preparing release 2.6.9

version.m4, ChangeLog, Changes.rst

ChangeLog

@@ -1,6 +1,76 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
 
+2024.02.11 -- Version 2.6.9
+
+Arne Schwabe (15):
+      Remove unused function prototype crypto_adjust_frame_parameters
+      Log SSL alerts more prominently
+      Document tls-exit option mainly as test option
+      Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway
+      Fix check_session_buf_not_used using wrong index
+      Add missing check for nl_socket_alloc failure
+      Add check for nice in cmake config
+      Remove compat versionhelpers.h and remove cmake/configure check for it
+      Extend the error message when TLS 1.0 PRF fails
+      Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
+      Check PRF availability on initialisation and add --force-tls-key-material-export
+      Make it more explicit and visible when pkg-config is not found
+      Clarify that the tls-crypt-v2-verify has a very limited env set
+      Implement the --tls-export-cert feature
+      Remove conditional text for Apache2 linking exception
+
+David Sommerseth (2):
+      Remove --tls-export-cert
+      Remove superfluous x509_write_pem()
+
+Frank Lichtenheld (14):
+      sample-keys: renew for the next 10 years
+      GHA: clean up libressl builds with newer libressl
+      configure.ac: Remove unused AC_TYPE_SIGNAL macro
+      documentation: remove reference to removed option --show-proxy-settings
+      unit_tests: remove includes for mock_msg.h
+      documentation: improve documentation of --x509-track
+      NTLM: add length check to add_security_buffer
+      NTLM: increase size of phase 2 response we can handle
+      proxy-options.rst: Add proper documentation for --http-proxy-user-pass
+      buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0'
+      --http-proxy-user-pass: allow to specify in either order with --http-proxy
+      README.cmake.md: Document minimum required CMake version for --preset
+      documentation: Update and fix documentation for --push-peer-info
+      documentation: Fixes for previous fixes to --push-peer-info
+
+Gert Doering (4):
+      OpenBSD: repair --show-gateway
+      get_default_gateway() HWADDR overhaul
+      fix uncrustify complaints about previous patch
+      preparing release 2.6.9
+
+Kristof Provost (1):
+      dco-freebsd: dynamically re-allocate buffer if it's too small
+
+Lev Stipakov (1):
+      tun.c: don't attempt to delete DNS and WINS servers if they're not set
+
+Marc Becker (1):
+      vcpkg-ports/pkcs11-helper: bump to version 1.30
+
+Max Fillinger (4):
+      Add support for mbedtls 3.X.Y
+      Update README.mbedtls
+      Disable TLS 1.3 support with mbed TLS
+      Enable key export with mbed TLS 3.x.y
+
+Reynir Bjoernsson (1):
+      protocol_dump: tls-crypt support
+
+Steffan Karger (1):
+      Fix IPv6 route add/delete message log level
+
+yatta (1):
+      fix(ssl): init peer_id when init tls_multi
+
+
 2023.11.17 -- Version 2.6.8
 
 Aquila Macedo (1):

