Browse code
Version 2.1_rc10
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3323 e7ae566f-a301-0410-adde-c780ea21d3b5
james authored on 2008/09/10 16:16:14Showing 2 changed files
| ... | ... |
@@ -3,6 +3,99 @@ Copyright (C) 2002-2008 Telethra, Inc. <sales@openvpn.net> |
| 3 | 3 |
|
| 4 | 4 |
$Id$ |
| 5 | 5 |
|
| 6 |
+2008.09.10 -- Version 2.1_rc10 |
|
| 7 |
+ |
|
| 8 |
+* Added "--server-bridge" (without parameters) to enable |
|
| 9 |
+ DHCP proxy mode: Configure server mode for ethernet |
|
| 10 |
+ bridging using a DHCP-proxy, where clients talk to the |
|
| 11 |
+ OpenVPN server-side DHCP server to receive their IP address |
|
| 12 |
+ allocation and DNS server addresses. |
|
| 13 |
+ |
|
| 14 |
+* Added "--route-gateway dhcp", to enable the extraction |
|
| 15 |
+ of the gateway address from a DHCP negotiation with the |
|
| 16 |
+ OpenVPN server-side LAN. |
|
| 17 |
+ |
|
| 18 |
+* Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns |
|
| 19 |
+ on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255, |
|
| 20 |
+ ignore it. |
|
| 21 |
+ |
|
| 22 |
+* Warn when ethernet bridging that the IP address of the bridge adapter |
|
| 23 |
+ is probably not the same address that the LAN adapter was set to |
|
| 24 |
+ previously. |
|
| 25 |
+ |
|
| 26 |
+* When running as a server, warn if the LAN network address is |
|
| 27 |
+ the all-popular 192.168.[0|1].x, since this condition commonly |
|
| 28 |
+ leads to subnet conflicts down the road. |
|
| 29 |
+ |
|
| 30 |
+* Primarily on the client, check for subnet conflicts between |
|
| 31 |
+ the local LAN and the VPN subnet. |
|
| 32 |
+ |
|
| 33 |
+* Added a 'netmask' parameter to get_default_gateway, to return |
|
| 34 |
+ the netmask of the adapter containing the default gateway. |
|
| 35 |
+ Only implemented on Windows so far. Other platforms will |
|
| 36 |
+ return 255.255.255.0. Currently the netmask information is |
|
| 37 |
+ only used to warn about subnet conflicts. |
|
| 38 |
+ |
|
| 39 |
+* Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO |
|
| 40 |
+ and USE_SSL flags are enabled (Alon Bar-Lev). |
|
| 41 |
+ |
|
| 42 |
+* Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new |
|
| 43 |
+ --script-security rules. Also adds retrying if the addresses are in |
|
| 44 |
+ use (Matthias Andree). |
|
| 45 |
+ |
|
| 46 |
+* Fixed build issue with ./configure --disable-socks --disable-http. |
|
| 47 |
+ |
|
| 48 |
+* Fixed separate compile errors in options.c and ntlm.c that occur |
|
| 49 |
+ on strict C compilers (such as old versions of gcc) that require |
|
| 50 |
+ that C variable declarations occur at the start of a {} block,
|
|
| 51 |
+ not in the middle. |
|
| 52 |
+ |
|
| 53 |
+* Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which |
|
| 54 |
+ the new implementation of extract_x509_field_ssl depends on. |
|
| 55 |
+ |
|
| 56 |
+* LZO compression buffer overflow errors will now invalidate |
|
| 57 |
+ the packet rather than trigger a fatal assertion. |
|
| 58 |
+ |
|
| 59 |
+* Fixed minor compile issue in ntlm.c (mid-block declaration). |
|
| 60 |
+ |
|
| 61 |
+* Added --allow-pull-fqdn option which allows client to pull DNS names |
|
| 62 |
+ from server (rather than only IP address) for --ifconfig, --route, and |
|
| 63 |
+ --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names |
|
| 64 |
+ for these options to be pulled and translated to IP addresses by default. |
|
| 65 |
+ Now --allow-pull-fqdn will be explicitly required on the client to enable |
|
| 66 |
+ DNS-name-to-IP-address translation of pulled options. |
|
| 67 |
+ |
|
| 68 |
+* 2.1_rc8 and earlier did implicit shell expansion on script |
|
| 69 |
+ arguments since all scripts were called by system(). |
|
| 70 |
+ The security hardening changes made to 2.1_rc9 no longer |
|
| 71 |
+ use system(), but rather use the safer execve or CreateProcess |
|
| 72 |
+ system calls. The security hardening also introduced a |
|
| 73 |
+ backward incompatibility with 2.1_rc8 and earlier in that |
|
| 74 |
+ script parameters were no longer shell-expanded, so |
|
| 75 |
+ for example: |
|
| 76 |
+ |
|
| 77 |
+ client-connect "docc CLIENT-CONNECT" |
|
| 78 |
+ |
|
| 79 |
+ would fail to work because execve would try to execute |
|
| 80 |
+ a script called "docc CLIENT-CONNECT" instead of "docc" |
|
| 81 |
+ with "CLIENT-CONNECT" as the first argument. |
|
| 82 |
+ |
|
| 83 |
+ This patch fixes the issue, bringing the script argument |
|
| 84 |
+ semantics back to pre 2.1_rc9 behavior in order to preserve |
|
| 85 |
+ backward compatibility while still using execve or CreateProcess |
|
| 86 |
+ to execute the script/executable. |
|
| 87 |
+ |
|
| 88 |
+* Modified ip_or_dns_addr_safe, which validates pulled DNS names, |
|
| 89 |
+ to more closely conform to RFC 3696: |
|
| 90 |
+ |
|
| 91 |
+ (1) DNS name length must not exceed 255 characters |
|
| 92 |
+ |
|
| 93 |
+ (2) DNS name characters must be limited to alphanumeric, |
|
| 94 |
+ dash ('-'), and dot ('.')
|
|
| 95 |
+ |
|
| 96 |
+* Fixed bug in intra-session TLS key rollover that was introduced with |
|
| 97 |
+ deferred authentication features in 2.1_rc8. |
|
| 98 |
+ |
|
| 6 | 99 |
2008.07.31 -- Version 2.1_rc9 |
| 7 | 100 |
|
| 8 | 101 |
* Security Fix -- affects non-Windows OpenVPN clients running |