OpenVPN Release 2.7_beta2

version.m4, ChangeLog, Changes.rst

Changes.rst has not received an "2.7_beta2" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta releases
it's better to look at git log to see what has been added/fixed.

Notable changes beta1 -> beta2 are:
   - even more of signed/unsigned related warnings have been fixed
   - #pragmas have been added to all to-be-fixed source files, so we can
     now always enable -Wconversion to see if new code brings new warnings
     (and the CI infra builds with -Werror)
   - add proper input sanitation to DNS strings to prevent an attack
     coming from a trusted-but-malicous OpenVPN server (CVE: 2025-10680,
     affects unixoid systems with --dns-updown scripts and windows using
     the built-in powershell call)
   - greatly improved event log handling for the Windows interactive service
     - this brings build system changes and a new openvpnservmsg.dll
   - bugfixes when using multi-socket on windows
     (properly recognize that TCP server mode does not work with DCO,
     properly handle TCP multi-socket server setups without DCO)
   - bring back configuring of IPv4 broadcast addresses on Linux
     (also backported to 2.6.15)
   - Rename Fox Crypto to Sentyron in copyright notices
   - Switch test_ssl certificate from RSA 2048 to secp384r1
     (so "make check" runs with OpenSSL set to @SECLEVEL=3)
   - repair "--dhcp-option DNS" setting in combination with DHCP (TAP)
     or --up scripts (GH issue #839, #840)
   - clean up MI prefix handling
   - replace all assert() calls with OpenVPN ASSERT()

Author: cron2

ChangeLog

@@ -1,6 +1,66 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2025 OpenVPN Inc <[email protected]>
 
+2025.09.25 -- Version 2.7_beta2
+
+Antonio Quartulli (1):
+      dco: add standard mi prefix handling to multi_process_incoming_dco()
+
+Arne Schwabe (1):
+      Switch test_ssl certificate from RSA 2048 to secp384r1
+
+Frank Lichtenheld (22):
+      openvpn_PRF: Change API to use size_t for lengths
+      ssl_common: Make sure ssl flags are treated as unsigned
+      options: Factor out usages of strtoll and atoll
+      ps: Clean up conversion warnings in journal_add function
+      events: Make sure rwflags are treated as unsigned
+      manage: Change command_line_* API to use size_t for lengths
+      Introduce msglvl_t to unify msglevel type handling
+      socket: Change resolve flags to unsigned int
+      list: Make types of hash elements consistent
+      ssl: Fix -Wconversion warnings in pem_password_callback
+      ssl_verify: Change backend_x509_* functions to size_t for lengths
+      Handle return type of EVP_MD_size
+      Clean up conversion warnings related to base64_{en, de}code
+      configure.ac: Make ACL_CHECK_ADD_COMPILE_FLAGS append instead of prepend
+      Enable a subset of -Wextra
+      socks: factor out socks_proxy_recv_char()
+      multi_io_init: simplify
+      dns: Fix bug in error handling when talking to script
+      Enable -Wconversion -Wno-sign-conversion by default
+      Make unit tests -Wconversion clean
+      ps: Fix conversion warnings related to send/recv return values
+      event: Silence conversion warning in tv_to_ms_timeout
+
+Gert Doering (5):
+      replace assert() calls with ASSERT()
+      remove newline characters at the end of msg() calls
+      dev-tools/gerrit-send-mail.py: include Gerrit URL into the commit message
+      fix building of openvpnsrvmsg.dll from eventmsg.mc in mingw builds
+      Fix t_net.sh / networking_testdriver after 'broadcast' change
+
+Gianmarco De Gregori (2):
+      Multi-socket win: avoid repeated socket_set()
+      Fix multi-socket and dco-win interaction
+
+Lev Stipakov (5):
+      Preserve --dhcp-option values from local config
+      win: replace wmic invocation with powershell
+      openvpnserv: Fix writing messages to the event log
+      GHA: collect more artifacts for mingw builds
+      Validate DNS parameters
+
+Marco Baffo (1):
+      push-update-server: comment about buf_string_compare_advance() usage in send_single_push_update()
+
+Max Fillinger (1):
+      Rename Fox Crypto to Sentyron in copyright notices
+
+Sebastian Marsching (1):
+      Bugfix: Set broadcast address on interface.
+
+
 2025.09.04 -- Version 2.7_beta1
 
 Arne Schwabe (1):

Changes.rst

@@ -45,6 +45,9 @@ Windows network adapters are now generated on demand
 Windows automatic service now runs as an unpriviledged user
     All tasks that need privileges are now delegated to the interactive
     service.
+    **NOTE** this has the risk of breaking existing setups if the
+    Windows certificate store is used (cryptoapi), and the certificates
+    are not readable for ``NT SERVICE\OpenVPNService``.
 
 Support for new version of Linux DCO module
     OpenVPN DCO module is moving upstream and being merged into the
@@ -148,6 +151,8 @@ Two new environment variables have been introduced to communicate desired
     ``route_redirect_gateway_ipv4`` and ``route_redirect_gateway_ipv6``.
     See the "Environmental Variables" section in the man page
 
+Improved logging of service events/errors to event log on Windows.
+
 
 Deprecated features
 -------------------
@@ -265,6 +270,14 @@ User-visible Changes
   to ``clang-format``.  This reformatted quite a bit of code, and requires
   that regular committers change their pre-commit checks accordingly.
 
+- on Linux, on interfaces where applicable, OpenVPN explicitly configures
+  the broadcast address again.  This was dropped for 2.6.0 "because
+  computers are smart and can do it themselves", but the kernel netlink
+  interface isn't, and will install "0.0.0.0".  This does not normally
+  matter, but for broadcast-based applications that get the address to
+  use from "ifconfig", this change repairs functionality (this has
+  been backported to 2.6.15, but is not in earlier 2.6 versions).
+
 
 Overview of changes in 2.6
 ==========================

version.m4

@@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [7])
-define([PRODUCT_VERSION_PATCH], [_beta1])
+define([PRODUCT_VERSION_PATCH], [_beta2])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])