{{{
OpenVPN Change Log
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

2010.11.09 -- Version 2.1.4

* Fix problem with special case route targets ('remote_host')
  The init_route() function will leave &netlist untouched for
  get_special_addr() routes ("remote_host" being one of them).
  netlist is on stack, contains random garbage, and
  netlist.len will not be 0 - thus, random stack data is copied from
  netlist.data[] until the route_list is full.
  Thanks to Teodo MICU and Gert Doering for finding and fixing this issue.
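As an added illustration (not OpenVPN's own code), the following C model reproduces the pattern described above: a stack-allocated address list that the resolver leaves untouched for the special "remote_host" target, so its stale len field drives the copy loop. netlist_t, resolve_target, add_routes_buggy and add_routes_fixed are hypothetical names, and the "stack garbage" is injected as a parameter so the effect is deterministic.

```c
/* Added example, not OpenVPN's code: a simplified model of the 2.1.4 route
 * bug. Names (netlist_t, resolve_target, add_routes_*) are hypothetical;
 * OpenVPN's real init_route() and route_list differ in detail. */
#include <string.h>

#define MAX_ADDRS 8
#define MAX_ROUTES 4
#define SPECIAL_REMOTE_HOST "remote_host"

typedef struct {
    int len;                      /* number of valid entries in data[] */
    unsigned int data[MAX_ADDRS]; /* resolved addresses (constructed values) */
} netlist_t;

/* Resolves an ordinary target into netlist. For the special target it
 * returns early and deliberately leaves netlist untouched, which is the
 * behaviour the changelog entry describes for get_special_addr() routes. */
static int resolve_target(const char *target, netlist_t *netlist)
{
    if (strcmp(target, SPECIAL_REMOTE_HOST) == 0)
        return 1; /* special case: caller substitutes the real remote host */
    /* constructed resolution: one fake address derived from the name */
    netlist->len = 1;
    netlist->data[0] = (unsigned int)strlen(target);
    return 1;
}

/* Buggy pattern: netlist lives on the stack and is never initialised, so
 * for the special target netlist.len is whatever the stack held. To keep
 * the model deterministic, the "garbage" is passed in as garbage_len and
 * stale data[] contents are simulated with memset. The real code had no
 * i < MAX_ADDRS bound; it is kept here only so the model itself is safe. */
static int add_routes_buggy(const char *target, int garbage_len,
                            unsigned int *routes, int max_routes)
{
    netlist_t netlist;
    netlist.len = garbage_len;                       /* uninitialised field */
    memset(netlist.data, 0xAA, sizeof netlist.data); /* stale stack data */
    resolve_target(target, &netlist);
    int n = 0;
    for (int i = 0; i < netlist.len && i < MAX_ADDRS && n < max_routes; i++)
        routes[n++] = netlist.data[i]; /* copies stale data until list is full */
    return n;
}

/* Fixed pattern: zero-initialise before use, so a netlist the resolver did
 * not touch has len == 0 and contributes no routes at all. */
static int add_routes_fixed(const char *target, int garbage_len,
                            unsigned int *routes, int max_routes)
{
    (void)garbage_len; /* the fix makes prior stack contents irrelevant */
    netlist_t netlist = {0};
    resolve_target(target, &netlist);
    int n = 0;
    for (int i = 0; i < netlist.len && i < MAX_ADDRS && n < max_routes; i++)
        routes[n++] = netlist.data[i];
    return n;
}
```
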

2010.08.20 -- Version 2.1.3

* Windows build fixes
  Attempt to fix issue where domake-win build system was not properly
  signing drivers and .exe files. This change is only affecting the
  Windows build scripts and not the OpenVPN code base.

2010.08.09 -- Version 2.1.2

* Windows security issue:
  Fixed potential local privilege escalation vulnerability in
  Windows service. The Windows service did not properly quote the
  executable filename passed to CreateService. A local attacker
  with write access to the root directory C:\ could create an
  executable that would be run with the same privilege level as
  the OpenVPN Windows service. However, since non-Administrative
  users normally lack write permission on C:\, this vulnerability
  is generally not exploitable except on older versions of Windows
  (such as Win2K) where the default permissions on C:\ would allow
  any user to create files there.
  Credit: Scott Laurie, MWR InfoSecurity

* Added Python-based alternative build system for Windows using
  Visual Studio 2008 (in win directory).

* When aborting in a non-graceful way, try to execute do_close_tun in
  init.c prior to daemon exit to ensure that the tun/tap interface is
  closed and any added routes are deleted.

* Fixed an issue where AUTH_FAILED was not being properly delivered
  to the client when a bad password is given for mid-session reauth,
  causing the connection to fail without an error indication.

* Don't advance to the next connection profile on AUTH_FAILED errors.

* Fixed an issue in the Management Interface that could cause
  a process hang with 100% CPU utilization in --management-client
  mode if the management interface client disconnected at the
  point where credentials are queried.

* Fixed an issue where if reneg-sec was set to 0 on the client,
  so that the server-side value would take precedence,
  the auth_deferred_expire_window function would incorrectly
  return a window period of 0 seconds. In this case, the
  correct window period should be the handshake window
  period.

* Modified ">PASSWORD:Verification Failed" management interface
  notification to include a client reason string:

    >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']

* Enable exponential backoff in reliability layer
  retransmits.

* Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
  socket is created rather than waiting until after connect/listen.

* Management interface performance optimizations:

  1. Added env-filter MI command to perform filtering on env vars
     passed through as a part of --management-client-auth

  2. man_write will now try to aggregate output into larger blocks
     (up to 1024 bytes) for more efficient i/o

* Fixed minor issue in Windows TAP driver DEBUG builds
  where non-null-terminated unicode strings were being
  printed incorrectly.

* Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
  was not being compiled in.

* Proxy improvements:

  Improved the ability of http-auth "auto" flag to dynamically detect
  the auth method required by the proxy.

  Added http-auth "auto-nct" flag to reject weak proxy auth methods.

  Added HTTP proxy digest authentication method.

  Removed extraneous openvpn_sleep calls from proxy.c.

* Implemented http-proxy-override and http-proxy-fallback directives to make it
  easier for OpenVPN client UIs to start a pre-existing client config file with
  proxy options, or to adaptively fall back to a proxy connection if a direct
  connection fails.

* Implemented a key/value auth channel from client to server.

* Fixed issue where bad creds provided by the management interface
  for HTTP Proxy Basic Authentication would go into an infinite
  retry-fail loop instead of requerying the management interface for
  new creds.

* Added support for MSVC debugging of openvpn.exe in settings.in:

    # Build debugging version of openvpn.exe
    !define PRODUCT_OPENVPN_DEBUG

* Implemented multi-address DNS expansion on the network field of route
  commands.

  When only a single IP address is desired from a multi-address DNS
  expansion, use the first address rather than a random selection.

* Added --register-dns option for Windows.

  Fixed some issues on Windows with --log, subprocess creation
  for command execution, and stdout/stderr redirection.

* Fixed an issue where application payload transmissions on the
  TLS control channel (such as AUTH_FAILED) that occur during
  or immediately after a TLS renegotiation might be dropped.

* Added warning about tls-remote option in man page.

2009.12.11 -- Version 2.1.1

* Fixed some breakage in openvpn.spec (which is required to build an
  RPM distribution) where it was referencing a non-existent
  subdirectory in the tarball, causing it to fail (patch from
  David Sommerseth).

2009.12.11 -- Version 2.1.0

* Fixed a couple of issues in sample plugins auth-pam.c and down-root.c.
  (1) Fail gracefully rather than segfault if calloc returns NULL.
  (2) The openvpn_plugin_abort_v1 function can potentially be called
  with handle == NULL. Add code to detect this case, and if so, avoid
  dereferencing pointers derived from handle (Thanks to David
  Sommerseth for finding this bug).

* Documented "multihome" option in the man page.

2009.11.20 -- Version 2.1_rc22

* Fixed a client-side bug on Windows that occurred when the
  "dhcp-pre-release" or "dhcp-renew" options were combined with
  "route-gateway dhcp". The release/renew would not occur
  because the Windows DHCP renew function is blocking and
  therefore must be called from another process or thread
  so as not to stall the tunnel.

* Added a hard failure when peer provides a certificate chain
  with depth > 16. Previously, a warning was issued.

2009.11.12 -- Version 2.1_rc21

* Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address
  CVE-2009-3555. Note that OpenVPN has never relied on the session
  renegotiation capabilities that are built into the SSL/TLS protocol,
  therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation
  completely) will not adversely affect OpenVPN mid-session SSL/TLS
  renegotiation or any other OpenVPN capabilities.

* Added additional session renegotiation hardening. OpenVPN has always
  required that mid-session renegotiations build up a new SSL/TLS
  session from scratch. While the client certificate common name is
  already locked against changes in mid-session TLS renegotiations, we
  now extend this locking to the auth-user-pass username as well as all
  certificate content in the full client certificate chain.

2009.10.01 -- Version 2.1_rc20

* Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
  redirect-gateway option by itself, without any extra parameters,
  would cause the option to be ignored.

* Fixed build problem when ./configure --disable-server is used.

* Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke).

* Added --remote-random-hostname option.

* Added "load-stats" management interface command to get global server
  load statistics.

* Added new ./configure flags:

    --disable-def-auth  Disable deferred authentication
    --disable-pf        Disable internal packet filter

* Added "setcon" directive for interoperability with SELinux (Sebastien
  Raveau).

* Optimized PUSH_REQUEST handshake sequence to shave several seconds
  off of a typical client connection initiation.

* The maximum number of "route" directives (specified in the config
  file or pulled from a server) can now be configured via the new
  "max-routes" directive.

* Eliminated the limitation on the number of options that can be pushed
  to clients, including routes. Previously, all pushed options needed
  to fit within a 1024 byte options string.

* Added --server-poll-timeout option: when polling possible remote
  servers to connect to in a round-robin fashion, spend no more than
  n seconds waiting for a response before trying the next server.

* Added the ability for the server to provide a custom reason string
  when an AUTH_FAILED message is returned to the client. This
  string can be set by the server-side management interface and read
  by the client-side management interface.

* client-kill management interface command, when issued on server, will
  now send a RESTART message to client.
  This feature is intended to make UDP clients respond the same as TCP
  clients in the case where the server issues a RESTART message in
  order to force the client to reconnect and pull a new options/route
  list.

2009.07.16 -- Version 2.1_rc19

* In Windows TAP driver, refactor DHCP/ARP packet injection code to
  use a DPC (deferred procedure call) to defer packet injection until
  IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive
  in the context of AdapterTransmit. This is an attempt to reduce kernel
  stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been
  observed on Vista. Updated TAP driver version number to 9.6.

* In configure.ac, use datadir instead of datarootdir for compatibility
  with <autoconf-2.60.

2009.06.07 -- Version 2.1_rc18

* Fixed compile error on ./configure --enable-small

* Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
  does not build on Windows on non-MINGW32.

2009.05.30 -- Version 2.1_rc17

* Reduce the debug level (--verb) at which received management interface
  commands are echoed from 7 to 3. Passwords will be filtered.

* Fixed race condition in management interface recv code on
  Windows, where sending a set of several commands to the
  management interface in quick succession might cause the
  latter commands in the set to be ignored.

* Increased management interface input command buffer size
  from 256 to 1024 bytes.

* Minor tweaks to Windows build system.

* Added "redirect-private" option which allows private subnets
  to be pushed to the client in such a way that they don't accidentally
  obscure critical local addresses such as the DHCP server address and
  DNS server addresses.

* Added new 'autolocal' redirect-gateway flag. When enabled, the OpenVPN
  client will examine the routing table and determine whether (a) the
  OpenVPN server is reachable via a locally connected interface, or (b)
  traffic to the server must be forwarded through the default router.
  Only add a special bypass route for the OpenVPN server if (b) is true.
  If (a) is true, behave as if the 'local' flag is specified, and do not
  add a bypass route.

  The new 'autolocal' flag depends on the non-portable test_local_addr()
  function in route.c, which is currently only implemented for Windows.
  The 'autolocal' flag will act as a no-op on platforms that have not
  yet defined a test_local_addr() function.

* Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
  more option content to be pushed from server to client).

* Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
  levels <=3) a common and usually innocuous warning.

* Fixed issue of symbol conflicts interfering with Windows CryptoAPI
  functionality (Alon Bar-Lev).

* Fixed bug where the remote_X environmental variables were not being
  set correctly when the 'local' option is specified.

2009.05.17 -- Version 2.1_rc16

* Windows installer changes:

  1. ifdefed out the check Windows version code which is causing
     problems on Windows 7

  2. don't define SF_SELECTED if it is already defined

  3. Use LZMA instead of BZIP2 compression for better compression

  4. Upgraded OpenSSL to 0.9.8k

* Added the ability to read the configuration file
  from stdin, when "stdin" is given as the config
  file name.

* Allow "management-client" directive to be used
  with unix domain sockets.

* Added errors-to-stderr option. When enabled, fatal errors
  that result in the termination of the daemon will be written
  to stderr.

* Added optional "nogw" (no gateway) flag to --server-bridge
  to inhibit the pushing of the route-gateway parameter to
  clients.

* Added new management interface command "pid" to show the
  process ID of the current OpenVPN process (Angelo Laub).

* Fixed issue where SIGUSR1 restarts would fail if private
  key was specified as an inline file.

* Added daemon_start_time and daemon_pid environmental variables.

* In management interface, added new ">CLIENT:ESTABLISHED" notification.

* Build fixes:

  1. Fixed some issues with C++ style comments that leaked into the code.

  2. Updated configure.ac to work on MinGW64.

  3. Updated common.h types for _WIN64.

  4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
     compilers.

  5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
     OpenVPNCryptAcquireCertificatePrivateKey to work around
     a symbol conflict in MinGW-5.1.4.

2008.11.19 -- Version 2.1_rc15

* Fixed issue introduced in 2.1_rc14 that may cause a
  segfault when a --plugin module is used.

* Added server-side --opt-verify option: clients that connect
  with options that are incompatible with those of the server
  will be disconnected (without this option, incompatible
  clients would trigger a warning message in the server log
  but would not be disconnected).

* Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
  flag on the server as well as pushes it to connecting clients.

* Minor options check fix: --no-name-remapping is a
  server-only option and should therefore generate an
  error when used on the client.

* Added --prng option to control PRNG (pseudo-random
  number generator) parameters. In previous OpenVPN
  versions, the PRNG was hardcoded to use the SHA1
  hash. Now any OpenSSL hash may be used. This is
  part of an effort to remove hardcoded references to
  a specific cipher or cryptographic hash algorithm.

* Cleaned up man page synopsis.

2008.11.16 -- Version 2.1_rc14

* Added AC_GNU_SOURCE to configure.ac to enable struct ucred,
  with the goal of fixing a build issue on Fedora 9 that was
  introduced in 2.1_rc13.

* Added additional method parameter to --script-security to preserve
  backward compatibility with system() call semantics used in OpenVPN
  2.1_rc8 and earlier. To preserve backward compatibility use:

    script-security 3 system

* Added additional warning messages about --script-security 2
  or higher being required to execute user-defined scripts or
  executables.

* Windows build system changes:

  Modified Windows domake-win build system to write all openvpn.nsi
  input files to gen, so that gen can be disconnected from
  the rest of the source tree and makensis openvpn.nsi will
  still function correctly.

  Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
  (commented out by default).

  Added optional files SAMPCONF_CONF2 (second sample configuration
  file) and SAMPCONF_DH (Diffie-Hellman parameters) to Windows
  build system, and may be defined in settings.in.

* Extended Management Interface "bytecount" command
  to work when OpenVPN is running as a server.
  Documented Management Interface "bytecount" command in
  management/management-notes.txt.

* Fixed informational message in ssl.c to properly indicate
  deferred authentication.

* Added server-side --auth-user-pass-optional directive, to allow
  connections by clients that do not specify a username/password, when a
  user-defined authentication script/module is in place (via
  --auth-user-pass-verify, --management-client-auth, or a plugin module).

* Changes to easy-rsa/2.0/pkitool and related openssl.cnf:

  Calling scripts can set the KEY_NAME environmental variable to set
  the "name" X509 subject field in generated certificates.

  Modified pkitool to allow flexibility in separating the Common Name
  convention from the cert/key filename convention.

  For example:

    KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james

  will create a client certificate/key pair of james.crt/james.key
  having a Common Name of "James's Laptop" and a Name of "james".

* Added --no-name-remapping option to allow Common Name, X509 Subject,
  and username strings to include any printable character including
  space, but excluding control characters such as tab, newline, and
  carriage-return (this is important for compatibility with external
  authentication systems).

  As a related change, added --status-version 3 format (and "status 3"
  in the management interface) which uses the version 2 format except
  that tabs are used as delimiters instead of commas so that there
  is no ambiguity when parsing a Common Name that contains a comma.

  Also, save X509 Subject fields to environment, using the naming
  convention:

    X509_{cert_depth}_{name}={value}

  This is to avoid ambiguities when parsing out the X509 subject string
  since "/" characters could potentially be used in the common name.

* Fixed some ifconfig-pool issues that precluded it from being combined
  with --server directive.

  Now, for example, we can configure thusly:

    server 10.8.0.0 255.255.255.0 nopool
    ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0

  to have ifconfig-pool manage only a subset
  of the VPN subnet.

* Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
  config file syntax checking to allow directives for future OpenVPN
  versions to be ignored.

2008.10.07 -- Version 2.1_rc13

* Bundled OpenSSL 0.9.8i with Windows installer.

* Management interface can now listen on a unix
  domain socket, for example:

    management /tmp/openvpn unix

  Also added management-client-user and management-client-group
  directives to control which processes are allowed to connect
  to the socket.

* Copyright change to OpenVPN Technologies, Inc.

2008.09.23 -- Version 2.1_rc12

* Patched Makefile.am so that the new t_cltsrv-down.sh script becomes
  part of the tarball (Matthias Andree).

* Fixed --lladdr bug introduced in 2.1-rc9 where input validation code
  was incorrectly expecting the lladdr parameter to be an IP address
  when it is actually a MAC address (HoverHell).

2008.09.14 -- Version 2.1_rc11

* Fixed a bug that can cause SSL/TLS negotiations in UDP mode
  to fail if UDP packets are dropped.

2008.09.10 -- Version 2.1_rc10

* Added "--server-bridge" (without parameters) to enable
  DHCP proxy mode: Configure server mode for ethernet
  bridging using a DHCP-proxy, where clients talk to the
  OpenVPN server-side DHCP server to receive their IP address
  allocation and DNS server addresses.

* Added "--route-gateway dhcp", to enable the extraction
  of the gateway address from a DHCP negotiation with the
  OpenVPN server-side LAN.

* Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns
  on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255,
  ignore it.

* Warn when ethernet bridging that the IP address of the bridge adapter
  is probably not the same address that the LAN adapter was set to
  previously.

* When running as a server, warn if the LAN network address is
  the all-popular 192.168.[0|1].x, since this condition commonly
  leads to subnet conflicts down the road.

* Primarily on the client, check for subnet conflicts between
  the local LAN and the VPN subnet.

* Added a 'netmask' parameter to get_default_gateway, to return
  the netmask of the adapter containing the default gateway.
  Only implemented on Windows so far. Other platforms will
  return 255.255.255.0. Currently the netmask information is
  only used to warn about subnet conflicts.

* Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO
  and USE_SSL flags are enabled (Alon Bar-Lev).

* Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new
  --script-security rules. Also adds retrying if the addresses are in
  use (Matthias Andree).

* Fixed build issue with ./configure --disable-socks --disable-http.

* Fixed separate compile errors in options.c and ntlm.c that occur
  on strict C compilers (such as old versions of gcc) that require
  that C variable declarations occur at the start of a {} block,
  not in the middle.

* Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which
  the new implementation of extract_x509_field_ssl depends on.

* LZO compression buffer overflow errors will now invalidate
  the packet rather than trigger a fatal assertion.

* Fixed minor compile issue in ntlm.c (mid-block declaration).

* Added --allow-pull-fqdn option which allows client to pull DNS names
  from server (rather than only IP address) for --ifconfig, --route, and
  --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names
  for these options to be pulled and translated to IP addresses by default.
  Now --allow-pull-fqdn will be explicitly required on the client to enable
  DNS-name-to-IP-address translation of pulled options.

* 2.1_rc8 and earlier did implicit shell expansion on script
  arguments since all scripts were called by system().
  The security hardening changes made to 2.1_rc9 no longer
  use system(), but rather use the safer execve or CreateProcess
  system calls. The security hardening also introduced a
  backward incompatibility with 2.1_rc8 and earlier in that
  script parameters were no longer shell-expanded, so
  for example:

    client-connect "docc CLIENT-CONNECT"

  would fail to work because execve would try to execute
  a script called "docc CLIENT-CONNECT" instead of "docc"
  with "CLIENT-CONNECT" as the first argument.

  This patch fixes the issue, bringing the script argument
  semantics back to pre 2.1_rc9 behavior in order to preserve
  backward compatibility while still using execve or CreateProcess
  to execute the script/executable.
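An added example (not OpenVPN's own argv code) of the script-argument semantics the entry above describes: split a directive's command string into an argv for execve() on unquoted whitespace, honouring double quotes, while leaving shell metacharacters literal because no shell is involved. script_argv_t and split_script_args are hypothetical names.

```c
/* Added example, not OpenVPN's code: word-splitting for script arguments
 * without a shell. "docc CLIENT-CONNECT" becomes argv = {"docc",
 * "CLIENT-CONNECT", NULL}; '$', ';', '|' and similar stay literal. */
#include <stddef.h>
#include <string.h>

#define MAX_ARGS 16
#define ARG_BUF 512

typedef struct {
    int argc;
    char *argv[MAX_ARGS + 1]; /* NULL-terminated, as execve() expects */
    char buf[ARG_BUF];        /* storage that the argv pointers refer into */
} script_argv_t;

/* Splits cmd on unquoted spaces/tabs. A double-quoted run is kept as one
 * argument with the quotes stripped, so a script path containing spaces can
 * still be named. No variable, glob or command substitution is performed.
 * Returns argc, or -1 if cmd is too long, has too many words, or has an
 * unterminated quote. */
static int split_script_args(const char *cmd, script_argv_t *out)
{
    size_t len = strlen(cmd);
    if (len >= sizeof out->buf)
        return -1;
    out->argc = 0;
    char *w = out->buf;
    const char *p = cmd;
    while (*p) {
        while (*p == ' ' || *p == '\t')
            p++;                               /* skip separators */
        if (!*p)
            break;
        if (out->argc >= MAX_ARGS)
            return -1;
        out->argv[out->argc++] = w;            /* start of a new argument */
        int quoted = 0;
        while (*p && (quoted || (*p != ' ' && *p != '\t'))) {
            if (*p == '"') {                   /* toggle quoting, drop the quote */
                quoted = !quoted;
                p++;
                continue;
            }
            *w++ = *p++;                       /* everything else is literal */
        }
        if (quoted)
            return -1;                         /* unterminated quote */
        *w++ = '\0';
    }
    out->argv[out->argc] = NULL;
    return out->argc;
}
```
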

* Modified ip_or_dns_addr_safe, which validates pulled DNS names,
  to more closely conform to RFC 3696:

  (1) DNS name length must not exceed 255 characters

  (2) DNS name characters must be limited to alphanumeric,
      dash ('-'), and dot ('.')
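An added example, not OpenVPN's ip_or_dns_addr_safe(): dns_name_safe applies the two rules listed above, ipv4_addr_safe adds a strict dotted-quad check, and pulled_addr_safe combines them so that a pulled --route, --ifconfig or --route-gateway value is accepted as a name only when the client has opted in with --allow-pull-fqdn (see the 2.1_rc10 entry above). All function names here are hypothetical.

```c
/* Added example: not OpenVPN's ip_or_dns_addr_safe(). dns_name_safe applies
 * the two rules from the changelog entry; ipv4_addr_safe and pulled_addr_safe
 * are additions showing how the check fits with --allow-pull-fqdn. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define DNS_NAME_MAX 255

/* Rule (1): length <= 255. Rule (2): only alphanumerics, '-' and '.'.
 * An empty string is rejected too. Anything a shell or a route/ifconfig
 * command line might interpret (space, ';', '$', '/', ...) fails rule (2). */
static int dns_name_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > DNS_NAME_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Helper for exercising the length rule: validates a name of len 'a's. */
static int dns_name_of_length_safe(size_t len)
{
    char *buf = malloc(len + 1);
    if (!buf)
        return 0;
    memset(buf, 'a', len);
    buf[len] = '\0';
    int ok = dns_name_safe(buf);
    free(buf);
    return ok;
}

/* Strict dotted-quad IPv4 check: exactly four decimal octets 0-255, each
 * at most three digits, nothing else before, between or after them. */
static int ipv4_addr_safe(const char *s)
{
    int octets = 0;
    const char *p = s;
    while (*p) {
        if (!isdigit((unsigned char)*p))
            return 0;                  /* also rejects "+1", "-1", " 1" */
        char *end;
        long v = strtol(p, &end, 10);
        if (end - p > 3 || v > 255)
            return 0;
        octets++;
        p = end;
        if (*p == '.') {
            p++;
            if (!*p)
                return 0;              /* trailing dot */
        } else if (*p) {
            return 0;                  /* junk after an octet */
        }
    }
    return octets == 4;
}

/* A pulled address-like option value is usable if it is a literal IPv4
 * address, or a well-formed DNS name when the client set --allow-pull-fqdn. */
static int pulled_addr_safe(const char *arg, int allow_pull_fqdn)
{
    if (ipv4_addr_safe(arg))
        return 1;
    return allow_pull_fqdn && dns_name_safe(arg);
}
```
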

* Fixed bug in intra-session TLS key rollover that was introduced with
  deferred authentication features in 2.1_rc8.

2008.07.31 -- Version 2.1_rc9

* Security Fix -- affects non-Windows OpenVPN clients running
  OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
  vulnerable nor are any versions of the OpenVPN server vulnerable).
  An OpenVPN client connecting to a malicious or compromised
  server could potentially receive an "lladdr" or "iproute" configuration
  directive from the server which could cause arbitrary code execution on
  the client. A successful attack requires that (a) the client has agreed
  to allow the server to push configuration directives to it by including
  "pull" or the macro "client" in its configuration file, (b) the client
  successfully authenticates the server, (c) the server is malicious or has
  been compromised and is under the control of the attacker, and (d) the
  client is running a non-Windows OS. Credit: David Wagner.
  CVE-2008-3459

* Miscellaneous defensive programming changes to multiple
  areas of the code. In particular, use of the system() call
  for calling executables such as ifconfig, route, and
  user-defined scripts has been completely revamped in favor
  of execve() on unix and CreateProcess() on Windows.

* In Windows build, package a statically linked openssl.exe to work around
  observed instabilities in the dynamic build since the migration to
  OpenSSL 0.9.8h.

2008.06.11 -- Version 2.1_rc8

* Added client authentication and packet filtering capability
  to management interface. In addition, allow OpenVPN plugins
  to take advantage of deferred authentication and packet
  filtering capability.

* Added support for client-side connection profiles.

* Fixed unbounded memory growth bug in environmental variable
  code that could have caused long-running OpenVPN sessions
  with many TLS renegotiations to incrementally
  increase memory usage over time.

* Windows release now packages openssl-0.9.8h.

* Build system changes -- allow building on Windows using
  autoconf/automake scripts (Alon Bar-Lev).

* Changes to Windows build system to make it easier to do
  partial builds, with a reduced set of prerequisites,
  where only a subset of OpenVPN installer
  components are built. See ./domake-win comments.

* Cleanup IP address for persistence interfaces for tap and also
  using ifconfig, gentoo#209055 (Alon Bar-Lev).

* Fall back to old version of extract_x509_field for OpenSSL 0.9.6.

* Clarified tcp-queue-limit man page entry (Matti Linnanvuori).

* Added new OpenVPN icon and installer graphic.

* Minor pkitool changes.

* Added --pkcs11-id-management option, which will cause OpenVPN to
  query the management interface via the new NEED-STR asynchronous
  notification query to get additional PKCS#11 options (Alon Bar-Lev).

* Added NEED-STR management interface asynchronous query and
  "needstr" management interface command to respond to the query
  (Alon Bar-Lev).

* Added Dragonfly BSD support (Francis-Gudin).

* Quote device names before passing to up/down script (Josh Cepek).

* Bracketed struct openvpn_pktinfo with #pragma pack(1) to
  prevent structure padding from causing an incorrect length
  to be returned by sizeof (struct openvpn_pktinfo) on 64-bit
  platforms.

* On systems that support res_init, always call it
  before calling gethostbyname to ensure that
  resolver configuration state is current.

* Added NTLMv2 proxy support (Miroslav Zajic).

* Fixed an issue in extract_x509_field_ssl where the extraction
  would fail on the first field of the subject name, such as
  the common name in: /CN=foo/emailAddress=foo@bar.com

* Made "Linux ip addr del failed" error nonfatal.

* Amplified --client-cert-not-required warning.

* Added #pragma pack to proto.h.

2008.01.29 -- Version 2.1_rc7

* Added a few extra files that exist in the svn repo but were
  not being copied into the tarball by make dist.

* Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev).

2008.01.24 -- Version 2.1_rc6

* Fixed options checking bug introduced in rc5 where legitimate configuration
  files might elicit the error: "Options error: Parameter pkcs11_private_mode
  can only be specified in TLS-mode, i.e. where --tls-server or --tls-client
  is also specified."

2008.01.23 -- Version 2.1_rc5

* Fixed Win2K TAP driver bug that was introduced by Vista fixes,
  incremented driver version to 9.4.

* Windows build system changes:

  Incremented included OpenSSL version to openssl-0.9.7m.

  Updated openssl.patch for openssl-0.9.7m and added some
  brief usage comments to the head of the patch.

  Added build-pkcs11-helper.sh for building the pkcs11-helper
  library.

  Integrated inclusion of pkcs11-helper into Windows build
  system.

  Upgraded TAP build scripts to use WDK 6001.17121
  (Windows 2008 Server pre-RTM).

* Windows installer changes:

  Clean up the start menu folder.

  Allow for a site-specific sample configuration file and keys
  to be included in a custom installer (see SAMPCONF macros
  in settings.in).

  New icon (temporary).

* Added "forget-passwords" command to the management interface
  (Alon Bar-Lev).

* Added --management-signal option to signal SIGUSR1 when the
  management interface disconnects (Alon Bar-Lev).

| 735 | * Modified command line and config file parser to allow |
| 736 | quoted strings using single quotes ('') (Alon Bar-Lev). |
| 737 | |
| 738 | * Use pkcs11-helper as external library, can be downloaded from |
| 739 | https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev). |
| 740 | |
| 741 | * Fixed interim memory growth issue in TCP connect loop where |
| 742 | "TCP: connect to %s failed, will try again in %d seconds: %s" |
| 743 | is output. |
| 744 | |
| 745 | * Fixed bug in epoll driver in event.c, where the lack of a |
| 746 | handler for EPOLLHUP could cause 99% CPU usage. |
| 747 | |
| 748 | * Defined ALLOW_NON_CBC_CIPHERS for people who don't |
| 749 | want to use a CBC cipher for OpenVPN's data channel. |
| 750 | |
| 751 | * Added PLUGIN_LIBDIR preprocessor string to prepend a default |
| 752 | plugin directory to the dlopen search list when the user |
| 753 | specifies the basename of the plugin only (Marius Tomaschewski). |
| 754 | |
| 755 | * Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS |
| 756 | to allow forward slash characters ("/") in the X509 common name |
| 757 | (Pavel Shramov). |
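An added example, not OpenVPN's code, covering both extract_x509_field entries above (the first-field failure in 2.1_rc8 and the forward-slash rewrite here): a field extractor for OpenSSL's one-line subject format. The boundary rule used, that a new field begins only at "/name=" where name is alphanumeric, and the character class in sanitize_common_name are this example's assumptions; the page only states that "/" is now allowed in the common name.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True when s[i] starts a "/name=" field boundary. Assumption: field
 * names are alphanumeric OpenSSL names such as CN or emailAddress. */
static bool at_field_boundary(const char *s, size_t i)
{
    if (s[i] != '/' || !isalpha((unsigned char)s[i + 1]))
        return false;
    size_t j = i + 1;
    while (isalnum((unsigned char)s[j]))
        j++;
    return s[j] == '=';
}

/* Copy the value of field_name from a one-line subject such as
 * "/C=US/CN=foo/bar/emailAddress=foo@bar.com" into out. Works for the
 * first field too, and keeps a '/' inside a value unless it begins
 * another "/name=" field. Returns false if absent or too long. */
bool extract_x509_field(const char *subject, const char *field_name,
                        char *out, size_t size)
{
    size_t name_len = strlen(field_name);
    out[0] = '\0';
    for (size_t i = 0; subject[i] != '\0'; i++) {
        if (!at_field_boundary(subject, i))
            continue;
        /* Match the whole name: "N" must not match inside "CN". */
        if (strncmp(subject + i + 1, field_name, name_len) != 0 ||
            subject[i + 1 + name_len] != '=')
            continue;
        size_t start = i + 1 + name_len + 1, end = start;
        while (subject[end] != '\0' && !at_field_boundary(subject, end))
            end++;
        if (end - start + 1 > size)
            return false;
        memcpy(out, subject + start, end - start);
        out[end - start] = '\0';
        return true;
    }
    return false;
}

/* Replace characters outside an assumed common-name class with '_'
 * (the page only says '/' is now allowed; the rest of the class is
 * this example's choice). Returns the number of replacements. */
int sanitize_common_name(char *cn)
{
    int changed = 0;
    for (char *p = cn; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && strchr("_-.@:/", c) == NULL) {
            *p = '_';
            changed++;
        }
    }
    return changed;
}

/* Wrappers using static buffers, for quick checks and main() below. */
const char *x509_field(const char *subject, const char *field_name)
{
    static char buf[128];
    return extract_x509_field(subject, field_name, buf, sizeof buf) ? buf : NULL;
}

const char *sanitized_cn(const char *cn)
{
    static char buf[128];
    snprintf(buf, sizeof buf, "%s", cn);
    sanitize_common_name(buf);
    return buf;
}

int main(void)
{
    const char *subj = "/CN=foo/emailAddress=foo@bar.com";
    printf("CN=%s email=%s\n", x509_field(subj, "CN"),
           x509_field(subj, "emailAddress"));
    printf("sanitized: %s\n", sanitized_cn("srv 01/east"));
    return 0;
}
```

The whole-name comparison matters for anything that keys access decisions on the common name: a search for "N=" that matched inside "CN=" would return the wrong field.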
| 758 | |
| 759 | * Allow OpenVPN to run completely unprivileged under Linux |
| 760 | by allowing openvpn --mktun to be used with --user and --group |
| 761 | to set the UID/GID of the tun device node. Also added --iproute |
| 762 | option to allow an alternative command to be executed in place |
| 763 | of the default iproute2 command (Alon Bar-Lev). |
| 764 | |
| 765 | * Fixed --disable-iproute2 in ./configure to actually disable |
| 766 | iproute2 usage (Alon Bar-Lev). |
| 767 | |
| 768 | * Added --management-forget-disconnect option -- forget |
| 769 | passwords when management session disconnects (Alon Bar-Lev). |
| 770 | |
| 771 | 2007.04.25 -- Version 2.1_rc4 |
| 772 | |
| 773 | * Worked out remaining issues with TAP driver signing |
| 774 | on Vista x64. OpenVPN will now run on Vista x64 |
| 775 | with driver signing enforcement enabled. |
| 776 | |
| 777 | * Fixed 64-bit portability bug in time_string function |
| 778 | (Thomas Habets). |
| 779 | |
| 780 | 2007.04.22 -- Version 2.1_rc3 |
| 781 | |
| 782 | * Additional fixes to TAP driver for Windows x64. Driver |
| 783 | now runs successfully on Vista x64 if driver signing |
| 784 | enforcement is disabled. |
| 785 | |
| 786 | * The Windows Installer and TAP driver are now signed by |
| 787 | OpenVPN Solutions LLC (in addition to the usual GnuPG |
| 788 | signatures). |
| 789 | |
| 790 | * Added OpenVPN GUI (Mathias Sundman version) as install |
| 791 | option in Windows installer. |
| 792 | |
| 793 | * Clean up configure on FreeBSD for recent autotool versions |
| 794 | that require that all .h files have to be compiled. |
| 795 | Also, FreeBSD install does not support GNU long options |
| 796 | which the Makefile in easy-rsa/2.0 uses (not checked the |
| 797 | others as we don't install those on Gentoo) (Roy Marples). |
| 798 | |
| 799 | * Added additional scripts to easy-rsa/Windows for working |
| 800 | with password-protected keys; also add -extensions server |
| 801 | option when generating server cert via |
| 802 | build-key-server-pass.bat (Daniel Zauft). |
| 803 | |
| 804 | 2007.02.27 -- Version 2.1_rc2 |
| 805 | |
| 806 | * auth-pam change: link with -lpam rather |
| 807 | than dlopen (Roy Marples). |
| 808 | |
| 809 | * Prevent SIGUSR1 or SIGHUP from causing program |
| 810 | exit from initial management hold. |
| 811 | |
| 812 | * SO_REUSEADDR should not be set on Windows TCP sockets |
| 813 | because it will cause bind to succeed on port conflicts. |
| 814 | |
| 815 | * Added time_ascii, time_duration, and time_unix |
| 816 | environmental variables for plugins and callback |
| 817 | scripts. |
| 818 | |
| 819 | * Fixed issue where OpenVPN does not apply the --txqueuelen option |
| 820 | to persistent interfaces made with --mktun (Roy Marples). |
| 821 | |
| 822 | * Attempt at rational signal handling when in the |
| 823 | management hold state. During management hold, ignore |
| 824 | SIGUSR1/SIGHUP signals thrown with the "signal" command. |
| 825 | Also, "signal" command will now apply remapping as |
| 826 | specified with the --remap-usr1 option. |
| 827 | When a signal entered using the "signal" command from a management |
| 828 | hold is ignored, output: >HOLD:Waiting for hold release |
| 829 | |
| 830 | * Fixed issue where struct env_set methods that |
| 831 | change the value of an existing name=value pair |
| 832 | would delay the freeing of the memory held by |
| 833 | the previous name=value pair until the underlying |
| 834 | client instance object is closed. |
| 835 | This could cause a server that handles long-term |
| 836 | client connections, resulting in many periodic calls |
| 837 | to verify_callback, to needlessly grow the env_set |
| 838 | memory allocation until the underlying client instance |
| 839 | object is closed. |
| 840 | |
| 841 | * Renamed TAP-Win32 driver from tap0801.sys to tap0901.sys |
| 842 | to reflect the fact that Vista has blacklisted the tap0801.sys |
| 843 | file name due to previous compatibility issues which have now |
| 844 | been resolved. TAP-Win32 major/minor version number is now 9/1. |
| 845 | |
| 846 | * Windows installer will delete a previously installed |
| 847 | tap0801.sys TAP driver before installing tap0901.sys. |
| 848 | |
| 849 | * Added code to Windows installer to fail gracefully on 64 bit |
| 850 | installs until 64-bit TAP driver issues can be resolved. |
| 851 | |
| 852 | * Added code to Windows installer to fail gracefully on |
| 853 | versions of Windows which are not explicitly supported. |
| 854 | |
| 855 | * The Windows version will now use a default route-delay |
| 856 | of 5 seconds to deal with an apparent routing table race |
| 857 | condition on Vista. |
| 858 | |
| 859 | * Worked around an incompatibility in the Windows Vista |
| 860 | version of CreateIpForwardEntry as described in |
| 861 | http://www.nynaeve.net/?p=59 |
| 862 | This issue would cause route additions using the |
| 863 | IP Helper API to fail on Vista. |
| 864 | |
| 865 | * On Windows, revert to "ip-win32 dynamic" as the default. |
| 866 | |
| 867 | 2006.10.31 -- Version 2.1_rc1 |
| 868 | |
| 869 | * Support recovery (return to hold) from signal at |
| 870 | management password prompt. |
| 871 | |
| 872 | * Added workaround for OpenSC PKCS#11 bug#108 |
| 873 | (Alon Bar-Lev). |
| 874 | |
| 875 | 2006.10.01 -- Version 2.1-beta16 |
| 876 | |
| 877 | * Windows installer updated with OpenSSL 0.9.7l DLLs to fix |
| 878 | published vulnerabilities. |
| 879 | |
| 880 | * Fixed TAP-Win32 bug that caused BSOD on Windows Vista |
| 881 | (Henry Nestler). |
| 882 | |
| 883 | * Autodetect 32/64 bit Windows in installer and install |
| 884 | appropriate TAP driver (Mathias Sundman, Hypherion). |
| 885 | |
| 886 | * Fixed bug in loopback self-test introduced |
| 887 | in 2.1-beta15 where self test as invoked by |
| 888 | "make check" would not properly exit after |
| 889 | 2 minutes (Paul Howarth). |
| 890 | |
| 891 | 2006.09.12 -- Version 2.1-beta15 |
| 892 | |
| 893 | * Windows installer updated with OpenSSL 0.9.7k DLLs to fix |
| 894 | RSA Signature Forgery (CVE-2006-4339). |
| 895 | |
| 896 | * Fixed bug introduced with the --port-share directive |
| 897 | (back in 2.1-beta9) which caused TLS soft resets |
| 898 | (1 per hour by default) in TCP server mode to force |
| 899 | a blockage of tunnel packets and later time-out and |
| 900 | restart the connection. |
| 901 | |
| 902 | * easy-rsa update (Alon Bar-Lev) |
| 903 | Makefile (install) is now available so that |
| 904 | distribs will be able to install it safely. |
| 905 | |
| 906 | * PKCS#11 changes: (Alon Bar-Lev) |
| 907 | - Modified ssl.c to not FATAL and return to init.c |
| 908 | so auth-retry will work. |
| 909 | - Modified pkcs11-helper.c to fix some problem with |
| 910 | multiple providers. |
| 911 | - Added retry counter to PKCS#11 PIN hook. |
| 912 | - Modified PKCS#11 PIN retry loop to return correct error |
| 913 | code when PIN is incorrect. |
| 914 | - Fix handling (ignoring) zero sized attributes. |
| 915 | - Fix gcc-2 issues. |
| 916 | - Fix openssl 0.9.6 (first version) issues. |
| 917 | |
| 918 | * Minor fixes of lladdr (Alon Bar-Lev) |
| 919 | Updated makefile.w32-vc to include lladdr.*, updated |
| 920 | linkage libraries. |
| 921 | Modified lladdr.c to be compiled under visual C. |
| 922 | |
| 923 | * Added two new management states: |
| 924 | OPENVPN_STATE_RESOLVE -- DNS lookup |
| 925 | OPENVPN_STATE_TCP_CONNECT -- Connecting to TCP server |
| 926 | |
| 927 | * Echo management state change to log. |
| 928 | |
| 929 | * Minor syshead.h change for NetBSD to allow |
| 930 | TCP_NODELAY flag to work. |
| 931 | |
| 932 | * Modified --port-share code to remove the assumption that |
| 933 | CMSG_SPACE always evaluates to a constant, to enable |
| 934 | compilation on NetBSD and possibly other BSDs as well. |
| 935 | |
| 936 | * Eliminated gcc 3.3.3 warnings on NetBSD |
| 937 | when ./configure --enable-strict is used. |
| 938 | |
| 939 | * Added optional minimum-number-of-bytes parameter |
| 940 | to --inactive directive. |
| 941 | |
| 942 | 2006.04.13 -- Version 2.1-beta14 |
| 943 | |
| 944 | * Fixed Windows server bug in time backtrack handling code which |
| 945 | could cause TLS negotiation failures on legitimate clients. |
| 946 | |
| 947 | * Rewrote gettimeofday function for Windows to be |
| 948 | simpler and more efficient. |
| 949 | |
| 950 | * Merged PKCS#11 extensions to easy-rsa/2.0 (Alon Bar-Lev). |
| 951 | |
| 952 | * Added --route-metric option to set a default route metric |
| 953 | for --route (Roy Marples). |
| 954 | |
| 955 | * Added --lladdr option to specify the link layer (MAC) address |
| 956 | for the tap interface on non-Windows platforms (Roy Marples). |
| 957 | |
| 958 | 2006.04.12 -- Version 2.1-beta13 |
| 959 | |
| 960 | * Code added in 2.1-beta7 and 2.0.6-rc1 to extend byte counters |
| 961 | to 64 bits caused a bug in the Windows version which has now |
| 962 | been fixed. The bug could cause intermittent crashes. |
| 963 | |
| 964 | 2006.04.05 -- Version 2.1-beta12 |
| 965 | |
| 966 | * Security Vulnerability -- An OpenVPN client connecting to a |
| 967 | malicious or compromised server could potentially receive |
| 968 | "setenv" configuration directives from the server which could |
| 969 | cause arbitrary code execution on the client via a LD_PRELOAD |
| 970 | attack. A successful attack appears to require that (a) the |
| 971 | client has agreed to allow the server to push configuration |
| 972 | directives to it by including "pull" or the macro "client" in |
| 973 | its configuration file, (b) the client configuration file uses |
| 974 | a scripting directive such as "up" or "down", (c) the client |
| 975 | successfully authenticates the server, (d) the server is |
| 976 | malicious or has been compromised and is under the control of |
| 977 | the attacker, and (e) the attacker has at least some level of |
| 978 | pre-existing control over files on the client (this might be |
| 979 | accomplished by having the server respond to a client web request |
| 980 | with a specially crafted file). Credit: Hendrik Weimer. |
| 981 | CVE-2006-1629. |
| 982 | |
| 983 | The fix is to disallow "setenv" to be pushed to clients from |
| 984 | the server, and to add a new directive "setenv-safe" which is |
| 985 | pushable from the server, but which appends "OPENVPN_" to the |
| 986 | name of each remotely set environmental variable. |
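The policy described in the fix above, as an added example that is not OpenVPN's own option parser: "setenv" is honoured only from the local configuration, and a pushed line must use "setenv-safe", whose variable name is forced under the OPENVPN_ prefix so a remote peer can never define a name such as LD_PRELOAD that the up/down script environment would interpret. The three-word line format and the name character set are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum option_source { SRC_LOCAL_CONFIG, SRC_PUSHED_BY_SERVER };

#define SAFE_PREFIX "OPENVPN_"

struct env_result {
    bool accepted;
    char name[160];
    char value[256];
    const char *reason;      /* why a line was refused, or "ok" */
};

/* Apply one "setenv NAME VALUE" or "setenv-safe NAME VALUE" line from
 * the given source. Assumption: a line is exactly three words. */
struct env_result apply_setenv_line(const char *line, enum option_source src)
{
    struct env_result r = { false, "", "", "ok" };
    char directive[32], name[128], value[256];

    if (sscanf(line, "%31s %127s %255s", directive, name, value) != 3) {
        r.reason = "malformed setenv line";
        return r;
    }
    for (const char *p = name; *p; p++) {
        if (!isalnum((unsigned char)*p) && *p != '_') {
            r.reason = "invalid character in variable name";
            return r;
        }
    }
    if (strcmp(directive, "setenv") == 0) {
        if (src != SRC_LOCAL_CONFIG) {
            r.reason = "setenv is not pushable; use setenv-safe";
            return r;
        }
        snprintf(r.name, sizeof r.name, "%s", name);
    } else if (strcmp(directive, "setenv-safe") == 0) {
        /* Prefix unconditionally: a name that already starts with
         * OPENVPN_ gets a second prefix rather than a bypass. */
        snprintf(r.name, sizeof r.name, SAFE_PREFIX "%s", name);
    } else {
        r.reason = "not a setenv directive";
        return r;
    }
    snprintf(r.value, sizeof r.value, "%s", value);
    r.accepted = true;
    return r;
}

/* Wrappers for quick checks (static storage, not thread-safe). */
bool setenv_accepted(const char *line, enum option_source src)
{
    return apply_setenv_line(line, src).accepted;
}

const char *setenv_name(const char *line, enum option_source src)
{
    static struct env_result r;
    r = apply_setenv_line(line, src);
    return r.accepted ? r.name : NULL;
}

int main(void)
{
    /* Constructed pushed lines; the .so path is a placeholder. */
    const char *pushed = "setenv-safe LD_PRELOAD /tmp/constructed.so";
    struct env_result r = apply_setenv_line(pushed, SRC_PUSHED_BY_SERVER);
    printf("%s -> %s=%s (%s)\n", pushed, r.name, r.value, r.reason);
    r = apply_setenv_line("setenv LD_PRELOAD /tmp/constructed.so",
                          SRC_PUSHED_BY_SERVER);
    printf("plain setenv from server: accepted=%d (%s)\n", r.accepted, r.reason);
    return 0;
}
```

The check on the variable name is what makes the prefix meaningful: without it a pushed name containing "=" or whitespace could still smuggle a second assignment into whatever later builds the script environment.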
| 987 | |
| 988 | * "topology subnet" fix for FreeBSD (Benoit Bourdin). |
| 989 | |
| 990 | * PKCS11 fixes (Alon Bar-Lev). For full description: |
| 991 | svn log -r990 http://svn.openvpn.net/projects/openvpn/branches/BETA21 |
| 992 | |
| 993 | * When deleting routes under Linux, use the route metric |
| 994 | as a differentiator to ensure that the route teardown |
| 995 | process only deletes the identical route which was originally |
| 996 | added via the "route" directive (Roy Marples). |
| 997 | |
| 998 | * Fix the t_cltsrv.sh file in FreeBSD 4 jails |
| 999 | (Matthias Andree, Dirk Meyer, Vasil Dimov). |
| 1000 | |
| 1001 | * Extended tun device configure code to support ethernet |
| 1002 | bridging on NetBSD (Emmanuel Kasper). |
| 1003 | |
| 1004 | 2006.02.19 -- Version 2.1-beta11 |
| 1005 | |
| 1006 | * Fixed --port-share bug that caused premature closing |
| 1007 | of proxied sessions. |
| 1008 | |
| 1009 | 2006.02.17 -- Version 2.1-beta10 |
| 1010 | |
| 1011 | * Fixed --port-share breakage introduced in 2.1-beta9. |
| 1012 | |
| 1013 | 2006.02.16 -- Version 2.1-beta9 |
| 1014 | |
| 1015 | * Added --port-share option for allowing OpenVPN and HTTPS |
| 1016 | server to share the same port number. |
| 1017 | * Added --management-client option to connect as a client |
| 1018 | to management GUI app rather than be connected to as a |
| 1019 | server. |
| 1020 | * Added "bytecount" command to management interface. |
| 1021 | * --remote-cert-tls fixes (Alon Bar-Lev). |
| 1022 | |
| 1023 | 2006.01.03 -- Version 2.1-beta8 |
| 1024 | |
| 1025 | * --remap-usr1 will now also remap signals thrown during |
| 1026 | initialization. |
| 1027 | * Added --connect-timeout option to control the timeout |
| 1028 | on TCP client connection attempts (doesn't work on all |
| 1029 | OSes). This patch also makes OpenVPN signalable during |
| 1030 | TCP connection attempts. |
| 1031 | * Fixed bug in acinclude.m4 where capability of compiler |
| 1032 | to handle zero-length arrays in structs is tested |
| 1033 | (David Stipp). |
| 1034 | * Fixed typo in manage.c where inline function declaration |
| 1035 | was declared without the "static" keyword (David Stipp). |
| 1036 | * Patch to support --topology subnet on Mac OS X (Mathias Sundman). |
| 1037 | * Added --auto-proxy directive to auto-detect HTTP or SOCKS |
| 1038 | proxy settings (currently Windows only). |
| 1039 | * Removed redundant base64 code. |
| 1040 | * Better sanity checking of --server and --server-bridge |
| 1041 | IP pool ranges, so as not to hit the assertion at |
| 1042 | pool.c:119 (2.0.5). |
| 1043 | * Fixed bug where --daemon and --management-query-passwords |
| 1044 | used together would cause OpenVPN to block prior to |
| 1045 | daemonization. |
| 1046 | * Fixed client/server race condition which could occur |
| 1047 | when --auth-retry interact is set and the initially |
| 1048 | provided auth-user-pass credentials are incorrect, |
| 1049 | forcing a username/password re-query. |
| 1050 | * Fixed bug where if --daemon and --management-hold are |
| 1051 | used together, --user or --group options would be ignored. |
| 1052 | * --ip-win32 adaptive is now the default. |
| 1053 | * --ip-win32 netsh (or --ip-win32 adaptive when in netsh |
| 1054 | mode) can now set DNS/WINS addresses on the TAP-Win32 |
| 1055 | adapter. |
| 1056 | * Added new option --route-method adaptive (Win32) |
| 1057 | which tries IP helper API first, then falls back to |
| 1058 | route.exe. |
| 1059 | * Made --route-method adaptive the default. |
| 1060 | |
| 1061 | 2005.11.12 -- Version 2.1-beta7 |
| 1062 | |
| 1063 | * Allow blank passwords to be passed via the management |
| 1064 | interface. |
| 1065 | * Fixed bug where "make check" inside a FreeBSD "jail" |
| 1066 | would never complete (Matthias Andree). |
| 1067 | * Fixed bug where --server directive in --dev tap mode |
| 1068 | claimed that it would support subnets of /30 or less |
| 1069 | but actually would only accept /29 or less. |
| 1070 | * Extend byte counters to 64 bits (M. van Cuijk). |
| 1071 | * Fixed bug in Linux get_default_gateway function |
| 1072 | introduced in 2.0.4, which would cause redirect-gateway |
| 1073 | on Linux clients to fail. |
| 1074 | * Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to |
| 1075 | be compatible with 2.0.x distribution. |
| 1076 | * Documented --route-nopull. |
| 1077 | * Documented --ip-win32 adaptive. |
| 1078 | * Windows build now linked with LZO2. |
| 1079 | * Allow ca, cert, key, and dh files to be specified |
| 1080 | inline via XML-like syntax without needing to |
| 1081 | reference an explicit file. |
| 1082 | For example: |
| 1083 | <ca> |
| 1084 | data here... |
| 1085 | </ca> |
| 1086 | * Allow plugin and push directives to have multi-line |
| 1087 | parameter lists such as: |
| 1088 | <plugin> |
| 1089 | my-plugin.so |
| 1090 | parm1 |
| 1091 | parm2 |
| 1092 | </plugin> |
| 1093 | * Added connect-retry-max option (Alon Bar-Lev). |
| 1094 | * Fixed problems where signals thrown during initialization |
| 1095 | were not returning to a management-hold state. |
| 1096 | * Added a backtrack-hardened system time algorithm. |
| 1097 | * Added --remote-cert-ku, --remote-cert-eku, and |
| 1098 | --remote-cert-tls options for verifying certificate |
| 1099 | attributes (Alon Bar-Lev). |
| 1100 | * For Windows, reverted --ip-win32 default back to "dynamic". |
| 1101 | To use new adaptive mode, set explicitly. |
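A parser for the two inline forms introduced in this release (the `<ca>` file-data block and the `<plugin>` multi-line parameter list), added here as an example; it is not OpenVPN's own config parser. It assumes that ca, cert, key and dh blocks are file data to keep verbatim, that every other block is a parameter list joined with spaces, and that an unterminated, nested or mismatched block is a hard error rather than something to guess at, since the block may hold key material. The sample config and its certificate body are constructed placeholders.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_OPTS 16
#define VAL_LEN 512

struct config {
    int n;
    char name[MAX_OPTS][32];
    char value[MAX_OPTS][VAL_LEN]; /* file data (verbatim) or space-joined args */
};

/* Options whose inline body is file data kept verbatim, line breaks included;
 * any other block (plugin, push) is a parameter list joined with spaces. */
static bool is_file_option(const char *name)
{
    return !strcmp(name, "ca") || !strcmp(name, "cert") ||
           !strcmp(name, "key") || !strcmp(name, "dh");
}

static bool append(char *dst, size_t size, const char *s)
{
    size_t used = strlen(dst), add = strlen(s);
    if (used + add + 1 > size)
        return false;                 /* refuse to silently truncate */
    memcpy(dst + used, s, add + 1);
    return true;
}

/* Parse "name args", "<name>" ... "</name>" lines. Returns the option count,
 * or -1 on an unterminated, nested or mismatched block or on overflow. */
int parse_config(const char *text, struct config *cfg)
{
    char open_tag[32] = "";
    memset(cfg, 0, sizeof *cfg);
    while (*text) {
        char line[VAL_LEN];
        size_t len = strcspn(text, "\n");
        if (len >= sizeof line) return -1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += len + (text[len] == '\n');
        if (len && line[len - 1] == '\r') line[len - 1] = '\0';
        if (line[0] == '\0' || line[0] == '#') continue;

        if (open_tag[0]) {                       /* inside <tag> ... </tag> */
            char close[40];
            snprintf(close, sizeof close, "</%s>", open_tag);
            if (strcmp(line, close) == 0) { open_tag[0] = '\0'; cfg->n++; continue; }
            if (line[0] == '<') return -1;       /* nested or wrong close tag */
            char *val = cfg->value[cfg->n];
            if (is_file_option(open_tag)) {
                if (!append(val, VAL_LEN, line) || !append(val, VAL_LEN, "\n")) return -1;
            } else if ((val[0] && !append(val, VAL_LEN, " ")) || !append(val, VAL_LEN, line)) {
                return -1;
            }
            continue;
        }
        if (cfg->n >= MAX_OPTS) return -1;
        if (line[0] == '<') {                    /* opening tag */
            size_t l = strlen(line);
            if (l < 3 || line[1] == '/' || line[l - 1] != '>' || l - 2 >= sizeof open_tag)
                return -1;
            memcpy(open_tag, line + 1, l - 2);
            open_tag[l - 2] = '\0';
            snprintf(cfg->name[cfg->n], sizeof cfg->name[0], "%s", open_tag);
            continue;                            /* cfg->n advances at the close tag */
        }
        size_t nlen = strcspn(line, " \t");      /* plain "name args" line */
        if (nlen >= sizeof cfg->name[0]) return -1;
        memcpy(cfg->name[cfg->n], line, nlen);
        cfg->name[cfg->n][nlen] = '\0';
        const char *args = line + nlen + strspn(line + nlen, " \t");
        snprintf(cfg->value[cfg->n], VAL_LEN, "%s", args);
        cfg->n++;
    }
    return open_tag[0] ? -1 : cfg->n;
}

const char *config_get(const struct config *cfg, const char *name)
{
    for (int i = 0; i < cfg->n; i++)
        if (strcmp(cfg->name[i], name) == 0) return cfg->value[i];
    return NULL;
}

/* Constructed sample config; the certificate body is a placeholder. */
static const char SAMPLE_CONFIG[] =
    "client\n"
    "<ca>\n"
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDERBASE64DATA\n"
    "-----END CERTIFICATE-----\n"
    "</ca>\n"
    "<plugin>\n"
    "my-plugin.so\n"
    "parm1\n"
    "parm2\n"
    "</plugin>\n"
    "verb 3\n";

static struct config g_cfg;
int parse_sample(void) { return parse_config(SAMPLE_CONFIG, &g_cfg); }
const char *sample_get(const char *name) { return config_get(&g_cfg, name); }
int parse_scratch(const char *text) { struct config c; return parse_config(text, &c); }
```

Treating a truncated or mismatched block as fatal is the conservative choice here: a silently shortened `<ca>` body would leave the client validating the server against an incomplete trust anchor, which is a harder failure to notice than a refused config.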
| 1102 | |
| 1103 | 2005.11.01 -- Version 2.1-beta6 |
| 1104 | |
| 1105 | * Security fix (merged from 2.0.4) -- Affects non-Windows |
| 1106 | OpenVPN clients of version 2.0 or higher which connect to |
| 1107 | a malicious or compromised server. A format string |
| 1108 | vulnerability in the foreign_option function in options.c |
| 1109 | could potentially allow a malicious or compromised server |
| 1110 | to execute arbitrary code on the client. Only |
| 1111 | non-Windows clients are affected. The vulnerability |
| 1112 | only exists if (a) the client's TLS negotiation with |
| 1113 | the server succeeds, (b) the server is malicious or |
| 1114 | has been compromised such that it is configured to |
| 1115 | push a maliciously crafted options string to the client, |
| 1116 | and (c) the client indicates its willingness to accept |
| 1117 | pushed options from the server by having "pull" or |
| 1118 | "client" in its configuration file (Credit: Vade79). |
| 1119 | CVE-2005-3393 |
| 1120 | * Security fix -- (merged from 2.0.4) Potential DoS |
| 1121 | vulnerability on the server in TCP mode. If the TCP |
| 1122 | server accept() call returns an error status, the resulting |
| 1123 | exception handler may attempt to indirect through a NULL |
| 1124 | pointer, causing a segfault. Affects all OpenVPN 2.0 versions. |
| 1125 | CVE-2005-3409 |
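The bug class behind CVE-2005-3393, as an added example rather than OpenVPN's own foreign_option code: a pushed option must only ever reach the logger as a "%s" argument, never as the format string itself. The msg() stand-in writing into a buffer is this example's assumption so that the result can be checked; the detector counts conversion directives in peer-supplied text, which is a useful assertion to keep near any logging of untrusted input.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for a printf-style logger such as OpenVPN's msg();
 * it keeps the last formatted line so the behaviour is observable. */
static char last_log[256];
static void msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Count printf conversion directives in peer-supplied text. A nonzero
 * result means the text must never be used as a format string; "%%" is
 * a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* The bug pattern, shown only as a comment because with input such as
 * "%n" the call has undefined behaviour:
 *     msg(option);        <- peer-controlled text used as the format
 * Hardened form: the pushed text is always a %s argument, so "%n" in
 * it is printed, not interpreted. Returns the line that was logged. */
const char *log_foreign_option(const char *option)
{
    msg("Pushed option: '%s'", option);
    return last_log;
}

/* Defensive check a server-side or client-side handler can keep: refuse
 * to pass on text that would have been dangerous under the old pattern. */
bool foreign_option_is_plain(const char *option)
{
    return count_format_directives(option) == 0;
}

int main(void)
{
    /* Constructed pushed option lines. */
    printf("%s\n", log_foreign_option("dhcp-option DNS 10.8.0.1"));
    printf("%s\n", log_foreign_option("dhcp-option DOMAIN 100%%local"));
    printf("directives in \"%%n%%x\": %d\n", count_format_directives("%n%x"));
    return 0;
}
```

The second entry above (CVE-2005-3409) is the same kind of lesson from the other side of the connection: an error path that runs before the object it reports on exists must not assume the pointer is valid.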
| 1126 | * Attempted fix for the assertion at multi.c:1586 (note that |
| 1127 | this precise line number will vary across different |
| 1128 | versions of OpenVPN). |
| 1129 | * Windows reliability changes: |
| 1130 | (a) Added code to make sure that the local PATH environmental |
| 1131 | variable points to the Windows system32 directory. |
| 1132 | (b) Added new --ip-win32 adaptive mode which tries 'dynamic' |
| 1133 | and then fails over to 'netsh' if the DHCP negotiation fails. |
| 1134 | (c) Made --ip-win32 adaptive the default. |
| 1135 | * More PKCS#11 additions/changes (Alon Bar-Lev). |
| 1136 | * Added ".PHONY: plugin" to Makefile.am to work around |
| 1137 | "make dist" issue. |
| 1138 | * Fixed double fork issue that occurs when --management-hold |
| 1139 | is used. |
| 1140 | * Moved TUN/TAP read/write log messages from --verb 8 to 6. |
| 1141 | * Warn when multiple clients having the same common name or |
| 1142 | username usurp each other when --duplicate-cn is not used. |
| 1143 | * Modified Windows and Linux versions of get_default_gateway |
| 1144 | to return the route with the smallest metric |
| 1145 | if multiple 0.0.0.0/0.0.0.0 entries are present. |
| 1146 | * Added ">NEED-OK" alert and "needok" command to management |
| 1147 | interface to provide a general interface for sending |
| 1148 | alerts to the end-user. Used by the PKCS#11 code |
| 1149 | to send Token Insertion Requests to the user. |
| 1150 | * Added actual remote address used to the ">STATE" alert |
| 1151 | in the management interface (Rolf Fokkens). |
| 1152 | |
| 1153 | 2005.10.17 -- Version 2.1-beta4 |
| 1154 | |
| 1155 | * Fixed bug introduced in 2.1-beta3 where management |
| 1156 | socket bind would fail. |
| 1157 | * --capath fix in ssl.c (Zhuang Yuyao). |
| 1158 | * Added ".PHONY: plugin" to Makefile.am, reverted |
| 1159 | location of "plugin" directory (thanks to |
| 1160 | Matthias Andree for figuring this out). |
| 1161 | |
| 1162 | 2005.10.16 -- Version 2.1-beta3 |
| 1163 | |
| 1164 | * Added PKCS#11 support (Alon Bar-Lev). |
| 1165 | * Enable the use of --ca together with --pkcs12. If --ca is |
| 1166 | used at the same time as --pkcs12, the CA certificate is loaded |
| 1167 | from the file specified by --ca regardless if the pkcs12 file |
| 1168 | contains a CA cert or not (Mathias Sundman). |
| 1169 | * Merged --capath patch (Thomas Noel). |
| 1170 | * Merged --multihome patch. |
| 1171 | * Added --bind option for TCP client connections (Ewan Bhamrah |
| 1172 | Harley). |
| 1173 | * Moved "plugin" directory to "plugins" to deal with strange |
| 1174 | automake problem that ended up being also fixable with |
| 1175 | ".PHONY: plugin" in Makefile.am. |
| 1176 | |
| 1177 | 2005.10.13 -- Version 2.1-beta2 |
| 1178 | |
| 1179 | * Made --sndbuf and --rcvbuf pushable. |
| 1180 | |
| 1181 | 2005.10.01 -- Version 2.1-beta1 |
| 1182 | |
| 1183 | * Made LZO setting pushable. |
| 1184 | * Renamed sample-keys/tmp-ca.crt to ca.crt. |
| 1185 | * Fixed bug where remove_iroutes_from_push_route_list |
| 1186 | was missing routes if those routes had |
| 1187 | an implied netmask (by omission) of 255.255.255.255. |
| 1188 | * Merged with 2.0.3-rc1 |
| 1189 | * easy-rsa/2.0 moved to easy-rsa |
| 1190 | * old easy-rsa moved to easy-rsa/1.0 |
| 1191 | }}} |