The OpenVPN community project team is proud to release OpenVPN 2.6.11.

This is a bugfix release containing several security fixes.

Security fixes:

* CVE-2024-4877: Windows: harden interactive service pipe.
  Security scope: a malicious process with "some" elevated privileges
  (SeImpersonatePrivilege) could open the pipe a second time, tricking
  openvn GUI into providing user credentials (tokens), getting full
  access to the account openvpn-gui.exe runs as. (Zeze with TeamT5)
* ​CVE-2024-5594: control channel: refuse control channel messages with
  nonprintable characters in them.
  Security scope: a malicious openvpn peer can send garbage to openvpn
  log, or cause high CPU load. (Reynir Björnsson)
* CVE-2024-28882: only call schedule_exit() once (on a given peer).
  Security scope: an authenticated client can make the server "keep the
  session" even when the server has been told to disconnect this client
  (Reynir Björnsson) 

New features:

* Windows Crypto-API: Implement Windows CA template match for searching
  certificates in windows crypto store.
* Support pre-created DCO interface on FreeBSD (OpenVPN would fail to set
  ifmode p2p/subnet otherwise) 

Bug fixes:

* Fix connect timeout when using SOCKS proxies (trac #328, github ​#267)
* Work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers
  (LibreSSL bug, already fixed upstream, but not backported to OpenBSD 7.5,
   see also ​https://github.com/libressl/openbsd/issues/150)
* Add bracket in fingerprint message and do not warn about missing
  verification (github ​#516) 

Documentation:

* Remove "experimental" denotation for --fast-io
* Correctly document ifconfig_* variables passed to scripts
* Documentation: make section levels consistent
* Samples: Update sample configurations (remove compression & old cipher
  settings, add more informative comments) 

Windows MSI changes since 2.6.10:

* For the Windows-specific security fix see above
* Built against OpenSSL 3.3.1
* Included openvpn-gui updated to 11.49.0.0
  * Contains part of the fix for ​CVE-2024-4877

More details can be found in the Changes document:

<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>

Source code and Windows installers can be downloaded from our download page:

<https://openvpn.net/community-downloads/>

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>

On Red Hat derivatives we recommend using the Fedora Copr repository.

<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>

Regards,
-- 
  Frank Lichtenheld


_______________________________________________
Openvpn-announce mailing list
Openvpn-announce@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-announce

Reply via email to