Security fixes:
- CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2
  Security scope: OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2 can be made to abort with an ASSERT() message by sending a particular combination of authenticated and malformed packets.
  To trigger the bug, a valid tls-crypt-v2 client key is needed, or network observation of a handshake with a valid tls-crypt-v2 client key.
  No crypto integrity is violated, no data is leaked, and no remote code execution is possible.
  This bug does not affect OpenVPN clients.
  (Bug found by internal QA at OpenVPN Inc)
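
A scope check for the advisory above, as an added example that is not part of the release notes or of OpenVPN's own code. It assumes options are set in a config file rather than on the command line; the function names and the sample paths are hypothetical.

```shell
#!/bin/sh
# Added example: is this OpenVPN instance inside the CVE-2025-2704 scope?
# Scope per the release notes: a server, 2.6.1 through 2.6.13, using tls-crypt-v2.

# version_in_scope VERSION -> 0 if 2.6.1 <= VERSION <= 2.6.13
version_in_scope() {
    ver=${1%%[!0-9.]*}            # drop suffixes such as "_git"
    old_ifs=$IFS; IFS=.
    set -- $ver                   # split into major minor patch
    IFS=$old_ifs
    [ "${1:-0}" -eq 2 ] && [ "${2:-0}" -eq 6 ] &&
        [ "${3:-0}" -ge 1 ] && [ "${3:-0}" -le 13 ]
}

# server_uses_tls_crypt_v2 FILE -> 0 if FILE is a server config that enables
# tls-crypt-v2, as a directive or as an inline <tls-crypt-v2> block.
server_uses_tls_crypt_v2() {
    awk '
        { sub(/[#;].*/, "") }     # "#" and ";" start comments
        $1 == "server" || $1 == "server-bridge" || ($1 == "mode" && $2 == "server") { server = 1 }
        $1 == "tls-crypt-v2" || $1 == "<tls-crypt-v2>" { v2 = 1 }
        END { exit !(server && v2) }
    ' "$1"
}

# check_exposure VERSION FILE -> prints a verdict; 0 = in scope, 1 = not.
check_exposure() {
    if version_in_scope "$1" && server_uses_tls_crypt_v2 "$2"; then
        echo "IN SCOPE: $2 (OpenVPN $1), upgrade to 2.6.14"
        return 0
    fi
    echo "not in scope: $2 (OpenVPN $1)"
    return 1
}

# Constructed sample server config (addresses and paths are placeholders).
write_sample_config() {
    cat > "$1" <<'EOF'
port 1194
proto udp
server 10.8.0.0 255.255.255.0
;tls-crypt /etc/openvpn/tc.key
tls-crypt-v2 /etc/openvpn/server/tc-v2-server.key   # server key
EOF
}

# Stand-alone use: sh check.sh 2.6.12 /path/to/server.conf
if [ "$#" -eq 2 ]; then check_exposure "$1" "$2"; fi
```

The version argument is the second field of the first line printed by `openvpn --version`.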
Bug fixes:
- Linux DCO: repair source IP selection for --multihome (Qingfang Deng)
Windows Client: Community MSI installer for Windows client can be found at Community Downloads.
Linux Packages: Instructions for installing community-maintained Linux packages can be found in the Community Wiki.
Full Changelog: v2.6.13...v2.6.14