Meeting summary for 19 November 2025:

*Updated: Release 2.7*
OpenVPN 2.7rc2 went out containing, among other things, 2 CVE fixes.
CVE-2025-12106: IPv6 address parsing: fix buffer overread on invalid input
CVE-2025-13086: HMAC verification check: fix incorrect memcmp() call
The latter of these two also applies to the 2.6 branch, therefore a
2.6.16 release was done.

*Updated: Release 2.6.16*
Some of the issues for 2.7 also affected 2.6 code, therefore 2.6.16
with a fix for a CVE issue was released.
CVE-2025-13086: HMAC verification check: fix incorrect memcmp() call

*Updated: 2.7 security audit*
ordex arranged mostly through STF funding to get a security audit of
OpenVPN 2.7 (currently in release candidate phase).
Recently this has kicked off and 2.7 is being put through the meat
grinder now by SRLabs.
We are processing these reports as well as reports from ZeroPath and
addressing concerns raised.

*Updated: t_server and t_client testing framework*
mattock asked where to put the t_server stack as it is currently on
ordex's open source fund funded AWS account but funds might dry up
there.
Discussed option to move it to OpenVPN Inc. funded AWS community
account. Will explore this option.

As always, you're welcome to join at #openvpn-meeting on the Libera IRC
network every Wednesday at 14:00 Central European Time.

Kind regards,
Johan Draaisma