Next | Query returned 46 messages, browsing 11 to 20 | Previous

History of commit frequency

CVS Commit History:


   2023-03-29 12:43:54 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
openvpn: updated to 2.6.2

Overview of changes in 2.6.2

New features

implement byte counter statistics for DCO Linux (p2mp server and client)
implement byte counter statistics for DCO Windows (client only)
'--dns server <n> address ...' now permits up to 8 v4 or v6 addresses
fix a few cases of possibly undefined behaviour detected by ASAN
add more unit tests for Windows cryptoapi interface

Bug fixes

sending of AUTH_PENDING and INFO_PRE messages fixed
Windows: do not treat "setting IPv6 interface metric failed" as fatal error on "block-dns" install - this can happen if IPv6 is disabled on the interface and is not harmful in itself
fix '--inactive' if DCO is in use. NOTE: on FreeBSD, this is not working yet (missing per-peer stats)
DCO-Linux: do not print errno on netlink errors (errno is not set by NL)
SOCKS client: improve error reporting on server disconnects
DCO-Linux: fix lockups due to netlink buffer overflows on high client connect/disconnect activity. See "User visible changes" for more details of this.
fix some uses of the OpenSSL3 API for non-default providers (enable use of quantum-crypto OpenSSL provider)
fix memory leak of approx. 1600 bytes per incoming initial TLS packet
fix bug when using ECDSA signatures with OpenSSL 3.0.x and pkcs11-helper (data format conversion was not done properly)
fix 'make distcheck' - unexpected side effect of 'subdir-objects'
fix ASSERT() with dynamic tls-crypt and --tls-crypt-v2

User visible changes

print (kernel) DCO version on startup - helpful for getting a more complete picture of the environment in use.
New control packets flow for data channel offloading on Linux. 2.6.2+ changes the way OpenVPN control packets are handled on Linux when DCO is active, fixing the lockups observed with 2.6.0/2.6.1 under high client connect/disconnect activity. This is an INCOMPATIBLE change and therefore an ovpn-dco kernel module older than v0.2.20230323 (commit ID 726fdfe0fa21) will not work anymore and must be upgraded. The kernel module was renamed to "ovpn-dco-v2.ko" in order to highlight this change and ensure that users and userspace software could easily understand which version is loaded. Attempting to use the old ovpn-dco with 2.6.2+ will lead to disabling DCO at runtime.
The client-pending-auth management command now requires also the key id. The management version has been changed to 5 to indicate this change.
A client will now refuse a connection if pushed compression settings will contradict the setting of allow-compression as this almost always results in a non-working connection.
   2023-03-14 07:31:39 by Adam Ciarcinski | Files touched by this commit (6) | Package updated
Log message:
openvpn: updated to 2.6.1

Overview of changes in 2.6.1

New features

Dynamic TLS Crypt: When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically create a tls-crypt key that is used for renegotiation. This ensures that only the previously authenticated peer can trigger renegotiation and complete renegotiations.
CryptoAPI (Windows): support issuer name as a selector. Certificate selection string can now specify a partial issuer name string as "--cryptoapicert ISSUER:<string>" where <string> is matched as a substring of the issuer (CA) name in the certificate.

User visible changes

on crypto initialization, move old "quite verbose" messages to --verb 4 and only print a more compact summary about crypto and timing parameters by default
configure now enables DCO build by default on FreeBSD and Linux, which brings in a default dependency for libnl-genl (for Linux distributions that are too old to have this library, use "configure --disable-dco")
make "configure --help" output more consistent
CryptoAPI (Windows): remove support code for OpenSSL before 3.0.1 (this will not affect official OpenVPN for Windows installers, as they will always be built with OpenSSL 3.0.x)
CryptoAPI (Windows): log the selected certificate's name
"configure" now uses "subdir-objects", for automake >= 1.16 (less warnings for recent-enough automake versions, will change the way .o files are created)

Bugfixes / minor improvements

fixed old IPv6 ifconfig race condition for FreeBSD 12.4
fix compile-time breakage related to DCO defines on FreeBSD 14
enforce minimum packet size for "--fragment" (avoid division by zero)
some alignment fixes to avoid unaligned memory accesses, which will bring problems on some architectures (Sparc64, some ARM versions) - found by USAN clang checker
windows source code fixes to reduce number of compile time warnings (eventual goal is to be able to compile with -Werror on MinGW), mostly related to signed/unsigned char * conversions, printf() format specifiers and unused variables.
avoid endless loop on logging with --management + --verb 6+
build (but not run) unit tests on MinGW cross compiles, and run them when building with GitHub Actions.
add unit test for parts of cryptoapi.c
add debug logging to help with diagnosing windows driver selection
disable DCO if proxy config is set via management interface
do not crash on Android if run without --management
improve documentation about cipher negotiation and OpenVPN3
for x86 windows builds, use proper calling conventions for dco-win (__stdcall)
differentiate "dhcp-option ..." options into "needs an interface with true DHCP service" (tap-windows) and "can also be installed by IPAPI or service, and can be used on non-DHCP interfaces" (wintun, dco-win)
windows interactive service: fix possible double-free if "--block-dns" installation fails due to "security products" interfering
"make dist": package ovpn_dco_freebsd.h to permit building from tarballs on FreeBSD 14
   2022-11-23 09:02:58 by Adam Ciarcinski | Files touched by this commit (6) | Package updated
Log message:
openvpn: updated to 2.5.8

Overview of changes in 2.5.8

New features

allow running a default configuration with TLS libraries without BF-CBC (even if TLS cipher negotiation would not actually use BF-CBC, the long-term compatibility "default cipher BF-CBC" would trigger an error on such TLS libraries)

