OpenVPN Release 2.7_rc3

version.m4, ChangeLog, Changes.rst

Changes.rst has not received an "2.7_rc3" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta/rc*
releases it's better to look at git log to see what has been added/fixed.

Notable changes rc2 -> rc3 are:
    - Windows/Interactive Service bugfixes
        many small bugfixes to registry-related DNS domain handling
    - Windows/Interactive Service: harden service pipe handling
        close a small race condition, and add restrictive ACLs
    - Windows/Interactive Service: CVE-2025-13751
        fix bug where the interactive service would error-exit in
        certain error conditions instead of just logging the fact and
        continuing.  After the error-exit, OpenVPN connections will no
        longer work until the service is restarted (or the system rebooted).
        This can be triggered by any authenticated local user, and has
        thus been classified as a "local denial of service" attack.
    - more type conversion related warnings have been fixed
    - --multihome behaviour regarding egress interface selection has been
      changed.  See Changes.rst and manpage for details.
    - cleanup dead code in event handling code (leftover of the multisocket
      patch set)
    - add new feature, --tls-crypt-v2-max-age n.  See Changes.rst and
      manpage for details.
    - improve documentation to point out the pitfalls of case-insensitive
      filesystems and --client-config-dir
    - split default gateway query logic in two:
        - for --redirect-gateway functionality, query for the gateway towards
          the actual IP address of the VPN server connecting to
        - for the "net_gateway" special destination for --route, and the
          corresponding environment variable, always query for 0.0.0.0 / ::
      (this will only make a difference in certain scenarios using a local
      proxy, or on a system with multiple interfaces, not using the "default
      route" for the VPN connection - see github#890)
    - upgrade embedded pkcs11-helper vcpkg + pkcs11-uri patch to 1.31
    - CMake / autoconf cleanup wrt unused checks, outdated old-Linux checks,
      Windows oddities
    - DCO (primarily Linux): improve handling of bulk notifications from
      kernel (do not lose notifications, do not crash) (github#900)

Signed-off-by: Gert Doering <[email protected]>

Author: cron2

ChangeLog

@@ -1,6 +1,58 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2025 OpenVPN Inc <[email protected]>
 
+2025.11.28 -- Version 2.7_rc3
+
+Frank Lichtenheld (9):
+      doc: Document potential filesystem pitfalls of client-config-dir
+      GHA: Maintenance update November 2025
+      GHA: Add macos-26 and remove OpenSSL 1.1 builds on macOS
+      tls_crypt: Fix Coverity complaint in tls_crypt_v2_check_client_key_age
+      Changes.rst: Fix various syntax errors and typos
+      error: Allow status argument to check_status to be ssize_t
+      Linux: Assume we have a kernel that was release in the last 15 years
+      configure/CMake: Remove unused checks
+      configure/CMake: Unify Windows handling
+
+Gert Doering (4):
+      Change '--multihome' behaviour regarding egress interface selection.
+      extract_x509_field_ssl(): verify that X509_NAME is not NULL.
+      Remove remainders of --no-name-remapping option
+      OpenVPN Release 2.7_rc3
+
+Gianmarco De Gregori (2):
+      multi-socket: remove duplicated/dead code
+      multi-socket: do not return tuntap flags on server-side
+
+Heiko Hund (9):
+      iservice: fix buffer size in call to FormatMessage
+      iservice: make sure buffer size is not zero
+      iservice: make sure registry string is terminated
+      iservice: check for NULL pointer
+      iservice: fix calculation of converted domains size
+      iservice: return correct size when domains are truncated
+      iservice: handle ignoring itf domains correctly
+      iservice: fix off by one error
+      iservice: rename one_glyph to glyph_size
+
+Lev Stipakov (1):
+      interactive.c: harden pipe handling against misbehaving clients
+
+Marco Baffo (1):
+      route: handle default gateway (net_gateway) and nexthop towards VPN server separately
+
+Max Fillinger (1):
+      Add option to check tls-crypt-v2 key timestamps
+
+Ralf Lici (1):
+      dco: process messages immediately after read
+
+Selva Nair (3):
+      vcpkg-ports/pkcs11-helper: bump version to 1.31
+      Harden interactive service pipe
+      Restrict access to the service pipe to SYSTEM and owner
+
+
 2025.11.17 -- Version 2.7_rc2
 
 Antonio Quartulli (4):

Changes.rst

@@ -177,6 +177,10 @@ Improved BYTECOUNT support - more strictly adhere to timing interval
 
 Improve compatibility with OpenSSL 3.6.0 (do not fail t_lpback selftest)
 
+New option ``--tls-crypt-v2-max-age n`` to check tls-crypt-v2 timestamps
+   (When a client is older than n days or has no timestamp, the server
+    will reject it)
+
 
 Deprecated features
 -------------------
@@ -260,7 +264,7 @@ User-visible Changes
 
 - ``--lport 0`` does not imply ``--bind`` anymore.
 
-- ``--redirect--gateway`` now works correctly if the VPN remote is not
+- ``--redirect-gateway`` now works correctly if the VPN remote is not
   reachable by the default gateway.
 
 - ``--show-gateway`` now supports querying the gateway for IPv4 addresses.

version.m4

@@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [7])
-define([PRODUCT_VERSION_PATCH], [_rc2])
+define([PRODUCT_VERSION_PATCH], [_rc3])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])