The OpenVPN community project team is proud to release OpenVPN 2.6.11.

This is a bugfix release containing several security fixes.

Security fixes:

* CVE-2024-4877: Windows: harden interactive service pipe.
  Security scope: a malicious process with "some" elevated privileges
  (SeImpersonatePrivilege) could open the pipe a second time, tricking
  openvpn GUI into providing user credentials (tokens), getting full
  access to the account openvpn-gui.exe runs as. (Zeze with TeamT5)
* CVE-2024-5594: control channel: refuse control channel messages with
  nonprintable characters in them.
  Security scope: a malicious openvpn peer can send garbage to openvpn
  log, or cause high CPU load. (Reynir Björnsson)
* CVE-2024-28882: only call schedule_exit() once (on a given peer).
  Security scope: an authenticated client can make the server "keep the
  session" even when the server has been told to disconnect this client.
  (Reynir Björnsson)

New features:

* Windows Crypto-API: Implement Windows CA template match for searching
  certificates in windows crypto store.
* Support pre-created DCO interface on FreeBSD (OpenVPN would fail to set
  ifmode p2p/subnet otherwise) 

Bug fixes:

* Fix connect timeout when using SOCKS proxies (trac #328, github #267)
* Work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers
  (LibreSSL bug, already fixed upstream, but not backported to OpenBSD 7.5,
   see also
* Add bracket in fingerprint message and do not warn about missing
  verification (github #516)


* Remove "experimental" denotation for --fast-io
* Correctly document ifconfig_* variables passed to scripts
* Documentation: make section levels consistent
* Samples: Update sample configurations (remove compression & old cipher
  settings, add more informative comments) 

Windows MSI changes since 2.6.10:

* For the Windows-specific security fix see above
* Built against OpenSSL 3.3.1
* Included openvpn-gui updated to
  * Contains part of the fix for CVE-2024-4877

More details can be found in the Changes document:


Source code and Windows installers can be downloaded from our download page:


Debian and Ubuntu packages are available in the official apt repositories:


On Red Hat derivatives we recommend using the Fedora Copr repository.


  Frank Lichtenheld
