New upstream version 2.4.4upstream/2.4.4

1 files changed, 95 insertions, 28 deletions

diff --git a/Changes.rst b/Changes.rst
index 454dde4..d5e12eb 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -44,6 +44,13 @@ ECDH key exchange
     The TLS control channel now supports for elliptic curve diffie-hellmann
     key exchange (ECDH).
 
+Improved Certificate Revocation List (CRL) processing
+    CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead
+    of inside OpenVPN itself.  The crypto library implementations are more
+    strict than the OpenVPN implementation was.  This might reject peer
+    certificates that would previously be accepted.  If this occurs, OpenVPN
+    will log the crypto library's error description.
+
 Dualstack round-robin DNS client connect
     Instead of only using the first address of each ``--remote`` OpenVPN
     will now try all addresses (IPv6 and IPv4) of a ``--remote`` entry.
@@ -154,28 +161,41 @@ Asynchronous push reply
 
 Deprecated features
 -------------------
-- ``--key-method 1`` is deprecated in 2.4 and will be removed in 2.5.  Migrate
-  away from ``--key-method 1`` as soon as possible.  The recommended approach
-  is to remove the ``--key-method`` option from the configuration files, OpenVPN
-  will then use ``--key-method 2`` by default.  Note that this requires changing
-  the option in both the client and server side configs.
+For an up-to-date list of all deprecated options, see this wiki page:
+https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
+
+- ``--key-method 1`` is deprecated in OpenVPN 2.4 and will be removed in v2.5.
+  Migrate away from ``--key-method 1`` as soon as possible.  The recommended
+  approach is to remove the ``--key-method`` option from the configuration
+  files, OpenVPN will then use ``--key-method 2`` by default.  Note that this
+  requires changing the option in both the client and server side configs.
+
+- ``--tls-remote`` is removed in OpenVPN 2.4, as indicated in the v2.3
+  man-pages.  Similar functionality is provided via ``--verify-x509-name``,
+  which does the same job in a better way.
+
+- ``--compat-names`` and ``--no-name-remapping`` were deprecated in OpenVPN 2.3
+  and will be removed in v2.5.  All scripts and plug-ins depending on the old
+  non-standard X.509 subject formatting must be updated to the standardized
+  formatting.  See the man page for more information.
+
+- ``--no-iv`` is deprecated in OpenVPN 2.4 and will be removed in v2.5.
+
+- ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6
+  together with the support of ciphers with cipher block size less than
+  128-bits.
 
-- CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead of
-  inside OpenVPN itself.  The crypto library implementations are more strict
-  than the OpenVPN implementation was.  This might reject peer certificates
-  that would previously be accepted.  If this occurs, OpenVPN will log the
-  crypto library's error description.
+- ``--comp-lzo`` is deprecated in OpenVPN 2.4.  Use ``--compress`` instead.
 
-- ``--tls-remote`` is removed in 2.4, as indicated in the 2.3 man-pages.  Similar
-  functionality is provided via ``--verify-x509-name``, which does the same job in
-  a better way.
+- ``--ifconfig-pool-linear`` has been deprecated since OpenVPN 2.1 and will be
+  removed in v2.5.  Use ``--topology p2p`` instead.
 
-- ``--compat-names`` and ``--no-name-remapping`` were deprecated in 2.3 and will
-  be removed in 2.5.  All scripts and plug-ins depending on the old non-standard
-  X.509 subject formatting must be updated to the standardized formatting.  See
-  the man page for more information.
+- ``--client-cert-not-required`` is deprecated in OpenVPN 2.4 and will be removed
+  in v2.5.  Use ``--verify-client-cert none`` for a functional equivalent.
 
-- ``--no-iv`` is deprecated in 2.4 and will be removed in 2.5.
+- ``--ns-cert-type`` is deprecated in OpenVPN 2.3.18 and v2.4.  It will be removed
+  in v2.5.  Use the far better ``--remote-cert-tls`` option which replaces this
+  feature.
 
 
 User-visible Changes
@@ -298,13 +318,58 @@ Maintainer-visible changes
   files instead of older ones, to provide a unified behaviour across systemd
   based Linux distributions.
 
-- With OpenVPN v2.4, the project has moved over to depend on and actively use
+- With OpenVPN 2.4, the project has moved over to depend on and actively use
   the official C99 standard (-std=c99).  This may fail on some older compiler/libc
   header combinations.  In most of these situations it is recommended to
   use -std=gnu99 in CFLAGS.  This is known to be needed when doing
   i386/i686 builds on RHEL5.
 
