OpenVPN 2.5.6 and 2.4.12 released with a vulnerability fix

Corrective releases OpenVPN 2.5.6 and 2.4.12 have been prepared. OpenVPN is a package for creating virtual private networks; it can set up an encrypted connection between two client machines or run a centralized VPN server that serves several clients simultaneously. The OpenVPN code is distributed under the GPLv2 license, and ready-made binary packages are built for Debian, Ubuntu, CentOS, RHEL and Windows.

The new versions fix a vulnerability that could potentially allow authentication to be bypassed by manipulating external plugins that support deferred authentication (deferred_auth). The problem occurs when several plugins send deferred authentication responses, which allows an external user to gain access with credentials that are not fully correct. Starting with OpenVPN 2.5.6 and 2.4.12, attempts by several plugins to use deferred authentication result in an error.
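An added example, not part of the original article or the OpenVPN project's code: a small audit that flags server configurations loading more than one plugin on a release older than the fixed versions named above. The sample banner, config and plugin paths are constructed, and the script cannot tell whether a plugin actually uses deferred authentication, so a "review" result still needs a manual check of the plugins involved.

```python
import re

# Fixed releases named in the article, keyed by release branch.
FIXED = {(2, 4): (2, 4, 12), (2, 5): (2, 5, 6)}

# Constructed sample config; the plugin paths are hypothetical.
SAMPLE_CONFIG = """\
port 1194
proto udp
# plugin /opt/example/disabled.so
plugin /opt/example/auth-ldap.so
plugin /opt/example/auth-otp.so "some-arg"
"""

def parse_version(banner):
    """Pull (major, minor, patch) out of `openvpn --version` style text."""
    m = re.search(r"OpenVPN\s+(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def plugin_modules(config_text):
    """Return the module path of every active `plugin` directive."""
    modules = []
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0][0] in "#;":   # blank line or comment
            continue
        if parts[0].lstrip("-") == "plugin" and len(parts) > 1:
            modules.append(parts[1])
    return modules

def assess(banner, config_text):
    """Classify a server: single-plugin, patched, review or unknown-branch."""
    if len(plugin_modules(config_text)) < 2:
        return "single-plugin"      # the multi-plugin condition cannot arise
    version = parse_version(banner)
    fixed = FIXED.get(version[:2]) if version else None
    if fixed is None:
        return "unknown-branch"     # the article names no fix for this branch
    # Per the article, fixed builds reject multiple deferred-auth plugins.
    return "patched" if version >= fixed else "review"

if __name__ == "__main__":
    # Constructed banner in the format printed by `openvpn --version`.
    print(assess("OpenVPN 2.5.5 x86_64-pc-linux-gnu", SAMPLE_CONFIG))  # review
```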

Other changes include the new sample plugin sample-plugin/defer/multi-auth.c, which can be useful for organizing the simultaneous use of different authentication plugins in a way that avoids vulnerabilities like the one described above. On the Linux platform, the "--mtu-disc maybe|yes" option now works correctly. Memory leaks in the route-adding procedures have been fixed.
