The OpenVPN community project team is proud to release OpenVPN 2.6.10.

This is a bugfix release containing several security fixes for Windows and 
Windows TAP driver and documentation updates.

Security fixes:

* CVE-2024-27459: Windows: fix a possible stack overflow in the interactive 
service component which might lead to a local privilege escalation.
  Reported-by: Vladimir Tokarev <vtoka...@microsoft.com>
* CVE-2024-24974: Windows: disallow access to the interactive service pipe from 
remote computers.
  Reported-by: Vladimir Tokarev <vtoka...@microsoft.com>
* CVE-2024-27903: Windows: disallow loading of plugins from untrusted 
installation paths, which could be used to attack openvpn.exe
  via a malicious plugin.  Plugins can now only be loaded from the OpenVPN 
install directory, the Windows system directory, and possibly
  from a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir.
  Reported-by: Vladimir Tokarev <vtoka...@microsoft.com>
* CVE-2024-1305: Windows TAP driver: Fix potential integer overflow in 
!TapSharedSendPacket.
  Reported-by: Vladimir Tokarev <vtoka...@microsoft.com>

User visible changes:

* Update copyright notices to 2024

Bug fixes:

* Windows: if the win-dco driver is used (default) and the GUI requests use of 
a proxy server, the connection would fail.
  Disable DCO in this case.  (Github: #522)
* Compression: minor bugfix in checking option consistency vs. compiled-in 
algorithm support
* systemd unit files: remove obsolete syslog.target

Documentation:

* remove license warnings about mbedTLS linking (README.mbedtls)
* update documentation references in systemd unit files
* sample config files: remove obsolete tls-*.conf files
* document that auth-user-pass may be inlined

Windows MSI changes since 2.6.9:

* For the Windows-specific security fixes see above
* Built against OpenSSL 3.2.1
* Included tap6-windows driver updated to 9.27.0
  * Security fix, see above
* Included ovpn-dco-win driver updated to 1.0.1
  * Ensure we don't pass too large key size to CryptoNG. We do not consider 
this a security issue since the CryptoNG API handles
    this gracefully either way.
* Included openvpn-gui updated to 11.48.0.0
  * Position tray tooltip above the taskbar
  * Combine title and message in tray icon tip text
  * Use a custom tooltip window for the tray icon
More details can be found in the Changes document:

<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>

(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)

Source code and Windows installers can be downloaded from our download page:

<https://openvpn.net/community-downloads/>

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>

On Red Hat derivatives we recommend using the Fedora Copr repository.

<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>

Kind regards,
Yuriy Darnobyt
_______________________________________________
Openvpn-announce mailing list
Openvpn-announce@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-announce

Reply via email to