The OpenVPN community project team is proud to release OpenVPN 2.6.10.

This is a bugfix release containing several security fixes for Windows and the 
Windows TAP driver, plus documentation updates.

Security fixes:

* CVE-2024-27459: Windows: fix a possible stack overflow in the interactive service component which might lead to a local privilege escalation.
  Reported-by: Vladimir Tokarev <vtoka...@microsoft.com>
* CVE-2024-24974: Windows: disallow access to the interactive service pipe from remote computers.
  Reported-by: Vladimir Tokarev <vtoka...@microsoft.com>
* CVE-2024-27903: Windows: disallow loading of plugins from untrusted installation paths, which could be used to attack openvpn.exe via a malicious plugin.  Plugins can now only be loaded from the OpenVPN install directory, the Windows system directory, and possibly from a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir.
  Reported-by: Vladimir Tokarev <vtoka...@microsoft.com>
* CVE-2024-1305: Windows TAP driver: Fix potential integer overflow in !TapSharedSendPacket.
  Reported-by: Vladimir Tokarev <vtoka...@microsoft.com>
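After the CVE-2024-27903 change, plugin loading is restricted to the directories listed above, so the remaining question for an administrator is who can write to those directories. The following audit script is an added example, not part of this announcement or of the OpenVPN project; it assumes the install directory is stored as the default value of HKLM\SOFTWARE\OpenVPN (not stated on this page) and reads plugin_dir from the same key as named above.

```powershell
# Added audit example (not OpenVPN project code). Lists the directories an
# OpenVPN 2.6.10 Windows install may load plugins from and reports any that a
# principal other than SYSTEM / Administrators / TrustedInstaller can write to.
# Assumption: the install directory is the default value of HKLM\SOFTWARE\OpenVPN.

function Get-OpenVpnPluginDirs {
    $dirs = @()
    $key = Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenVPN' -ErrorAction SilentlyContinue
    if ($key) {
        if ($key.'(default)') { $dirs += $key.'(default)' }   # install directory (assumed location)
        if ($key.plugin_dir)  { $dirs += $key.plugin_dir }    # optional plugin_dir from the announcement
    }
    $dirs += [Environment]::GetFolderPath('System')          # Windows system directory
    return $dirs | Where-Object { $_ } | Select-Object -Unique
}

function Get-NonAdminWriter {
    param([string]$Path)
    # Principals expected to hold write access on these directories.
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) {
            return $ace.IdentityReference.Value   # first untrusted principal with write rights
        }
    }
    return $null
}

foreach ($dir in Get-OpenVpnPluginDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { Write-Output "$dir : not present"; continue }
    $dlls = @(Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue).Count
    $who = Get-NonAdminWriter -Path $dir
    if ($who) { Write-Output "$dir : WRITABLE by $who ($dlls DLLs present)" }
    else      { Write-Output "$dir : ok ($dlls DLLs present)" }
}
```

A "WRITABLE" line means a non-administrative account could place a DLL where a plugin directive would load it, so the directory ACL should be tightened to match the install directory.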

User visible changes:

* Update copyright notices to 2024

Bug fixes:

* Windows: if the win-dco driver is used (default) and the GUI requests use of a proxy server, the connection would fail.
  Disable DCO in this case.  (Github: #522)
* Compression: minor bugfix in checking option consistency vs. compiled-in algorithm support
* systemd unit files: remove obsolete syslog.target

Documentation:

* remove license warnings about mbedTLS linking (README.mbedtls)
* update documentation references in systemd unit files
* sample config files: remove obsolete tls-*.conf files
* document that auth-user-pass may be inlined

Windows MSI changes since 2.6.9:

* For the Windows-specific security fixes see above
* Built against OpenSSL 3.2.1
* Included tap6-windows driver updated to 9.27.0
  * Security fix, see above
* Included ovpn-dco-win driver updated to 1.0.1
  * Ensure we don't pass too large key size to CryptoNG. We do not consider this a security issue since the CryptoNG API handles this gracefully either way.
* Included openvpn-gui updated to 11.48.0.0
  * Position tray tooltip above the taskbar
  * Combine title and message in tray icon tip text
  * Use a custom tooltip window for the tray icon

More details can be found in the Changes document:

<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>

(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)

Source code and Windows installers can be downloaded from our download page:

<https://openvpn.net/community-downloads/>

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>

On Red Hat derivatives we recommend using the Fedora Copr repository.

<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>

Kind regards,
Yuriy Darnobyt
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel