gitlab openconnect/ocserv 1.5.0

  • [SECURITY] Fixed unauthenticated heap buffer overflow in the unprivileged
    worker process via an oversized webvpncontext= cookie value (#719)
  • [SECURITY] Fixed unsigned integer underflow in DTLS MTU negotiation (#717):
    a client advertising an out-of-range X-CSTP-Base-MTU or X-CSTP-MTU value
    could potentially cause a buffer overflow in the unprivileged worker process.
    Requires an authenticated client.
  • Added the syslog-facility option to log to a specified syslog facility (#691)
  • Fixed worker hang when a client disappears silently (#638)
  • Removed the cgroup configuration option (used for cgroups v1).
    Administrators should use systemd resource controls instead; see
    systemd.resource-control(5).
  • Fixed cached group-select values incorrectly suppressing the group list
    on reconnect (#742)
  • Added service sub-option to the auth = pam[...] directive to allow
    configurable PAM service names, enabling per-vhost PAM stacks (#718)
  • ocserv-fw-nftables: dropped runtime dependency on ipcalc/ipcalc-ng (#709)
  • Fixed sudden disconnects after authentication for AnyConnect clients (#706)
  • Distinguish disconnect reasons in AnyConnect BYE packets (#732)
  • Vhosts now inherit configuration options from the default vhost if
    they are not overridden (#705)
  • Improved PAM handling by raising the provided stack memory to the system
    default and improving overflow detection (#657)
  • tunnel-all-dns now works correctly when set in per-user/group config (#708)
  • radius: fixed Framed-IPv6-Prefix routes being silently dropped (#710)
  • Added per-worker memory limit (RLIMIT_DATA) as defense-in-depth against
    memory-exhaustion attacks; controlled by the new limit-worker-memory
    option (enabled by default)
  • Limited HTTP header size to 16 KB to complement the existing 256 KB
    body limit
  • Fixed HTTP request desynchronization: pipelined requests in the same
    TLS record are now rejected instead of being processed out of order (#716)
  • Fixed packet loss when sending large volumes of traffic through the VPN (#423)
  • Fixed a build issue on FreeBSD (#704)
  • Build against Nettle 4 (#697)
  • Removed handlers that the openconnect client does not need, to reduce attack surface:
    • /cert.pem
    • /cert.cer
    • /ca.pem
    • /ca.cer
  • Fixed incorrect local address when using the PROXY protocol with IPv6 (#711)
  • Fixed calculation of avg_auth_time across sec-mod instances (#736)
  • Updated the bundled llhttp to 9.4.1
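The DTLS MTU item (#717) above describes a client-supplied X-CSTP-Base-MTU or X-CSTP-MTU value reaching an unsigned subtraction that could wrap. The following C snippet is an added illustration written for these notes, not ocserv's code: it parses a header value with range checks and contrasts an unguarded unsigned subtraction with a guarded one. The bounds MTU_MIN and MTU_MAX and the 69-byte overhead figure are assumptions for illustration; the release notes do not state ocserv's own limits.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative bounds (assumed; the release notes do not give ocserv's own). */
#define MTU_MIN 576u     /* smallest datagram every IPv4 host must accept */
#define MTU_MAX 65535u   /* largest IP total length */

/* Parse the decimal value of an X-CSTP-MTU / X-CSTP-Base-MTU header.
 * Returns 0 and stores the value on success, -1 if the text is not a
 * plain decimal number inside [MTU_MIN, MTU_MAX]. */
int parse_mtu_header(const char *value, unsigned *out)
{
    char *end;
    unsigned long v;

    if (value == NULL || !isdigit((unsigned char)value[0]))
        return -1;              /* rejects "", "-5", " 1400", "+1400" */

    errno = 0;
    v = strtoul(value, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;              /* overflow or trailing garbage */
    if (v < MTU_MIN || v > MTU_MAX)
        return -1;              /* out of the accepted range */

    *out = (unsigned)v;
    return 0;
}

/* The bug class: an unguarded unsigned subtraction wraps around when
 * base_mtu < overhead, producing a huge "payload size" that a later
 * buffer computation may trust. */
unsigned unchecked_payload_mtu(unsigned base_mtu, unsigned overhead)
{
    return base_mtu - overhead;
}

/* Hardened form: refuse the negotiation unless there is room left,
 * so the subtraction can never wrap. */
int checked_payload_mtu(unsigned base_mtu, unsigned overhead, unsigned *out)
{
    if (base_mtu <= overhead)
        return -1;
    *out = base_mtu - overhead;
    return 0;
}

int main(void)
{
    /* Constructed sample header values. */
    const char *inputs[] = { "1400", "70000", "-5", "1400x" };
    unsigned mtu = 0, payload = 0;
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("X-CSTP-MTU: %-6s -> %s\n", inputs[i],
               parse_mtu_header(inputs[i], &mtu) == 0 ? "accepted" : "rejected");

    /* 69 bytes of per-packet overhead is an assumed figure for illustration. */
    printf("unchecked 50 - 69 = %u (wrapped)\n", unchecked_payload_mtu(50, 69));
    printf("checked   50 - 69 -> %s\n",
           checked_payload_mtu(50, 69, &payload) == 0 ? "ok" : "rejected");
    return 0;
}
```

The parser deliberately refuses anything strtoul would otherwise tolerate (leading whitespace, a sign, trailing characters) because the value is attacker-controlled and the subtraction downstream must only ever see a number already known to be inside a sane window.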
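Three hardening items above, the oversized webvpncontext= cookie (#719), the 16 KB header cap, and the rejection of pipelined requests within one TLS record (#716), come down to bounding and validating what is read from a request before it is copied or acted on. This added C example (not ocserv's code) sketches those checks over a constructed record. The assumption that requests carry no body, the REC_* status names, and the MAX_COOKIE_VALUE bound are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HEADER_BYTES 16384   /* 16 KB header cap, as in the release notes */
#define MAX_COOKIE_VALUE 256     /* assumed bound for this example only */

enum rec_status { REC_OK = 0, REC_INCOMPLETE, REC_HEADERS_TOO_LARGE, REC_PIPELINED };

/* Find needle inside a buffer that is not NUL-terminated; offset or -1. */
static long find_bytes(const unsigned char *hay, size_t haylen,
                       const char *needle, size_t nlen)
{
    size_t i;
    if (nlen == 0 || haylen < nlen)
        return -1;
    for (i = 0; i + nlen <= haylen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return (long)i;
    return -1;
}

/* Validate one decrypted TLS record that should hold exactly one
 * body-less request (assumption: no Content-Length / chunked body). */
enum rec_status validate_record(const unsigned char *rec, size_t len, size_t *hdr_len)
{
    long end = find_bytes(rec, len, "\r\n\r\n", 4);
    if (end < 0) {
        /* No terminator yet: more data may follow, unless the header
         * block has already grown past the cap. */
        return len > MAX_HEADER_BYTES ? REC_HEADERS_TOO_LARGE : REC_INCOMPLETE;
    }
    *hdr_len = (size_t)end + 4;
    if (*hdr_len > MAX_HEADER_BYTES)
        return REC_HEADERS_TOO_LARGE;
    /* Bytes after the first request are a second, pipelined request.
     * Reject the whole record instead of parsing it out of order. */
    if (*hdr_len != len)
        return REC_PIPELINED;
    return REC_OK;
}

/* Copy the value of cookie `name` from a Cookie header into out[outsz],
 * NUL-terminated. Returns the value length, -1 if absent, -2 if it
 * would not fit: the length is checked before any byte is written. */
long copy_cookie_value(const char *cookie_hdr, const char *name,
                       char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = cookie_hdr;

    while ((p = strstr(p, name)) != NULL) {
        /* Accept only a whole cookie name followed by '='. */
        if ((p == cookie_hdr || p[-1] == ' ' || p[-1] == ';') && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, ";");
            if (vlen + 1 > outsz)
                return -2;          /* bounded copy: never overflow out */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (long)vlen;
        }
        p += nlen;
    }
    return -1;
}

int main(void)
{
    /* Constructed record: two requests back to back in one TLS record. */
    const unsigned char rec[] =
        "GET / HTTP/1.1\r\nHost: vpn.example\r\n"
        "Cookie: webvpncontext=abc123; other=1\r\n\r\n"
        "GET /pipelined HTTP/1.1\r\n\r\n";
    size_t hdr = 0;
    char ctx[MAX_COOKIE_VALUE];
    long n;

    printf("record status: %d (3 = REC_PIPELINED)\n",
           validate_record(rec, sizeof rec - 1, &hdr));
    n = copy_cookie_value("webvpncontext=abc123; other=1", "webvpncontext",
                          ctx, sizeof ctx);
    printf("cookie copy: %ld bytes, value \"%s\"\n", n, ctx);
    return 0;
}
```

The point of the record check is that the header cap applies even before the terminator is seen, so a client cannot keep a worker reading an endless header block, and that leftover bytes after one complete request are treated as a protocol violation rather than queued for later.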
