OpenVPN Release 2.7_rc2

version.m4, ChangeLog, Changes.rst

Changes.rst has not received an "2.7_rc2" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta releases
it's better to look at git log to see what has been added/fixed.

Notable changes rc1 -> rc2 are:
    - IPv6 address parsing: fix buffer overread on invalid input
      (CVE-2025-12106)
    - HMAC verification check: fix incorrect memcmp() call
      (CVE-2025-13086)
    - even more type conversion related warnings have been fixed
    - DCO FreeBSD improvements:
        improving debug messages (verb 6)
        implement client-side counter handling
        repair --inactive (and document shortcomings)
        repair handling of DCO disconnection notifications in --client mode
    - Windows/Service improvements, hardening, bugfixes
        fix DNS address list generation (if 3 or more --dns addresses in use)
        fix DNS server undo_list
        disallow "stdin" as config name unless user has OpenVPN admin privs
        fix compilation errors with MSVC v19
        iservice: improve validation of config path (pathcc lib)
           [NOTE: this breaks OpenVPN compatibility with Windows 7]
        tapctl: refactor, improve output, change driver default to ovpn-dco
        iservice: when restoring iface metrics, enforce correct ifindex
    - improve cmocka unit test assert() handling
    - PUSH_UPDATE server: fix reporting of client IPs in ``status`` output
      after pushing a new IPv4/IPv6 address to client
    - AEAD cipher safety margins: fix calculation of AEAD blocks in use
      (old code would undercount blocks)
    - fix invalid pointer creation / memory overread in tls_pre_decrypt
    - deprecate ``--opt-verify`` (change into no-op + warning)

Signed-off-by: Gert Doering <[email protected]>

Author: cron2

ChangeLog

@@ -1,6 +1,72 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2025 OpenVPN Inc <[email protected]>
 
+2025.11.17 -- Version 2.7_rc2
+
+Antonio Quartulli (4):
+      test_networking: use appropriate assert helpers
+      unit_tests: prefer proper cmocka assert helpers
+      init: make some functions static
+      options: remove --opt-verify functionality
+
+Arne Schwabe (3):
+      Do not underestimate number of encrypted/decrypted AEAD blocks
+      Fix construction of invalid pointer in tls_pre_decrypt
+      Fix memcmp check for the hmac verification in the 3way handshake being inverted
+
+Frank Lichtenheld (17):
+      manage: Correctly handle port 65535 in man_kill
+      pkcs11_openssl: Silence a conversion warning
+      Enable -Wtype-limits by default (via -Wextra)
+      ssl: Change tls_send_payload size argument to size_t
+      openssl_compat: Avoid conversion warning for SSL_get_negotiated_group
+      pkcs11: Avoid some conversion warnings
+      ssl: change return type of calc_control_channel_frame_overhead to size_t
+      otime: Fix various conversion warnings
+      interval: Fix conversion warning
+      forward: Change context_reschedule_sec sec argument to time_t
+      tls_crypt: Avoid some conversion warnings
+      ssl: Fix conversion warning in tls_prepend_opcode_v1
+      ssl: Change update argument of compute_earliest_wakeup to time_t
+      ssl: Clean up type handling in write_string()
+      ssl: Clean up type handling in export_user_keying_material()
+      ssl: Clean up type handling in parse_early_negotiation_tlvs()
+      ssl_pkt: Avoid conversion warnings
+
+Gert Doering (5):
+      FreeBSD DCO: repair incoming 'delete peer' notifications in p2p client mode
+      dco_freebsd.c: add D_DCO_DEBUG messages for counters and notifications
+      dco_freebsd: implement dco_get_peer_stats()
+      FreeBSD DCO: repair --inactive
+      dco_freebsd.c: fix integer warnings
+
+Heiko Hund (7):
+      iservice: fix DNS address list generation
+      msvc: fix struct initialization for v19 compilers
+      iservice: validate config path better
+      win: remove checks for PATHCCH_ENSURE_TRAILING_SLASH
+      iservice: validate config path case-insensitive
+      iservice: make sure directories have trailing backslash
+      iservice: use saved iface index to restore metric
+
+Lev Stipakov (5):
+      tapctl: use better wording for adapters
+      tapctl: factor out command handlers
+      recursive routing: fixes and clean-ups
+      tapctl: make output of 'list' and 'create' commands more verbose
+      tapctl: refactor 'create' command
+
+Marco Baffo (1):
+      PUSH_UPDATE server: update reporting_addr after ifconfig update
+
+Mikhail Khachaiants (1):
+      socket: reject mismatched address family in get_addr_generic
+
+Selva Nair (2):
+      openvpnserv: Disallow stdin as config unless user is authorized
+      Use correct undo_list when clearing DNS addresses
+
+
 2025.10.29 -- Version 2.7_rc1
 
 Antonio Quartulli (1):

Changes.rst

@@ -236,9 +236,6 @@ Using ``--push`` in a mode that is not ``--mode server`` will now print a
 ``--reneg-bytes`` and ``--reneg-packets`` do not work in DCO mode, and will
     now print an appropriate warning.
 
-``--opt-verify`` feature removed
-    This option was already deprecated and it is now being converted to a
-    no-op. Using this option will only print a warning.
 
 User-visible Changes
 --------------------
@@ -324,6 +321,17 @@ User-visible Changes
   options cache, and will be restored to pre-connect values on reconnects
   if the server stops pushing the respective option.
 
+- `tapctl.exe` helper binary on Windows has been reworked to improve
+  help texts (making clear that it can not only do TAP-Adapters but
+  Win-DCO as well), add printing of the hwid to all adapter outputs, and
+  change the default adapter type created to `ovpn-dco`.
+
+Deprecated features
+-------------------
+``--opt-verify`` feature removed
+    This option was already deprecated and it is now being converted to a
+    no-op. Using this option will only print a warning.
+
 
 Overview of changes in 2.6
 ==========================

version.m4

@@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [7])
-define([PRODUCT_VERSION_PATCH], [_rc1])
+define([PRODUCT_VERSION_PATCH], [_rc2])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])