CVE-2024-5594: control channel: refuse control channel messages with
nonprintable characters in them. Security scope: a malicious openvpn
peer can send garbage to openvpn log, or cause high CPU load.
(Reynir Björnsson)
(Backport of the security fix in 2.6.11 and the fix for the bugfix
in 2.6.12)
Full Changelog: https://github.com/OpenVPN/openvpn/compare/v2.5.10...v2.5.11
Published by uddr 3 months ago
Windows Client: Community MSI installer for Windows client can be found at Community Downloads.
Linux Packages: Instructions for installing community-maintained Linux packages can be found in the Community Wiki.
Full Changelog: https://github.com/OpenVPN/openvpn/compare/v2.6.11...v2.6.12
Published by flichtenheld 4 months ago
SeImpersonatePrivilege) could open the pipe a second time, tricking
schedule_exit() once (on a given peer).
--fast-io
Full Changelog: https://github.com/OpenVPN/openvpn/compare/v2.6.10...v2.6.11
Published by flichtenheld 7 months ago
Note that OpenVPN 2.5.x is in Old Stable Support status (see SupportedVersions). This usually means that we do not provide updated Windows Installers anymore, even for security fixes. Since this release fixes several issues specific to the Windows platform we decided to provide installers anyway. This does not change the support status of 2.5.x branch. We might not provide security updates for issues found in the future. We recommend that everyone switch to the 2.6.x versions of installers as soon as possible.
Full Changelog: https://github.com/OpenVPN/openvpn/compare/v2.5.9...v2.5.10
Published by uddr 7 months ago
openvpn.exe via a malicious plugin. Plugins can now only be loaded from the OpenVPN install directory, the Windows system directory, and possibly from a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir.
t_client.sh can now run pre-tests and skip a test block if needed
Full Changelog: https://github.com/OpenVPN/openvpn/compare/v2.6.9...v2.6.10
Published by flichtenheld 8 months ago
--force-tls-key-material-export to only accept clients
--verb 8 to --verb 3.
--tls-crypt packets
License change is now complete, and all code has been re-licensed
under the new license (still GPLv2, but with new linking exception
for Apache2 licensed code). See COPYING for details.
Code that could not be re-licensed has been removed or rewritten.
The original code for the --tls-export-cert feature has been removed
(due to the re-licensing effort) and rewritten without looking at the
original code. Feature-compatibility has been tested by other developers,
looking at both old and new code and documentation, so there should
not be a user-visible change here.
IPv6 route addition/deletion are now logged on the same level (3) as
for IPv4. Previously IPv6 was always logged at --verb 1.
Better handling of TLS 1.0 PRF failures in the underlying SSL library
(e.g. on some FIPS builds) - this is now reported on startup, and
clients before 2.6.0 that cannot use TLS EKM to generate key material
are rejected by the server. Also, error messages are improved to show
what exactly failed.
Full Changelog: https://github.com/OpenVPN/openvpn/compare/v2.6.8...v2.6.9
Published by uddr 11 months ago
--dns option did not work when tap-windows6 driver was used, because the internal flag for "apply DNS option to DHCP server" wasn't set (Github #447)
--chdir failures, also caused by error in CMake build system (Github #448)
Full Changelog: https://github.com/OpenVPN/openvpn/compare/v2.6.7...v2.6.8
Published by uddr 11 months ago
--secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417)
--fragment configuration in some circumstances, leading to a division by zero when --fragment is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash. (Github #400, #417).
DCO: warn if DATA_V1 packets are sent by the other side - this is a hard incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 server, and the only fix is to use --disable-dco.
Remove OpenSSL Engine method for loading a key. This had to be removed because the original author did not agree to relicensing the code with the new linking exception added. This was a somewhat obsolete feature anyway as it only worked with OpenSSL 1.x, which is end-of-support.
add warning if p2p NCP client connects to a p2mp server - this is a combination that used to work without cipher negotiation (pre 2.6 on both ends), but would fail in non-obvious ways with 2.6 to 2.6.
add warning to --show-groups that not all supported groups are listed (this is due to the internal enumeration in OpenSSL being a bit weird, omitting the X448 and X25519 curves).
--dns
: remove support for exclude-domains argument (this was a new 2.6 option, with no backend support implemented yet on any platform, and it turns out that no platform supported it at all - so remove option again)
warn user if INFO control message too long, do not forward to management client (safeguard against protocol-violating server implementations)
DCO-WIN: get and log driver version (for easier debugging).
print "peer temporary key details" in TLS handshake
log OpenSSL errors on failure to set certificate, for example if the algorithms used are not acceptable to OpenSSL (a misleading message would be printed in cryptoapi / pkcs11 scenarios)
add CMake build system for MinGW and MSVC builds
remove old MSVC build system
improve cmocka unit test building for Windows
Full Changelog: https://github.com/OpenVPN/openvpn/compare/v2.6.6...v2.6.7
Published by flichtenheld about 1 year ago
OCC exit messages are now logged more visibly
(Github #391)
OpenSSL error messages are now logged with more details (for example,
when loading a provider fails, which .so was tried, and why did it fail)
(Github #361)
print a more user-friendly message when tls-crypt-v2 client auth fails
packaging now includes all documentation in the tarball
route.c was sometimes ignoring return values of add_route3()
(found by coverity)
ntlm: clarify use of buffer in case of truncated NTLM challenge,
no actual code change (reported by Trail of Bits, TOB-OVPN-14)
pkcs11_openssl.c: disable unused code (found by coverity)
options.c: do not hide variable from parent scope (found by coverity)
configure: fix typo in LIBCAPNG_CFALGS (Github #371)
ignore IPv6 route deletion request on Android, reduce IPv4 route-related
message verbosity on Android
manage.c: document missing KID parameter of "client-pending-auth"
(new addition in da083c3b (2.6.2)) in manage interface help text
vpn-network-options.rst: fix typo of "dhcp-option" (Github #313)
tun.c/windows: quote WMIC call to set DHCP/DNS domain with hyphen
(Github #363)
fix CR_RESPONSE management message using wrong key_id
work around false positive compiler warnings with MinGW 12
work around false positive compiler warnings with GCC 12.2.0
fix more compiler warnings on FreeBSD
test_tls_crypt: improve cmocka testing portability
dco-linux: fix counter print format (signed/unsigned)
packaging: include everything that is needed for a MSVC build in tarballs
(Github #344)
Full Changelog: https://github.com/OpenVPN/openvpn/compare/v2.6.5...v2.6.6