|
| 1 | +Overview of changes in 2.6.11 |
| 2 | +============================= |
| 3 | +Security fixes |
| 4 | +-------------- |
| 5 | +- CVE-2024-4877: Windows: harden interactive service pipe. |
| 6 | + Security scope: a malicious process with "some" elevated privileges |
| 7 | + (SeImpersonatePrivilege) could open the pipe a second time, tricking |
| 8 | + openvn GUI into providing user credentials (tokens), getting full |
| 9 | + access to the account openvpn-gui.exe runs as. |
| 10 | + (Zeze with TeamT5) |
| 11 | + |
| 12 | +- CVE-2024-5594: control channel: refuse control channel messages with |
| 13 | + nonprintable characters in them. Security scope: a malicious openvpn |
| 14 | + peer can send garbage to openvpn log, or cause high CPU load. |
| 15 | + (Reynir Björnsson) |
| 16 | + |
| 17 | +- CVE-2024-28882: only call schedule_exit() once (on a given peer). |
| 18 | + Security scope: an authenticated client can make the server "keep the |
| 19 | + session" even when the server has been told to disconnect this client |
| 20 | + (Reynir Björnsson) |
| 21 | + |
| 22 | +New features |
| 23 | +------------ |
| 24 | +- Windows Crypto-API: Implement Windows CA template match for searching |
| 25 | + certificates in windows crypto store. |
| 26 | + |
| 27 | +- support pre-created DCO interface on FreeBSD (OpenVPN would fail to |
| 28 | + set ifmode p2p/subnet otherwise) |
| 29 | + |
| 30 | +Bugfixes |
| 31 | +-------- |
| 32 | +- fix connect timeout when using SOCKS proxies (trac #328, github #267) |
| 33 | + |
| 34 | +- work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers |
| 35 | + (LibreSSL bug, already fixed upstream, but not backported to OpenBSD 7.5, |
| 36 | + see also https://github.com/libressl/openbsd/issues/150) |
| 37 | + |
| 38 | +- Add bracket in fingerprint message and do not warn about missing |
| 39 | + verification (github #516) |
| 40 | + |
| 41 | +Documentation |
| 42 | +------------- |
| 43 | +- remove "experimental" denotation for --fast-io |
| 44 | + |
| 45 | +- correctly document ifconfig_* variables passed to scripts (script-options.rst) |
| 46 | + |
| 47 | +- documentation: make section levels consistent |
| 48 | + |
| 49 | +- samples: Update sample configurations |
| 50 | + remove compression & old cipher settings, add more informative comments |
| 51 | + |
| 52 | +Code maintenance |
| 53 | +---------------- |
| 54 | +- remove usage of <lzoutils.h> header & macro, discouraged by upstream |
| 55 | + |
| 56 | +- only run coverity scans in OpenVPN/OpenVPN repository (= do not spam |
| 57 | + owners of cloned repos with "cannot run this" messages) |
| 58 | + |
| 59 | +- replace macOS 11 github runners with macOS 14 |
| 60 | + |
| 61 | +- remove some unused code in misc.c (leftover from commit 3a4fb1) |
| 62 | + |
| 63 | +- phase2_tcp_server: fix Coverity issue 'Dereference after null check' |
| 64 | + - the code itself was correct, just doing needless checks |
| 65 | + |
| 66 | +- Use snprintf instead of sprintf for get_ssl_library_version |
| 67 | + - the code itself was correct, but macOS clang dislikes sprintf() |
| 68 | + |
| 69 | + |
1 | 70 | Overview of changes in 2.6.10 |
2 | 71 | ============================= |
3 | 72 | Security fixes |
|
0 commit comments