Release: OpenVPN version 2.6.11

This topic is closed.
  • flichtenheld

    The OpenVPN community project team is proud to release OpenVPN 2.6.11. This is a bugfix release containing several security fixes.

    For details see Changes.rst

    Security fixes:
    • CVE-2024-4877: Windows: harden interactive service pipe. Security scope: a malicious process with "some" elevated privileges (SeImpersonatePrivilege) could open the pipe a second time, tricking openvpn GUI into providing user credentials (tokens), getting full access to the account openvpn-gui.exe runs as. (Zeze with TeamT5)
    • CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. (Reynir Björnsson)
    • CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server "keep the session" even when the server has been told to disconnect this client. (Reynir Björnsson)
    New features:
    • Windows Crypto-API: Implement Windows CA template match for searching certificates in Windows crypto store.
    • Support pre-created DCO interface on FreeBSD (OpenVPN would fail to set ifmode p2p/subnet otherwise)
    Bug fixes:
    • Fix connect timeout when using SOCKS proxies (trac #328, github #267)
    • Work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers (LibreSSL bug, already fixed upstream, but not backported to OpenBSD 7.5, see also LibreSSL/OpenBSD#150)
    • Add bracket in fingerprint message and do not warn about missing verification (github #516)
    • Remove "experimental" denotation for --fast-io
    • Correctly document ifconfig_* variables passed to scripts
    • Documentation: make section levels consistent
    • Samples: Update sample configurations (remove compression & old cipher settings, add more informative comments)

    Windows MSI changes since 2.6.10:
    • For the Windows-specific security fixes see above
    • Built against OpenSSL 3.3.1
    • Included openvpn-gui updated to