@@ -1,6 +1,37 @@

 OpenVPN Change Log

 Copyright (C) 2002-2020 OpenVPN Inc <sales@openvpn.net>

+2021.04.20 -- Version 2.5.2

+

+Arne Schwabe (10):

+      Avoid generating unecessary mbed debug messages

+      Restore also ping related options on a reconnect

+      Cleanup print_details and add signature/ED certificate print

+      Always disable TLS renegotiations

+      Also restore/save route-gateway options on SIGUSR1 reconnects

+      Move context_auth from context_2 to tls_multi and name it multi_state

+      Fix condition to generate session keys

+      Move auth_token_state from multi to key_state

+      Ensure auth-token is only sent on a fully authenticated session

+      Ensure key state is authenticated before sending push reply

+

+Gert Doering (2):

+      Fix potential NULL ptr crash if compiled with DMALLOC

+

+Max Fillinger (2):

+      In init_ssl, open the correct CRL path pre-chroot

+      Abort if CRL file can't be stat-ed in ssl_init

+

+Richard Bonhomme (1):

+      Do not print Diffie Hellman parameters file to log file

+

+Simon Rozman (1):

+      openvpnserv: Cache last error before it is overridden

+

+Vladislav Grishenko (1):

+      Fix IPv4 default gateway with multiple route tables

+

+

 2021.02.24 -- Version 2.5.1

 Arne Schwabe (5):

@@ -1,3 +1,48 @@

+Overview of changes in 2.5.2

+============================

+

+Bugfixes

+--------

+- CVE-2020-15078

+  see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements

+

+  This bug allows - under very specific circumstances - to trick a

+  server using delayed authentication (plugin or management) into

+  returning a PUSH_REPLY before the AUTH_FAILED message, which can

+  possibly be used to gather information about a VPN setup.

+

+  In combination with "--auth-gen-token" or an user-specific token auth

+  solution it can be possible to get access to a VPN with an

+  otherwise-invalid account.

+

+- restore pushed "ping" settings correctly on a SIGUSR1 restart

+

+- avoid generating unecessary mbed debug messages - this is actually

+  a workaround for an mbedTLS 2.25 bug when using Curve25519 and Curve448

+  ED curves - mbedTLS crashes on preparing debug infos that we do not

+  actually need unless running with "--verb 8"

+

+- do not print inlined (<dh>...</dh>) Diffie Hellman parameters to log file

+

+- fix Linux/SITNL default route lookup in case of multiple routing tables

+  with more than one default route present (always use "main table" for now)

+

+- Fix CRL file handling in combination with chroot

+

+User-visible Changes

+--------------------

+

+- OpenVPN will now refuse to start if CRL file is not present at startup

+  time.  At "reload time" absense of the CRL file is still OK (and the

+  in memory copy is used) but at startup it is now considered an error.

+

+

+New features

+------------

+- printing of the TLS ciphers negotiated has been extended, especially

+  displaying TLS 1.3 and EC certificates more correctly.

+

+

 Overview of changes in 2.5.1

 ============================

@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])

 define([PRODUCT_TARNAME], [openvpn])

 define([PRODUCT_VERSION_MAJOR], [2])

 define([PRODUCT_VERSION_MINOR], [5])

-define([PRODUCT_VERSION_PATCH], [.1])

+define([PRODUCT_VERSION_PATCH], [.2])

 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])

 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])

 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])

 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])

-define([PRODUCT_VERSION_RESOURCE], [2,5,1,0])

+define([PRODUCT_VERSION_RESOURCE], [2,5,2,0])

 dnl define the TAP version

 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])

 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])