 
+Version 2.4.4
+=============
+This is primarily a maintenance release, with further improved OpenSSL 1.1
+integration, several minor bug fixes and other minor improvements.
+
+Bug fixes
+---------
+- Fix issues when a pushed cipher via the Negotiable Crypto Parameters (NCP) is
+  rejected by the remote side
+
+- Ignore ``--keysize`` when NCP have resulted in a changed cipher.
+
+- Configurations using ``--auth-nocache`` and the management interface to provide
+  user credentials (like NetworkManager on Linux) on client side with servers
+  implementing authentication tokens (for example, using ``--auth-gen-token``)
+  will now behave correctly and not query the user for an, to them, unknown
+  authentication token on renegotiations of the tunnel.
+
+- Fix bug causing invalid or corrupt SOCKS port number when changing the
+  proxy via the management interface.
+
+- The man page should now have proper escaping of hyphens/minus characters
+  and have seen some minor corrections.
+
+User-visible Changes
+--------------------
+- Linux servers with systemd which uses the ``openvpn-server@.service`` unit
+  file for server configurations will now utilize the automatic restart feature
+  in systemd.  If the OpenVPN server process dies unexpectedly, systemd will
+  ensure the OpenVPN configuration will be restarted without any user interaction.
+
+Deprecated features
+-------------------
+- ``--no-replay`` is deprecated and will be removed in OpenVPN 2.5.
+- ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6
+
+Security
+--------
+- CVE-2017-12166: Fix bounds check for configurations using ``--key-method 1``.
+  Before this fix, it could allow an attacker to send a malformed packet to
+  trigger a stack overflow.  This is considered to be a low risk issue, as
+  ``--key-method 2`` has been the default since OpenVPN 2.0 (released on
+  2005-04-17).  This option is already deprecated in v2.4 and will be
+  completely removed in v2.5.
+
 
 Version 2.4.3
 =============
@@ -321,7 +386,7 @@ New features
 Security
 --------
 - CVE-2017-7522: Fix ``--x509-track`` post-authentication remote DoS
-  A client could crash a 2.4+ mbedtls server, if that server uses the
+  A client could crash a v2.4+ mbedtls server, if that server uses the
   ``--x509-track`` option and the client has a correct, signed and unrevoked
   certificate that contains an embedded NUL in the certificate subject.
   Discovered and reported to the OpenVPN security team by Guido Vranken.
@@ -378,7 +443,7 @@ User-visible Changes
 Bugfixes
 --------
 - Fix fingerprint calculation in mbed TLS builds.  This means that mbed TLS users
-  of OpenVPN 2.4.0, 2.4.1 and 2.4.2 that rely on the values of the
+  of OpenVPN 2.4.0, v2.4.1 and v2.4.2 that rely on the values of the
   ``tls_digest_*`` env vars, or that use ``--verify-hash`` will have to change
   the fingerprint values they check against.  The security impact of the
   incorrect calculation is very minimal; the last few bytes (max 4, typically
@@ -407,16 +472,18 @@ Version 2.4.2
 
 Bugfixes
 --------
-- Fix memory leak introduced in 2.4.1: if --remote-cert-tls is used, we leaked
-  some memory on each TLS (re)negotiation.
+- Fix memory leak introduced in OpenVPN 2.4.1: if ``--remote-cert-tls`` is
+  used, we leaked some memory on each TLS (re)negotiation.
+
 
 Security
 --------
-- Fix a pre-authentication denial-of-service attack on both clients and servers.
-  By sending a too-large control packet, OpenVPN 2.4.0 or 2.4.1 can be forced
-  to hit an ASSERT() and stop the process.  If ``--tls-auth`` or ``--tls-crypt``
-  is used, only attackers that have the ``--tls-auth`` or ``--tls-crypt`` key
-  can mount an attack. (OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478)
+- Fix a pre-authentication denial-of-service attack on both clients and
+  servers.  By sending a too-large control packet, OpenVPN 2.4.0 or v2.4.1 can
+  be forced to hit an ASSERT() and stop the process.  If ``--tls-auth`` or
+  ``--tls-crypt`` is used, only attackers that have the ``--tls-auth`` or
+  ``--tls-crypt`` key can mount an attack.
+  (OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478)
 
 - Fix an authenticated remote DoS vulnerability that could be triggered by
   causing a packet id roll over.  An attack is rather inefficient; a peer