Changes.rst

@@ -1,3 +1,118 @@
+Overview of changes in 2.6.9
+============================
+
+Security fixes
+--------------
+- Windows Installer: fix CVE 2023-7235 where installing to a non-default
+  directory could lead to a local privilege escalation.
+  Reported by Will Dormann <will.dormann@analygence.com>.
+
+New features
+------------
+- add support for building with mbedTLS 3.x.x
+
+- new option "--force-tls-key-material-export" to only accept clients
+  that can do TLS keying material export to generate session keys
+  (mostly an internal option to better deal with TLS 1.0 PRF failures).
+
+- Windows: bump vcpkg-ports/pkcs11-helper to 1.30
+
+- Log incoming SSL alerts in easier to understand form and move logging
+  from "--verb 8" to "--verb 3".
+
+- protocol_dump(): add support for printing "--tls-crypt" packets
+
+
+User visible changes
+--------------------
+- license change is now complete, and all code has been re-licensed
+  under the new license (still GPLv2, but with new linking exception
+  for Apache2 licensed code).  See COPYING for details.
+
+  Code that could not be re-licensed has been removed or rewritten.
+
+- the original code for the "--tls-export-cert" feature has been removed
+  (due to the re-licensing effort) and rewritten without looking at the
+  original code.  Feature-compatibility has been tested by other developers,
+  looking at both old and new code and documentation, so there *should*
+  not be a user-visible change here.
+
+- IPv6 route addition/deletion are now logged on the same level (3) as
+  for IPv4.  Previously IPv6 was always logged at "--verb 1".
+
+- better handling of TLS 1.0 PRF failures in the underlying SSL library
+  (e.g. on some FIPS builds) - this is now reported on startup, and
+  clients before 2.6.0 that can not use TLS EKM to generate key material
+  are rejected by the server.  Also, error messages are improved to see
+  what exactly failed.
+
+- packaged sample-keys renewed (old keys due to expire in October 2024)
+
+
+Bug fixes / Code cleanup
+------------------------
+- Windows GUI: always update tray icon on state change (Github: #669)
+  (for persistent connection profiles, "connecting" state would not show)
+
+- FreeBSD: for servers with multiple clients, reporting of peer traffic
+  statistics would fail due to insufficient buffer space (Github: #487)
+
+- make interaction between "--http-proxy-user-pass" and "--http-proxy"
+  more consistent
+
+- doc: improve documentation on "--http-proxy-user-pass"
+
+- doc: improve documentation for IV_ variables and IV_PROTO bits
+
+- doc: improve documentation on CMake requirements
+
+- fix various coverity-reported complains (signed/unsigned comparison etc),
+  none of them actual bugs
+
+- NTLMv2: increase phase 2 buffers so things actually work
+
+- NTLM: add extra buffer size verification checks
+
+- doc: improve documentation on "--tls-crypt-v2-verify"
+
+- autoconf on Linux: improve error reporting for missing libraries - in
+  case the problem came due to missing "pkg-config" the previous error
+  was misleading.  Now clearly report that Linux builds require "pkg-config"
+  and abort if not found.
+
+- MacOS X: fix "undefined behaviour" found by UBSAN in get_default_gateway()
+  (IV_HWADDR), using getifaddrs(3) instead of old and convoluted
+  SIOCGIFCONF API.
+
+- OpenSolaris: correctly implement get_default_gateway() (IV_HWADDR), using
+  SIOCGIFHWADDR instead of SIOCGIFCONF API.
+
+- OpenBSD: work around route socket issue in get_default_gateway()
+  ("--show-gateway") where RA_IFP must not be set on the query message,
+  otherwise kernel will return EINVAL.
+
+- doc: improve documentation of --x509-track
+
+- bugfix: in UDP mode when exceeding "--max-clients", OpenVPN would
+  incorrectly close the connection to "peer-id 0".  Fix by correctly
+  initializing peer_id with MAX_PEER_ID.
+
+- Windows: do not attempt to delete DNS or WINS servers if they are not set
+
+- configure: get rid of AC_TYPE_SIGNAL macro (unused)
+
+- Linux DCO: add missing check for nl_socket_alloc() failure
+
+- bugfix: check_session_buf_not_used() was not working as planned
+
+- remove dead test code for TEST_GET_DEFAULT_GATEWAY (use "--show-gateway")
+
+- doc: better document "--tls-exit" option
+
+- Github Actions: clean up LibreSSL builds
+
+
+
 Overview of changes in 2.6.8
 ============================
 
@@ -526,7 +641,7 @@ Improve DCO-related logging in many places.
 DCO/Linux robustness fixes.
 
 DCO/Linux TCP crashbug (recvfrom(-1) endless loop) worked around - root
-    cause has not been found, but the condition is detected and the 
+    cause has not been found, but the condition is detected and the
     offending client is removed, instead of crashing the server.
 
 Rename internal TLS state TM_UNTRUSTED to TM_INITIAL, always start new

version.m4

@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [6])
-define([PRODUCT_VERSION_PATCH], [.8])
+define([PRODUCT_VERSION_PATCH], [.9])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,6,8,0])
+define([PRODUCT_VERSION_RESOURCE], [2,6,9,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])