diff --git a/ChangeLog b/ChangeLog
index df1e2eea127..a5dfa3704fa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,47 @@
 OpenVPN ChangeLog
-Copyright (C) 2002-2024 OpenVPN Inc
+Copyright (C) 2002-2025 OpenVPN Inc
+
+2025.01.15 -- Version 2.6.13
+
+Arne Schwabe (2):
+ Refuse clients if username or password is longer than USER_PASS_LEN
+ Improve peer fingerprint documentation
+
+Ben Boeckel (1):
+ console_systemd: remove the timeout when using 'systemd-ask-password'
+
+Frank Lichtenheld (5):
+ Fix missing spaces in various messages
+ GHA: Update macOS runners
+ GHA: Simplify macOS builds
+ Various typo fixes
+ forward: Fix potential unaligned access in drop_if_recursive_routing
+
+Gert Doering (2):
+ send uname() release as IV_PLAT_VER= on non-windows versions
+ preparing release 2.6.13
+
+Gianmarco De Gregori (1):
+ Route: remove incorrect routes on exit
+
+Lev Stipakov (1):
+ Use a more robust way to get dco-win version
+
+Ralf Lici (1):
+ Fix check_addr_clash argument order
+
+RĂ©mi Farault (1):
+ Add calls to nvlist_destroy to avoid leaks
+
+Selva Nair (3):
+ proxy.c: Clear sensitive data after use
+ Protect cached username, password and token on client
+ Fix more of uninitialized struct user_pass local vars
+
+corubba (2):
+ Fix IPv6 in port-share journal
+ Fix port-share journal doc
+
 2024.07.17 -- Version 2.6.12
diff --git a/Changes.rst b/Changes.rst
index 3d5ec763635..ab2b047d148 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -1,3 +1,70 @@
+Overview of changes in 2.6.13
+=============================
+New features
+------------
+- on non-windows clients (MacOS, Linux, Unix) send "release" string from
+ uname() call as IV_PLAT_VER= to server - while highly OS specific this
+ is still helpful to keep track of OS versions used on the client side
+ (GH #637)
+
+- Windows: protect cached username, password and token in client memory
+ (using the CryptProtectMemory() windows API
+
+- Windows: use new API to get dco-win driver version from driver
+ (newly introduced non-exclusive control device) (GH: ovpn-dco-win #76)
+
+- Linux: pass --timeout=0 argument to systemd-ask-password, to avoid
+ default timeout of 90 seconds ("console prompting also has no timeout")
+ (GH #649)
+
+
+Bug fixes
+---------
+- fix potentially unaligned access in drop_if_recursive_routing on
+ Linux (ASAN)
+
+- correct documentation for port-share journal
+
+- fix logging of IPv6 addresses in port-share journal
+
+- fix various typos in messages, documentation, comments and examples
+ (GH #442, GH #644)
+
+- FreeBSD DCO: fix memory leaks in nvlist handling (GH #636)
+
+- route handling: correctly handle case of "route installation fails"
+ in the face of an already-existing route - previously, OpenVPN would
+ remove the "other" route on exit, incorrectly changing system state.
+
+- fix generation of warning messages for overlapping --local/--remote
+ and --ifconfig addresses
+
+- purge proxy authentication credentials from memory after use
+ (if --auth-nocache is in use)
+
+- fix missing space in various (long and wrapped) msg() calls
+
+
+Code maintenance
+----------------
+- improve documentation/examples for feature
+
+- simplify Github Action macOS build setup
+
+- update Github Action macOS runners (remove macOS 12, add macOS 15)
+
+- fix a number of uninitialized "struct user_pass" local variables
+ (no impact beyond "compiler warning", but future-proofing the code)
+
+
+Security fixes
+--------------
+- improve server-side handling of clients sending usernames or passwords
+ longer than USER_PASS_LEN - this would not result in a crash, buffer
+ overflow or other security issues, but the server would then misparse
+ incoming IV_* variables and produce misleading error messages.
+
+
 Overview of changes in 2.6.12
 =============================
 Bug fixes
diff --git a/version.m4 b/version.m4
index a15077b6b18..ea3a7e4de1f 100644
--- a/version.m4
+++ b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [6])
-define([PRODUCT_VERSION_PATCH], [.12])
+define([PRODUCT_VERSION_PATCH], [.13])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,6,12,0])
+define([PRODUCT_VERSION_RESOURCE], [2,6,13,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])