Preparing release 2.5.11

cron2 · cron2 · commit 6fb2a2560845 · 2024-07-18T14:46:01.000+02:00
version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering &lt;gert@greenie.muc.de&gt;
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,12 @@
 OpenVPN Change Log
 Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
 
+2024.07.18 -- Version 2.5.11
+
+Arne Schwabe (2):
+      Properly handle null bytes and invalid characters in control messages
+      Allow trailing \r and \n in control channel message
+
 2024.03.21 -- Version 2.5.10
 
 Arne Schwabe (1):
diff --git a/Changes.rst b/Changes.rst
@@ -1,3 +1,15 @@
+Overview of changes in 2.5.11
+=============================
+Security fixes
+--------------
+- CVE-2024-5594: control channel: refuse control channel messages with
+  nonprintable characters in them.  Security scope: a malicious openvpn
+  peer can send garbage to openvpn log, or cause high CPU load.
+  (Reynir Björnsson)
+
+  (Backport of the security fix in 2.6.11 and the fix for the bugfix
+  in 2.6.12)
+
 Overview of changes in 2.5.10
 =============================
 Security fixes
diff --git a/version.m4 b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [5])
-define([PRODUCT_VERSION_PATCH], [.10])
+define([PRODUCT_VERSION_PATCH], [.11])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,5,10,0])
+define([PRODUCT_VERSION_RESOURCE], [2,5,11,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
