2023-11-10 01:17:47 by Greg Troxel | Files touched by this commit (8)
Log message:
net/openvpn: Update to 2.6.7
Upstream NEWS:
Security Fixes:
* CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417)
* CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore --fragment configuration in some circumstances, leading to a division by zero when --fragment is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash (Github #400, #417).
User visible changes:
* DCO: warn if DATA_V1 packets are sent by the other side - this is a hard incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 server, and the only fix is to use --disable-dco.
* Remove OpenSSL Engine method for loading a key. This had to be removed because the original author did not agree to relicensing the code with the new linking exception added. This was a somewhat obsolete feature anyway as it only worked with OpenSSL 1.x, which is end-of-support.
* add warning if p2p NCP client connects to a p2mp server - this is a combination that used to work without cipher negotiation (pre 2.6 on both ends), but would fail in non-obvious ways with 2.6 to 2.6.
* add warning to --show-groups that not all supported groups are listed (this is due to the internal enumeration in OpenSSL being a bit weird, omitting X448 and X25519 curves).
* --dns: remove support for exclude-domains argument (this was a new 2.6 option, with no backend support implemented yet on any platform, and it turns out that no platform supported it at all - so remove option again)
* warn user if INFO control message too long, do not forward to management client (safeguard against protocol-violating server implementations)
New features:
* DCO-WIN: get and log driver version (for easier debugging).
* print "peer temporary key details" in TLS handshake
* log OpenSSL errors on failure to set certificate, for example if the algorithms used are unacceptable to OpenSSL (misleading message would be printed in cryptoapi / pkcs11 scenarios)
* add CMake build system for MinGW and MSVC builds
* remove old MSVC build system
* improve cmocka unit test building for Windows
2023-11-08 14:21:43 by Thomas Klausner | Files touched by this commit (2377)
Log message:
*: recursive bump for icu 74.1
2023-10-25 00:11:51 by Thomas Klausner | Files touched by this commit (2298)
Log message:
*: bump for openssl 3
2023-08-26 16:21:42 by Greg Troxel | Files touched by this commit (2)
Log message:
net/openvpn: Update to 2.6.6
upstream change summary:
New features
------------
- set WINS server via interactive service - this adds support for
"dhcp-option WINS 192.0.2.1" for DCO + wintun interfaces where no
DHCP server is used (Github #373).
2023-06-17 11:57:07 by Greg Troxel | Files touched by this commit (2)
Log message:
net/openvpn: Update to 2.6.5
Upstream changes are bugfixes and minor improvements
2023-05-17 19:00:39 by Adam Ciarcinski | Files touched by this commit (5)
Log message:
openvpn: updated to 2.6.4
Overview of changes in 2.6.4
User visible changes
License amendment: all NEW commits fall under a modified license that explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL) - see COPYING for details. Existing code will fall under the new license as soon as all contributors have agreed to the change - work ongoing.
New features
DCO: support kernel-triggered key rotation (avoid IV reuse after 2^32 packets). This is the userland side, accepting a message from kernel, and initiating a TLS renegotiation. As of release, only implemented in FreeBSD kernel.
Bug fixes
fix pkcs#11 usage with OpenSSL 3.x and PSS signing
fix compile error on TARGET_ANDROID
fix typo in help text
manpage updates (--topology)
encoding of non-ASCII windows error messages in log + management fixed (use UTF8 "as for everything else", not ANSI codepages)
2023-04-25 09:02:27 by Adam Ciarcinski | Files touched by this commit (5)
Log message:
openvpn: updated to 2.6.3
Version 2.6.3
GHA: remove Ubuntu 18.04 builds
vcpkg: request "tools" feature of openssl for MSVC build
doc: run rst2* with --strict to catch warnings
Support of DNS domain for DHCP-less drivers
Bug-fix: segfault in dco_get_peer_stats()
2023-04-19 10:12:01 by Adam Ciarcinski | Files touched by this commit (2359)
Log message:
revbump after textproc/icu update
2023-03-29 12:43:54 by Adam Ciarcinski | Files touched by this commit (4)
Log message:
openvpn: updated to 2.6.2
Overview of changes in 2.6.2
New features
implement byte counter statistics for DCO Linux (p2mp server and client)
implement byte counter statistics for DCO Windows (client only)
'--dns server <n> address ...' now permits up to 8 v4 or v6 addresses
fix a few cases of possibly undefined behaviour detected by ASAN
add more unit tests for Windows cryptoapi interface
Bug fixes
sending of AUTH_PENDING and INFO_PRE messages fixed
Windows: do not treat "setting IPv6 interface metric failed" as fatal error on "block-dns" install - this can happen if IPv6 is disabled on the interface and is not harmful in itself
fix '--inactive' if DCO is in use NOTE: on FreeBSD, this is not working yet (missing per-peer stats)
DCO-Linux: do not print errno on netlink errors (errno is not set by NL)
SOCKS client: improve error reporting on server disconnects
DCO-Linux: fix lockups due to netlink buffer overflows on high client connect/disconnect activity. See "User visible changes" for more details of this.
fix some uses of the OpenSSL3 API for non-default providers (enable use of quantum-crypto OpenSSL provider)
fix memory leak of approx. 1600 bytes per incoming initial TLS packet
fix bug when using ECDSA signatures with OpenSSL 3.0.x and pkcs11-helper (data format conversion was not done properly)
fix 'make distcheck' - unexpected side effect of 'subdir-objects'
fix ASSERT() with dynamic tls-crypt and --tls-crypt-v2
User visible changes
print (kernel) DCO version on startup - helpful for getting a more complete picture of the environment in use.
New control packets flow for data channel offloading on Linux. 2.6.2+ changes the way OpenVPN control packets are handled on Linux when DCO is active, fixing the lockups observed with 2.6.0/2.6.1 under high client connect/disconnect activity. This is an INCOMPATIBLE change and therefore an ovpn-dco kernel module older than v0.2.20230323 (commit ID 726fdfe0fa21) will not work anymore and must be upgraded. The kernel module was renamed to "ovpn-dco-v2.ko" in order to highlight this change and ensure that users and userspace software could easily understand which version is loaded. Attempting to use the old ovpn-dco with 2.6.2+ will lead to disabling DCO at runtime.
The client-pending-auth management command now requires also the key id. The management version has been changed to 5 to indicate this change.
A client will now refuse a connection if pushed compression settings will contradict the setting of allow-compression as this almost always results in a non-working connection.
2023-03-19 20:11:21 by Tobias Nygren | Files touched by this commit (1)
Log message:
openvpn: --disable-dco. Needs kernel support.