From 749384a154025e268b53cf3cc79eaeddde2b3ceb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Tue, 27 Jun 2017 13:56:16 +0200 Subject: initial stretch branch release 2.4.0-6 --- ChangeLog | 164 -------------------------------------------------------------- 1 file changed, 164 deletions(-) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 537beaa..9ecf4f0 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,170 +1,6 @@ OpenVPN Change Log Copyright (C) 2002-2017 OpenVPN Technologies, Inc. -2017.06.21 -- Version 2.4.3 -Antonio Quartulli (1): - Ignore auth-nocache for auth-user-pass if auth-token is pushed - -David Sommerseth (3): - crypto: Enable SHA256 fingerprint checking in --verify-hash - copyright: Update GPLv2 license texts - auth-token with auth-nocache fix broke --disable-crypto builds - -Emmanuel Deloget (8): - OpenSSL: don't use direct access to the internal of X509 - OpenSSL: don't use direct access to the internal of EVP_PKEY - OpenSSL: don't use direct access to the internal of RSA - OpenSSL: don't use direct access to the internal of DSA - OpenSSL: force meth->name as non-const when we free() it - OpenSSL: don't use direct access to the internal of EVP_MD_CTX - OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX - OpenSSL: don't use direct access to the internal of HMAC_CTX - -Gert Doering (6): - Fix NCP behaviour on TLS reconnect. - Remove erroneous limitation on max number of args for --plugin - Fix edge case with clients failing to set up cipher on empty PUSH_REPLY. - Fix potential 1-byte overread in TCP option parsing. - Fix remotely-triggerable ASSERT() on malformed IPv6 packet. - Update Changes.rst with relevant info for 2.4.3 release. - -Guido Vranken (6): - refactor my_strupr - Fix 2 memory leaks in proxy authentication routine - Fix memory leak in add_option() for option 'connection' - Ensure option array p[] is always NULL-terminated - Fix a null-pointer dereference in establish_http_proxy_passthru() - Prevent two kinds of stack buffer OOB reads and a crash for invalid input data - -Jérémie Courrèges-Anglas (2): - Fix an unaligned access on OpenBSD/sparc64 - Missing include for socket-flags TCP_NODELAY on OpenBSD - -Matthias Andree (1): - Make openvpn-plugin.h self-contained again. 
- -Selva Nair (1): - Pass correct buffer size to GetModuleFileNameW() - -Steffan Karger (11): - Log the negotiated (NCP) cipher - Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c) - Skip tls-crypt unit tests if required crypto mode not supported - openssl: fix overflow check for long --tls-cipher option - Add a DSA test key/cert pair to sample-keys - Fix mbedtls fingerprint calculation - mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522) - mbedtls: require C-string compatible types for --x509-username-field - Fix remote-triggerable memory leaks (CVE-2017-7521) - Restrict --x509-alt-username extension types - Fix potential double-free in --x509-alt-username (CVE-2017-7521) - -Steven McDonald (1): - Fix gateway detection with OpenBSD routing domains - - -2017.05.11 -- Version 2.4.2 -David Sommerseth (5): - auth-token: Ensure tokens are always wiped on de-auth - docs: Fixed man-page warnings discoverd by rpmlint - Make --cipher/--auth none more explicit on the risks - plugin: Fix documentation typo for type_mask - plugin: Export secure_memzero() to plug-ins - -Hristo Venev (1): - Fix extract_x509_field_ssl for external objects, v2 - -Selva Nair (1): - In auth-pam plugin clear the password after use - -Steffan Karger (10): - cleanup: merge packet_id_alloc_outgoing() into packet_id_write() - Don't run packet_id unit tests for --disable-crypto builds - Fix Changes.rst layout - Fix memory leak in x509_verify_cert_ku() - mbedtls: correctly check return value in pkcs11_certificate_dn() - Restore pre-NCP frame parameters for new sessions - Always clear username/password from memory on error - Document tls-crypt security considerations in man page - Don't assert out on receiving too-large control packets (CVE-2017-7478) - Drop packets instead of assert out if packet id rolls over (CVE-2017-7479) - -ValdikSS (1): - Set a low interface metric for tap adapter when block-outside-dns is in use - -2017.03.21 -- Version 2.4.1 -Antonio Quartulli 
(4): - attempt to add IPv6 route even when no IPv6 address was configured - fix redirect-gateway behaviour when an IPv4 default route does not exist - CRL: use time_t instead of struct timespec to store last mtime - ignore remote-random-hostname if a numeric host is provided - -Christian Hesse (7): - man: fix formatting for alternative option - systemd: Use automake tools to install unit files - systemd: Do not race on RuntimeDirectory - systemd: Add more security feature for systemd units - Clean up plugin path handling - plugin: Remove GNUism in openvpn-plugin.h generation - fix typo in notification message - -David Sommerseth (6): - management: >REMOTE operation would overwrite ce change indicator - management: Remove a redundant #ifdef block - git: Merge .gitignore files into a single file - systemd: Move the READY=1 signalling to an earlier point - plugin: Improve the handling of default plug-in directory - cleanup: Remove faulty env processing functions - -Emmanuel Deloget (8): - OpenSSL: check for the SSL reason, not the full error - OpenSSL: don't use direct access to the internal of X509_STORE_CTX - OpenSSL: don't use direct access to the internal of SSL_CTX - OpenSSL: don't use direct access to the internal of X509_STORE - OpenSSL: don't use direct access to the internal of X509_OBJECT - OpenSSL: don't use direct access to the internal of RSA_METHOD - OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1 - OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit() - -Eric Thorpe (1): - Fix Building Using MSVC - -Gert Doering (4): - Add openssl_compat.h to openvpn_SOURCES - Fix '--dev null' - Fix installation of IPv6 host route to VPN server when using iservice. - Make ENABLE_OCC no longer depend on !ENABLE_SMALL - -Gisle Vanem (1): - Crash in options.c - -Ilya Shipitsin (2): - Resolve several travis-ci issues - travis-ci: remove unused files - -Olivier Wahrenberger (1): - Fix building with LibreSSL 2.5.1 by cleaning a hack. 
- -Selva Nair (4): - Fix push options digest update - Always release dhcp address in close_tun() on Windows. - Add a check for -Wl, --wrap support in linker - Fix user's group membership check in interactive service to work with domains - -Simon Matter (1): - Fix segfault when using crypto lib without AES-256-CTR or SHA256 - -Steffan Karger (8): - More broadly enforce Allman style and braces-around-conditionals - Use SHA256 for the internal digest, instead of MD5 - OpenSSL: 1.1 fallout - fix configure on old autoconf - Fix types in WIN32 socket_listen_accept() - Remove duplicate X509 env variables - Fix non-C99-compliant builds: don't use const size_t as array length - Deprecate --ns-cert-type - Be less picky about keyUsage extensions - - 2016.12.26 -- Version 2.4.0 David Sommerseth (5): dev-tools: Added script for updating copyright years in files -- cgit v1.2.3
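Review bot: the commit message does not explain why the hunk at @@ -1,170 +1,6 @@ removes the 2.4.1, 2.4.2 and 2.4.3 entries from ChangeLog, and those entries include the lines recording CVE-2017-7478, CVE-2017-7479, CVE-2017-7521 and CVE-2017-7522. The subject "initial stretch branch release 2.4.0-6" only implies that the file is being brought back to its 2.4.0 state. Please say so in the message body, and state whether the fixes named in the removed entries are carried on this branch in some other form and where that is recorded. As it stands, someone auditing the branch cannot tell from this change whether the ChangeLog now matches the code or merely omits fixes that are present.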