Comment 3 for bug 279655

Thierry Carrez (ttx) wrote :

Detailed changelog:

[regressionfix] Fixed --lladdr bug introduced in 2.1-rc9 where input validation code was incorrectly expecting the lladdr parameter to be an IP address when it is actually a MAC address (HoverHell).

[bugfix] Fixed a bug that can cause SSL/TLS negotiations in UDP mode to fail if UDP packets are dropped.

[feature] Added "--server-bridge" (without parameters) to enable DHCP proxy mode: Configure server mode for ethernet bridging using a DHCP-proxy, where clients talk to the OpenVPN server-side DHCP server to receive their IP address allocation and DNS server addresses.

[feature] Added "--route-gateway dhcp", to enable the extraction of the gateway address from a DHCP negotiation with the OpenVPN server-side LAN.

[feature] Warn when ethernet bridging that the IP address of the bridge adapter is probably not the same address that the LAN adapter was set to previously.

[feature] When running as a server, warn if the LAN network address is the all-popular 192.168.[0|1].x, since this condition commonly leads to subnet conflicts down the road.

[bugfix] Primarily on the client, check for subnet conflicts between the local LAN and the VPN subnet.

[buildfix] Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO and USE_SSL flags are enabled (Alon Bar-Lev).

[buildfix] Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new --script-security rules. Also adds retrying if the addresses are in use (Matthias Andree).

[buildfix] Fixed build issue with ./configure --disable-socks --disable-http.

[buildfix] Fixed separate compile errors in options.c and ntlm.c that occur on strict C compilers (such as old versions of gcc) that require that C variable declarations occur at the start of a {} block, not in the middle.

[bugfix] Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which the new implementation of extract_x509_field_ssl depends on.

[bugfix] LZO compression buffer overflow errors will now invalidate the packet rather than trigger a fatal assertion.

[buildfix] Fixed minor compile issue in ntlm.c (mid-block declaration).

[regressionfix] Added --allow-pull-fqdn option which allows client to pull DNS names from server (rather than only IP address) for --ifconfig, --route, and --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names for these options to be pulled and translated to IP addresses by default. Now --allow-pull-fqdn will be explicitly required on the client to enable DNS-name-to-IP-address translation of pulled options.

[regressionfix] 2.1_rc8 and earlier did implicit shell expansion on script arguments since all scripts were called by system(). The security hardening changes made to 2.1_rc9 no longer use system(), but rather use the safer execve or CreateProcess system calls. The security hardening also introduced a backward incompatibility with 2.1_rc8 and earlier in that script parameters were no longer shell-expanded

[rfc-conformancefix] Modified ip_or_dns_addr_safe, which validates pulled DNS names to more closely conform to RFC 3696

[regressionfix] Fixed bug in intra-session TLS key rollover that was introduced with deferred authentication features in 2.1_rc8.