The OpenVPN community project team is proud to release OpenVPN 2.6.14.
This is a bugfix release containing one security fix.
Security fixes:
* CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2
Security scope: OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2 can be made to abort with an ASSERT() message by sending a particular combination of authenticated and malformed packets. To trigger the bug, a valid tls-crypt-v2 client key is needed, or network observation of a handshake with a valid tls-crypt-v2 client key. No crypto integrity is violated, no data is leaked, and no remote code execution is possible. This bug does not affect OpenVPN clients. (Bug found by internal QA at OpenVPN Inc)
Bug fixes:
* Linux DCO: repair source IP selection for --multihome (Qingfang Deng)
Windows MSI changes since 2.6.13:
* Built against OpenSSL 3.4.1
* Included openvpn-gui updated to 11.52.0.0
* Use correct %TEMP% directory for debug log file.
* Disable config in menu listing if its ovpn file becomes inaccessible
(github openvpn-gui#729)
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>
Kind regards,
Yuriy Darnobyt
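
The following is an added example, not part of the original announcement and not OpenVPN project code: a shell check that applies the security scope stated above (server, version 2.6.1 through 2.6.13, tls-crypt-v2 in use) to a version banner and a config file. The function names, sample banners and sample configs are constructed for illustration; it assumes the banner is the first line of `openvpn --version` output and that config directives are written without leading dashes.

```shell
#!/bin/sh
# Added example (not OpenVPN project code): is this server in the
# CVE-2025-2704 scope, i.e. 2.6.1..2.6.13 and a server using tls-crypt-v2?

# Pull the version out of the first line of `openvpn --version` output.
version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^OpenVPN \([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 if the upstream version is between 2.6.1 and 2.6.13 inclusive.
version_affected() {
    v=${1%%[!0-9.]*}                 # drop suffixes such as _rc1
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    [ "${1:-0}" -eq 2 ] && [ "${2:-0}" -eq 6 ] &&
        [ "${3:-0}" -ge 1 ] && [ "${3:-0}" -le 13 ]
}

# Exit 0 if the config file is a server config with tls-crypt-v2 enabled
# (file directive or inline <tls-crypt-v2> block); commented lines are ignored.
config_in_scope() {
    grep -Eq '^[[:space:]]*(tls-crypt-v2[[:space:]]|<tls-crypt-v2>)' "$1" &&
    grep -Eq '^[[:space:]]*(mode[[:space:]]+server|server|server-bridge|server-ipv6|tls-server)([[:space:]]|$)' "$1"
}

# Exit 0 only when both the version and the configuration match.
in_scope() {
    version_affected "$(version_from_banner "$1")" && config_in_scope "$2"
}

# Constructed sample input so the example runs offline.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf 'port 1194\nserver 10.8.0.0 255.255.255.0\ntls-crypt-v2 server.key\n' > "$SAMPLES/server.conf"
printf 'client\nremote vpn.example.net 1194\ntls-crypt-v2 client.key\n' > "$SAMPLES/client.conf"
printf 'server 10.8.0.0 255.255.255.0\n# tls-crypt-v2 server.key\ntls-crypt tc.key\n' > "$SAMPLES/v1.conf"
OLD='OpenVPN 2.6.12 x86_64-pc-linux-gnu [SSL (OpenSSL)]'
NEW='OpenVPN 2.6.14 x86_64-pc-linux-gnu [SSL (OpenSSL)]'

for conf in server client v1; do
    if in_scope "$OLD" "$SAMPLES/$conf.conf"; then
        echo "$conf.conf on 2.6.12: in scope, upgrade to 2.6.14"
    else
        echo "$conf.conf on 2.6.12: not in scope"
    fi
done
```

A version string alone does not show whether a distribution package carries a backported fix, so treat a match as a prompt to check the package changelog.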