Announcements from OpenVPN involving bugs, updates, and new features.
Moderators: TinCanTech
-
uddr
- OpenVPN Inc.
- Posts: 3
- Joined: Tue Jan 24, 2023 8:31 am
Post
by uddr » Wed Mar 20, 2024 7:35 pm
The OpenVPN community project team is proud to release OpenVPN 2.6.10. This is a bugfix release containing several security fixes for Windows and Windows TAP driver and documentation updates.
Security fixes:
- CVE-2024-27459: Windows: fix a possible stack overflow in the interactive service component which might lead to a local privilege escalation. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
- CVE-2024-24974: Windows: disallow access to the interactive service pipe from remote computers. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
- CVE-2024-27903: Windows: disallow loading of plugins from untrusted installation paths, which could be used to attack openvpn.exe via a malicious plugin. Plugins can now only be loaded from the OpenVPN install directory, the Windows system directory, and possibly from a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
- CVE-2024-1305: Windows TAP driver: Fix potential integer overflow in TapSharedSendPacket. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
New features:
- t_client.sh can now run pre-tests and skip a test block if needed (e.g. skip NTLM proxy tests if SSL library does not support MD4)
User visible changes:
- Update copyright notices to 2024
Bug fixes:
- Windows: if the win-dco driver is used (default) and the GUI requests use of a proxy server, the connection would fail. Disable DCO in this case. (Github: #522)
- Compression: minor bugfix in checking option consistency vs. compiled-in algorithm support
- systemd unit files: remove obsolete syslog.target
Documentation:
- remove license warnings about mbedTLS linking (README.mbedtls)
- update documentation references in systemd unit files
- sample config files: remove obsolete tls-*.conf files
- document that auth-user-pass may be inlined
Windows MSI changes since 2.6.9:
- For the Windows-specific security fixes see above
- Built against OpenSSL 3.2.1
- Included tap6-windows driver updated to 9.27.0
- Included ovpn-dco-win driver updated to 1.0.1
- Ensure we don't pass too large key size to CryptoNG. We do not consider this a security issue since the CryptoNG API handles this gracefully either way.
- Included openvpn-gui updated to 11.48.0.0
- Position tray tooltip above the taskbar
- Combine title and message in tray icon tip text
- Use a custom tooltip window for the tray icon
Downloads
Useful resources
-
ukraine_lover
- OpenVpn Newbie
- Posts: 14
- Joined: Sat Jun 25, 2022 11:23 am
Post
by ukraine_lover » Thu Mar 21, 2024 1:12 pm
It is still showing version 2.6.9 for all files, but the signature date is 20.3.2024
-
ukraine_lover
- OpenVpn Newbie
- Posts: 14
- Joined: Sat Jun 25, 2022 11:23 am
Post
by ukraine_lover » Thu Mar 21, 2024 5:19 pm
If you go to the Relations tab, only one file is detected as a "trojan": it is installer.dll, and all other files are clean.
It is 100% false positive by some engines
-
CaNbl
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Mar 21, 2024 6:07 pm
Post
by CaNbl » Thu Mar 21, 2024 6:09 pm
ukraine_lover wrote: ↑Thu Mar 21, 2024 5:19 pm
If you go to the Relations tab, only one file is detected as a "trojan": it is installer.dll, and all other files are clean.
It is 100% false positive by some engines
Hello, this "false positive" doesn't exist in previous versions of OpenVPN, something's wrong with this one. The fact that the infected file is installer.dll makes it even more suspicious. I wouldn't recommend anyone to install this new version until we get official confirmation that the file isn't compromised.
-
ukraine_lover
- OpenVpn Newbie
- Posts: 14
- Joined: Sat Jun 25, 2022 11:23 am
Post
by ukraine_lover » Thu Mar 21, 2024 6:19 pm
CaNbl wrote: ↑Thu Mar 21, 2024 6:09 pm
ukraine_lover wrote: ↑Thu Mar 21, 2024 5:19 pm
If you go to the Relations tab, only one file is detected as a "trojan": it is installer.dll, and all other files are clean.
It is 100% false positive by some engines
Hello, this "false positive" doesn't exist in previous versions of OpenVPN, something's wrong with this one. The fact that the infected file is installer.dll makes it even more suspicious. I wouldn't recommend anyone to install this new version until we get official confirmation that the file isn't compromised.
https://www.virustotal.com/gui/file/64e ... e68512d422
The file was detected by 16 engines yesterday. Today only 12 engines detect it. And frankly none of the well-known AV companies detect it, except McAfee and Bitdefender, and lately these 2 companies have been giving me so many false positives that I don't trust them anymore.
Still, it is up to you to decide. But OpenVPN sure will release a new version soon, as this one is still showing 2.6.9 instead of 2.6.10
-
Bob65
- OpenVpn Newbie
- Posts: 2
- Joined: Thu Mar 21, 2024 11:14 am
Post
by Bob65 » Thu Mar 21, 2024 6:42 pm
CaNbl wrote: ↑Thu Mar 21, 2024 6:09 pm
ukraine_lover wrote: ↑Thu Mar 21, 2024 5:19 pm
If you go to the Relations tab, only one file is detected as a "trojan": it is installer.dll, and all other files are clean.
It is 100% false positive by some engines
Hello, this "false positive" doesn't exist in previous versions of OpenVPN, something's wrong with this one. The fact that the infected file is installer.dll makes it even more suspicious. I wouldn't recommend anyone to install this new version until we get official confirmation that the file isn't compromised.
I agree with that. The installer DLL is suspicious; the 2.6.9 installer is clean.
@ukraine_lover:
https://www.virustotal.com/gui/file/64e ... ?nocache=1
Actually, after forcing a rescan, this file's VT score is: 19/69
-
ukraine_lover
- OpenVpn Newbie
- Posts: 14
- Joined: Sat Jun 25, 2022 11:23 am
Post
by ukraine_lover » Thu Mar 21, 2024 7:00 pm
Bob65 wrote: ↑Thu Mar 21, 2024 6:42 pm
CaNbl wrote: ↑Thu Mar 21, 2024 6:09 pm
ukraine_lover wrote: ↑Thu Mar 21, 2024 5:19 pm
If you go to the Relations tab, only one file is detected as a "trojan": it is installer.dll, and all other files are clean.
It is 100% false positive by some engines
Hello, this "false positive" doesn't exist in previous versions of OpenVPN, something's wrong with this one. The fact that the infected file is installer.dll makes it even more suspicious. I wouldn't recommend anyone to install this new version until we get official confirmation that the file isn't compromised.
I agree with that. The installer DLL is suspicious; the 2.6.9 installer is clean.
@ukraine_lover:
https://www.virustotal.com/gui/file/64e ... ?nocache=1
Actually, after forcing a rescan, this file's VT score is: 19/69
Detection for the MSI installer went down to 10 engines; again, none of the well-known AV engines detect it so far
-
ranger
- OpenVpn Newbie
- Posts: 1
- Joined: Sun Apr 14, 2024 10:53 pm
Post
by ranger » Sun Apr 14, 2024 10:58 pm
I too am getting a bad signature on OpenVPN-2.6.10-I001-x86.msi. That is not good. May be a signing error or may be a hacked msi.
I'm not installing until there is some resolution. Note that OpenVPN-2.6.10-I001-amd64.msi verifies with no errors. Using gpg 2.4.5
gpg: Signature made 03/20/24 08:17:32 Eastern Daylight Time
gpg: using RSA key BE58F539D059B80631C1294A41D20965C2E82DC7
gpg: BAD signature from "OpenVPN - Security Mailing List <security@openvpn.net>" [full]
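The check described in the post above can be scripted so that a bad signature fails closed. This is an added example, not part of the original post or of OpenVPN's tooling: it reads gpg's machine-readable `--status-fd` output rather than the human-readable text, rejects BADSIG and related states, and pins the key fingerprint quoted in the gpg output above. The function names, the caller-supplied file paths and the sample status lines are assumptions constructed for illustration.

```python
import subprocess

# Fingerprint quoted in the gpg output above ("using RSA key ...").
PINNED_FPR = "BE58F539D059B80631C1294A41D20965C2E82DC7"
# Status keywords after which the file must not be trusted.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}
UID = "OpenVPN - Security Mailing List <security@openvpn.net>"

# Constructed status output (key id, timestamp and field values are illustrative).
BAD_SAMPLE = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 41D20965C2E82DC7 {UID}\n"
GOOD_SAMPLE = (
    f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG 41D20965C2E82DC7 {UID}\n"
    f"[GNUPG:] VALIDSIG {PINNED_FPR} 2024-03-20 1710937052 0 4 0 1 10 00 {PINNED_FPR}\n"
)


def judge_status(status_text, pinned_fpr=PINNED_FPR):
    """Return (ok, reason) for gpg --status-fd output."""
    good = False
    fprs = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in FATAL:
            return False, keyword  # fail closed on the first bad state
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # First field: signing (sub)key fingerprint; last: primary key.
            fprs.update({args[0].upper(), args[-1].upper()})
    if not good:
        return False, "no GOODSIG"
    if pinned_fpr.upper() not in fprs:
        return False, "unexpected signing key"
    return True, "GOODSIG from pinned key"


def verify_file(sig_path, file_path):
    """Run gpg on a detached signature (paths supplied by the caller)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return judge_status(proc.stdout)


if __name__ == "__main__":
    print(judge_status(BAD_SAMPLE), judge_status(GOOD_SAMPLE))
```

A GOODSIG alone only says the signature matches some key in the keyring; the fingerprint comparison is what ties it to the expected signer.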
-
ukraine_lover
- OpenVpn Newbie
- Posts: 14
- Joined: Sat Jun 25, 2022 11:23 am
Post
by ukraine_lover » Tue Apr 16, 2024 1:24 pm
The 1002 release is still showing 2.6.9 for all files instead of 2.6.10!
VirusTotal now shows zero detections
-
ukraine_lover
- OpenVpn Newbie
- Posts: 14
- Joined: Sat Jun 25, 2022 11:23 am
Post
by ukraine_lover » Tue Apr 23, 2024 7:03 pm
ukraine_lover wrote: ↑Tue Apr 16, 2024 1:24 pm
The 1002 release is still showing 2.6.9 for all files instead of 2.6.10!
VirusTotal now shows zero detections
I opened an issue
https://github.com/OpenVPN/openvpn/issues/536
Can anyone respond? Are we using version 2.6.9, as it says in the file properties, or is it version 2.6.10, as the installer name states?
-
ukraine_lover
- OpenVpn Newbie
- Posts: 14
- Joined: Sat Jun 25, 2022 11:23 am
Post
by ukraine_lover » Thu Jun 20, 2024 4:21 pm
2.6.11 fixes the issue; it now says 2.6.11
-
gasa1971
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Jun 20, 2024 10:51 pm
Post
by gasa1971 » Thu Jun 20, 2024 10:53 pm
Where do I find the file OpenVPN-2.6.10-I002-amd64.msi?