As part of the 2.7.5 and 2.6.21 security releases the OpenVPN community project team also decided to release backports of several of the fixes to the OpenVPN 2.5 code base.
Since 2.5 is not officially supported anymore, there will be no official release and no preparation of source archives or builds of Windows installers. However, the fixes are available in the Git repositories in the release/2.5 branch for people that still produce releases based on 2.5 (e.g. long-term supported Linux distros). The fixes backported are: * Clean up metadata handling in tls_crypt_v2_extract_client_key. An attacker could repeatedly trigger a memory leak on servers that use tls-crypt-v2 and cause the server to crash. (CVE-2026-12932) * Ensure tls-crypt keys are not setup twice. An attacker with a valid tls-crypt-v2 client key could repeatedly trigger a memory leak on the server and cause it to crash. (CVE-2026-13698) * Fix ack_write_buf use after free. A race-condition could trigger an use-after-free error. (CVE-2026-12996) * fix server ASSERT() on receiving a suitably malformed packet with a valid tls-crypt-v2 key (CVE-2026-35058) Bug found by XlabAI Team of Tencent Xuanwu Lab ([email protected]), and independently by Emma Reuter of Cisco ASIG (TALOS-2026-2381). (backported from 2.7.2) * fix race condition in TLS handshake that could lead to leaking of packet data from a previous handshake under specific circumstances (CVE-2026-40215) Bug found by XlabAI Team of Tencent Xuanwu Lab ([email protected]). (backported from 2.7.2) The OpenVPN support policy is documented at <https://community.openvpn.net/Pages/Supported%20versions> Kind regards, -- Frank Lichtenheld _______________________________________________ Openvpn-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-users
