Corrective releases OpenVPN 2.5.2 and 2.4.11 have been prepared. OpenVPN is a package for creating virtual private networks that lets you set up an encrypted connection between two client machines or run a centralized VPN server that serves several clients simultaneously. The OpenVPN code is distributed under the GPLv2 license, and ready-made binary packages are built for Debian, Ubuntu, CentOS, RHEL and Windows.
The new releases fix a vulnerability (CVE-2020-15078) that allows a remote attacker to bypass authentication and access restrictions and cause a leak of VPN configuration data. The problem appears only on servers configured to use deferred authentication (deferred_auth). The attacker can force the server to return the PUSH_REPLY message with the VPN settings data before the AUTH_FAILED message is sent. In combination with the "--auth-gen-token" parameter, or with the user's own token-based authentication scheme, the vulnerability may result in access to the VPN using a non-working account.
Other, unrelated changes include expanded output of information about the TLS ciphers negotiated for use by the client and the server, including correct information on support for TLS 1.3 and EC certificates. In addition, the absence of the CRL file with the list of revoked certificates at OpenVPN startup is now treated as an error that causes the process to terminate.
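
A pre-upgrade check that covers both points above is sketched below as an added example; it is not code from OpenVPN or from this article. It flags a 2.4/2.5 build older than the fixed releases, flags `auth-gen-token` on such a build, and reports a `crl-verify` file that is absent and would now stop the server at startup. The function names and finding codes are hypothetical, and relative CRL paths are assumed to resolve against `base_dir`.

```python
import os
import re
import shlex

FIXED = {(2, 4): (2, 4, 11), (2, 5): (2, 5, 2)}  # fixed releases named in the article
# Constructed sample (not from a real server): unfixed build, absent CRL file.
SAMPLE = ("OpenVPN 2.5.1 x86_64-pc-linux-gnu",
          "port 1194\nauth-gen-token 3600\ncrl-verify /nonexistent/crl.pem\n")

def is_unfixed(banner):
    """True only for a 2.4/2.5 build older than its fixed release."""
    m = re.search(r"OpenVPN (\d+)\.(\d+)\.(\d+)", banner)
    version = tuple(map(int, m.groups())) if m else ()
    fixed = FIXED.get(version[:2])
    return fixed is not None and version < fixed

def directives(config_text):
    """Yield (name, args); an inline <name> block yields (name, None)."""
    inline = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline:  # inside an inline block: skip until its closing tag
            if line == "</%s>" % inline:
                inline = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inline = m.group(1)
            yield inline, None
        elif line and line[0] not in "#;":
            parts = shlex.split(line, comments=True)
            yield parts[0].lstrip("-"), parts[1:]

def audit(config_text, banner, base_dir="."):
    """Return finding codes. Assumption: relative CRL paths resolve against base_dir."""
    findings = []
    unfixed = is_unfixed(banner)
    if unfixed:
        findings.append("UPGRADE_FOR_CVE_2020_15078")
    for name, args in directives(config_text):
        if name == "auth-gen-token" and unfixed:
            findings.append("AUTH_GEN_TOKEN_ON_UNFIXED_BUILD")
        if name == "crl-verify" and args:
            if not os.path.exists(os.path.join(base_dir, args[0])):
                findings.append("CRL_MISSING:" + args[0])
    return findings
```

Pass the text printed by `openvpn --version` as `banner` and the server configuration file's contents as `config_text`; an empty list means none of the three conditions was found.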