preparing release 2.6.16

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering <gert@greenie.muc.de>

Author: cron2

ChangeLog

@@ -1,6 +1,40 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
 
+2025.11.17 -- Version 2.6.16
+
+Antonio Quartulli (1):
+      sitnl: set FD_CLOEXEC on socket to prevent abuse
+
+Arne Schwabe (4):
+      Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
+      fix key_state_gen_auth_control_files probably checking file creation
+      Fix construction of invalid pointer in tls_pre_decrypt
+      Fix memcmp check for the hmac verification in the 3way handshake being inverted
+
+Christian Kujau (2):
+      doc: Fix hyperlinks in openvpn(8)
+      doc: HTTPS upgrades and URL fixes throughout the tree
+
+Frank Lichtenheld (2):
+      route: Fix a unused-but-set-variable warning on OpenBSD
+      route: Add #endif comment for uncrustify compliance
+
+Heiko Hund (2):
+      iservice: check return value of MultiByteToWideChar
+      iservice: use interface index with netsh
+
+Joshua Rogers (1):
+      tcp: apply CLOEXEC to accepted socket, not listener
+
+Selva Nair (2):
+      openvpnserv: Disallow stdin as config unless user is authorized
+      Use correct undo_list when clearing DNS addresses
+
+Steffan Karger (1):
+      ssl_mbedtls: fix missing perf_pop() call
+
+
 2025.09.22 -- Version 2.6.15
 
 Antonio Quartulli (1):

Changes.rst

@@ -1,3 +1,53 @@
+Overview of changes in 2.6.16
+=============================
+Code maintenance / Compat changes
+---------------------------------
+- adapt to new "encrypt-then-mac" cipher suites in OpenSSL 3.6.0 - these
+  need special handling which we don't do, so the t_lpback self-test
+  failed on them.  Exclude from list of allowed ciphers, as there is no
+  strong reason today to make OpenVPN use these.
+
+- fix various compile-time warnings
+
+Documentation updates
+---------------------
+- fix outdated and non-HTTPS URLs throughout the tree (doxygen, warnings,
+  manpage, ...)
+
+Bugfixes
+--------
+- Fix memcmp check for the hmac verification in the 3way handshake.
+  This bug renders the HMAC based protection against state exhaustion on
+  receiving spoofed TLS handshake packets in the OpenVPN server inefficient.
+  CVE: 2025-13086
+
+- fix invalid pointer creation in tls_pre_decrypt() - technically this is
+  a memory over-read issue, in practice, the compilers optimize it away
+  so no negative effects could be observed.
+
+- Windows: in the interactive service, fix the "undo DNS config" handling.
+
+- Windows: in the interactive service, disallow using of "stdin" for the
+  config file, unless the caller is authorized OpenVPN Administrator
+
+- Windows: in the interactive service, change all netsh calls to use
+  interface index and not interface name - sidesteps all possible attack
+  avenues with special characters in interface names.
+
+- Windows: in the interactive service, improve error handling in
+  some "unlikely to happen" paths.
+
+- auth plugin/script handling: properly check for errors in creation on
+  $auth_failed_reason_file (arf).
+
+- for incoming TCP connections, close-on-exec option was applied to
+  the wrong socket fd, leaking socket FDs to child processes.
+
+- sitnl: set close-on-exec flag on netlink socket
+
+- ssl_mbedtls: fix missing perf_pop() call (optional performance profiling)
+
+
 Overview of changes in 2.6.15
 =============================
 New features / User visible changes

version.m4

@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [6])
-define([PRODUCT_VERSION_PATCH], [.15])
+define([PRODUCT_VERSION_PATCH], [.16])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,6,15,0])
+define([PRODUCT_VERSION_RESOURCE], [2,6,16,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])