gitlab openconnect/ocserv 1.4.1

4 hours ago
  • [SECURITY] Fixed authentication bypass (medium severity) when using
    certificate authentication with cert-user-oid set to SAN(rfc822name):
    a client presenting a valid CA-signed certificate without the expected
    RFC822 SAN field could authenticate using password credentials alone,
    bypassing the intended certificate-to-username binding. Requires the
    attacker to possess both a valid CA-signed certificate and valid user
    credentials (#694)
  • The bundled inih was updated to r62.
  • The bundled protobuf-c was updated to 1.5.2.
  • Fixed a bug where session timeout could be bypassed by reconnecting
    (e.g., closing/opening laptop lid) (#599)
  • occtl: show user command now includes a Session started at: field,
    indicating when the VPN session was established
  • occtl: Fix column misalignment in ban command outputs
  • occtl: Fix show ip bans output that could produce invalid JSON (#683)
  • Handle dotted client hostnames (e.g., .local) by stripping the domain suffix
  • Renamed min-reauth-time configuration option to ban-time to better reflect
    its purpose (#676). This option defines the duration (in seconds) for which
    an IP address is banned after exceeding the maximum allowed max-ban-score.
    Default is 300 seconds (5 minutes).
  • Fixed ocserv-worker process title
  • Fixed ignored udp-port in vhost (#612)
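The authentication-bypass item above turns on one rule: when cert-user-oid is SAN(rfc822name), a certificate without that SAN must not be rescued by a valid password. The following is an added illustration of that fail-closed binding in Python, not ocserv's own code; it assumes the `cryptography` package and uses a constructed self-signed certificate in place of a CA-signed one.

```python
# Added illustration (not ocserv's code): derive the VPN username from the
# certificate's rfc822Name SAN, as "cert-user-oid = SAN(rfc822name)" intends,
# and fail closed when the SAN is missing instead of falling through to
# password-only authentication. Requires the "cryptography" package.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


class MissingCertificateBinding(Exception):
    """The certificate carries no usable rfc822Name SAN."""


def username_from_cert(cert):
    """Return the single rfc822Name SAN; raise rather than return nothing."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        raise MissingCertificateBinding("no SubjectAlternativeName extension")
    emails = san.value.get_values_for_type(x509.RFC822Name)
    if len(emails) != 1:
        raise MissingCertificateBinding("expected exactly one rfc822Name SAN")
    return emails[0]


def authenticate(cert, claimed_user, password_ok):
    """Fail-closed binding: a valid password never rescues a certificate
    that could not be bound to the user the client claims to be."""
    try:
        bound_user = username_from_cert(cert)
    except MissingCertificateBinding:
        # Falling through to password-only auth here is the bypass the
        # 1.4.1 notes describe; rejecting the session is the fix.
        return False
    return bound_user == claimed_user and password_ok


def make_test_cert(email=None):
    """Constructed self-signed test certificate standing in for a CA-signed one."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "vpn-client")])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    if email is not None:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
    return builder.sign(key, hashes.SHA256())
```

A certificate-presenting client with a correct password is only admitted when the SAN-derived name matches the claimed user; a certificate with no rfc822Name SAN is rejected regardless of the password.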
