git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3323 e7ae566f-a301-0410-adde-c780ea21d3b5
james authored on 2008/09/10 16:16:14... | ... |
@@ -3,6 +3,99 @@ Copyright (C) 2002-2008 Telethra, Inc. <sales@openvpn.net> |
3 | 3 |
|
4 | 4 |
$Id$ |
5 | 5 |
|
6 |
+2008.09.10 -- Version 2.1_rc10 |
|
7 |
+ |
|
8 |
+* Added "--server-bridge" (without parameters) to enable |
|
9 |
+ DHCP proxy mode: Configure server mode for ethernet |
|
10 |
+ bridging using a DHCP-proxy, where clients talk to the |
|
11 |
+ OpenVPN server-side DHCP server to receive their IP address |
|
12 |
+ allocation and DNS server addresses. |
|
13 |
+ |
|
14 |
+* Added "--route-gateway dhcp", to enable the extraction |
|
15 |
+ of the gateway address from a DHCP negotiation with the |
|
16 |
+ OpenVPN server-side LAN. |
|
17 |
+ |
|
18 |
+* Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns |
|
19 |
+ on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255, |
|
20 |
+ ignore it. |
|
21 |
+ |
|
22 |
+* Warn when ethernet bridging that the IP address of the bridge adapter |
|
23 |
+ is probably not the same address that the LAN adapter was set to |
|
24 |
+ previously. |
|
25 |
+ |
|
26 |
+* When running as a server, warn if the LAN network address is |
|
27 |
+ the all-popular 192.168.[0|1].x, since this condition commonly |
|
28 |
+ leads to subnet conflicts down the road. |
|
29 |
+ |
|
30 |
+* Primarily on the client, check for subnet conflicts between |
|
31 |
+ the local LAN and the VPN subnet. |
|
32 |
+ |
|
33 |
+* Added a 'netmask' parameter to get_default_gateway, to return |
|
34 |
+ the netmask of the adapter containing the default gateway. |
|
35 |
+ Only implemented on Windows so far. Other platforms will |
|
36 |
+ return 255.255.255.0. Currently the netmask information is |
|
37 |
+ only used to warn about subnet conflicts. |
|
38 |
+ |
|
39 |
+* Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO |
|
40 |
+ and USE_SSL flags are enabled (Alon Bar-Lev). |
|
41 |
+ |
|
42 |
+* Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new |
|
43 |
+ --script-security rules. Also adds retrying if the addresses are in |
|
44 |
+ use (Matthias Andree). |
|
45 |
+ |
|
46 |
+* Fixed build issue with ./configure --disable-socks --disable-http. |
|
47 |
+ |
|
48 |
+* Fixed separate compile errors in options.c and ntlm.c that occur |
|
49 |
+ on strict C compilers (such as old versions of gcc) that require |
|
50 |
+ that C variable declarations occur at the start of a {} block, |
|
51 |
+ not in the middle. |
|
52 |
+ |
|
53 |
+* Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which |
|
54 |
+ the new implementation of extract_x509_field_ssl depends on. |
|
55 |
+ |
|
56 |
+* LZO compression buffer overflow errors will now invalidate |
|
57 |
+ the packet rather than trigger a fatal assertion. |
|
58 |
+ |
|
59 |
+* Fixed minor compile issue in ntlm.c (mid-block declaration). |
|
60 |
+ |
|
61 |
+* Added --allow-pull-fqdn option which allows client to pull DNS names |
|
62 |
+ from server (rather than only IP address) for --ifconfig, --route, and |
|
63 |
+ --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names |
|
64 |
+ for these options to be pulled and translated to IP addresses by default. |
|
65 |
+ Now --allow-pull-fqdn will be explicitly required on the client to enable |
|
66 |
+ DNS-name-to-IP-address translation of pulled options. |
|
67 |
+ |
|
68 |
+* 2.1_rc8 and earlier did implicit shell expansion on script |
|
69 |
+ arguments since all scripts were called by system(). |
|
70 |
+ The security hardening changes made to 2.1_rc9 no longer |
|
71 |
+ use system(), but rather use the safer execve or CreateProcess |
|
72 |
+ system calls. The security hardening also introduced a |
|
73 |
+ backward incompatibility with 2.1_rc8 and earlier in that |
|
74 |
+ script parameters were no longer shell-expanded, so |
|
75 |
+ for example: |
|
76 |
+ |
|
77 |
+ client-connect "docc CLIENT-CONNECT" |
|
78 |
+ |
|
79 |
+ would fail to work because execve would try to execute |
|
80 |
+ a script called "docc CLIENT-CONNECT" instead of "docc" |
|
81 |
+ with "CLIENT-CONNECT" as the first argument. |
|
82 |
+ |
|
83 |
+ This patch fixes the issue, bringing the script argument |
|
84 |
+ semantics back to pre 2.1_rc9 behavior in order to preserve |
|
85 |
+ backward compatibility while still using execve or CreateProcess |
|
86 |
+ to execute the script/executable. |
|
87 |
+ |
|
88 |
+* Modified ip_or_dns_addr_safe, which validates pulled DNS names, |
|
89 |
+ to more closely conform to RFC 3696: |
|
90 |
+ |
|
91 |
+ (1) DNS name length must not exceed 255 characters |
|
92 |
+ |
|
93 |
+ (2) DNS name characters must be limited to alphanumeric, |
|
94 |
+ dash ('-'), and dot ('.') |
|
95 |
+ |
|
96 |
+* Fixed bug in intra-session TLS key rollover that was introduced with |
|
97 |
+ deferred authentication features in 2.1_rc8. |
|
98 |
+ |
|
6 | 99 |
2008.07.31 -- Version 2.1_rc9 |
7 | 100 |
|
8 | 101 |
* Security Fix -- affects non-Windows OpenVPN clients running |
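Review bot: In the entry beginning "2.1_rc8 and earlier did implicit shell expansion on script arguments", the closing paragraph says the patch brings "the script argument semantics back to pre 2.1_rc9 behavior" while still using execve or CreateProcess, and that leaves it unclear what is actually restored. The entry describes the rc9 regression as parameters being "no longer shell-expanded", so a reader could take the fix to mean shell expansion is back. Please state explicitly that the configured string is split into a program and its arguments before execve is called, say which quoting rules apply (for example, how to write a script path that contains a space), and say whether shell metacharacters in the string are still passed through literally. Separately, "Fixed minor compile issue in ntlm.c (mid-block declaration)" appears to repeat the earlier entry about mid-block declarations in options.c and ntlm.c; consider merging the two. The --allow-pull-fqdn entry changes a default that clients may rely on, so it would be easier to find if it were marked as a behavior change rather than listed as an added option.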