OpenVPN is a robust and easy-to-set-up open source VPN daemon that links several private networks together through an encrypted tunnel over the internet. It relies on the OpenSSL library for its cryptography: encryption, authentication and certificate handling. The developers have released version 2.6.11; the changelog for that release follows.
Security fixes
- CVE-2024-4877: Windows: harden interactive service pipe. Security scope: a malicious process with “some” elevated privileges (SeImpersonatePrivilege) could open the pipe a second time, tricking openvpn GUI into providing user credentials (tokens), getting full access to the account openvpn-gui.exe runs as. (Zeze with TeamT5)
- CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. (Reynir Björnsson)
- CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server “keep the session” even when the server has been told to disconnect this client (Reynir Björnsson)
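The CVE-2024-5594 fix above refuses control channel messages that carry nonprintable bytes, so a peer can no longer push terminal escape sequences or binary garbage into the server log. The validator below is an added illustration written for this page, not OpenVPN's own code; it assumes the accepted set is printable ASCII plus newline, with NUL tolerated only as the terminator, and runs that gate over a few constructed sample messages.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed validator (not OpenVPN's own code): a control-channel message
 * is accepted only if every byte is printable ASCII (0x20..0x7E) or '\n';
 * a NUL is tolerated only as the final, terminating byte. */
bool control_msg_is_printable(const unsigned char *msg, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = msg[i];
        if (c == '\0') {
            return i + 1 == len;      /* NUL allowed only as terminator */
        }
        if (c == '\n') {
            continue;                 /* line separator is part of the format */
        }
        if (c < 0x20 || c > 0x7e) {
            return false;             /* control byte, DEL or non-ASCII */
        }
    }
    return true;
}

struct sample { const unsigned char *data; size_t len; };

/* Constructed sample messages (assumed, not captured traffic): two
 * well-formed ones, one carrying a terminal escape sequence, one with
 * high bytes, and one with an embedded NUL. sizeof includes the terminator. */
static const unsigned char m1[] = "PUSH_REQUEST";
static const unsigned char m2[] = "AUTH_FAILED,bad credentials\n";
static const unsigned char m3[] = "PUSH_REPLY,\x1b[2J\x1b[H";
static const unsigned char m4[] = "PUSH_REPLY,\xff\xfe";
static const unsigned char m5[] = "PUSH_REPLY\0,route 10.0.0.0";

/* Returns how many of the five samples the gate refuses before they
 * would reach the log or the message parser. */
int count_refused(void)
{
    const struct sample s[] = {
        { m1, sizeof m1 }, { m2, sizeof m2 }, { m3, sizeof m3 },
        { m4, sizeof m4 }, { m5, sizeof m5 },
    };
    int refused = 0;
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        if (!control_msg_is_printable(s[i].data, s[i].len)) {
            refused++;
        }
    }
    return refused;
}
```

Of the five constructed messages, the three that contain an escape byte, high bytes, or an embedded NUL are refused and the two plain-text ones pass.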
New features
- Windows Crypto-API: Implement Windows CA template match for searching certificates in windows crypto store.
- support pre-created DCO interface on FreeBSD (OpenVPN would fail to set ifmode p2p/subnet otherwise)
Bug fixes
- fix connect timeout when using SOCKS proxies (trac #328, github #267)
- work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers (LibreSSL bug, already fixed upstream, but not backported to OpenBSD 7.5, see also libressl/openbsd#150)
- Add bracket in fingerprint message and do not warn about missing verification (github #516)
Documentation
- remove “experimental” denotation for --fast-io
- correctly document ifconfig_* variables passed to scripts (script-options.rst)
- documentation: make section levels consistent
- samples: Update sample configurations remove compression & old cipher settings, add more informative comments
Code maintenance
- remove usage of <lzoutils.h> header & macro, discouraged by upstream
- only run coverage scans in OpenVPN/OpenVPN repository (= do not spam owners of cloned repos with “cannot run this” messages)
- replace macOS 11 github runners with macOS 14
- remove some unused code in misc.c (leftover from commit 3a4fb1)
- phase2_tcp_server: fix Coverity issue 'Dereference after null check' – the code itself was correct, just doing needless checks
- Use snprintf instead of sprintf for get_ssl_library_version – the code itself was correct, but macOS clang dislikes sprintf()