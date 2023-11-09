OpenVPN is a robust and easy-to-configure open-source VPN daemon that links separate private networks together over an encrypted tunnel across the internet. Security is handled by the OpenSSL library, which provides all of the encryption, authentication and certificate handling. The developers have released version 2.6.7; the changelog for that release can be found below.
Bug fixes / Code cleanup
- CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417)
- CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore "--fragment" configuration in some circumstances, leading to a division by zero when "--fragment" is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash.
- Cleanup bits and pieces of documentation
- Cleanup code to remove strlen() related warnings in buf_catrunc()
- DCO on Linux: fix NULL-pointer crash if "--multihome" is used together with "--proto tcp"
- Work around build fails caused by LibreSSL no longer having engine support
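The two CVE entries above give exactly the criteria needed for a quick triage of a host: the version range (2.6.0 up to and including 2.6.6), whether the configuration runs TLS at all (CVE-2023-46850 does not apply to static-key setups using "secret"), and whether "fragment" is in use (required for CVE-2023-46849). The script below is an added example, not OpenVPN project code: it pulls the version out of an `openvpn --version` banner, checks it against that range, and scans a config file for the two directives. The banner, the config and the `vpn.example.invalid` hostname are constructed samples. It only sees directives inside the config file, not ones passed on the command line, and the fix in every case is the upgrade to 2.6.7.

```shell
#!/bin/sh
# Added example, not OpenVPN project code: triage a host against
# CVE-2023-46849 / CVE-2023-46850 using only the criteria in the 2.6.7 notes.
set -f   # no filename globbing while we word-split config lines below

# Pull "2.6.6" out of the first line of `openvpn --version`, e.g.
# "OpenVPN 2.6.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] ...". Prints nothing if
# the line does not start with "OpenVPN <x.y.z>".
openvpn_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenVPN \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 if the version is in the range the notes call affected, 2.6.0 up to
# and including 2.6.6; 1 if it is outside that range; 2 if unparsable.
# A distro suffix such as "2.6.3-1ubuntu1" is ignored.
openvpn_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -le 6 ]; then
        return 0
    fi
    return 1
}

# Read an OpenVPN config on stdin and print which of the two CVEs apply to it
# on an affected version: CVE-2023-46850 for any TLS configuration (no "secret"
# directive), CVE-2023-46849 when "fragment" is used. Prints "none" otherwise.
# Only directives in the file are seen, not ones passed on the command line.
config_exposure() {
    uses_secret=0; uses_fragment=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}; line=${line%%;*}   # strip "#" and ";" comments
        set -- $line                          # word-split: $1 is the directive
        [ $# -gt 0 ] || continue
        case $1 in
            secret)   uses_secret=1 ;;
            fragment) uses_fragment=1 ;;
        esac
    done
    out=""
    [ "$uses_secret" -eq 0 ] && out="CVE-2023-46850"
    [ "$uses_fragment" -eq 1 ] && out="${out:+$out }CVE-2023-46849"
    printf '%s\n' "${out:-none}"
}

# Constructed sample inputs (not captured from any real host; hostname is made up).
SAMPLE_BANNER='OpenVPN 2.6.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD] [DCO]'
SAMPLE_CONFIG='client
dev tun
proto udp
remote vpn.example.invalid 1194
# path-MTU workaround; this is what makes CVE-2023-46849 reachable
fragment 1300
# "secret static.key" here would switch to static-key mode, which CVE-2023-46850 does not affect
'

# Combine the two checks into one verdict line for the sample host.
triage() {
    ver=$(openvpn_version_from_banner "$SAMPLE_BANNER")
    if openvpn_version_affected "$ver"; then
        printf 'OpenVPN %s is in the affected range; config exposure: %s (upgrade to 2.6.7)\n' \
            "$ver" "$(printf '%s\n' "$SAMPLE_CONFIG" | config_exposure)"
    else
        printf 'OpenVPN %s is outside the affected range\n' "$ver"
    fi
}
triage
```

To run it against a real host, replace SAMPLE_BANNER with `$(openvpn --version | head -n 1)` and feed the actual config file to `config_exposure`. A "none" verdict only means the two criteria from the notes are not met in the file; it is not a reason to skip the upgrade.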
User visible changes
- DCO: warn if DATA_V1 packets are sent by the other side - this is a hard incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 server, and the only fix is to use "--disable-dco".
- Remove OpenSSL Engine method for loading a key. This had to be removed because the original author did not agree to relicensing the code with the new linking exception added. This was a somewhat obsolete feature anyway as it only worked with OpenSSL 1.x, which is end-of-support.
- Add warning if p2p NCP client connects to a p2mp server - this is a combination that used to work without cipher negotiation (pre 2.6 on both ends), but would fail in non-obvious ways with 2.6 to 2.6.
- Add warning to "--show-groups" that not all supported groups are listed (this is due to the internal enumeration in OpenSSL being a bit weird, omitting X448 and X25519 curves).
- "--dns": remove support for "exclude-domains" argument (this was a new 2.6 option, with no backend support implemented yet on any platform, and it turns out that no platform supported it at all - so remove option again)
- Warn user if INFO control message is too long, do not forward to management client (safeguard against protocol-violating server implementations)
- DCO-WIN: get and log driver version (for easier debugging).
- Print "peer temporary key details" in TLS handshake
- Log OpenSSL errors on failure to set certificate, for example if the algorithms used are unacceptable to OpenSSL (a misleading message would be printed in cryptoapi / pkcs#11 scenarios)
New features
- Add CMake build system for MinGW and MSVC builds
- Remove old MSVC build system
- Improve cmocka unit test building for Windows