Hi, On Thu, Sep 25, 2025 at 05:42:01PM +0300, Yuriy Darnobyt wrote: > Important bug fixes since 2.7_beta1: > > * add proper input sanitation to DNS strings to prevent an attack coming > from a trusted-but-malicous OpenVPN server (CVE-2025-10680, affects > unixoid systems with --dns-updown scripts and windows using the built-in > powershell call)
Let me emphasize this. If you followed my advice to "please go and test
2.7_beta1" and installed a --dns-updown script (for example by compiling
and then "make install"), and there is a risk that you connect to an
openvpn server that is not trustworthy -> please upgrade ASAP.
Also, do not use openvpn configs from untrusted sources with 2.7_beta1
under unixoid OSes.
If your OpenVPN server is fully trusted, and you know where the configs
are coming from, then there is no attack angle.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
signature.asc
Description: PGP signature
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
