The OpenVPN community project team is proud to release OpenVPN 2.6.21.
This is a bugfix release fixing several security issues.

Security fixes:

* Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed 
sequence of control channel +
  authentication packets (CVE-2026-12996)
  Bug found by multiple researchers:
    * 章鱼哥 (www.aipyaipy.com)
    * Haiyang Huang
    * Haruki Oyama (Waseda University)
* Fix use-after-free bug in tls_wrap_reneg(), triggerable by suitable sequence 
of dynamic tls-crypt
  control-channel packets (CVE-2026-13117)
  Bug found by multiple researchers:
    * Trace37 Labs (github.com/trace37labs)
    * Haiyang Huang
* Fix server crash on reception of suitably malformed auth-token, if 
--auth-gen-token external-auth is
  active (CVE-2026-13122)
  Bug found by Haiyang Huang.
* Fix memory-leak in tls-crypt-v2 client key handling that could lead to 
out-of-memory situations and
  subsequent server crashes (CVE-2026-12932)
  Bug found by Valton Tahiri.
* Fix possible 1-byte buffer overrun on NTLMv2 proxy responses. (CVE-2026-11771)
  Bug found by Tristan Madani (@TristanInSec).
* Fix another memory leak on reception of suitable tls-crypt-v2 packets that 
could lead to an out of memory
  situation and server crash (CVE-2026-13698)
  Bug found by Max Fillinger. Overlaps with a report from Valton Tahiri that we 
believe to be fixed by this
  bugfix as well.

Bugfixes:

* Windows: fix plugin trusted-dir check prefix bypass (this fixes a bug in the 
path checking logic we do on
  Windows for "is loading a plugin from this path allowed?", but since we could 
not find a way to exploit
  this unless starting with admin privs or a social engineering attack, not 
classified as a security fix)
* options: fix use-after-free of DNS options on client connect (using suitable 
--dns or --dhcp-option DNS
  options in a server config - not pushed, but applying to the server itself - 
triggers a double free() and
  use-after-free condition, possibly crashing the server) (Github: 
OpenVPN/openvpn#1060)
* Null-terminate tls-crypt client keys when testing - non-exploitable strlen() 
on a buffer that is not
  null-terminated
* Ensure pushed tun-mtu is no lower than TUN_MTU_MIN - this fixes a bug where a 
server can push a suitable
  combination of options and make the client ASSERT().
  (Reported as security issue by Haiyang Huang, but it was decided that the 
server always has means to make
  the client "not function properly", and it can not be exploited beyond that)

More details can be found in the Changes document:

<https://github.com/OpenVPN/openvpn/blob/v2.6.21/Changes.rst>

Source code and Windows installers can be downloaded from our download page:

<https://community.openvpn.net/Downloads>

Packages for Debian, Ubuntu, Fedora, RHEL, and openSUSE are available in the 
various
official Community repositories:

<https://community.openvpn.net/Pages/OpenVPN%20software%20repos>

Kind regards,
-- 
  Frank Lichtenheld


_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Reply via email to