preparing release 2.6.11

version.m4, ChangeLog, Changes.rst Signed-off-by: Gert Doering <[email protected]>
OpenVPN · Jun 20, 2024 · ddf6bf6 · ddf6bf6
1 parent 51301eb
commit ddf6bf6
Show file tree

Hide file tree

Showing 3 changed files with 106 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,41 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2024 OpenVPN Inc <[email protected]>
 
+2024.06.20 -- Version 2.6.11
+
+5andr0 (1):
+      Implement server_poll_timeout for socks
+
+Arne Schwabe (6):
+      Use snprintf instead of sprintf for get_ssl_library_version
+      Add bracket in fingerprint message and do not warn about missing verification
+      Replace macos11 with macos14 in github runners
+      Only run coverity scan in OpenVPN/OpenVPN repository
+      Workaround issue in LibreSSL crashing when enumerating digests/ciphers
+      Properly handle null bytes and invalid characters in control messages
+
+Franco Fichtner (1):
+      Allow to set ifmode for existing DCO interfaces in FreeBSD
+
+Frank Lichtenheld (6):
+      samples: Update sample configurations
+      documentation: make section levels consistent
+      phase2_tcp_server: fix Coverity issue 'Dereference after null check'
+      script-options.rst: Update ifconfig_* variables
+      LZO: do not use lzoutils.h macros
+      Remove "experimental" denotation for --fast-io
+
+Heiko Wundram (1):
+      Implement Windows CA template match for Crypto-API selector
+
+Lev Stipakov (2):
+      misc.c: remove unused code
+      interactive.c: Improve access control for gui<->service pipe
+
+Reynir Björnsson (1):
+      Only schedule_exit() once
+
+
 2024.03.20 -- Version 2.6.10
 
 Christoph Schug (1):

diff --git a/Changes.rst b/Changes.rst
@@ -1,3 +1,72 @@
+Overview of changes in 2.6.11
+=============================
+Security fixes
+--------------
+- CVE-2024-4877: Windows: harden interactive service pipe.
+  Security scope: a malicious process with "some" elevated privileges
+  (SeImpersonatePrivilege) could open the pipe a second time, tricking
+  openvn GUI into providing user credentials (tokens), getting full
+  access to the account openvpn-gui.exe runs as.
+  (Zeze with TeamT5)
+
+- CVE-2024-5594: control channel: refuse control channel messages with
+  nonprintable characters in them.  Security scope: a malicious openvpn
+  peer can send garbage to openvpn log, or cause high CPU load.
+  (Reynir Björnsson)
+
+- CVE-2024-28882: only call schedule_exit() once (on a given peer).
+  Security scope: an authenticated client can make the server "keep the
+  session" even when the server has been told to disconnect this client
+  (Reynir Björnsson)
+
+New features
+------------
+- Windows Crypto-API: Implement Windows CA template match for searching
+  certificates in windows crypto store.
+
+- support pre-created DCO interface on FreeBSD (OpenVPN would fail to
+  set ifmode p2p/subnet otherwise)
+
+Bugfixes
+--------
+- fix connect timeout when using SOCKS proxies (trac #328, github #267)
+
+- work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers
+  (LibreSSL bug, already fixed upstream, but not backported to OpenBSD 7.5,
+  see also https://github.com/libressl/openbsd/issues/150)
+
+- Add bracket in fingerprint message and do not warn about missing
+  verification (github #516)
+
+Documentation
+-------------
+- remove "experimental" denotation for --fast-io
+
+- correctly document ifconfig_* variables passed to scripts (script-options.rst)
+
+- documentation: make section levels consistent
+
+- samples: Update sample configurations
+   remove compression & old cipher settings, add more informative comments
+
+Code maintenance
+----------------
+- remove usage of <lzoutils.h> header & macro, discouraged by upstream
+
+- only run coverity scans in OpenVPN/OpenVPN repository (= do not spam
+  owners of cloned repos with "cannot run this" messages)
+
+- replace macOS 11 github runners with macOS 14
+
+- remove some unused code in misc.c (leftover from commit 3a4fb1)
+
+- phase2_tcp_server: fix Coverity issue 'Dereference after null check'
+  - the code itself was correct, just doing needless checks
+
+- Use snprintf instead of sprintf for get_ssl_library_version
+  - the code itself was correct, but macOS clang dislikes sprintf()
+
+
 Overview of changes in 2.6.10
 =============================
 Security fixes

diff --git a/version.m4 b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [6])
-define([PRODUCT_VERSION_PATCH], [.10])
+define([PRODUCT_VERSION_PATCH], [.11])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [[email protected]])
-define([PRODUCT_VERSION_RESOURCE], [2,6,9,0])
+define([PRODUCT_VERSION_RESOURCE], [2,6,11,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])