OpenVPN 2.4.9 update

A corrective release of OpenVPN 2.4.9, a package for creating virtual private networks, has been published. The new version fixes a vulnerability (CVE-2020-11810) that could allow a client session to be transferred to a new IP address that was not previously authorized. The problem can be used to interrupt a newly connected client at the stage when the peer-id has already been generated but the negotiation of session keys has not yet completed (one client can stop the sessions of other clients).

Among other changes:

  • On Windows, Unicode search strings are now allowed in the "--cryptoapicert" option;
  • Expired certificates in the Windows certificate store are now skipped;
  • Fixed the inability to load several CRLs (Certificate Revocation Lists) stored in one file when using the "--crl-verify" option on systems with OpenSSL;
  • When the "--auth-user-pass file" option is used and the file contains only the username, requesting the password now requires a credential-management interface (OpenVPN no longer prompts for the password on the console);
  • Changed the order of checks for interactive service users (on Windows, the location of the configuration is checked first, and only then is the request sent to the domain controller);
  • Fixed build issues on FreeBSD when using the "--enable-async-push" flag.

Source: opennet.ru
