1 files changed, 164 insertions, 0 deletions

diff --git a/ChangeLog b/ChangeLog
index 9ecf4f0..537beaa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,170 @@
 OpenVPN Change Log
 Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
 
+2017.06.21 -- Version 2.4.3
+Antonio Quartulli (1):
+      Ignore auth-nocache for auth-user-pass if auth-token is pushed
+
+David Sommerseth (3):
+      crypto: Enable SHA256 fingerprint checking in --verify-hash
+      copyright: Update GPLv2 license texts
+      auth-token with auth-nocache fix broke --disable-crypto builds
+
+Emmanuel Deloget (8):
+      OpenSSL: don't use direct access to the internal of X509
+      OpenSSL: don't use direct access to the internal of EVP_PKEY
+      OpenSSL: don't use direct access to the internal of RSA
+      OpenSSL: don't use direct access to the internal of DSA
+      OpenSSL: force meth->name as non-const when we free() it
+      OpenSSL: don't use direct access to the internal of EVP_MD_CTX
+      OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
+      OpenSSL: don't use direct access to the internal of HMAC_CTX
+
+Gert Doering (6):
+      Fix NCP behaviour on TLS reconnect.
+      Remove erroneous limitation on max number of args for --plugin
+      Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
+      Fix potential 1-byte overread in TCP option parsing.
+      Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
+      Update Changes.rst with relevant info for 2.4.3 release.
+
+Guido Vranken (6):
+      refactor my_strupr
+      Fix 2 memory leaks in proxy authentication routine
+      Fix memory leak in add_option() for option 'connection'
+      Ensure option array p[] is always NULL-terminated
+      Fix a null-pointer dereference in establish_http_proxy_passthru()
+      Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
+
+Jérémie Courrèges-Anglas (2):
+      Fix an unaligned access on OpenBSD/sparc64
+      Missing include for socket-flags TCP_NODELAY on OpenBSD
+
+Matthias Andree (1):
+      Make openvpn-plugin.h self-contained again.
+
+Selva Nair (1):
+      Pass correct buffer size to GetModuleFileNameW()
+
+Steffan Karger (11):
+      Log the negotiated (NCP) cipher
+      Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
+      Skip tls-crypt unit tests if required crypto mode not supported
+      openssl: fix overflow check for long --tls-cipher option
+      Add a DSA test key/cert pair to sample-keys
+      Fix mbedtls fingerprint calculation
+      mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
+      mbedtls: require C-string compatible types for --x509-username-field
+      Fix remote-triggerable memory leaks (CVE-2017-7521)
+      Restrict --x509-alt-username extension types
+      Fix potential double-free in --x509-alt-username (CVE-2017-7521)
+
+Steven McDonald (1):
+      Fix gateway detection with OpenBSD routing domains
+
+
+2017.05.11 -- Version 2.4.2
+David Sommerseth (5):
+      auth-token: Ensure tokens are always wiped on de-auth
+      docs: Fixed man-page warnings discoverd by rpmlint
+      Make --cipher/--auth none more explicit on the risks
+      plugin: Fix documentation typo for type_mask
+      plugin: Export secure_memzero() to plug-ins
+
+Hristo Venev (1):
+      Fix extract_x509_field_ssl for external objects, v2
+
+Selva Nair (1):
+      In auth-pam plugin clear the password after use
+
+Steffan Karger (10):
+      cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
+      Don't run packet_id unit tests for --disable-crypto builds
+      Fix Changes.rst layout
+      Fix memory leak in x509_verify_cert_ku()
+      mbedtls: correctly check return value in pkcs11_certificate_dn()
+      Restore pre-NCP frame parameters for new sessions
+      Always clear username/password from memory on error
+      Document tls-crypt security considerations in man page
+      Don't assert out on receiving too-large control packets (CVE-2017-7478)
+      Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
+
+ValdikSS (1):
+      Set a low interface metric for tap adapter when block-outside-dns is in use
+
+2017.03.21 -- Version 2.4.1
+Antonio Quartulli (4):
+      attempt to add IPv6 route even when no IPv6 address was configured
+      fix redirect-gateway behaviour when an IPv4 default route does not exist
+      CRL: use time_t instead of struct timespec to store last mtime
+      ignore remote-random-hostname if a numeric host is provided
+
+Christian Hesse (7):
+      man: fix formatting for alternative option
+      systemd: Use automake tools to install unit files
+      systemd: Do not race on RuntimeDirectory
+      systemd: Add more security feature for systemd units
+      Clean up plugin path handling
+      plugin: Remove GNUism in openvpn-plugin.h generation
+      fix typo in notification message
+
+David Sommerseth (6):
+      management: >REMOTE operation would overwrite ce change indicator
+      management: Remove a redundant #ifdef block
+      git: Merge .gitignore files into a single file
+      systemd: Move the READY=1 signalling to an earlier point
+      plugin: Improve the handling of default plug-in directory
+      cleanup: Remove faulty env processing functions
+
+Emmanuel Deloget (8):
+      OpenSSL: check for the SSL reason, not the full error
+      OpenSSL: don't use direct access to the internal of X509_STORE_CTX
+      OpenSSL: don't use direct access to the internal of SSL_CTX
+      OpenSSL: don't use direct access to the internal of X509_STORE
+      OpenSSL: don't use direct access to the internal of X509_OBJECT
+      OpenSSL: don't use direct access to the internal of RSA_METHOD
+      OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1
+      OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()
+
+Eric Thorpe (1):
+      Fix Building Using MSVC
+
+Gert Doering (4):
+      Add openssl_compat.h to openvpn_SOURCES
+      Fix '--dev null'
+      Fix installation of IPv6 host route to VPN server when using iservice.
+      Make ENABLE_OCC no longer depend on !ENABLE_SMALL
+
+Gisle Vanem (1):
+      Crash in options.c
+
+Ilya Shipitsin (2):
+      Resolve several travis-ci issues
+      travis-ci: remove unused files
+
+Olivier Wahrenberger (1):
+      Fix building with LibreSSL 2.5.1 by cleaning a hack.
+
+Selva Nair (4):
+      Fix push options digest update
+      Always release dhcp address in close_tun() on Windows.
+      Add a check for -Wl, --wrap support in linker
+      Fix user's group membership check in interactive service to work with domains
+
+Simon Matter (1):
+      Fix segfault when using crypto lib without AES-256-CTR or SHA256
+
+Steffan Karger (8):
+      More broadly enforce Allman style and braces-around-conditionals
+      Use SHA256 for the internal digest, instead of MD5
+      OpenSSL: 1.1 fallout - fix configure on old autoconf
+      Fix types in WIN32 socket_listen_accept()
+      Remove duplicate X509 env variables
+      Fix non-C99-compliant builds: don't use const size_t as array length
+      Deprecate --ns-cert-type
+      Be less picky about keyUsage extensions
+
+
 2016.12.26 -- Version 2.4.0
 David Sommerseth (5):
       dev-tools: Added script for updating copyright years in files