Changes.rst has not received an "2.7_rc2" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta releases
it's better to look at git log to see what has been added/fixed.
Notable changes rc1 -> rc2 are:
- IPv6 address parsing: fix buffer overread on invalid input
(CVE-2025-12106)
- HMAC verification check: fix incorrect memcmp() call
(CVE-2025-13086)
- even more type conversion related warnings have been fixed
- DCO FreeBSD improvements:
improving debug messages (verb 6)
implement client-side counter handling
repair --inactive (and document shortcomings)
repair handling of DCO disconnection notifications in --client mode
- Windows/Service improvements, hardening, bugfixes
fix DNS address list generation (if 3 or more --dns addresses in use)
fix DNS server undo_list
disallow "stdin" as config name unless user has OpenVPN admin privs
fix compilation errors with MSVC v19
iservice: improve validation of config path (pathcc lib)
[NOTE: this breaks OpenVPN compatibility with Windows 7]
tapctl: refactor, improve output, change driver default to ovpn-dco
iservice: when restoring iface metrics, enforce correct ifindex
- improve cmocka unit test assert() handling
- PUSH_UPDATE server: fix reporting of client IPs in ``status`` output
after pushing a new IPv4/IPv6 address to client
- AEAD cipher safety margins: fix calculation of AEAD blocks in use
(old code would undercount blocks)
- fix invalid pointer creation / memory overread in tls_pre_decrypt
- deprecate ``--opt-verify`` (change into no-op + warning)
projects / 0xmirror / openvpn.git / commit