Version 2.1.2
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6400 e7ae566f-a301-0410-adde-c780ea21d3b5
... | ... |
@@ -1,6 +1,117 @@ |
1 | 1 |
OpenVPN Change Log |
2 | 2 |
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> |
3 | 3 |
|
4 |
+2010.08.09 -- Version 2.1.2 |
|
5 |
+ |
|
6 |
+* Windows security issue: |
|
7 |
+ Fixed potential local privilege escalation vulnerability in |
|
8 |
+ Windows service. The Windows service did not properly quote the |
|
9 |
+ executable filename passed to CreateService. A local attacker |
|
10 |
+ with write access to the root directory C:\ could create an |
|
11 |
+ executable that would be run with the same privilege level as |
|
12 |
+ the OpenVPN Windows service. However, since non-Administrative |
|
13 |
+ users normally lack write permission on C:\, this vulnerability |
|
14 |
+ is generally not exploitable except on older versions of Windows |
|
15 |
+ (such as Win2K) where the default permissions on C:\ would allow |
|
16 |
+ any user to create files there. |
|
17 |
+ Credit: Scott Laurie, MWR InfoSecurity |
|
18 |
+ |
|
19 |
+* Added Python-based based alternative build system for Windows using |
|
20 |
+ Visual Studio 2008 (in win directory). |
|
21 |
+ |
|
22 |
+* When aborting in a non-graceful way, try to execute do_close_tun in |
|
23 |
+ init.c prior to daemon exit to ensure that the tun/tap interface is |
|
24 |
+ closed and any added routes are deleted. |
|
25 |
+ |
|
26 |
+* Fixed an issue where AUTH_FAILED was not being properly delivered |
|
27 |
+ to the client when a bad password is given for mid-session reauth, |
|
28 |
+ causing the connection to fail without an error indication. |
|
29 |
+ |
|
30 |
+* Don't advance to the next connection profile on AUTH_FAILED errors. |
|
31 |
+ |
|
32 |
+* Fixed an issue in the Management Interface that could cause |
|
33 |
+ a process hang with 100% CPU utilization in --management-client |
|
34 |
+ mode if the management interface client disconnected at the |
|
35 |
+ point where credentials are queried. |
|
36 |
+ |
|
37 |
+* Fixed an issue where if reneg-sec was set to 0 on the client, |
|
38 |
+ so that the server-side value would take precedence, |
|
39 |
+ the auth_deferred_expire_window function would incorrectly |
|
40 |
+ return a window period of 0 seconds. In this case, the |
|
41 |
+ correct window period should be the handshake window |
|
42 |
+ period. |
|
43 |
+ |
|
44 |
+* Modified ">PASSWORD:Verification Failed" management interface |
|
45 |
+ notification to include a client reason string: |
|
46 |
+ |
|
47 |
+ >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING'] |
|
48 |
+ |
|
49 |
+* Enable exponential backoff in reliability layer |
|
50 |
+ retransmits. |
|
51 |
+ |
|
52 |
+* Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after |
|
53 |
+ socket is created rather than waiting until after connect/listen. |
|
54 |
+ |
|
55 |
+* Management interface performance optimizations: |
|
56 |
+ |
|
57 |
+ 1. Added env-filter MI command to perform filtering on env vars |
|
58 |
+ passed through as a part of --management-client-auth |
|
59 |
+ |
|
60 |
+ 2. man_write will now try to aggregate output into larger blocks |
|
61 |
+ (up to 1024 bytes) for more efficient i/o |
|
62 |
+ |
|
63 |
+* Fixed minor issue in Windows TAP driver DEBUG builds |
|
64 |
+ where non-null-terminated unicode strings were being |
|
65 |
+ printed incorrectly. |
|
66 |
+ |
|
67 |
+* Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support |
|
68 |
+ was not being compiled in. |
|
69 |
+ |
|
70 |
+* Proxy improvements: |
|
71 |
+ |
|
72 |
+ Improved the ability of http-auth "auto" flag to dynamically detect |
|
73 |
+ the auth method required by the proxy. |
|
74 |
+ |
|
75 |
+ Added http-auth "auto-nct" flag to reject weak proxy auth methods. |
|
76 |
+ |
|
77 |
+ Added HTTP proxy digest authentication method. |
|
78 |
+ |
|
79 |
+ Removed extraneous openvpn_sleep calls from proxy.c. |
|
80 |
+ |
|
81 |
+* Implemented http-proxy-override and http-proxy-fallback directives to make it |
|
82 |
+ easier for OpenVPN client UIs to start a pre-existing client config file with |
|
83 |
+ proxy options, or to adaptively fall back to a proxy connection if a direct |
|
84 |
+ connection fails. |
|
85 |
+ |
|
86 |
+* Implemented a key/value auth channel from client to server. |
|
87 |
+ |
|
88 |
+* Fixed issue where bad creds provided by the management interface |
|
89 |
+ for HTTP Proxy Basic Authentication would go into an infinite |
|
90 |
+ retry-fail loop instead of requerying the management interface for |
|
91 |
+ new creds. |
|
92 |
+ |
|
93 |
+* Added support for MSVC debugging of openvpn.exe in settings.in: |
|
94 |
+ |
|
95 |
+ # Build debugging version of openvpn.exe |
|
96 |
+ !define PRODUCT_OPENVPN_DEBUG |
|
97 |
+ |
|
98 |
+* Implemented multi-address DNS expansion on the network field of route |
|
99 |
+ commands. |
|
100 |
+ |
|
101 |
+ When only a single IP address is desired from a multi-address DNS |
|
102 |
+ expansion, use the first address rather than a random selection. |
|
103 |
+ |
|
104 |
+* Added --register-dns option for Windows. |
|
105 |
+ |
|
106 |
+ Fixed some issues on Windows with --log, subprocess creation |
|
107 |
+ for command execution, and stdout/stderr redirection. |
|
108 |
+ |
|
109 |
+* Fixed an issue where application payload transmissions on the |
|
110 |
+ TLS control channel (such as AUTH_FAILED) that occur during |
|
111 |
+ or immediately after a TLS renegotiation might be dropped. |
|
112 |
+ |
|
113 |
+* Added warning about tls-remote option in man page. |
|
114 |
+ |
|
4 | 115 |
2009.12.11 -- Version 2.1.1 |
5 | 116 |
|
6 | 117 |
* Fixed some breakage in openvpn.spec (which is required to build an |
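Review bot: The "Added Python-based based alternative build system" entry duplicates the word "based"; suggest "Added Python-based alternative build system for Windows using Visual Studio 2008 (in win directory)." Two smaller points in the same hunk: the Windows service entry describes the root cause (the executable path passed to CreateService was not quoted) but does not say which component users must update, so consider adding a sentence such as "Users of the Windows service should upgrade even on systems where C:\ is not writable by non-administrators", since the text's "generally not exploitable" wording may be read as a reason to skip the fix; and the "Fixed some issues on Windows with --log, subprocess creation for command execution, and stdout/stderr redirection" paragraph is unrelated to --register-dns but sits under that bullet, so it should get its own "*" entry.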
... | ... |
@@ -22,7 +22,7 @@ |
22 | 22 |
;!define OPENVPN_XGUI_DIR "../ovpnxml" |
23 | 23 |
|
24 | 24 |
# Prebuilt libraries. DMALLOC is optional. |
25 |
-!define OPENSSL_DIR "../openssl-0.9.8l" |
|
25 |
+!define OPENSSL_DIR "../openssl.mingw/openssl-0.9.8o" |
|
26 | 26 |
!define LZO_DIR "../lzo-2.02" |
27 | 27 |
!define PKCS11_HELPER_DIR "../pkcs11-helper" |
28 | 28 |
;!define DMALLOC_DIR "../dmalloc-5.4.2" |
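Review bot: The OPENSSL_DIR change bumps the bundled OpenSSL from 0.9.8l to 0.9.8o and at the same time moves it under a new "../openssl.mingw/" directory, but the ChangeLog hunk above has no entry for either; since this changes the crypto library shipped in the Windows installer, add a ChangeLog line along the lines of "Updated bundled OpenSSL to 0.9.8o for Windows builds" and, if the new openssl.mingw layout is required by the build scripts, document that layout where the other prebuilt library paths (LZO_DIR, PKCS11_HELPER_DIR) are described.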
... | ... |
@@ -370,11 +370,13 @@ int CmdInstallService() |
370 | 370 |
|
371 | 371 |
int ret = 0; |
372 | 372 |
|
373 |
- if ( GetModuleFileName( NULL, szPath, 512 ) == 0 ) |
|
373 |
+ if ( GetModuleFileName( NULL, szPath+1, 510 ) == 0 ) |
|
374 | 374 |
{ |
375 | 375 |
_tprintf(TEXT("Unable to install %s - %s\n"), TEXT(SZSERVICEDISPLAYNAME), GetLastErrorText(szErr, 256)); |
376 | 376 |
return 1; |
377 | 377 |
} |
378 |
+ szPath[0] = '\"'; |
|
379 |
+ strcat(szPath, "\""); |
|
378 | 380 |
|
379 | 381 |
schSCManager = OpenSCManager( |
380 | 382 |
NULL, // machine (NULL == local) |
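Review bot: The truncation case is not handled: GetModuleFileName( NULL, szPath+1, 510 ) returns a value equal to nSize (510) when the path does not fit, and on the Windows versions this service targets the result is then not NUL-terminated, so the following strcat(szPath, "\"") would read past the buffer; check for that as well, e.g.
    DWORD n = GetModuleFileName( NULL, szPath+1, 510 );
    if ( n == 0 || n >= 510 )
and treat both as the existing "Unable to install" failure. Second point: the surrounding code uses TCHAR conventions (TEXT(), _tprintf) while the two new lines use a char literal and strcat; use szPath[0] = TEXT('"') and _tcscat(szPath, TEXT("\"")) so the fix still compiles correctly in a UNICODE build. Finally, a one-line comment above szPath[0] = '\"' stating that the path is quoted so CreateService cannot resolve an unquoted path with spaces to a different executable would document why this security fix is here.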