The OpenVPN community project team is proud to release OpenVPN 2.7.5.
This is a bugfix release fixing several security issues.
Security fixes:
* Windows: openvpnserv: fix DNS SearchList state pollution on (dis)connect.
specific combinations of --dns
config entries plus local DNS config could lead to corruption of pre-openvpn
DNS config (CVE-2026-13379)
Bug found by 章鱼哥 (www.aipyaipy.com).
* Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed
sequence of control channel +
authentication packets (CVE-2026-12996)
Bug found by multiple researchers:
* 章鱼哥 (www.aipyaipy.com)
* Haiyang Huang
* Haruki Oyama (Waseda University)
* Fix use-after-free bug in tls_wrap_reneg(), triggerable by suitable sequence
of dynamic tls-crypt
control-channel packets (CVE-2026-13117)
Bug found by multiple researchers:
* Trace37 Labs (github.com/trace37labs)
* Haiyang Huang
* Fix server crash on reception of suitably malformed auth-token, if
--auth-gen-token external-auth is
active (CVE-2026-13122)
Bug found by Haiyang Huang.
* Fix memory-leak in tls-crypt-v2 client key handling that could lead to
out-of-memory situations and
subsequent server crashes (CVE-2026-12932)
Bug found by Valton Tahiri.
* Fix possible 1-byte buffer overrun on NTLMv2 proxy responses. (CVE-2026-11771)
Bug found by Tristan Madani (@TristanInSec).
* Fix another memory leak on reception of suitable tls-crypt-v2 packets that
could lead to an out of memory
situation and server crash (CVE-2026-13698)
Bug found by Max Fillinger. Overlaps with a report from Valton Tahiri that we
believe to be fixed by this
bugfix as well.
Bugfixes:
* Windows: fix plugin trusted-dir check prefix bypass (this fixes a bug in the
path checking logic we do on
Windows for "is loading a plugin from this path allowed?", but since we could
not find a way to exploit
this unless starting with admin privs or a social engineering attack, not
classified as a security fix)
* Windows: openvpnserv: rework ConvertItfDnsDomains and tests (this fixes a
buffer overread that is not
exploitable and as such not classified as security fix)
* options: fix use-after-free of DNS options on client connect (using suitable
--dns or --dhcp-option DNS
options in a server config - not pushed, but applying to the server itself -
triggers a double free() and
use-after-free condition, possibly crashing the server) (Github:
OpenVPN/openvpn#1060)
* dns: Fix memory leak in dns_server_addr_parse, if too many server addresses
are configured (Github:
OpenVPN/openvpn#1055)
* Improve multi-socket event handling further - multiple open UDP sockets with
concurrent traffic could
lead to inefficient processing, and the old code was also very hard to follow.
(This was initially triggered by a report from Joshua Rogers using ZeroPath,
but turned out to be "just
bad code" not a security vulnerability)
* Null-terminate tls-crypt client keys when testing - non-exploitable strlen()
on a buffer that is not
null-terminated
* mudp: send HMAC reset reply synchronously this fixes a bug where multiple
incoming tls-crypt-v2 RESET
packets on different sockets could end up overwriting each other's control
structures, leading to initial
handshake packets (HMAC reset reply) being sent to the wrong client IP, or on
a non-suitable socket ("v4
packet on a v6 socket"). Since the overall flow here is stateless by nature,
do not artificially create
state by creating elaborate queues, just send-or-drop.
* Fix port-share and multi-socket interaction - port-share needs TCP listeners,
but the check was wrong. So
"as long as any of the listening sockets is TCP, port-share can be used"
(Github: OpenVPN/openvpn#1027)
* Ensure pushed tun-mtu is no lower than TUN_MTU_MIN - this fixes a bug where a
server can push a suitable
combination of options and make the client ASSERT().
(Reported as security issue by Haiyang Huang, but it was decided that the
server always has means to make
the client "not function properly", and it can not be exploited beyond that)
* Windows: socket: assert buffer length before reading prepended sockaddr
family - a misbehaviour in the
windows DCO driver could trigger an overread in the userland client. No such
bug exists, which this was not
treated as a security vulnerability
Documentation improvements:
* improve documentation for --float (Github: OpenVPN/openvpn#358)
* add documentation for --preresolve (Github: OpenVPN/openvpn#532)
* impove documentation around DNS config (Github: OpenVPN/openvpn#937)
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/v2.7.5/Changes.rst>
Source code and Windows installers can be downloaded from our download page:
<https://community.openvpn.net/Downloads>
Packages for Debian, Ubuntu, Fedora, RHEL, and openSUSE are available in the
various
official Community repositories:
<https://community.openvpn.net/Pages/OpenVPN%20software%20repos>
Kind regards,
--
Frank Lichtenheld
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users