preparing release 2.6.14

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering <[email protected]>

Author: cron2

ChangeLog

@@ -1,6 +1,20 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2025 OpenVPN Inc <[email protected]>
 
+2025.04.02 -- Version 2.6.14
+
+Arne Schwabe (1):
+      Allow tls-crypt-v2 to be setup only on initial packet of a session
+
+Frank Lichtenheld (3):
+      GHA: Drop Ubuntu 20.04 and other maintenance (2.6)
+      crypto_backend: fix type of enc parameter
+      Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+
+
+Qingfang Deng (1):
+      dco: fix source IP selection when multihome
+
+
 2025.01.15 -- Version 2.6.13
 
 Arne Schwabe (2):

Changes.rst

@@ -1,3 +1,40 @@
+Overview of changes in 2.6.14
+=============================
+Security fixes
+--------------
+- CVE-2025-2704 fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2
+
+  Security scope: OpenVPN servers between 2.6.1 and 2.6.13 using
+  --tls-crypt-v2 can be made to abort with an ASSERT() message by
+  sending a particular combination of authenticated and malformed packets.
+
+  To trigger the bug, a valid tls-crypt-v2 client key is needed, or
+  network observation of a handshake with a valid tls-crypt-v2 client key
+
+  No crypto integrity is violated, no data is leaked, and no remote
+  code execution is possible.
+
+  This bug does not affect OpenVPN clients.
+
+  (Bug found by internal QA at OpenVPN Inc)
+
+
+Code maintenance
+----------------
+- fix compatibility with mbedTLS 2.28.10+ and 3.6.3+: security "hardening"
+  on the mbedTLS side (adding verification of the server certificate
+  *hostname* inside mbedTLS) broke OpenVPN, as OpenVPN does not use
+  hostname-based verification.  Disable mbedTLS "feature".
+
+- fix compilation warnings for mbedTLS builds related to "enc"
+  enum/integer mismatch.
+
+- Github Action builds: drop Ubuntu 20.04 builds, upgrade various packages
+
+Bug fixes
+---------
+- Linux DCO: repair source IP selection for --multihome (Qingfang Deng)
+
 Overview of changes in 2.6.13
 =============================
 New features

version.m4

@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [6])
-define([PRODUCT_VERSION_PATCH], [.13])
+define([PRODUCT_VERSION_PATCH], [.14])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [[email protected]])
-define([PRODUCT_VERSION_RESOURCE], [2,6,13,0])
+define([PRODUCT_VERSION_RESOURCE], [2,6,14,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])