* Version 1.4.1 (released 2026-02-28)
- [SECURITY] Fixed authentication bypass (medium severity) when using
certificate authentication with cert-user-oid set to SAN(rfc822name):
a client presenting a valid CA-signed certificate without the expected
RFC822 SAN field could authenticate using password credentials alone,
bypassing the intended certificate-to-username binding. Requires the
attacker to possess both a valid CA-signed certificate and valid user
credentials (694)
- The bundled inih was updated to r62.
- The bundled protobuf-c was updated to 1.5.2.
- Fixed a bug where session timeout could be bypassed by reconnecting
(e.g., closing/opening laptop lid) (599)
- occtl: 'show user' command now includes a 'Session started at:' field,
indicating when the VPN session was established
- occtl: Fix column misalignment in ban command outputs
- occtl: Fix 'show ip bans' may produce invalid JSON (683)
- Handle dotted client hostnames (e.g., .local) by stripping the domain suffix
- Renamed `min-reauth-time` configuration option to `ban-time` to better reflect
its purpose (676). This option defines the duration (in seconds) for which
an IP address is banned after exceeding the maximum allowed `max-ban-score`.
Default is 300 seconds (5 minutes).
- Fixed ocserv-worker process title
- Fixed ignored udp-port in vhost (612)
* Version 1.4.0 (released 2026-01-04)
- The bundled llhttp was updated to 9.3.0.
- The bundled protobuf-c was updated to 1.5.1.
- Fixed issues with PAM authentication when combined with pam_sssd (618)
- Enhanced the seccomp filters to address an issue found in testing (627)
- Fixed "unexpected URL" errors for Cisco AnyConnect clients
- Fixed the 'ping-leases' option, which was broken since version 1.1.1
- Fixed maximum MTU tracking in server statistics
- Fixed 'iroute' option processing to handle multiple routes (625)
- Fixed session accounting for roaming users (674)
- occtl: fix invalid JSON output in `occtl -j show iroutes` (661)
- occtl: fix regression with trailing commas in `occtl -j show sessions` (669)
- occtl: fix missing column headers in 'show ip bans' output (677)
- occtl: 'show ip bans' no longer shows expired bans (675)
- Fixed DTLS not working with systemd socket activation (647)
- Fixed a bug in the ban timer logic that could prevent IP addresses
from being banned or cause premature unbans (678)
- Session statistics are now reported at consistent intervals
for RADIUS compatibility (630)
- Single form to enter username and password (551)
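The SAN(rfc822name) binding that the 1.4.1 security entry above describes, as an added example that is not ocserv's code: it pulls rfc822Name values out of a DER-encoded SubjectAltName value with a minimal tag/length walk (the helper names `_tlv`, `rfc822_names` and `bind_username` are assumed) and makes the binding fail closed when the SAN is missing or names a different user, the case that previously fell through to password-only authentication. The SAN bytes are constructed, and CA verification of the certificate is assumed to have already happened at the TLS layer.

```python
# Added example (not ocserv's code): bind a client certificate to a username
# via its rfc822Name SAN, the binding cert-user-oid = SAN(rfc822name) asks for.
# The SAN bytes below are constructed; the certificate is assumed to have
# already passed CA verification at the TLS layer.

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rfc822_names(san_der):
    """Return the rfc822Name entries of a DER-encoded SubjectAltName value.

    GeneralName uses context-specific tags: [1] rfc822Name (IA5String),
    [2] dNSName, [7] iPAddress. Only [1] is collected here.
    """
    tag, body, _ = _tlv(san_der, 0)
    if tag != 0x30:  # SubjectAltName is a SEQUENCE OF GeneralName
        raise ValueError("SAN extension value is not a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        if tag == 0x81:
            names.append(value.decode("ascii"))
    return names

def bind_username(san_der, username, password_ok):
    """Fail-closed binding: the SAN must exist and name exactly this user.

    The 1.4.1 bug was the fail-open variant of this step: with no rfc822Name
    the username stayed unbound and the password result alone decided the
    outcome. Here a missing or mismatched SAN rejects regardless of it.
    """
    names = rfc822_names(san_der)
    if len(names) != 1 or names[0] != username:
        return False
    return bool(password_ok)

# Constructed SAN values: rfc822Name=alice@example.com, and a certificate
# carrying only dNSName=vpn.example.com (CA-signed, but no user binding).
SAN_WITH_EMAIL = b"\x30\x13\x81\x11alice@example.com"
SAN_DNS_ONLY = b"\x30\x11\x82\x0fvpn.example.com"
```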
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
glibc 2.39 has removed libcrypt completely.
Solution: link against libxcrypt built with glibc compatibility.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
This commit comments out the `log-level` line in the template
config file to use default value from upstream, default should be 2.
Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
This is a mandatory tool for the test suite, but we do not run it.
Fixes compilation.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
and also fix build error:
Package ocserv is missing dependencies for the following libraries:
liboath.so.0
Signed-off-by: Thlv Alivs <zgmzzzz18@gmail.com>
See commit 5c545bdb "treewide: replace PKG_USE_MIPS16:=0 with
PKG_BUILD_FLAGS:=no-mips16" on the main repository.
Signed-off-by: Andre Heider <a.heider@gmail.com>
Disable libmaxminddb detection to fix a build error
due to missing dependency.
(the libmaxminddb library is now detected, but is unnecessary.)
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
libseccomp can't be built on ARC, so we must disable the option here as
well. A different fix was first proposed by @zxlhhyccc in #15377.
Fixes: #15313
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
The CONTRIBUTING.md requests an (or multiple) SPDX identifier for GPL
licenses. But a lot of packages did use a different, non-SPDX style with a
"+" at the end instead of "-or-later".
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Added a new config entry udp_port to split the UDP port from TCP. This is
useful when a particular port is blocked by the ISP.
udp_port falls back to port if not set, to be compatible with the current
config file.
Also fixed an ifname typo from the last commit.
Signed-off-by: Qian Sheng <billsq@billsq.me>
This version of ocserv needs us to explicitly specify the prefix
for libev. Add a --with-libev-prefix parameter to make the
configure stage get the right library.
Signed-off-by: Angelo G. Del Regno <kholk11@gmail.com>
Explicitly disable liblz4 and external libtalloc support in order to avoid
implicit dependencies leading to the following error on build environments
that happen to provide liblz4 and libtalloc:
Package ocserv is missing dependencies for the following libraries:
liblz4.so.1
libtalloc.so.2
Signed-off-by: Jo-Philipp Wich <jo@mein.io>