OpenVPN 2.6.10 released

Announcements from OpenVPN involving bugs, updates, and new features.

uddr
OpenVPN Inc.
Posts: 3
Joined: Tue Jan 24, 2023 8:31 am

OpenVPN 2.6.10 released

Post by uddr » Wed Mar 20, 2024 7:35 pm

The OpenVPN community project team is proud to release OpenVPN 2.6.10. This is a bugfix release containing several security fixes for Windows and the Windows TAP driver, and documentation updates.
Security fixes:
  • CVE-2024-27459: Windows: fix a possible stack overflow in the interactive service component which might lead to a local privilege escalation. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
  • CVE-2024-24974: Windows: disallow access to the interactive service pipe from remote computers. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
  • CVE-2024-27903: Windows: disallow loading of plugins from untrusted installation paths, which could be used to attack openvpn.exe via a malicious plugin. Plugins can now only be loaded from the OpenVPN install directory, the Windows system directory, and possibly from a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
  • CVE-2024-1305: Windows TAP driver: Fix potential integer overflow in TapSharedSendPacket. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
New features:
  • t_client.sh can now run pre-tests and skip a test block if needed (e.g. skip NTLM proxy tests if SSL library does not support MD4)
User visible changes:
  • Update copyright notices to 2024
Bug fixes:
  • Windows: if the win-dco driver is used (default) and the GUI requests use of a proxy server, the connection would fail. Disable DCO in this case. (Github: #522)
  • Compression: minor bugfix in checking option consistency vs. compiled-in algorithm support
  • systemd unit files: remove obsolete syslog.target
Documentation:
  • remove license warnings about mbedTLS linking (README.mbedtls)
  • update documentation references in systemd unit files
  • sample config files: remove obsolete tls-*.conf files
  • document that auth-user-pass may be inlined
Windows MSI changes since 2.6.9:
  • For the Windows-specific security fixes see above
  • Built against OpenSSL 3.2.1
  • Included tap6-windows driver updated to 9.27.0
    • Security fix, see above
  • Included ovpn-dco-win driver updated to 1.0.1
    • Ensure we don't pass too large key size to CryptoNG. We do not consider this a security issue since the CryptoNG API handles this gracefully either way.
  • Included openvpn-gui updated to 11.48.0.0
    • Position tray tooltip above the taskbar
    • Combine title and message in tray icon tip text
    • Use a custom tooltip window for the tray icon


Bob65
OpenVpn Newbie
Posts: 2
Joined: Thu Mar 21, 2024 11:14 am

Re: OpenVPN 2.6.10 released

Post by Bob65 » Thu Mar 21, 2024 11:36 am

Hi there, I don't know how to report this:

Official installer of OpenVPN (Community) v2.6.10-i001 Win x64 amd:

h***s://www.virustotal.com/gui/file/013fcdda42e ... /detection

ukraine_lover
OpenVpn Newbie
Posts: 14
Joined: Sat Jun 25, 2022 11:23 am

Re: OpenVPN 2.6.10 released

Post by ukraine_lover » Thu Mar 21, 2024 1:12 pm

It is still showing version 2.6.9 for all files, but the signature date is 20.3.2024.

ukraine_lover
OpenVpn Newbie
Posts: 14
Joined: Sat Jun 25, 2022 11:23 am

Re: OpenVPN 2.6.10 released

Post by ukraine_lover » Thu Mar 21, 2024 5:19 pm

Bob65 wrote:
Thu Mar 21, 2024 11:36 am
Hi there, I don't know how to report this:

Official installer of OpenVPN (Community) v2.6.10-i001 Win x64 amd:

h***s://www.virustotal.com/gui/file/013fcdda42e ... /detection
If you go to the Relations tab, only one file is detected as a "trojan": it is installer.dll, and all other files are clean.

It is 100% false positive by some engines

CaNbl
OpenVpn Newbie
Posts: 1
Joined: Thu Mar 21, 2024 6:07 pm

Re: OpenVPN 2.6.10 released

Post by CaNbl » Thu Mar 21, 2024 6:09 pm

ukraine_lover wrote:
Thu Mar 21, 2024 5:19 pm
If you go to the Relations tab, only one file is detected as a "trojan": it is installer.dll, and all other files are clean.

It is 100% false positive by some engines
Hello, this "false positive" doesn't exist in previous versions of OpenVPN; something's wrong with this one. The fact that the infected file is installer.dll makes it even more suspicious. I wouldn't recommend anyone install this new version until we get official confirmation that the file isn't compromised.

ukraine_lover
OpenVpn Newbie
Posts: 14
Joined: Sat Jun 25, 2022 11:23 am

Re: OpenVPN 2.6.10 released

Post by ukraine_lover » Thu Mar 21, 2024 6:19 pm

CaNbl wrote:
Thu Mar 21, 2024 6:09 pm
ukraine_lover wrote:
Thu Mar 21, 2024 5:19 pm
If you go to the Relations tab, only one file is detected as a "trojan": it is installer.dll, and all other files are clean.

It is 100% false positive by some engines
Hello, this "false positive" doesn't exist in previous versions of OpenVPN; something's wrong with this one. The fact that the infected file is installer.dll makes it even more suspicious. I wouldn't recommend anyone install this new version until we get official confirmation that the file isn't compromised.
https://www.virustotal.com/gui/file/64e ... e68512d422

The file was detected by 16 engines yesterday. Today only 12 engines detect it. And frankly none of the well-known AV companies detect it, except McAfee and Bitdefender, and lately these two companies have been giving me so many false positives that I don't trust them anymore.

Still, it is up to you to decide. But OpenVPN will surely release a new version soon, as this one is still showing 2.6.9 instead of 2.6.10.

Bob65
OpenVpn Newbie
Posts: 2
Joined: Thu Mar 21, 2024 11:14 am

Re: OpenVPN 2.6.10 released

Post by Bob65 » Thu Mar 21, 2024 6:42 pm

CaNbl wrote:
Thu Mar 21, 2024 6:09 pm
ukraine_lover wrote:
Thu Mar 21, 2024 5:19 pm
If you go to the Relations tab, only one file is detected as a "trojan": it is installer.dll, and all other files are clean.

It is 100% false positive by some engines
Hello, this "false positive" doesn't exist in previous versions of OpenVPN; something's wrong with this one. The fact that the infected file is installer.dll makes it even more suspicious. I wouldn't recommend anyone install this new version until we get official confirmation that the file isn't compromised.
I agree with that. The installer DLL is suspicious; the 2.6.9 installer is clean.

@ukraine_lover:

https://www.virustotal.com/gui/file/64e ... ?nocache=1

Actually, after forcing a rescan of this file, the VT score is 19/69.

ukraine_lover
OpenVpn Newbie
Posts: 14
Joined: Sat Jun 25, 2022 11:23 am

Re: OpenVPN 2.6.10 released

Post by ukraine_lover » Thu Mar 21, 2024 7:00 pm

Bob65 wrote:
Thu Mar 21, 2024 6:42 pm
CaNbl wrote:
Thu Mar 21, 2024 6:09 pm
ukraine_lover wrote:
Thu Mar 21, 2024 5:19 pm
If you go to the Relations tab, only one file is detected as a "trojan": it is installer.dll, and all other files are clean.

It is 100% false positive by some engines
Hello, this "false positive" doesn't exist in previous versions of OpenVPN; something's wrong with this one. The fact that the infected file is installer.dll makes it even more suspicious. I wouldn't recommend anyone install this new version until we get official confirmation that the file isn't compromised.
I agree with that. The installer DLL is suspicious; the 2.6.9 installer is clean.

@ukraine_lover:

https://www.virustotal.com/gui/file/64e ... ?nocache=1

Actually, after forcing a rescan of this file, the VT score is 19/69.
Detection for the MSI installer went down to 10 engines; again, none of the well-known AV engines detect it so far.

fsd
OpenVpn Newbie
Posts: 1
Joined: Tue Apr 02, 2024 3:54 pm

Re: OpenVPN 2.6.10 released

Post by fsd » Tue Apr 02, 2024 3:59 pm

Hi, after several downloads (MSI and sig) I get a "BAD signature" message for the file "https://swupdate.openvpn.org/community/ ... 01-x86.msi". gpg 2.4.5 is used; the other files (arm64, amd64 and source) are OK.

ranger
OpenVpn Newbie
Posts: 1
Joined: Sun Apr 14, 2024 10:53 pm

Re: OpenVPN 2.6.10 released

Post by ranger » Sun Apr 14, 2024 10:58 pm

I too am getting a bad signature on OpenVPN-2.6.10-I001-x86.msi. That is not good. It may be a signing error or it may be a hacked MSI.
I'm not installing until there is some resolution. Note that OpenVPN-2.6.10-I001-amd64.msi verifies with no errors. Using gpg 2.4.5:
gpg: Signature made 03/20/24 08:17:32 Eastern Daylight Time
gpg: using RSA key BE58F539D059B80631C1294A41D20965C2E82DC7
gpg: BAD signature from "OpenVPN - Security Mailing List <security@openvpn.net>" [full]
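A scripted form of the check the two posts above run by hand, added here as an example and not code from the OpenVPN project: it reads gpg's machine-readable status lines instead of the "Good/BAD signature" text, pins the key fingerprint that the quoted gpg output names, and fails closed on anything else. The `.asc` naming of the detached signature and the gpg options are assumptions about how the artifacts were downloaded.

```shell
#!/bin/sh
# Added example, not code from the OpenVPN project: verify a downloaded release
# artifact against its detached signature, pinning the expected signing-key
# fingerprint and failing closed on anything other than a clean VALIDSIG.
# Assumptions: gpg 2.x is installed, the OpenVPN security key is imported, and
# the signature sits next to the artifact as <file>.asc (placeholder naming).

# Fingerprint of the key that the gpg output quoted in this thread names.
EXPECTED_FPR="BE58F539D059B80631C1294A41D20965C2E82DC7"

# Read gpg --status-fd lines on stdin and decide whether the signature is
# acceptable. Accepts only when a VALIDSIG line names the pinned fingerprint
# (as signing key or as primary key) and no BADSIG/ERRSIG/expiry/revocation
# status was seen. Prints a one-line verdict; the return code is the decision.
check_gpg_status() {
    expected="$1"
    valid_fpr=""
    primary=""
    bad=0
    while IFS=' ' read -r tag arg1 arg2 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue      # ignore non-status lines
        case "$arg1" in
            VALIDSIG)
                valid_fpr="$arg2"                # fingerprint of the signing (sub)key
                primary="${rest##* }" ;;         # last field: primary key fingerprint
            BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
                bad=1 ;;
        esac
    done
    if [ "$bad" -ne 0 ]; then
        printf 'FAIL bad or unverifiable signature\n'
        return 1
    fi
    if [ -n "$valid_fpr" ] && { [ "$valid_fpr" = "$expected" ] || [ "$primary" = "$expected" ]; }; then
        printf 'OK %s\n' "$valid_fpr"
        return 0
    fi
    printf 'FAIL no valid signature by %s\n' "$expected"
    return 1
}

# Verify one artifact: gpg's status stream goes to stdout (fd 1) and into the
# policy above; its human-readable messages stay on stderr for the operator.
verify_release_file() {
    file="$1"
    sig="${2:-$1.asc}"
    gpg --batch --status-fd 1 --verify "$sig" "$file" | check_gpg_status "$EXPECTED_FPR"
}

# Usage (not run here): verify_release_file OpenVPN-2.6.10-I001-x86.msi
```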

ukraine_lover
OpenVpn Newbie
Posts: 14
Joined: Sat Jun 25, 2022 11:23 am

Re: OpenVPN 2.6.10 released

Post by ukraine_lover » Tue Apr 16, 2024 1:24 pm

The I002 release is still showing 2.6.9 for all files instead of 2.6.10!

VirusTotal now shows zero detections.

ukraine_lover
OpenVpn Newbie
Posts: 14
Joined: Sat Jun 25, 2022 11:23 am

Re: OpenVPN 2.6.10 released

Post by ukraine_lover » Tue Apr 23, 2024 7:03 pm

ukraine_lover wrote:
Tue Apr 16, 2024 1:24 pm
The I002 release is still showing 2.6.9 for all files instead of 2.6.10!

VirusTotal now shows zero detections.
I opened an issue https://github.com/OpenVPN/openvpn/issues/536

Can anyone respond? Are we using version 2.6.9 as it says in the file properties, or is it version 2.6.10 as the installer name states?

ukraine_lover
OpenVpn Newbie
Posts: 14
Joined: Sat Jun 25, 2022 11:23 am

Re: OpenVPN 2.6.10 released

Post by ukraine_lover » Thu Jun 20, 2024 4:21 pm

2.6.11 fixes the issue; it now says 2.6.11.

gasa1971
OpenVpn Newbie
Posts: 1
Joined: Thu Jun 20, 2024 10:51 pm

Re: OpenVPN 2.6.10 released

Post by gasa1971 » Thu Jun 20, 2024 10:53 pm

Where do I find the file OpenVPN-2.6.10-I002-amd64.msi?

ukraine_lover
OpenVpn Newbie
Posts: 14
Joined: Sat Jun 25, 2022 11:23 am

Re: OpenVPN 2.6.10 released

Post by ukraine_lover » Fri Jun 21, 2024 3:34 am

gasa1971 wrote:
Thu Jun 20, 2024 10:53 pm
Where do I find the file OpenVPN-2.6.10-I002-amd64.msi?
Here https://openvpn.net/community-downloads/

But why would you want to download 2.6.10 when 2.6.11 was released with CVE fixes?
