Software update: OpenVPN 2.6.17
OpenVPN is a robust and easy-to-configure open-source VPN daemon that joins separate private networks together over an encrypted tunnel across the internet. Security relies on the OpenSSL library, which handles all encryption, authentication and certificate processing. Since version 2.6.15 the following changes and improvements have been made:
Bugfixes
- Windows/interactive service: fix erroneous exit on error that could be used by a local Windows user to achieve a local denial-of-service (CVE-2025-13751)

Security hardening
- Windows/interactive service: improve service pipe robustness against file access races (uuid) and access by unauthorized processes (ACL).
- Upgrade bundled build instruction (vcpkg and patch) for pkcs11-helper to 1.31, fixing a parser bug

Security fixes
- CVE-2025-13086: Fix memcmp check for the HMAC verification in the 3-way handshake. This bug renders the HMAC-based protection against state exhaustion on receiving spoofed TLS handshake packets in the OpenVPN server ineffective.

Code maintenance / Compat changes
- Adapt to new "encrypt-then-mac" cipher suites in OpenSSL 3.6.0 - these need special handling which we don't do, so the t_lpback self-test failed on them. Exclude them from the list of allowed ciphers, as there is no strong reason today to make OpenVPN use these.
- Fix various compile-time warnings

Documentation updates
- Fix outdated and non-HTTPS URLs throughout the tree (doxygen, warnings, manpage, ...)

Bugfixes
- Fix memcmp check for the HMAC verification in the 3-way handshake. This bug renders the HMAC-based protection against state exhaustion on receiving spoofed TLS handshake packets in the OpenVPN server ineffective. (CVE-2025-13086)
- Fix invalid pointer creation in tls_pre_decrypt() - technically this is a memory over-read issue; in practice the compilers optimize it away, so no negative effects could be observed.
- Windows: in the interactive service, fix the "undo DNS config" handling.
- Windows: in the interactive service, disallow use of "stdin" for the config file unless the caller is an authorized OpenVPN Administrator.
- Windows: in the interactive service, change all netsh calls to use the interface index rather than the interface name - this sidesteps all possible attack avenues with special characters in interface names.
- Windows: in the interactive service, improve error handling in some "unlikely to happen" paths.
- Auth plugin/script handling: properly check for errors in creation of $auth_failed_reason_file (arf).
- For incoming TCP connections, the close-on-exec option was applied to the wrong socket fd, leaking socket FDs to child processes.
- sitnl: set close-on-exec flag on netlink socket
- ssl_mbedtls: fix missing perf_pop() call (optional performance profiling)
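As an added illustration of the close-on-exec item above (example code, not OpenVPN's own), this C snippet shows why the flag must be set on the accepted connection fd rather than the listening socket, and verifies the result with fcntl(F_GETFD). The names accept_cloexec and leak_check are hypothetical helpers, and a socketpair stands in for a real listener/connection pair so the check runs offline.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 if FD_CLOEXEC is set on fd, 0 if not, -1 on error. */
int fd_has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : ((flags & FD_CLOEXEC) ? 1 : 0);
}

/* Set FD_CLOEXEC without clobbering other descriptor flags. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Hypothetical helper: the accepted connection fd, not the listening fd,
 * is the descriptor that must carry FD_CLOEXEC, because it is the one
 * still open when a per-client auth script or plugin is exec'd. */
int accept_cloexec(int listen_fd)
{
    int fd = accept(listen_fd, NULL, NULL);
    if (fd < 0) return -1;
    if (set_cloexec(fd) < 0) { close(fd); return -1; }
    return fd;
}

/* Self-check with a socketpair standing in for (listener, accepted).
 * Returns 1 if the connection fd would survive exec(), 0 if not, -1 on error. */
int leak_check(int mark_listener_only)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int listener = sv[0], conn = sv[1];
    set_cloexec(mark_listener_only ? listener : conn);  /* wrong fd vs right fd */
    int leaks = (fd_has_cloexec(conn) == 0);
    close(listener);
    close(conn);
    return leaks;
}

int main(void)
{
    printf("flag on listener only: connection fd leaks = %d\n", leak_check(1));
    printf("flag on accepted fd:   connection fd leaks = %d\n", leak_check(0));
    return 0;
}
```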
Source:
Tweakers.net