From 53c9033317b3b8fdcb55f81107e47037a88352f3 Mon Sep 17 00:00:00 2001
From: Gert Doering
Date: Wed, 8 Nov 2023 14:20:06 +0100
Subject: [PATCH] preparing release 2.6.7

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering
---
 ChangeLog | 40 +++++++++++++++++++++++++++++
 Changes.rst | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 version.m4 | 4 +--
 3 files changed, 116 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 298e4fffa28..6234248c8ec 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,46 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2023 OpenVPN Inc
 
+2023.11.08 -- Version 2.6.7
+
+Antonio Quartulli (1):
+ dco: fix crash when --multihome is used with --proto tcp
+
+Arne Schwabe (8):
+ Mock openvpn_exece on win32 also for test_tls_crypt
+ Add warning for the --show-groups command that some groups are missing
+ Print peer temporary key details
+ Add warning if a p2p NCP client connects to a p2mp server
+ Remove openssl engine method for loading the key
+ Remove saving initial frame code
+ Double check that we do not use a freed buffer when freeing a session
+ Fix using to_link buffer after freed
+
+Frank Lichtenheld (7):
+ GHA: do not trigger builds in openvpn-build anymore
+ GHA: new workflow to submit scan to Coverity Scan service
+ buffer: use memcpy in buf_catrunc
+ vcpkg-ports/pkcs11-helper: Backport MinGW series from master to release/2.6
+ CMake: backport CMake buildsystem from master to release/2.6
+ Remove all traces of the previous MSVC build system
+ doc: fix argument name in --route-delay documentation
+
+Heiko Hund (1):
+ dns option: remove support for exclude-domains
+
+Lev Stipakov (3):
+ Warn user if INFO control command is too long
+ dco-win: get driver version
+ dco: warn if DATA_V1 packets are sent to userspace
+
+Selva Nair (2):
+ Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant
+ Log OpenSSL errors on failure to set certificate
+
+orbea (1):
+ configure: disable engines if OPENSSL_NO_ENGINE is defined
+
+
 2023.08.14 -- Version 2.6.6
 
 Antonio Quartulli (1):
diff --git a/Changes.rst b/Changes.rst
index 924b9c9efe6..3d4e0bde401 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -1,3 +1,77 @@
+Overview of changes in 2.6.7
+============================
+
+Bug fixes / Code cleanup
+------------------------
+- CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use
+ a send buffer after it has been free()d in some circumstances, causing
+ some free()d memory to be sent to the peer. All configurations using TLS
+ (e.g. not using --secret) are affected by this issue.
+ (found while tracking down CVE-2023-46849 / Github #400, #417)
+
+- CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
+ restore "--fragment" configuration in some circumstances, leading to
+ a division by zero when "--fragment" is used. On platforms where
+ division by zero is fatal, this will cause an OpenVPN crash.
+
+ Reported by Niccolo Belli and WIPocket
+ (Github #400, #417).
+
+- cleanup bits and pieces of documentation
+
+- cleanup code to remove strlen() related warnings in buf_catrunc()
+
+- DCO on Linux: fix NULL-pointer crash if "--multihome" is used together
+ with "--proto tcp"
+
+- work around build fails caused by LibreSSL not longer having engine support
+
+
+User visible changes
+--------------------
+- DCO: warn if DATA_V1 packets are sent by the other side - this a hard
+ incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 server,
+ and the only fix is to use "--disable-dco".
+
+- Remove OpenSSL Engine method for loading a key. This had to be removed
+ because the original author did not agree to relicensing the code with
+ the new linking exception added. This was a somewhat obsolete feature
+ anyway as it only worked with OpenSSL 1.x, which is end-of-support.
+
+- add warning if p2p NCP client connects to a p2mp server - this is a
+ combination that used to work without cipher negotiation (pre 2.6 on
+ both ends), but would fail in non-obvious ways with 2.6 to 2.6.
+
+- add warning to "--show-groups" that not all supported groups are listed
+ (this is due the internal enumeration in OpenSSL being a bit weird,
+ omitting X448 and X25519 curves).
+
+- "--dns": remove support for "exclude-domains" argument
+ (this was a new 2.6 option, with no backend support implemented yet
+ on any platform, and it turns out that no platform supported it at all -
+ so remove option again)
+
+- warn user if INFO control message too long, do not forward to management
+ client (safeguard against protocol-violating server implementations)
+
+
+New features
+------------
+- DCO-WIN: get and log driver version (for easier debugging).
+
+- print "peer temporary key details" in TLS handshake
+
+- log OpenSSL errors on failure to set certificate, for example if the
+ algorithms used are in acceptable to OpenSSL (misleading message would
+ be printed in cryptoapi / pkcs#11 scenarios)
+
+- add CMake build system for MinGW and MSVC builds
+
+- remove old MSVC build system
+
+- improve cmocka unit test building for Windows
+
+
 Overview of changes in 2.6.6
 ============================
 
diff --git a/version.m4 b/version.m4
index ce9a15f6763..5ab43dbb1fc 100644
--- a/version.m4
+++ b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [6])
-define([PRODUCT_VERSION_PATCH], [.6])
+define([PRODUCT_VERSION_PATCH], [.7])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,6,6,0])
+define([PRODUCT_VERSION_RESOURCE], [2,6,7,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])