From 5c4e4c08679c6c754928d4f6c31ab6180b3cff3d Mon Sep 17 00:00:00 2001
From: Gert Doering
Date: Mon, 30 Mar 2026 16:40:46 +0200
Subject: [PATCH] OpenVPN Release 2.7.1 version.m4, ChangeLog, Changes.rst
Signed-off-by: Gert Doering
---
 ChangeLog | 62 +++++++++++++++++++++++++++++++++++++++++++++++
 Changes.rst | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 version.m4 | 4 ++--
 3 files changed, 133 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index aff3519d..d10475cb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,68 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2026 OpenVPN Inc
 
+2026.03.31 -- Version 2.7.1
+
+Antonio Quartulli (1):
+ options: drop useless init_gc param for init_options()
+
+Arne Schwabe (12):
+ Change stream_buf_read_setup_dowork parameter to struct steam_buf
+ DCO Linux: Fix setting DCO ifmode failing on big endian archs
+ Merge stream_buf_get_next and stream_buf_set_next
+ AWS-LC: Add missing return and cast in ssl_tls1_PRF
+ GHA: Install aws-lc under /opt/aws-lc
+ Show version and double check we use the right TLS library in Github Actions
+ Remove unnecessary OpenSSL init and cleanup commands in unit tests
+ GHA: Cache built crypto libraries
+ Use openssl_err_t typedef to deal with difference between TLS libraries
+ Do not support tls_ctx_set_cert_profile on AWS-LC
+ Use const specifices in extract_x509_field_ssl
+ Increase default size of internal hash maps to 4 * --max-clients
+
+Frank Lichtenheld (7):
+ clang-format: Add missing InsertBraces: true
+ auth-pam: fix discards 'const' qualifier from pointer target type
+ GHA: Maintenance update February 2026
+ buffer: Add checked_snprintf function and use it in the code
+ vcpkg-ports: Review pkcs11-helper port
+ systemd: Change LimitNPROC to TasksMax and increase limit
+ ssl_verify_openssl: Clean up extract_x509_extension
+
+Gert Doering (4):
+ port-share: log incoming connections at verb 3 only
+ rework all occurrences of 'M_ERR | M_ERRNO'
+ configure.ac: adjust to native inotify support for FreeBSD 15+
+ dco_freebsd: use AF_LOCAL sockets for ioctl() communication with DCO driver
+
+Gianmarco De Gregori (1):
+ socket: restore per-connection lport override over global default
+
+Haixiao Yan (1):
+ tests: skip test execution when cross-compiling
+
+Heiko Hund (2):
+ doc: improve Windows-specific options section
+ doc: fix typo with --ingore-unknown-option
+
+Max Fillinger (1):
+ Avoid unbounded allocations in pkcs11_mbedtls.c
+
+Ralf Lici (1):
+ doc: fix client-nat syntax and examples
+
+Rudi Heitbaum (3):
+ dns: fix discards 'const' qualifier from pointer target type
+ ntlm: fix discards 'const' qualifier from pointer target type
+ ssl_verify_openssl: use official ASN1_STRING_ API
+
+Selva Nair (4):
+ Fixup version command on management interface
+ Document management client versions
+ Use USER_PASS_LEN for private key password buffer size
+ Add an optional username-only flag for auth-user-pass
+
+
 2026.02.11 -- Version 2.7.0
 
 Frank Lichtenheld (3):
diff --git a/Changes.rst b/Changes.rst
index 7de5f10f..8dc38685 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -1,3 +1,72 @@
+Overview of changes in 2.7.1
+============================
+Bugfixes
+--------
+- Fix usage of ``--lport`` inside a ```` block - this got
+ broken with the multi-socket patchset (GH OpenVPN/openvpn#995)
+
+- Do not try to run auto-pam unit test when cross-compiling.
+
+- Do not break private-key passphrases of length >= 64
+ (GH OpenVPN/openvpn#993)
+
+- Fix obscure ASSERT() crash on TCP connects with TAP and no ip config.
+
+- Make DCO work on FreeBSD systems that have no IPv4 support in kernel
+ (FreeBSD PR 286263)
+
+- Make DCO work on Linux on big endian systems (namely, MIPS and PowerPC)
+ (GH OpenVPN/ovpn-dco#96)
+
+New features
+------------
+- Add a new ``username-only`` flag argument to ``--auth-user-pass`` which
+ will now make OpenVPN only query for username and send a dummy password
+ to the server. This is only useful if auth schemes are used on the
+ server side that will do some sort of external challenge base on username,
+ and not password authentication. See discussion in GH OpenVPN/openvpn#501
+ (starting Jan 30, 2024).
+
+- Increase default sizing of internal hash maps to ``4 * --max-clients``.
+ The default used to be ``256`` with a ``--max-clients`` default of
+ 1024 - this is bad for performance, while the memory savings are
+ minimal. On a very memory constrained system, reduce ``--max-clients``.
+
+Long-term code maintenance
+--------------------------
+- Work on OpenSSL 4.0 API support, reducing use of ASN1_STRING members.
+
+- Remove obsolete OpenSSL 1.0.x support code from unit tests.
+
+- Improve documentation of management client versioning, replace magic
+ numbers in the code with an enum type.
+
+- Fixup responses to management interface ``version`` command (for >= 4).
+
+- Make ``--enable-async-push`` work on FreeBSD 15 (which has native
+ inotify support, and consequently no libinotify.pc anymore)
+
+- Adjust some code parts to new "const" handling on string function
+ returns (ISO C23, as implemented by glibc 2.43 and newer).
+
+- Remove erroneous usage of ``M_ERR | M_ERRNO`` throughout the code.
+
+
+User-visible Changes
+--------------------
+- When compiled with the AWS-LC SSL library, using ``--tls-cert-profile``
+ will now print a run-time warning - the library does not support it,
+ so it would silently do nothing.
+
+- Systemd unit files: change LimitNPROC to TasksMax and increase limit
+ (GH: OpenVPN/openvpn#929)
+
+- Documentation improvements.
+
+- port-share: log incoming connections at ``verb 3``, not on ``error``
+ level anymore (GH: OpenVPN/openvpn#976).
+
+
 Overview of changes in 2.7
 ==========================
 New features
diff --git a/version.m4 b/version.m4
index 60294d4b..5d946b75 100644
--- a/version.m4
+++ b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [7])
-define([PRODUCT_VERSION_PATCH], [.0])
+define([PRODUCT_VERSION_PATCH], [.1])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,7,0,0])
+define([PRODUCT_VERSION_RESOURCE], [2,7,1,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])