The OpenVPN community project team is proud to release OpenVPN 2.7.5.
This is a bugfix release fixing several security issues.

Security fixes:

* Windows: openvpnserv: fix DNS SearchList state pollution on (dis)connect. 
specific combinations of --dns 
  config entries plus local DNS config could lead to corruption of pre-openvpn 
DNS config (CVE-2026-13379)
  Bug found by 章鱼哥 (www.aipyaipy.com).
* Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed 
sequence of control channel + 
  authentication packets (CVE-2026-12996)
  Bug found by multiple researchers:
    * 章鱼哥 (www.aipyaipy.com)
    * Haiyang Huang
    * Haruki Oyama (Waseda University)
* Fix use-after-free bug in tls_wrap_reneg(), triggerable by suitable sequence 
of dynamic tls-crypt 
  control-channel packets (CVE-2026-13117)
  Bug found by multiple researchers:
    * Trace37 Labs (github.com/trace37labs)
    * Haiyang Huang
* Fix server crash on reception of suitably malformed auth-token, if 
--auth-gen-token external-auth is 
  active (CVE-2026-13122)
  Bug found by Haiyang Huang.
* Fix memory-leak in tls-crypt-v2 client key handling that could lead to 
out-of-memory situations and 
  subsequent server crashes (CVE-2026-12932)
  Bug found by Valton Tahiri.
* Fix possible 1-byte buffer overrun on NTLMv2 proxy responses. (CVE-2026-11771)
  Bug found by Tristan Madani (@TristanInSec).
* Fix another memory leak on reception of suitable tls-crypt-v2 packets that 
could lead to an out of memory 
  situation and server crash (CVE-2026-13698)
  Bug found by Max Fillinger. Overlaps with a report from Valton Tahiri that we 
believe to be fixed by this 
  bugfix as well.

Bugfixes:

* Windows: fix plugin trusted-dir check prefix bypass (this fixes a bug in the 
path checking logic we do on 
  Windows for "is loading a plugin from this path allowed?", but since we could 
not find a way to exploit 
  this unless starting with admin privs or a social engineering attack, not 
classified as a security fix)
* Windows: openvpnserv: rework ConvertItfDnsDomains and tests (this fixes a 
buffer overread that is not 
  exploitable and as such not classified as security fix)
* options: fix use-after-free of DNS options on client connect (using suitable 
--dns or --dhcp-option DNS 
  options in a server config - not pushed, but applying to the server itself - 
triggers a double free() and 
  use-after-free condition, possibly crashing the server) (Github: 
OpenVPN/openvpn#1060)
* dns: Fix memory leak in dns_server_addr_parse, if too many server addresses 
are configured (Github: 
  OpenVPN/openvpn#1055)
* Improve multi-socket event handling further - multiple open UDP sockets with 
concurrent traffic could 
  lead to inefficient processing, and the old code was also very hard to follow.
  (This was initially triggered by a report from Joshua Rogers using ZeroPath, 
but turned out to be "just 
  bad code" not a security vulnerability)
* Null-terminate tls-crypt client keys when testing - non-exploitable strlen() 
on a buffer that is not 
  null-terminated
* mudp: send HMAC reset reply synchronously this fixes a bug where multiple 
incoming tls-crypt-v2 RESET 
  packets on different sockets could end up overwriting each other's control 
structures, leading to initial 
  handshake packets (HMAC reset reply) being sent to the wrong client IP, or on 
a non-suitable socket ("v4 
  packet on a v6 socket"). Since the overall flow here is stateless by nature, 
do not artificially create 
  state by creating elaborate queues, just send-or-drop.
* Fix port-share and multi-socket interaction - port-share needs TCP listeners, 
but the check was wrong. So 
  "as long as any of the listening sockets is TCP, port-share can be used" 
(Github: OpenVPN/openvpn#1027)
* Ensure pushed tun-mtu is no lower than TUN_MTU_MIN - this fixes a bug where a 
server can push a suitable 
  combination of options and make the client ASSERT().
  (Reported as security issue by Haiyang Huang, but it was decided that the 
server always has means to make 
  the client "not function properly", and it can not be exploited beyond that)
* Windows: socket: assert buffer length before reading prepended sockaddr 
family - a misbehaviour in the 
  windows DCO driver could trigger an overread in the userland client. No such 
bug exists, which this was not 
  treated as a security vulnerability

Documentation improvements:

* improve documentation for --float (Github: OpenVPN/openvpn#358)
* add documentation for --preresolve (Github: OpenVPN/openvpn#532)
* impove documentation around DNS config (Github: OpenVPN/openvpn#937)

More details can be found in the Changes document:

<https://github.com/OpenVPN/openvpn/blob/v2.7.5/Changes.rst>

Source code and Windows installers can be downloaded from our download page:

<https://community.openvpn.net/Downloads>

Packages for Debian, Ubuntu, Fedora, RHEL, and openSUSE are available in the 
various
official Community repositories:

<https://community.openvpn.net/Pages/OpenVPN%20software%20repos>

Kind regards,
-- 
  Frank Lichtenheld


_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Reply via email to