version.m4, ChangeLog, Changes.rst
Changes.rst has not received a "2.7_beta2" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta releases
it's better to look at git log to see what has been added/fixed.

Notable changes beta1 -> beta2 are:

- even more signed/unsigned related warnings have been fixed
- #pragmas have been added to all to-be-fixed source files, so we can
  now always enable -Wconversion to see if new code brings new warnings
  (and the CI infra builds with -Werror)
- add proper input sanitation to DNS strings to prevent an attack
  coming from a trusted-but-malicious OpenVPN server (CVE: 2025-10680,
  affects unixoid systems with --dns-updown scripts and Windows using
  the built-in powershell call)
- greatly improved event log handling for the Windows interactive service
  - this brings build system changes and a new openvpnservmsg.dll
- bugfixes when using multi-socket on Windows
  (properly recognize that TCP server mode does not work with DCO,
  properly handle TCP multi-socket server setups without DCO)
- bring back configuring of IPv4 broadcast addresses on Linux
  (also backported to 2.6.15)
- Rename Fox Crypto to Sentyron in copyright notices
- Switch test_ssl certificate from RSA 2048 to secp384r1
  (so "make check" runs with OpenSSL set to @SECLEVEL=3)
- repair "--dhcp-option DNS" setting in combination with DHCP (TAP)
  or --up scripts (GH issue #839, #840)
- clean up MI prefix handling
- replace all assert() calls with OpenVPN ASSERT()
| ... | ... |
@@ -1,6 +1,66 @@ |
| 1 | 1 |
OpenVPN ChangeLog |
| 2 | 2 |
Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net> |
| 3 | 3 |
|
| 4 |
+2025.09.25 -- Version 2.7_beta2 |
|
| 5 |
+ |
|
| 6 |
+Antonio Quartulli (1): |
|
| 7 |
+ dco: add standard mi prefix handling to multi_process_incoming_dco() |
|
| 8 |
+ |
|
| 9 |
+Arne Schwabe (1): |
|
| 10 |
+ Switch test_ssl certificate from RSA 2048 to secp384r1 |
|
| 11 |
+ |
|
| 12 |
+Frank Lichtenheld (22): |
|
| 13 |
+ openvpn_PRF: Change API to use size_t for lengths |
|
| 14 |
+ ssl_common: Make sure ssl flags are treated as unsigned |
|
| 15 |
+ options: Factor out usages of strtoll and atoll |
|
| 16 |
+ ps: Clean up conversion warnings in journal_add function |
|
| 17 |
+ events: Make sure rwflags are treated as unsigned |
|
| 18 |
+ manage: Change command_line_* API to use size_t for lengths |
|
| 19 |
+ Introduce msglvl_t to unify msglevel type handling |
|
| 20 |
+ socket: Change resolve flags to unsigned int |
|
| 21 |
+ list: Make types of hash elements consistent |
|
| 22 |
+ ssl: Fix -Wconversion warnings in pem_password_callback |
|
| 23 |
+ ssl_verify: Change backend_x509_* functions to size_t for lengths |
|
| 24 |
+ Handle return type of EVP_MD_size |
|
| 25 |
+ Clean up conversion warnings related to base64_{en, de}code
|
|
| 26 |
+ configure.ac: Make ACL_CHECK_ADD_COMPILE_FLAGS append instead of prepend |
|
| 27 |
+ Enable a subset of -Wextra |
|
| 28 |
+ socks: factor out socks_proxy_recv_char() |
|
| 29 |
+ multi_io_init: simplify |
|
| 30 |
+ dns: Fix bug in error handling when talking to script |
|
| 31 |
+ Enable -Wconversion -Wno-sign-conversion by default |
|
| 32 |
+ Make unit tests -Wconversion clean |
|
| 33 |
+ ps: Fix conversion warnings related to send/recv return values |
|
| 34 |
+ event: Silence conversion warning in tv_to_ms_timeout |
|
| 35 |
+ |
|
| 36 |
+Gert Doering (5): |
|
| 37 |
+ replace assert() calls with ASSERT() |
|
| 38 |
+ remove newline characters at the end of msg() calls |
|
| 39 |
+ dev-tools/gerrit-send-mail.py: include Gerrit URL into the commit message |
|
| 40 |
+ fix building of openvpnsrvmsg.dll from eventmsg.mc in mingw builds |
|
| 41 |
+ Fix t_net.sh / networking_testdriver after 'broadcast' change |
|
| 42 |
+ |
|
| 43 |
+Gianmarco De Gregori (2): |
|
| 44 |
+ Multi-socket win: avoid repeated socket_set() |
|
| 45 |
+ Fix multi-socket and dco-win interaction |
|
| 46 |
+ |
|
| 47 |
+Lev Stipakov (5): |
|
| 48 |
+ Preserve --dhcp-option values from local config |
|
| 49 |
+ win: replace wmic invocation with powershell |
|
| 50 |
+ openvpnserv: Fix writing messages to the event log |
|
| 51 |
+ GHA: collect more artifacts for mingw builds |
|
| 52 |
+ Validate DNS parameters |
|
| 53 |
+ |
|
| 54 |
+Marco Baffo (1): |
|
| 55 |
+ push-update-server: comment about buf_string_compare_advance() usage in send_single_push_update() |
|
| 56 |
+ |
|
| 57 |
+Max Fillinger (1): |
|
| 58 |
+ Rename Fox Crypto to Sentyron in copyright notices |
|
| 59 |
+ |
|
| 60 |
+Sebastian Marsching (1): |
|
| 61 |
+ Bugfix: Set broadcast address on interface. |
|
| 62 |
+ |
|
| 63 |
+ |
|
| 4 | 64 |
2025.09.04 -- Version 2.7_beta1 |
| 5 | 65 |
|
| 6 | 66 |
Arne Schwabe (1): |
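Review bot: The "Validate DNS parameters" line under Lev Stipakov is the only trace of the DNS string fix in this ChangeLog section, and it carries no CVE reference, while the commit message names CVE: 2025-10680 for it. Packagers commonly search the ChangeLog for CVE ids when deciding what to pick up, so consider appending the id to that line or adding a short security note at the top of the 2.7_beta2 section. Separately, this hunk spells the new DLL "openvpnsrvmsg.dll" while the commit message says "openvpnservmsg.dll"; one of the two should be aligned with the file name the build actually produces.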
| ... | ... |
@@ -45,6 +45,9 @@ Windows network adapters are now generated on demand |
| 45 | 45 |
Windows automatic service now runs as an unpriviledged user |
| 46 | 46 |
All tasks that need privileges are now delegated to the interactive |
| 47 | 47 |
service. |
| 48 |
+ **NOTE** this has the risk of breaking existing setups if the |
|
| 49 |
+ Windows certificate store is used (cryptoapi), and the certificates |
|
| 50 |
+ are not readable for ``NT SERVICE\OpenVPNService``. |
|
| 48 | 51 |
|
| 49 | 52 |
Support for new version of Linux DCO module |
| 50 | 53 |
OpenVPN DCO module is moving upstream and being merged into the |
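Review bot: The new NOTE in the "Windows automatic service" entry names the failure condition (certificates in the Windows certificate store not readable for ``NT SERVICE\OpenVPNService``) but does not tell the administrator what to do about it. Add a sentence stating what access has to be granted to that service account, and how the failure shows up, so an upgrade that breaks a cryptoapi setup can be diagnosed from this text alone. While touching this entry, "unpriviledged" in the heading line above could be corrected to "unprivileged".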
| ... | ... |
@@ -148,6 +151,8 @@ Two new environment variables have been introduced to communicate desired |
| 148 | 148 |
``route_redirect_gateway_ipv4`` and ``route_redirect_gateway_ipv6``. |
| 149 | 149 |
See the "Environmental Variables" section in the man page |
| 150 | 150 |
|
| 151 |
+Improved logging of service events/errors to event log on Windows. |
|
| 152 |
+ |
|
| 151 | 153 |
|
| 152 | 154 |
Deprecated features |
| 153 | 155 |
------------------- |
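Review bot: The added line "Improved logging of service events/errors to event log on Windows." leaves out what the commit message says comes with it: build system changes and a new message DLL. Anyone packaging the Windows build needs to know that an extra file has to be built and shipped, so name the DLL in this entry and say that installers must include it.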
| ... | ... |
@@ -265,6 +270,14 @@ User-visible Changes |
| 265 | 265 |
to ``clang-format``. This reformatted quite a bit of code, and requires |
| 266 | 266 |
that regular committers change their pre-commit checks accordingly. |
| 267 | 267 |
|
| 268 |
+- on Linux, on interfaces where applicable, OpenVPN explicitly configures |
|
| 269 |
+ the broadcast address again. This was dropped for 2.6.0 "because |
|
| 270 |
+ computers are smart and can do it themselves", but the kernel netlink |
|
| 271 |
+ interface isn't, and will install "0.0.0.0". This does not normally |
|
| 272 |
+ matter, but for broadcast-based applications that get the address to |
|
| 273 |
+ use from "ifconfig", this change repairs functionality (this has |
|
| 274 |
+ been backported to 2.6.15, but is not in earlier 2.6 versions). |
|
| 275 |
+ |
|
| 268 | 276 |
|
| 269 | 277 |
Overview of changes in 2.6 |
| 270 | 278 |
========================== |
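Review bot: "on interfaces where applicable" in the new broadcast-address bullet leaves readers guessing whether their setup is affected. Say which interface types or topologies get an explicit broadcast address, and consider replacing the quoted aside ("because computers are smart and can do it themselves") with the plain reason, since this is user-facing release documentation. The version information at the end (backported to 2.6.15, not in earlier 2.6 versions) is useful and should stay.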
| ... | ... |
@@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN]) |
| 3 | 3 |
define([PRODUCT_TARNAME], [openvpn]) |
| 4 | 4 |
define([PRODUCT_VERSION_MAJOR], [2]) |
| 5 | 5 |
define([PRODUCT_VERSION_MINOR], [7]) |
| 6 |
-define([PRODUCT_VERSION_PATCH], [_beta1]) |
|
| 6 |
+define([PRODUCT_VERSION_PATCH], [_beta2]) |
|
| 7 | 7 |
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) |
| 8 | 8 |
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) |
| 9 | 9 |
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) |