Security fixes:
- CVE-2024-27459: Windows: fix a possible stack overflow in the
interactive service component which might lead to a local privilege escalation.
Reported-by: Vladimir Tokarev vtokarev@microsoft.com - CVE-2024-24974: Windows: disallow access to the interactive service pipe from remote computers.
Reported-by: Vladimir Tokarev vtokarev@microsoft.com - CVE-2024-27903: Windows: disallow loading of plugins from untrusted installation paths, which could be used to attack
openvpn.exevia a malicious plugin. Plugins can now only be loaded from the OpenVPN install directory, the Windows system directory, and possibly from a directory specified byHKLM\SOFTWARE\OpenVPN\plugin_dir.
Reported-by: Vladimir Tokarev vtokarev@microsoft.com - CVE-2024-1305: Windows TAP driver: Fix potential integer overflow in !TapSharedSendPacket.
Reported-by: Vladimir Tokarev vtokarev@microsoft.com
New features:
t_client.shcan now run pre-tests and skip a test block if needed
(e.g. skip NTLM proxy tests if SSL library does not support MD4)
User visible changes:
- Update copyright notices to 2024
Bug fixes:
- Windows: if the win-dco driver is used (default) and the GUI requests use of a proxy server, the connection would fail. Disable DCO in this case. (#522)
- Compression: minor bugfix in checking option consistency vs. compiled-in algorithm support
- systemd unit files: remove obsolete syslog.target
Windows Client: Community MSI installer for Windows client can be found at Community Downloads.
Linux Packages: Instructions for installing community-maintained Linux packages can be found in the Community Wiki.
Full Changelog: v2.6.9...v2.6.10