will have to change
-  the fingerprint values they check against.  The security impact of the
-  incorrect calculation is very minimal; the last few bytes (max 4, typically
-  4) are not verified by the fingerprint.  We expect no real-world impact,
-  because users that used this feature before will notice that it has suddenly
-  stopped working, and users that didn't will notice that connection setup
-  fails if they specify correct fingerprints.
-
-- Fix edge case with NCP when the server sends an empty PUSH_REPLY message
-  back, and the client would not initialize it's data channel crypto layer
-  properly (trac #903)
-
-- Fix SIGSEGV on unaligned buffer access on OpenBSD/Sparc64
-
-- Fix TCP_NODELAY on OpenBSD
-
-- Remove erroneous limitation on max number of args for --plugin
-
-- Fix NCP behaviour on TLS reconnect (Server would not send a proper
-  "cipher ..." message back to the client, leading to client and server
-  using different ciphers) (trac #887)
-
-
-Version 2.4.2
-=============
-
-Bugfixes
---------
-- Fix memory leak introduced in 2.4.1: if --remote-cert-tls is used, we leaked
-  some memory on each TLS (re)negotiation.
-
-Security
---------
-- Fix a pre-authentication denial-of-service attack on both clients and servers.
-  By sending a too-large control packet, OpenVPN 2.4.0 or 2.4.1 can be forced
-  to hit an ASSERT() and stop the process.  If ``--tls-auth`` or ``--tls-crypt``
-  is used, only attackers that have the ``--tls-auth`` or ``--tls-crypt`` key
-  can mount an attack. (OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478)
-
-- Fix an authenticated remote DoS vulnerability that could be triggered by
-  causing a packet id roll over.  An attack is rather inefficient; a peer
-  would need to get us to send at least about 196 GB of data.
-  (OSTIF/Quarkslab audit finding 5.2, CVE-2017-7479)
-
-
-Version 2.4.1
-=============
-- ``--remote-cert-ku`` now only requires the certificate to have at least the
-  bits set of one of the values in the supplied list, instead of requiring an
-  exact match to one of the values in the list.
-
-- ``--remote-cert-tls`` now only requires that a keyUsage is present in the
-  certificate, and leaves the verification of the value up to the crypto
-  library, which has more information (i.e. the key exchange method in use)
-  to verify that the keyUsage is correct.
-
-- ``--ns-cert-type`` is deprecated.  Use ``--remote-cert-tls`` instead.
-  The nsCertType x509 extension is very old, and barely used.
-  ``--remote-cert-tls`` uses the far more common keyUsage and extendedKeyUsage
-  extension instead.  Make sure your certificates carry these to be able to
-  use ``--remote-cert-tls``.
-