@@ -1,6 +1,117 @@

 OpenVPN Change Log

 Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

+2010.08.09 -- Version 2.1.2

+

+* Windows security issue:

+  Fixed potential local privilege escalation vulnerability in

+  Windows service. The Windows service did not properly quote the

+  executable filename passed to CreateService.  A local attacker

+  with write access to the root directory C:\ could create an

+  executable that would be run with the same privilege level as

+  the OpenVPN Windows service.  However, since non-Administrative

+  users normally lack write permission on C:\, this vulnerability

+  is generally not exploitable except on older versions of Windows

+  (such as Win2K) where the default permissions on C:\ would allow

+  any user to create files there.

+  Credit:  Scott Laurie, MWR InfoSecurity

+

+* Added Python-based based alternative build system for Windows using

+  Visual Studio 2008 (in win directory).

+

+* When aborting in a non-graceful way, try to execute do_close_tun in

+  init.c prior to daemon exit to ensure that the tun/tap interface is

+  closed and any added routes are deleted.

+

+* Fixed an issue where AUTH_FAILED was not being properly delivered

+  to the client when a bad password is given for mid-session reauth,

+  causing the connection to fail without an error indication.

+

+* Don't advance to the next connection profile on AUTH_FAILED errors.

+

+* Fixed an issue in the Management Interface that could cause

+  a process hang with 100% CPU utilization in --management-client

+  mode if the management interface client disconnected at the

+  point where credentials are queried.

+

+* Fixed an issue where if reneg-sec was set to 0 on the client,

+  so that the server-side value would take precedence,

+  the auth_deferred_expire_window function would incorrectly

+  return a window period of 0 seconds.  In this case, the

+  correct window period should be the handshake window

+  period.

+

+* Modified ">PASSWORD:Verification Failed" management interface

+  notification to include a client reason string:

+

+    >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']

+

+* Enable exponential backoff in reliability layer

+  retransmits.

+

+* Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after

+  socket is created rather than waiting until after connect/listen.

+

+* Management interface performance optimizations:

+

+  1. Added env-filter MI command to perform filtering on env vars

+     passed through as a part of --management-client-auth

+

+  2. man_write will now try to aggregate output into larger blocks

+     (up to 1024 bytes) for more efficient i/o

+

+* Fixed minor issue in Windows TAP driver DEBUG builds

+  where non-null-terminated unicode strings were being

+  printed incorrectly.

+

+* Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support

+  was not being compiled in.

+

+* Proxy improvements:

+

+  Improved the ability of http-auth "auto" flag to dynamically detect

+  the auth method required by the proxy.

+

+  Added http-auth "auto-nct" flag to reject weak proxy auth methods.

+

+  Added HTTP proxy digest authentication method.

+

+  Removed extraneous openvpn_sleep calls from proxy.c.

+

+* Implemented http-proxy-override and http-proxy-fallback directives to make it

+  easier for OpenVPN client UIs to start a pre-existing client config file with

+  proxy options, or to adaptively fall back to a proxy connection if a direct

+  connection fails.

+

+* Implemented a key/value auth channel from client to server.

+

+* Fixed issue where bad creds provided by the management interface

+  for HTTP Proxy Basic Authentication would go into an infinite

+  retry-fail loop instead of requerying the management interface for

+  new creds.

+

+* Added support for MSVC debugging of openvpn.exe in settings.in:

+

+  # Build debugging version of openvpn.exe

+  !define PRODUCT_OPENVPN_DEBUG

+

+* Implemented multi-address DNS expansion on the network field of route

+  commands.

+

+  When only a single IP address is desired from a multi-address DNS

+  expansion, use the first address rather than a random selection.

+

+* Added --register-dns option for Windows.

+

+  Fixed some issues on Windows with --log, subprocess creation

+  for command execution, and stdout/stderr redirection.

+

+* Fixed an issue where application payload transmissions on the

+  TLS control channel (such as AUTH_FAILED) that occur during

+  or immediately after a TLS renegotiation might be dropped. 

+

+* Added warning about tls-remote option in man page.

+

 2009.12.11 -- Version 2.1.1

 * Fixed some breakage in openvpn.spec (which is required to build an

@@ -22,7 +22,7 @@

 ;!define OPENVPN_XGUI_DIR "../ovpnxml"

 # Prebuilt libraries.  DMALLOC is optional.

-!define OPENSSL_DIR	  "../openssl-0.9.8l"

+!define OPENSSL_DIR	  "../openssl.mingw/openssl-0.9.8o"

 !define LZO_DIR		  "../lzo-2.02"

 !define PKCS11_HELPER_DIR "../pkcs11-helper"

 ;!define DMALLOC_DIR	  "../dmalloc-5.4.2"

@@ -370,11 +370,13 @@ int CmdInstallService()

    int ret = 0;

-   if ( GetModuleFileName( NULL, szPath, 512 ) == 0 )

+   if ( GetModuleFileName( NULL, szPath+1, 510 ) == 0 )

    {

       _tprintf(TEXT("Unable to install %s - %s\n"), TEXT(SZSERVICEDISPLAYNAME), GetLastErrorText(szErr, 256));

       return 1;

    }

+   szPath[0] = '\"';

+   strcat(szPath, "\"");

    schSCManager = OpenSCManager(

                                NULL,                   // machine (NULL == local)

@@ -1,5 +1,5 @@

 dnl define the OpenVPN version

-define(PRODUCT_VERSION,[2.1.1o])

+define(PRODUCT_VERSION,[2.1.2])

 dnl define the TAP version

 define(PRODUCT_TAP_ID,[tap0901])

 define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])