From 375a373310ec2e4f2d9ede63484bb56a1d389851 Mon Sep 17 00:00:00 2001 From: james Date: Wed, 10 Sep 2008 07:16:14 +0000 Subject: Version 2.1_rc10 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3323 e7ae566f-a301-0410-adde-c780ea21d3b5 --- ChangeLog | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 28ee632..1da49bd 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -3,6 +3,99 @@ Copyright (C) 2002-2008 Telethra, Inc. $Id$ +2008.09.10 -- Version 2.1_rc10 + +* Added "--server-bridge" (without parameters) to enable + DHCP proxy mode: Configure server mode for ethernet + bridging using a DHCP-proxy, where clients talk to the + OpenVPN server-side DHCP server to receive their IP address + allocation and DNS server addresses. + +* Added "--route-gateway dhcp", to enable the extraction + of the gateway address from a DHCP negotiation with the + OpenVPN server-side LAN. + +* Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns + on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255, + ignore it. + +* Warn when ethernet bridging that the IP address of the bridge adapter + is probably not the same address that the LAN adapter was set to + previously. + +* When running as a server, warn if the LAN network address is + the all-popular 192.168.[0|1].x, since this condition commonly + leads to subnet conflicts down the road. + +* Primarily on the client, check for subnet conflicts between + the local LAN and the VPN subnet. + +* Added a 'netmask' parameter to get_default_gateway, to return + the netmask of the adapter containing the default gateway. + Only implemented on Windows so far. Other platforms will + return 255.255.255.0. Currently the netmask information is + only used to warn about subnet conflicts. + +* Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO + and USE_SSL flags are enabled (Alon Bar-Lev). + +* Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new + --script-security rules. Also adds retrying if the addresses are in + use (Matthias Andree). + +* Fixed build issue with ./configure --disable-socks --disable-http. + +* Fixed separate compile errors in options.c and ntlm.c that occur + on strict C compilers (such as old versions of gcc) that require + that C variable declarations occur at the start of a {} block, + not in the middle. 
+ +* Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which + the new implementation of extract_x509_field_ssl depends on. + +* LZO compression buffer overflow errors will now invalidate + the packet rather than trigger a fatal assertion. + +* Fixed minor compile issue in ntlm.c (mid-block declaration). + +* Added --allow-pull-fqdn option which allows client to pull DNS names + from server (rather than only IP address) for --ifconfig, --route, and + --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names + for these options to be pulled and translated to IP addresses by default. + Now --allow-pull-fqdn will be explicitly required on the client to enable + DNS-name-to-IP-address translation of pulled options. + +* 2.1_rc8 and earlier did implicit shell expansion on script + arguments since all scripts were called by system(). + The security hardening changes made to 2.1_rc9 no longer + use system(), but rather use the safer execve or CreateProcess + system calls. The security hardening also introduced a + backward incompatibility with 2.1_rc8 and earlier in that + script parameters were no longer shell-expanded, so + for example: + + client-connect "docc CLIENT-CONNECT" + + would fail to work because execve would try to execute + a script called "docc CLIENT-CONNECT" instead of "docc" + with "CLIENT-CONNECT" as the first argument. + + This patch fixes the issue, bringing the script argument + semantics back to pre 2.1_rc9 behavior in order to preserve + backward compatibility while still using execve or CreateProcess + to execute the script/executable. + +* Modified ip_or_dns_addr_safe, which validates pulled DNS names, + to more closely conform to RFC 3696: + + (1) DNS name length must not exceed 255 characters + + (2) DNS name characters must be limited to alphanumeric, + dash ('-'), and dot ('.') + +* Fixed bug in intra-session TLS key rollover that was introduced with + deferred authentication features in 2.1_rc8. 
+ 2008.07.31 -- Version 2.1_rc9 * Security Fix -- affects non-Windows OpenVPN clients running -- cgit v1.2.3
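Review bot: the ntlm.c mid-block declaration fix is listed twice in this hunk ("Fixed separate compile errors in options.c and ntlm.c ..." and, further down, "Fixed minor compile issue in ntlm.c (mid-block declaration)"); drop the second entry or fold it into the first. Two entries also leave out what an operator needs to know. The ip_or_dns_addr_safe entry cites RFC 3696 but lists only the 255-character total limit and the alphanumeric/dash/dot character set, whereas RFC 3696 section 2 also caps each label at 63 octets and forbids a label that begins or ends with a hyphen, so the entry should state whether those checks are enforced (or the validator should add them). The script-argument entry restores pre-2.1_rc9 splitting of a string such as "docc CLIENT-CONNECT" into argv while still calling execve or CreateProcess, but does not say how the string is tokenized (whitespace only, or with quoting), which is exactly what is needed to confirm that no shell metacharacters are interpreted. Minor: the get_default_gateway entry says non-Windows platforms return a fixed netmask of 255.255.255.0; a fabricated /24 can trigger spurious subnet-conflict warnings (or hide real ones) on those platforms, so consider returning an "unknown" value and skipping the conflict check instead.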