Security fixes:
- CVE-2024-4877: Windows: harden interactive service pipe. Security scope: a malicious process with "some" elevated privileges (SeImpersonatePrivilege) could open the pipe a second time, tricking the OpenVPN GUI into providing user credentials (tokens), getting full access to the account openvpn-gui.exe runs as. (Zeze with TeamT5)
- CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to the openvpn log, or cause high CPU load. (Reynir Björnsson)
- CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server "keep the session" even when the server has been told to disconnect this client. (Reynir Björnsson)
New features:
- Windows Crypto-API: Implement Windows CA template match for searching certificates in the Windows crypto store.
- Support pre-created DCO interface on FreeBSD (OpenVPN would fail to set ifmode p2p/subnet otherwise)
Bug fixes:
- Fix connect timeout when using SOCKS proxies (trac #328, github #267)
- Work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers (LibreSSL bug, already fixed upstream, but not backported to OpenBSD 7.5, see also libressl/openbsd#150)
- Add bracket in fingerprint message and do not warn about missing verification (github #516)
Documentation:
- Remove "experimental" denotation for --fast-io
- Correctly document ifconfig_* variables passed to scripts
- Documentation: make section levels consistent
- Samples: Update sample configurations (remove compression & old cipher settings, add more informative comments)
Windows Client: Community MSI installer for Windows client can be found at Community Downloads.
Linux Packages: Instructions for installing community-maintained Linux packages can be found in the Community Wiki.
Full Changelog: v2.6.10...v2.6.11