From fccae1fa71140bd66f4a57597ca3c7307ba05b30 Mon Sep 17 00:00:00 2001
From: Gert Doering
Date: Thu, 21 Mar 2024 18:03:36 +0100
Subject: [PATCH] Preparing release 2.5.10 version.m4, ChangeLog, Changes.rst
Signed-off-by: Gert Doering
---
 ChangeLog | 14 ++++++++++++++
 Changes.rst | 28 ++++++++++++++++++++++++++++
 version.m4 | 4 ++--
 3 files changed, 44 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3701823d5df..250a06743b9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,20 @@
 OpenVPN Change Log
 Copyright (C) 2002-2022 OpenVPN Inc
+2024.03.21 -- Version 2.5.10
+
+Arne Schwabe (1):
+ Add Apache2 linking with for new commits
+
+George Pchelkin (1):
+ fix typo: dhcp-options to dhcp-option in vpn-network-options.rst
+
+Lev Stipakov (3):
+ win32: Enforce loading of plugins from a trusted directory
+ interactive.c: disable remote access to the service pipe
+ interactive.c: Fix potential stack overflow issue
+
+
 2023.02.14 -- Version 2.5.9
 Arne Schwabe (6):
diff --git a/Changes.rst b/Changes.rst
index 3ba78c6c7a7..59626c3ca54 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -1,3 +1,31 @@
+Overview of changes in 2.5.10
+=============================
+Security fixes
+--------------
+- CVE-2024-27459: Windows: fix a possible stack overflow in the
+ interactive service component which might lead to a local privilege
+ escalation.
+ Reported-by: Vladimir Tokarev
+
+- CVE-2024-24974: Windows: disallow access to the interactive service
+ pipe from remote computers.
+ Reported-by: Vladimir Tokarev
+
+- CVE-2024-27903: Windows: disallow loading of plugins from untrusted
+ installation paths, which could be used to attack openvpn.exe via
+ a malicious plugin. Plugins can now only be loaded from the OpenVPN
+ install directory, the Windows system directory, and possibly from
+ a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir.
+ Reported-by: Vladimir Tokarev
+
+User visible changes
+--------------------
+- License amendment: all NEW commits fall under a modified license that
+ explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL) -
+ see COPYING for details. Existing code in the release/2.5 branch
+ will not been relicensed (only in release/2.6 and later branches).
+
+
 Overview of changes in 2.5.9
 ============================
diff --git a/version.m4 b/version.m4
index 53d1edf57d7..c6afb8bd1d4 100644
--- a/version.m4
+++ b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [5])
-define([PRODUCT_VERSION_PATCH], [.9])
+define([PRODUCT_VERSION_PATCH], [.10])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,5,9,0])
+define([PRODUCT_VERSION_RESOURCE], [2,5,10,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])