@@ -1,6 +1,12 @@

 OpenVPN Change Log

 Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>

+2024.07.18 -- Version 2.5.11

+

+Arne Schwabe (2):

+      Properly handle null bytes and invalid characters in control messages

+      Allow trailing \r and \n in control channel message

+

 2024.03.21 -- Version 2.5.10

 Arne Schwabe (1):

@@ -1,3 +1,15 @@

+Overview of changes in 2.5.11

+=============================

+Security fixes

+--------------

+- CVE-2024-5594: control channel: refuse control channel messages with

+  nonprintable characters in them.  Security scope: a malicious openvpn

+  peer can send garbage to openvpn log, or cause high CPU load.

+  (Reynir Björnsson)

+

+  (Backport of the security fix in 2.6.11 and the fix for the bugfix

+  in 2.6.12)

+

 Overview of changes in 2.5.10

 =============================

 Security fixes

@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])

 define([PRODUCT_TARNAME], [openvpn])

 define([PRODUCT_VERSION_MAJOR], [2])

 define([PRODUCT_VERSION_MINOR], [5])

-define([PRODUCT_VERSION_PATCH], [.10])

+define([PRODUCT_VERSION_PATCH], [.11])

 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])

 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])

 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])

 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])

-define([PRODUCT_VERSION_RESOURCE], [2,5,10,0])

+define([PRODUCT_VERSION_RESOURCE], [2,5,11,0])

 dnl define the TAP version

 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])

 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])