OpenVPN is a robust and easy-to-set-up open-source VPN daemon that links separate private networks together through an encrypted tunnel over the internet. For security it relies on the OpenSSL library, which handles all encryption, authentication and certificate processing. The developers have released version 2.6.11, and the changelog for that release can be found below.
Security fixes
- CVE-2024-4877: Windows: harden interactive service pipe. Security scope: a malicious process with "some" elevated privileges (SeImpersonatePrivilege) could open the pipe a second time, tricking openvpn GUI into providing user credentials (tokens), getting full access to the account openvpn-gui.exe runs as. (Zeze with TeamT5)
- CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. (Reynir Björnsson)
- CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server "keep the session" even when the server has been told to disconnect this client (Reynir Björnsson)
New features
- Windows Crypto-API: Implement Windows CA template match for searching certificates in windows crypto store.
- support pre-created DCO interface on FreeBSD (OpenVPN would fail to set ifmode p2p/subnet otherwise)
Bugfixes
- fix connect timeout when using SOCKS proxies (trac #328, github #267)
- work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers (LibreSSL bug, already fixed upstream, but not backported to OpenBSD 7.5, see also libressl/openbsd#150)
- Add bracket in fingerprint message and do not warn about missing verification (github #516)
Documentation
- remove "experimental" denotation for --fast-io
- correctly document ifconfig_* variables passed to scripts (script-options.rst)
- documentation: make section levels consistent
- samples: Update sample configurations
  - remove compression & old cipher settings, add more informative comments
Code maintenance
- remove usage of <lzoutils.h> header & macro, discouraged by upstream
- only run coverity scans in OpenVPN/OpenVPN repository (= do not spam owners of cloned repos with "cannot run this" messages)
- replace macOS 11 github runners with macOS 14
- remove some unused code in misc.c (leftover from commit 3a4fb1)
- phase2_tcp_server: fix Coverity issue 'Dereference after null check' - the code itself was correct, just doing needless checks
- Use snprintf instead of sprintf for get_ssl_library_version - the code itself was correct, but macOS clang dislikes sprintf()
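The following Python snippet is an added illustration of the kind of input check behind the CVE-2024-5594 fix; it is not OpenVPN's own code. It assumes that control-channel messages are plain printable ASCII (0x20..0x7e) and uses constructed sample messages to show why a peer-supplied string with control bytes is refused, and escaped before it is logged, rather than passed on to the log or a parser.

```python
"""Illustration of the class of check behind CVE-2024-5594: a control-channel
message containing nonprintable bytes is refused before it reaches the log
or any parser. Added example, not OpenVPN source; samples are constructed."""

# Assumption for this example: OpenVPN control-channel messages are plain
# ASCII text (e.g. "PUSH_REQUEST", "PUSH_REPLY,...", "AUTH_FAILED"), so any
# byte outside printable ASCII 0x20..0x7e is treated as garbage.
PRINTABLE_MIN, PRINTABLE_MAX = 0x20, 0x7E


def is_printable_control_msg(msg: bytes) -> bool:
    """Return True only if every byte of msg is printable ASCII."""
    return all(PRINTABLE_MIN <= b <= PRINTABLE_MAX for b in msg)


def escape_for_log(msg: bytes) -> str:
    """Render msg for a single log line: printable bytes pass through, every
    other byte (and a literal backslash, to keep the escaping unambiguous)
    becomes \\xNN, so a peer cannot inject newlines, NULs or terminal escape
    sequences into the log."""
    out = []
    for b in msg:
        if PRINTABLE_MIN <= b <= PRINTABLE_MAX and b != 0x5C:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def handle_control_msg(msg: bytes) -> str:
    """Mimic the post-fix behaviour: refuse a nonprintable message and log
    only an escaped rendering of it; accept a clean one."""
    if not is_printable_control_msg(msg):
        return "REFUSED nonprintable control message: " + escape_for_log(msg)
    return "ACCEPTED " + msg.decode("ascii")


# Constructed samples: a legitimate message, a forged log entry smuggled in
# behind a newline, and a payload carrying a terminal clear-screen sequence
# plus a NUL byte.
SAMPLES = [
    b"PUSH_REQUEST",
    b"AUTH_FAILED\nTLS: peer certificate verified (forged line)",
    b"\x1b[2J\x00garbage",
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(handle_control_msg(m))
```

Run as a script, the first sample is accepted and the other two are refused with their control bytes shown as \xNN, which is the property the fix restores: whatever a peer sends, the log stays one line per message and contains no raw control characters.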