User-visible Changes

add git branch name + commit ID to OpenVPN version string on MSVC builds (windows)

Testing Enhancements

t_client.sh: if fping is found and fping6 is not, assume we have fping 4.0 and up, and call "fping -6" for IPv6 ping tests
t_client.sh: allow to force FAIL on prerequisite fails, so a CI environment will no longer "silently skip" t_client runs if fping (etc) can not be found, but will error out

Bugfixes

``--auth-nocache'' was not always correctly clearing username+password after a renegotiation
ensure that auth-token received from server is cleared if requested by the management interface ("forget password" or automatically via ``--management-forget-disconnect'')
in a setup without username+password, but with auth-token and auth-token-username pushed by the server, OpenVPN would start asking for username+password on token expiry. Fix.
using --auth-token together with --management-client-auth (on the server) would lead to TLS keys getting out of sync and client being disconnected. Fix.
management interface would sometimes get stuck if client and server try to write something simultaneously. Fix by allowing a limited level of recursion in virtual_output_callback()
fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
tls-crypt-v2: abort connection if client-key is too short
make man page agree with actual code on replay-window backtrack log message
remove useless empty line from CR_RESPONSE message
   2022-05-31 20:03:41 by Greg Troxel | Files touched by this commit (4)
Log message:
openvpn*: Update to 2.5.7

Upstream changes: bugfixes
   2022-03-17 08:50:18 by Adam Ciarcinski | Files touched by this commit (6) | Package updated
Log message:
openvpn: updated to 2.5.6

OpenVPN 2.5.6.
This is mostly a bugfix release including one security fix ("Disallow multiple deferred authentication plug-ins.", CVE: 2022-0547).
   2021-12-15 21:11:51 by Adam Ciarcinski | Files touched by this commit (5) | Package updated
Log message:
openvpn: updated to 2.5.5

Overview of changes in 2.5.5
============================

User-visible Changes
--------------------
- SWEET32/64bit cipher deprecation change was postponed to 2.7

- Windows: use network address for emulated DHCP server as default
  this enables use of a /30 subnet, which is needed when connecting
  to OpenVPN Cloud.

- require EC support in windows builds
  (this means it's no longer possible to build a Windows OpenVPN binary
  with an OpenSSL lib without EC support)

New features
------------
- Windows build: use CFG and Spectre mitigations on MSVC builds

- bring back OpenSSL config loading to Windows builds.
  OpenSSL config is loaded from %installdir%\SSL\openssl.cfg
  (typically: c:\program files\openvpn\SSL\openssl.cfg) if it exists.

  This is important for some hardware tokens which need special
  OpenSSL config for correct operation.

Bugfixes
--------
- Windows build: enable EKM

- Windows build: improve various vcpkg related build issues

- Windows build: fix regression related to non-writeable status files

- Windows build: fix regression that broke OpenSSL EC support

- Windows build: fix "product version" display (2.5..4 -> 2.5.4)

- Windows build: fix regression preventing use of PKCS12 files

- improve "make check" to notice if "openvpn --show-cipher" crashes

- improve argv unit tests

- ensure unit tests work with mbedTLS builds without BF-CBC ciphers

- include "--push-remove" in the output of "openvpn --help"

- fix error in iptables syntax in example firewall.sh script

- fix "resolvconf -p" invocation in example "up" script

- fix "common_name" environment for script calls when
  "--username-as-common-name" is in effect

Documentation
-------------
- move "push-peer-info" documentation from "server options" to "client"
  (where it belongs)

- correct "foreign_option_{n}" typo in manpage

- update IRC information in CONTRIBUTING.rst (libera.chat)

- README.down-root: fix plugin module name
   2021-10-26 13:07:15 by Nia Alarie | Files touched by this commit (958)
Log message:
net: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Not committed (merge conflicts...):

net/radsecproxy/distinfo

The following distfiles could not be fetched (fetched conditionally?):

./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
   2021-10-07 16:43:07 by Nia Alarie | Files touched by this commit (962)
Log message:
net: Remove SHA1 hashes for distfiles
   2021-10-05 21:25:42 by Adam Ciarcinski | Files touched by this commit (6) | Package updated
Log message:
openvpn: updated to 2.5.4

Overview of changes in 2.5.4
============================
Bugfixes
--------
- fix prompting for password on windows console if stderr redirection
  is in use - this breaks 2.5.x on Win11/ARM, and might also break
  on Win11/amd64 when released.

- fix setting MAC address on TAP adapters (--lladdr) to use sitnl
  (was overlooked, and still used "ifconfig" calls)

- various improvements for man page building (rst2man/rst2html etc)

- minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on
  at least one platform strictly checking this)

- fix minor memory leak under certain conditions in add_route() and
  add_route_ipv6()

User-visible Changes
--------------------
- documentation improvements

- copyright updates where needed

- better error reporting when win32 console access fails

New features
------------
- also build man page on Windows builds
   2021-07-27 09:35:05 by Adam Ciarcinski | Files touched by this commit (5) | Package updated
Log message:
openvpn: updated to 2.5.3

Version 2.5.3
* Add missing free_key_ctx for auth_token
* Add github actions
* Implement auth-token-user
* Update copyrights
* openvpnmsica: properly schedule reboot in the end of installation
* msvc: add ARM64 configuration
* msvc: standalone building
* contrib/vcpkg-ports: add pkcs11-helper port
* vcpkg-ports: restore trailing whitespaces in .patch files
* GitHub actions: add MSVC build
* crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)
* contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606)
* Fix SIGSEGV (NULL deref) receiving push "echo"
* Fix build with mbedtls w/o SSL renegotiation support
* Improve documentation of AUTH_PENDING related directives
* Apply the connect-retry backoff to only one side of a connection
