What's new in OpenVPN 2.4.7
Mar 5, 2019
- Adam Ciarciński (1):
  - Fix subnet topology on NetBSD (2.4).
- Antonio Quartulli (3):
  - add support for %lu in argv_printf and prevent ASSERT
  - buffer_list: add functions documentation
  - ifconfig-ipv6(-push): allow using hostnames
- Arne Schwabe (7):
  - Properly free tuntap struct on android when emulating persist-tun
  - Add OpenSSL compat definition for RSA_meth_set_sign
  - Add support for tls-ciphersuites for TLS 1.3
  - Add better support for showing TLS 1.3 ciphersuites in --show-tls
  - Use right function to set TLS1.3 restrictions in show-tls
  - Add message explaining early TLS client hello failure
  - Fallback to password authentication when auth-token fails
- Christian Ehrhardt (1):
  - systemd: extend CapabilityBoundingSet for auth_pam
- David Sommerseth (1):
  - plugin: Export base64 encode and decode functions
- Gert Doering (4):
  - Add %d, %u and %lu tests to test_argv unit tests.
  - Fix combination of --dev tap and --topology subnet across multiple platforms.
  - Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
  - preparing release v2.4.7 (ChangeLog, version.m4, Changes.rst)
- Gert van Dijk (1):
  - Minor reliability layer documentation fixes
- James Bekkema (1):
  - Resolves small IV_GUI_VER typo in the documentation.
- Jonathan K. Bullard (1):
  - Clarify and expand management interface documentation
- Lev Stipakov (5):
  - Refactor NCP-negotiable options handling
  - init.c: refine functions names and description
  - interactive.c: fix usage of potentially uninitialized variable
  - options.c: fix broken unary minus usage
  - Remove extra token after #endif
- Richard van den Berg via Openvpn-devel (1):
  - Fix error message when using RHEL init script
- Samy Mahmoudi (1):
  - man: correct a --redirection-gateway option flag
- Selva Nair (7):
  - Replace M_DEBUG with D_LOW as the former is too verbose
  - Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'
  - Bump version of openvpn plugin argument structs to 5
  - Move get system directory to a separate function
  - Enable dhcp on tap adapter using interactive service
  - Pass the hash without the DigestInfo header to NCryptSignHash()
  - White-list pull-filter and script-security in interactive service
- Simon Rozman (2):
  - Add Interactive Service developer documentation
  - Detect TAP interfaces with root-enumerated hardware ID
- Steffan Karger (7):
  - man: add security considerations to --compress section
  - mbedtls: print warning if random personalisation fails
  - Fix memory leak after sighup
  - travis: add OpenSSL 1.1 Windows build
  - Fix --disable-crypto build
  - Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
  - buffer_list_aggregate_separator(): simplify code
New in OpenVPN 2.4.6 (Apr 24, 2018)
- David Sommerseth (1):
  - management: Warn if TCP port is used without password
- Gert Doering (3):
  - Correct version in ChangeLog - should be 2.4.5, was mistyped as 2.4.4
  - Fix potential double-free() in Interactive Service (CVE-2018-9336)
  - preparing release v2.4.6 (ChangeLog, version.m4, Changes.rst)
- Gert van Dijk (1):
  - manpage: improve description of --status and --status-version
- Joost Rijneveld (1):
  - Make return code external tls key match docs
- Selva Nair (3):
  - Delete the IPv6 route to the "connected" network on tun close
  - Management: warn about password only when the option is in use
  - Avoid overflow in wakeup time computation
- Simon Matter (1):
  - Add missing #ifdef SSL_OP_NO_TLSv1_1/2
- Steffan Karger (1):
  - Check for more data in control channel
New in OpenVPN 2.4.3 (Jun 24, 2017)
- Antonio Quartulli (1):
  - Ignore auth-nocache for auth-user-pass if auth-token is pushed
- David Sommerseth (3):
  - crypto: Enable SHA256 fingerprint checking in --verify-hash
  - copyright: Update GPLv2 license texts
  - auth-token with auth-nocache fix broke --disable-crypto builds
- Emmanuel Deloget (8):
  - OpenSSL: don't use direct access to the internal of X509
  - OpenSSL: don't use direct access to the internal of EVP_PKEY
  - OpenSSL: don't use direct access to the internal of RSA
  - OpenSSL: don't use direct access to the internal of DSA
  - OpenSSL: force meth->name as non-const when we free() it
  - OpenSSL: don't use direct access to the internal of EVP_MD_CTX
  - OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
  - OpenSSL: don't use direct access to the internal of HMAC_CTX
- Gert Doering (6):
  - Fix NCP behaviour on TLS reconnect.
  - Remove erroneous limitation on max number of args for --plugin
  - Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
  - Fix potential 1-byte overread in TCP option parsing.
  - Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
  - Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst)
- Guido Vranken (6):
  - refactor my_strupr
  - Fix 2 memory leaks in proxy authentication routine
  - Fix memory leak in add_option() for option 'connection'
  - Ensure option array p[] is always NULL-terminated
  - Fix a null-pointer dereference in establish_http_proxy_passthru()
  - Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
- Jérémie Courrèges-Anglas (2):
  - Fix an unaligned access on OpenBSD/sparc64
  - Missing include for socket-flags TCP_NODELAY on OpenBSD
- Matthias Andree (1):
  - Make openvpn-plugin.h self-contained again.
- Selva Nair (1):
  - Pass correct buffer size to GetModuleFileNameW()
- Steffan Karger (11):
  - Log the negotiated (NCP) cipher
  - Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
  - Skip tls-crypt unit tests if required crypto mode not supported
  - openssl: fix overflow check for long --tls-cipher option
  - Add a DSA test key/cert pair to sample-keys
  - Fix mbedtls fingerprint calculation
  - mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
  - mbedtls: require C-string compatible types for --x509-username-field
  - Fix remote-triggerable memory leaks (CVE-2017-7521)
  - Restrict --x509-alt-username extension types
  - Fix potential double-free in --x509-alt-username (CVE-2017-7521)
- Steven McDonald (1):
  - Fix gateway detection with OpenBSD routing domains
New in OpenVPN 2.4.2 (May 24, 2017)
- auth-token: Ensure tokens are always wiped on de-auth
- docs: Fixed man-page warnings discovered by rpmlint
- Make --cipher/--auth none more explicit on the risks
- plugin: Fix documentation typo for type_mask
- plugin: Export secure_memzero() to plug-ins
- Fix extract_x509_field_ssl for external objects, v2
- In auth-pam plugin clear the password after use
- cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
- Don't run packet_id unit tests for --disable-crypto builds
- Fix Changes.rst layout
- Fix memory leak in x509_verify_cert_ku()
- mbedtls: correctly check return value in pkcs11_certificate_dn()
- Restore pre-NCP frame parameters for new sessions
- Always clear username/password from memory on error
- Document tls-crypt security considerations in man page
- Don't assert out on receiving too-large control packets (CVE-2017-7478)
- Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
- Set a low interface metric for tap adapter when block-outside-dns is in use
New in OpenVPN 2.4.1 (Mar 27, 2017)
- Antonio Quartulli (4):
  - attempt to add IPv6 route even when no IPv6 address was configured
  - fix redirect-gateway behaviour when an IPv4 default route does not exist
  - CRL: use time_t instead of struct timespec to store last mtime
  - ignore remote-random-hostname if a numeric host is provided
- Christian Hesse (7):
  - man: fix formatting for alternative option
  - systemd: Use automake tools to install unit files
  - systemd: Do not race on RuntimeDirectory
  - systemd: Add more security features for systemd units
  - Clean up plugin path handling
  - plugin: Remove GNUism in openvpn-plugin.h generation
  - fix typo in notification message
- David Sommerseth (6):
  - management: >REMOTE operation would overwrite ce change indicator
  - management: Remove a redundant #ifdef block
  - git: Merge .gitignore files into a single file
  - systemd: Move the READY=1 signalling to an earlier point
  - plugin: Improve the handling of default plug-in directory
  - cleanup: Remove faulty env processing functions
- Emmanuel Deloget (8):
  - OpenSSL: check for the SSL reason, not the full error
  - OpenSSL: don't use direct access to the internal of X509_STORE_CTX
  - OpenSSL: don't use direct access to the internal of SSL_CTX
  - OpenSSL: don't use direct access to the internal of X509_STORE
  - OpenSSL: don't use direct access to the internal of X509_OBJECT
  - OpenSSL: don't use direct access to the internal of RSA_METHOD
  - OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1
  - OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()
- Eric Thorpe (1):
  - Fix Building Using MSVC
- Gert Doering (5):
  - Add openssl_compat.h to openvpn_SOURCES
  - Fix '--dev null'
  - Fix installation of IPv6 host route to VPN server when using iservice.
  - Make ENABLE_OCC no longer depend on !ENABLE_SMALL
  - Preparing for release v2.4.1 (ChangeLog, version.m4)
- Gisle Vanem (1):
  - Crash in options.c
- Ilya Shipitsin (2):
  - Resolve several travis-ci issues
  - travis-ci: remove unused files
- Olivier Wahrenberger (1):
  - Fix building with LibreSSL 2.5.1 by cleaning a hack.
- Selva Nair (4):
  - Fix push options digest update
  - Always release dhcp address in close_tun() on Windows.
  - Add a check for -Wl,--wrap support in linker
  - Fix user's group membership check in interactive service to work with domains
- Simon Matter (1):
  - Fix segfault when using crypto lib without AES-256-CTR or SHA256
- Steffan Karger (8):
  - More broadly enforce Allman style and braces-around-conditionals
  - Use SHA256 for the internal digest, instead of MD5
  - OpenSSL: 1.1 fallout - fix configure on old autoconf
  - Fix types in WIN32 socket_listen_accept()
  - Remove duplicate X509 env variables
  - Fix non-C99-compliant builds: don't use const size_t as array length
  - Deprecate --ns-cert-type
  - Be less picky about keyUsage extensions
New in OpenVPN 2.3.14 (Dec 8, 2016)
- Christian Hesse (1):
  - update year in copyright message
- David Sommerseth (2):
  - man: Improve the --keepalive section
  - Document the --auth-token option
- Gert Doering (3):
  - Repair topology subnet on FreeBSD 11
  - Repair topology subnet on OpenBSD
  - Preparing release of v2.3.14
- Lev Stipakov (1):
  - Drop recursively routed packets
- Selva Nair (4):
  - Support --block-outside-dns on multiple tunnels
  - When parsing '--setenv opt xx ..' make sure a third parameter is present
  - Map restart signals from event loop to SIGTERM during exit-notification wait
  - Correctly state the default dhcp server address in man page
- Steffan Karger (1):
  - Clean up format_hex_ex()
New in OpenVPN 2.3.8 (Sep 14, 2015)
- Arne Schwabe (2):
  - Report missing endtags of inline files as warnings
  - Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit
- Gert Doering (3):
  - Produce a meaningful error message if --daemon gets in the way of asking for passwords.
  - Document --daemon changes and consequences (--askpass, --auth-nocache).
  - Preparing for release v2.3.8 (ChangeLog, version.m4)
- Holger Kummert (1):
  - Del ipv6 addr on close of linux tun interface
- James Geboski (1):
  - Fix --askpass not allowing for password input via stdin
- Steffan Karger (5):
  - write pid file immediately after daemonizing
  - Make __func__ work with Visual Studio too
  - fix regression: query password before becoming daemon
  - Fix using management interface to get passwords.
  - Fix overflow check in openvpn_decrypt()
New in OpenVPN 2.3.5 (Oct 31, 2014)
- Andris Kalnozols (2):
  - Fix some typos in the man page.
  - Do not upcase x509-username-field for mixed-case arguments.
- Arne Schwabe (1):
  - Fix server routes not working in topology subnet with --server [v3]
- David Sommerseth (4):
  - Improve error reporting on file access to --client-config-dir and --ccd-exclusive
  - Don't let openvpn_popen() keep zombies around
  - Add systemd unit file for OpenVPN
  - systemd: Use systemd functions to consider systemd availability
- Gert Doering (4):
  - Drop incoming fe80:: packets silently now.
  - Fix t_lpback.sh platform-dependent failures
  - Call init script helpers with explicit path (./)
  - Preparing for release v2.3.5 (ChangeLog, version.m4)
- Heiko Hund (1):
  - refine assertion to allow other modes than CBC
- Hubert Kario (2):
  - ocsp_check - signature verification and cert status results are separate
  - ocsp_check - double check if ocsp didn't report any errors in execution
- James Bekkema (1):
  - Fix socket-flag/TCP_NODELAY on Mac OS X
- James Yonan (6):
  - Fixed several instances of declarations after statements.
  - In socket.c, fixed issue where uninitialized value (err) is being passed to gai_strerror.
  - Explicitly cast the third parameter of setsockopt to const void * to avoid warning.
  - MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier.
  - Define PATH_SEPARATOR for MSVC builds.
  - Fixed some compile issues with show_library_versions()
- Jann Horn (1):
  - Remove quadratic complexity from openvpn_base64_decode()
- Mike Gilbert (1):
  - Add configure check for the path to systemd-ask-password
- Philipp Hagemeister (2):
  - Add topology in sample server configuration file
  - Implement on-link route adding for iproute2
- Samuel Thibault (1):
  - Ensure that client-connect files are always deleted
- Steffan Karger (13):
  - Remove function without effect (cipher_ok() always returned true).
  - Remove unneeded wrapper functions in crypto_openssl.c
  - Fix bug that incorrectly refuses oid representation eku's in polar builds
  - Update README.polarssl
  - Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
  - Add proper check for crypto modes (CBC or OFB/CFB)
  - Improve --show-ciphers to show if a cipher can be used in static key mode
  - Extend t_lpback tests to test all ciphers reported by --show-ciphers
  - Don't exit daemon if opening or parsing the CRL fails.
  - Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
  - Fix regression with password protected private keys (polarssl)
  - ssl_polarssl.c: fix includes and make casts explicit
  - Remove unused variables from ssl_verify_openssl.c extract_x509_extension()
- TDivine (1):
  - Fix "code=995" bug with windows NDIS6 tap driver.
New in OpenVPN 2.3.4 (May 16, 2014)
- Fix man page and OCSP script: tls_serial_{n} is decimal
- Fix is_ipv6 in case of tap interface.
- IPv6 address/route delete fix for Win8
- Add SSL library version reporting.
- Minor t_client.sh cleanups
- Repair --multihome on FreeBSD for IPv4 sockets.
- Rewrite manpage section about --multihome
- More IPv6-related updates to the openvpn man page.
- Conditionalize calls to print_default_gateway on !ENABLE_SMALL
- Preparing for release v2.3.4 (ChangeLog, version.m4)
- Use native strtoull() with MSVC 2013.
- When tls-version-min is unspecified, revert to original versioning approach.
- Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.
- Fix OCSP_check.sh to also use decimal for stdout verification.
- Fix build system to accept non-system crypto library locations for plugins.
- Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.
- Fix SOCKSv5 method selection
- Fix typo in sample build script to use LDFLAGS
New in OpenVPN 2.3.3 (Apr 11, 2014)
- pkcs11: use generic evp key instead of rsa
- Add support of utun devices under Mac OS X
- Add support to ignore specific options.
- Add a note what setenv opt does for OpenVPN < 2.3.3
- Add reporting of UI version to basic push-peer-info set.
- Fix compile error in ssl_openssl introduced by polar external-management patch
- Fix assertion when SIGUSR1 is received while getaddrinfo is successful
- Add warning for using connection block variables after connection blocks
- Introduce safety check for http proxy options
- man page: Update man page about the tls_digest_{n} environment variable
- Remove the --disable-eurephia configure option
- plugin: Extend the plug-in v3 API to identify the SSL implementation used
- autoconf: Fix typo
- Fix file checks when --chroot is being used
- Document authfile for socks server
- Fix IPv6 examples in t_client.rc-sample
- Fix slow memory drain on each client renegotiation.
- t_client.sh: ignore fields from "ip -6 route show" output that distort results.
- Make code and documentation for --remote-random-hostname consistent.
- Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=
- Document issue with --chroot, /dev/urandom and PolarSSL.
- Rename 'struct route' to 'struct route_ipv4'
- Replace copied structure elements with including
- Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions
- Always load intermediate certificates from a PKCS#12 file
- Support non-ASCII TAP adapter names on Windows
- Support non-ASCII characters in Windows tmp path
- TLS version negotiation
- Added "setenv opt" directive prefix.
- Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.
- Fix spurious ignoring of pushed config options (trac#349).
- Refactor tls_ctx_use_external_private_key()
- --management-external-key for PolarSSL
- external_pkcs1_sign: Support non-RSA_SIG_RAW hash_ids
- Correct error text when no Windows TAP device is present
- Require a 1.2.x PolarSSL version
- tls_ctx_load_ca: Improve certificate error messages
- Remove duplicate cipher entries from TLS translation table.
- Fix configure interaction with static OpenSSL libraries
- Do not pass struct tls_session* as void* in key_state_ssl_init().
- Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
- Use RSA_generate_key_ex() instead of deprecated RSA_generate_key()
- Also update TLSv1_method() calls in support code to SSLv23_method() calls.
- Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
- If --tls-cipher is supplied, make --show-tls parse the list.
- Add openssl-specific common cipher list names to ssl.c.
- Add support for client-cert-not-required for PolarSSL.
- Fix "." in description of utun.
New in OpenVPN 2.3.2 (Nov 14, 2013)
- Only print script warnings when a script is used. Remove stray mention of script-security system.
- Move settings of user script into set_user_script function
- Move checking of script file access into set_user_script
- Provide more accurate warning message
- Fix NULL-pointer crash in route_list_add_vpn_gateway().
- Fix problem with UDP tunneling due to mishandled pktinfo structures.
- Preparing for v2.3.2 (ChangeLog, version.m4)
- Always push basic set of peer info values to server.
- make 'explicit-exit-notify' pullable again
- Fix proto tcp6 for server & non-P2MP modes
- Fix Windows script execution when called from script hooks
- Fixed tls-cipher translation bug in openssl-build
- Fixed usage of stale define USE_SSL to ENABLE_SSL
- Fix segfault when enabling pf plug-ins
New in OpenVPN 2.2.2 (Feb 11, 2012)
- Only warn about non-tackled IPv6 packets once
- Add missing break between "case IPv4" and "case IPv6", leading to the
- Bump tap driver version from 9.8 to 9.9
- Log error message and exit for "win32, tun mode, tap driver version 9.8"
- Backported pkcs11-related parts of 7a8d707237bb18 to 2.2 branch
New in OpenVPN 2.2 Beta 5 (Dec 21, 2010)
- Fixed an issue causing a build failure with MS Visual Studio 2008.
New in OpenVPN 2.1.4 (Dec 21, 2010)
- Fix problem with special case route targets ('remote_host')
  - The init_route() function will leave &netlist untouched for get_special_addr() routes ("remote_host" being one of them).
  - netlist is on stack, contains random garbage, and netlist.len will not be 0 - thus, random stack data is copied from netlist.data[] until the route_list is full.
New in OpenVPN 2.1 (Oct 22, 2010)
- Windows security issue:
  - Fixed potential local privilege escalation vulnerability in Windows service. The Windows service did not properly quote the executable filename passed to CreateService. A local attacker with write access to the root directory C:\ could create an executable that would be run with the same privilege level as the OpenVPN Windows service. However, since non-Administrative users normally lack write permission on C:\, this vulnerability is generally not exploitable except on older versions of Windows (such as Win2K) where the default permissions on C:\ would allow any user to create files there.
  - Credit: Scott Laurie, MWR InfoSecurity
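An added audit helper for the unquoted-service-path issue above (illustration only, not OpenVPN's own code): it lists every file name Windows could resolve an unquoted binary path to, so an administrator can verify that none of those locations is writable by unprivileged users, and it shows the quoting that fixes the CreateService call. The sample path is constructed, and the candidate expansion follows the documented CreateProcess lookup rule (the string up to each space, with ".exe" appended when the last path component has no extension).

```c
/* Unquoted service path audit helper. Added illustration, not OpenVPN code. */
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 260

/* 1 if the binary path contains a space and is not already wrapped in
 * double quotes, i.e. it would be ambiguous when passed to CreateService. */
int service_path_needs_quoting(const char *path)
{
    size_t len = strlen(path);
    if (len >= 2 && path[0] == '"' && path[len - 1] == '"') {
        return 0;
    }
    return strchr(path, ' ') != NULL;
}

/* The fix: wrap a path containing spaces in double quotes before handing it
 * to CreateService. Returns a static buffer (demo only, not thread-safe). */
const char *quote_service_path(const char *path)
{
    static char out[MAX_PATH_LEN + 2];
    if (strlen(path) >= MAX_PATH_LEN) {
        return NULL;
    }
    if (!service_path_needs_quoting(path)) {
        strcpy(out, path);
    } else {
        snprintf(out, sizeof(out), "\"%s\"", path);
    }
    return out;
}

/* The idx-th file name an unquoted path can be resolved to: each non-empty
 * prefix that ends just before a space, then the whole string. A prefix whose
 * last component has no extension gets ".exe" appended, as CreateProcess does.
 * Returns NULL once idx is past the last candidate. Static buffer, demo only. */
const char *unquoted_candidate(const char *path, int idx)
{
    static char out[MAX_PATH_LEN + 4];
    size_t len = strlen(path);
    int seen = 0;
    if (len >= MAX_PATH_LEN) {
        return NULL;
    }
    for (size_t i = 1; i <= len; i++) {
        if (i != len && path[i] != ' ') {
            continue;
        }
        if (seen++ != idx) {
            continue;
        }
        memcpy(out, path, i);
        out[i] = '\0';
        const char *base = strrchr(out, '\\');
        base = base ? base + 1 : out;
        if (strchr(base, '.') == NULL) {
            strcat(out, ".exe");
        }
        return out;
    }
    return NULL;
}

/* Print every location that must not be writable by unprivileged users
 * while the service path stays unquoted; returns how many were found. */
int print_unquoted_candidates(const char *path)
{
    int n = 0;
    const char *c;
    while ((c = unquoted_candidate(path, n)) != NULL) {
        printf("candidate %d: %s\n", n, c);
        n++;
    }
    return n;
}

int main(void)
{
    /* constructed sample path with two spaces, not a real install location */
    const char *p = "C:\\Program Files\\OpenVPN Technologies\\bin\\openvpnserv.exe";
    print_unquoted_candidates(p);
    printf("fixed: %s\n", quote_service_path(p));
    return 0;
}
```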
- Added Python-based alternative build system for Windows using Visual Studio 2008 (in win directory).
- When aborting in a non-graceful way, try to execute do_close_tun in init.c prior to daemon exit to ensure that the tun/tap interface is closed and any added routes are deleted.
- Fixed an issue where AUTH_FAILED was not being properly delivered to the client when a bad password is given for mid-session reauth, causing the connection to fail without an error indication.
- Don't advance to the next connection profile on AUTH_FAILED errors.
- Fixed an issue in the Management Interface that could cause a process hang with 100% CPU utilization in --management-client mode if the management interface client disconnected at the point where credentials are queried.
- Fixed an issue where if reneg-sec was set to 0 on the client, so that the server-side value would take precedence, the auth_deferred_expire_window function would incorrectly return a window period of 0 seconds. In this case, the correct window period should be the handshake window period.
- Modified ">PASSWORD:Verification Failed" management interface notification to include a client reason string:
  >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
- Enable exponential backoff in reliability layer retransmits.
- Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after socket is created rather than waiting until after connect/listen.
- Management interface performance optimizations:
  1. Added env-filter MI command to perform filtering on env vars passed through as a part of --management-client-auth
  2. man_write will now try to aggregate output into larger blocks (up to 1024 bytes) for more efficient i/o
- Fixed minor issue in Windows TAP driver DEBUG builds where non-null-terminated unicode strings were being printed incorrectly.
- Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support was not being compiled in.
- Proxy improvements:
  - Improved the ability of http-auth "auto" flag to dynamically detect the auth method required by the proxy. Added http-auth "auto-nct" flag to reject weak proxy auth methods. Added HTTP proxy digest authentication method. Removed extraneous openvpn_sleep calls from proxy.c.
  - Implemented http-proxy-override and http-proxy-fallback directives to make it easier for OpenVPN client UIs to start a pre-existing client config file with proxy options, or to adaptively fall back to a proxy connection if a direct connection fails.
- Implemented a key/value auth channel from client to server.
- Fixed issue where bad creds provided by the management interface for HTTP Proxy Basic Authentication would go into an infinite retry-fail loop instead of requerying the management interface for new creds.
- Added support for MSVC debugging of openvpn.exe in settings.in:
  # Build debugging version of openvpn.exe
  !define PRODUCT_OPENVPN_DEBUG
- Implemented multi-address DNS expansion on the network field of route commands. When only a single IP address is desired from a multi-address DNS expansion, use the first address rather than a random selection.
- Added --register-dns option for Windows. Fixed some issues on Windows with --log, subprocess creation for command execution, and stdout/stderr redirection.
- Fixed an issue where application payload transmissions on the TLS control channel (such as AUTH_FAILED) that occur during or immediately after a TLS renegotiation might be dropped.
- Added warning about tls-remote option in man page.
New in OpenVPN 2.2 Beta 3 (Oct 22, 2010)
- Attempt to fix issue where domake-win build system was not properly signing drivers and .exe files.
- Added win/tap_span.py for building multiple versions of the TAP driver and tapinstall binaries using different DDK versions to span from Win2K to Win7 and beyond.
- Community patches
  - David Sommerseth (2):
    - Test framework improvement - Do not FAIL if t_client.rc is missing
    - More t_client.sh updates - exit with SKIP when we want to skip
  - Gert Doering (4):
    - Fix compile problems on NetBSD and OpenBSD
    - Fix compile time problems on OpenBSD for good
    - full "VPN client connect" test framework for OpenVPN
    - Build t_client.sh by configure at run-time.
  - chantra (1):
    - Fixes openssl-1.0.0 compilation warning
New in OpenVPN 2.1.1 (Dec 13, 2009)
- Fixed some breakage in openvpn.spec (which is required to build an RPM distribution) where it was referencing a non-existent subdirectory in the tarball, causing it to fail (patch from David Sommerseth).