OpenVPN 2.6.10 released

[uddr]

The OpenVPN community project team is proud to release OpenVPN 2.6.10. This is a bugfix release containing several security fixes for Windows and Windows TAP driver and documentation updates.

• For details see ​Changes.rst

Security fixes:

• ​​CVE-2024-27459: Windows: fix a possible stack overflow in the interactive service component which might lead to a local privilege escalation. Reported-by: Vladimir Tokarev <​vtokarev@microsoft.com>
• ​​CVE-2024-24974: Windows: disallow access to the interactive service pipe from remote computers. Reported-by: Vladimir Tokarev <​vtokarev@microsoft.com>
  ​
• ​CVE-2024-27903: Windows: disallow loading of plugins from untrusted installation paths, which could be used to attack openvpn.exe via a malicious plugin. Plugins can now only be loaded from the OpenVPN install directory, the Windows system directory, and possibly from a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir. Reported-by: Vladimir Tokarev <​vtokarev@microsoft.com>
  ​
• ​CVE-2024-1305: Windows TAP driver: Fix potential integer overflow in TapSharedSendPacket. Reported-by: Vladimir Tokarev <​vtokarev@microsoft.com>

New features:

• t_client.sh can now run pre-tests and skip a test block if needed (e.g. skip NTLM proxy tests if SSL library does not support MD4)

User visible changes:

• Update copyright notices to 2024

Bug fixes:

• Windows: if the win-dco driver is used (default) and the GUI requests use of a proxy server, the connection would fail. Disable DCO in this case. (Github: ​#522)
• Compression: minor bugfix in checking option consistency vs. compiled-in algorithm support
• systemd unit files: remove obsolete syslog.target

Documentation:

• remove license warnings about mbedTLS linking (README.mbedtls)
• update documentation references in systemd unit files
• sample config files: remove obsolete tls-*.conf files
• document that auth-user-pass may be inlined

Windows MSI changes since 2.6.9:

• For the Windows-specific security fixes see above
• Built against OpenSSL 3.2.1
• Included tap6-windows driver updated to 9.27.0
  • Security fix, see above
• Included ovpn-dco-win driver updated to 1.0.1
  • Ensure we don't pass too large key size to CryptoNG. We do not consider this a security issue since the CryptoNG API handles this gracefully either way.
• Included openvpn-gui updated to 11.48.0.0
  • Position tray tooltip above the taskbar
  • Combine title and message in tray icon tip text
  • Use a custom tooltip window for the tray icon

Downloads

• Windows installers
• Official OpenVPN Linux package repositories
• Source archive file

Useful resources

• Documentation
• Community wiki
• Report issues
• User mailing list
• Easy RSA 3 HOWTO
• User IRC channel: #openvpn at irc.libera.chat

[Bob65]

Hi there, i dont known how to report this:

Official installer of OpenVPN (Community) v2.6.10-i001 Win x64 amd:

h***s://www.virustotal.com/gui/file/013fcdda42e ... /detection

[ukraine_lover]

It is still showing version 2.6.9 for all files, but the signature date is 20.3.2024

[ukraine_lover]

Hi there, i dont known how to report this:

Official installer of OpenVPN (Community) v2.6.10-i001 Win x64 amd:

h***s://www.virustotal.com/gui/file/013fcdda42e ... /detection

If you go to relation tab, it is only one file detected as a "trojan", it is installer.dll and all other files are clean.

It is 100% false positive by some engines

[CaNbl]

If you go to relation tab, it is only one file detected as a "trojan", it is installer.dll and all other files are clean.

It is 100% false positive by some engines

Hello, this "false positive" doesn't exist in previous versions of OpenVPN, something's wrong with this one. The fact that the infected file is installer.dll makes it even more suspicious. I wouldn't recommend anyone to install this new version until we got official confirmation that the file isn't compromised.

[ukraine_lover]

If you go to relation tab, it is only one file detected as a "trojan", it is installer.dll and all other files are clean.

It is 100% false positive by some engines

Hello, this "false positive" doesn't exist in previous versions of OpenVPN, something's wrong with this one. The fact that the infected file is installer.dll makes it even more suspicious. I wouldn't recommend anyone to install this new version until we got official confirmation that the file isn't compromised.

https://www.virustotal.com/gui/file/64e ... e68512d422

The file was detected by 16 engine yesterday. Today only 12 engine detect it. And frankly none of the well known AV companies detect it, except McAfee and Bitdefender, and lately these 2 companies has been giving me so much false positives so much so I don't trust them anymore.

Still, It is up to you to decide. But OpenVPN sure will release a new version soon, as this one is still showing 2.6.9 instead of 2.6.10

[Bob65]

If you go to relation tab, it is only one file detected as a "trojan", it is installer.dll and all other files are clean.

It is 100% false positive by some engines

Hello, this "false positive" doesn't exist in previous versions of OpenVPN, something's wrong with this one. The fact that the infected file is installer.dll makes it even more suspicious. I wouldn't recommend anyone to install this new version until we got official confirmation that the file isn't compromised.

I agreed with that. Installer dll’s is suspicious, the 2.6.9 installer is clean.

@ukraine_lover:

https://www.virustotal.com/gui/file/64e ... ?nocache=1

actually, after force to rescan this file is VT score is: 19/69

[ukraine_lover]

If you go to relation tab, it is only one file detected as a "trojan", it is installer.dll and all other files are clean.

It is 100% false positive by some engines

Hello, this "false positive" doesn't exist in previous versions of OpenVPN, something's wrong with this one. The fact that the infected file is installer.dll makes it even more suspicious. I wouldn't recommend anyone to install this new version until we got official confirmation that the file isn't compromised.

I agreed with that. Installer dll’s is suspicious, the 2.6.9 installer is clean.

@ukraine_lover:

https://www.virustotal.com/gui/file/64e ... ?nocache=1

actually, after force to rescan this file is VT score is: 19/69

Detection for the MSI installer went down to 10 engines, again known of the well known AV engines detect it so far

[fsd]

hi, after several downloads (msi and sig) I get "BAD signature" message for file "https://swupdate.openvpn.org/community/ ... 01-x86.msi" , gpg 2.4.5 is used, other files arm64, amd64 and source are OK

[ranger]

I too am getting a bad signature on OpenVPN-2.6.10-I001-x86.msi. That is not good. May be a signing error or may be a hacked msi.
I'm not installing until there is some resolution. Note that OpenVPN-2.6.10-I001-amd64.msi verifies with no errors. Using gpg 2.4.5
gpg: Signature made 03/20/24 08:17:32 Eastern Daylight Time
gpg: using RSA key BE58F539D059B80631C1294A41D20965C2E82DC7
gpg: BAD signature from "OpenVPN - Security Mailing List <security@openvpn.net>" [full]

[ukraine_lover]

the 1002 release is still showing 2.6.9 for all files instead of 2.6.10!

virustotal shows now zero detection

[ukraine_lover]

the 1002 release is still showing 2.6.9 for all files instead of 2.6.10!

virustotal shows now zero detection

I opened an issue https://github.com/OpenVPN/openvpn/issues/536

Can anyone response?, are we using the version 2.6.9 as it says in the files properties, or is it version 2.6.10 as the installer name stats?