The OpenVPN community project team is proud to release OpenVPN 2.6.16.

This is a bugfix release containing one security fix.

Security fixes:

* CVE-2025-13086: Fix memcmp check for the HMAC verification in the 3-way
  handshake.
  This bug renders the HMAC based protection against state exhaustion on
  receiving spoofed TLS handshake packets in the OpenVPN server ineffective.
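
The announcement does not describe what was wrong with the memcmp check, so the following is not the patched OpenVPN code; it is an added illustration of the form an HMAC tag check on a handshake packet should take: reject on length first, then compare every byte with a constant-time routine whose result is a plain boolean rather than memcmp's ordering value. The 32-byte tag length and the sample tag bytes are assumptions constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tag length used throughout the example (HMAC-SHA256 size; an assumption
 * made here, not a statement about OpenVPN's wire format). */
#define TAG_LEN 32

/* Constant-time equality test for two fixed-length byte strings.
 * Returns 1 only when every byte matches, 0 otherwise. Compared with memcmp():
 * the result is a plain boolean, so there is no sign or ordering value to
 * misread, and the time taken does not depend on the position of the first
 * mismatching byte. */
static int tag_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Verify the tag carried by an incoming handshake packet against the tag we
 * recomputed locally. The length is checked first so that a truncated or
 * oversized tag is rejected without touching any bytes. */
int verify_handshake_tag(const uint8_t *computed, const uint8_t *received,
                         size_t received_len)
{
    if (received_len != TAG_LEN) {
        return 0;
    }
    return tag_equal(computed, received, TAG_LEN);
}

/* Constructed sample tag for the stand-alone demonstration; the bytes are
 * arbitrary, not real HMAC output. */
static const uint8_t sample_tag[TAG_LEN] = {
    0x4a, 0x1f, 0x9c, 0x03, 0xd7, 0x66, 0xb2, 0xe8,
    0x15, 0x70, 0xaa, 0x3d, 0xc1, 0x8e, 0x52, 0xf4,
    0x09, 0xbd, 0x27, 0x6b, 0xe3, 0x91, 0x48, 0xcf,
    0x5a, 0x0e, 0x74, 0xd2, 0x3b, 0xa6, 0x1d, 0x88,
};

/* A packet carrying the correct tag is accepted (returns 1). */
int demo_accepts_matching_tag(void)
{
    uint8_t received[TAG_LEN];
    memcpy(received, sample_tag, TAG_LEN);
    return verify_handshake_tag(sample_tag, received, TAG_LEN);
}

/* A single flipped bit, here in the last byte, must be rejected (returns 0). */
int demo_rejects_tampered_tag(void)
{
    uint8_t received[TAG_LEN];
    memcpy(received, sample_tag, TAG_LEN);
    received[TAG_LEN - 1] ^= 0x01;
    return verify_handshake_tag(sample_tag, received, TAG_LEN);
}

/* A tag that is too short is rejected on length alone (returns 0), even
 * though every byte it does carry matches the expected prefix. */
int demo_rejects_truncated_tag(void)
{
    return verify_handshake_tag(sample_tag, sample_tag, TAG_LEN - 1);
}

int main(void)
{
    printf("matching tag accepted:  %d\n", demo_accepts_matching_tag());
    printf("tampered tag accepted:  %d\n", demo_rejects_tampered_tag());
    printf("truncated tag accepted: %d\n", demo_rejects_truncated_tag());
    return 0;
}
```

The design point is that the server must drop a packet with a bad tag before allocating any per-client state, and the comparison must answer "equal or not" and nothing else; a check that misreads memcmp's return value lets unauthenticated packets through to the expensive path, which is exactly the state-exhaustion the HMAC is there to prevent.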

Bug fixes:

* fix invalid pointer creation in tls_pre_decrypt() - technically this is
  a memory over-read issue; in practice the compilers optimize it away,
  so no negative effects could be observed.
* Windows: in the interactive service, fix the "undo DNS config" handling.
* Windows: in the interactive service, disallow use of "stdin" for the
  config file unless the caller is an authorized OpenVPN Administrator.
* Windows: in the interactive service, change all netsh calls to use
  interface index and not interface name - sidesteps all possible attack
  avenues with special characters in interface names.
* Windows: in the interactive service, improve error handling in
  some "unlikely to happen" paths.
* auth plugin/script handling: properly check for errors in the creation of
  $auth_failed_reason_file (arf).
* for incoming TCP connections, close-on-exec option was applied to
  the wrong socket fd, leaking socket FDs to child processes.
* sitnl: set close-on-exec flag on netlink socket
* ssl_mbedtls: fix missing perf_pop() call (optional performance profiling)
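
The two close-on-exec items above (accepted TCP connections and the netlink socket) share one failure mode: a descriptor without FD_CLOEXEC is inherited by every child process the daemon spawns, such as auth scripts. As an added example, not OpenVPN code, this shows how to set the flag on the intended descriptor and how to audit descriptors for it before a fork/exec. The socketpair() standing in for a listening socket and its accepted connection is a constructed stand-in; on Linux, accept4() with SOCK_CLOEXEC sets the flag atomically on the accepted socket and avoids the window between accept() and fcntl().

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 1 if FD_CLOEXEC is set on fd, 0 if it is not, -1 on error.
 * Useful as an audit hook: run it over every socket the daemon holds just
 * before fork()/exec() of a plugin or script. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) {
        return -1;
    }
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Set FD_CLOEXEC on fd, preserving any other descriptor flags. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) {
        return -1;
    }
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Constructed stand-in for "listening socket plus accepted connection":
 * socketpair() yields two connected descriptors without any network.
 * Only the "accepted" side is flagged, then both sides are audited, so a
 * flag that landed on the wrong descriptor would show up as the accepted
 * side still being inheritable. Returns 1 when the accepted side carries
 * FD_CLOEXEC and the untouched side does not, 0 otherwise, -1 on error. */
int demo_flag_on_accepted_fd(void)
{
    int fds[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0) {
        return -1;
    }
    int listen_fd = fds[0];  /* plays the role of the listening socket */
    int conn_fd = fds[1];    /* plays the role of the accepted connection */

    int rc = set_cloexec(conn_fd);
    int conn_flagged = fd_is_cloexec(conn_fd);
    int listen_flagged = fd_is_cloexec(listen_fd);

    close(listen_fd);
    close(conn_fd);

    if (rc < 0 || conn_flagged < 0 || listen_flagged < 0) {
        return -1;
    }
    return (conn_flagged == 1 && listen_flagged == 0) ? 1 : 0;
}

int main(void)
{
    printf("accepted fd protected, untouched fd inheritable: %d\n",
           demo_flag_on_accepted_fd());
    return 0;
}
```

In a real server both the listening socket and every accepted connection should be marked close-on-exec; the demo leaves one side unflagged only to show that the audit function distinguishes the two, which is the check that would have caught the flag being applied to the wrong descriptor.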

Windows MSI changes since 2.6.15-I001:

* Built against OpenSSL 3.6.0
* Included openvpn-gui updated to 11.58.0.0
        * Check the return value of GetProp()
        * Make config path check similar to that in interactive service
        * Escape the type id of password message received from openvpn
        * Add a message source for event logging
        * Check correct management daemon path when OpenVPN3 is enabled
        * Fix OpenVPN3 radio button label size when OVPN3 is enabled
        * Use GetTempPath() for debug file in plap as well
        * Migrate all saved plain usernames to encrypted format
* Included win-dco driver updated to 2.8.0

More details can be found in the Changes document:

<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>

(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)

Source code and Windows installers can be downloaded from our download page:

<https://openvpn.net/community/>

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>

On Red Hat derivatives we recommend using the Fedora Copr repository.

<https://copr.fedorainfracloud.org/coprs/g/OpenVPN/openvpn-release-2.6/>

Kind regards,
Yuriy Darnobyt
_______________________________________________
Openvpn-devel mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-devel