OpenVPN 2.5.2 and 2.4.11 update with vulnerability fix

Corrective releases OpenVPN 2.5.2 and 2.4.11 have been prepared. OpenVPN is a package for creating virtual private networks: it can set up an encrypted connection between two client machines or provide a centralized VPN server serving multiple clients at once. The OpenVPN code is distributed under the GPLv2 license; pre-built binary packages are available for Debian, Ubuntu, CentOS, RHEL and Windows.

The new releases fix a vulnerability (CVE-2020-15078) that could allow a remote attacker to bypass authentication and access restrictions and leak VPN settings. The issue only affects servers configured to use deferred authentication (deferred_auth). Under certain circumstances, an attacker can force the server to return a PUSH_REPLY message containing the VPN settings before it sends the AUTH_FAILED message. In combination with the "--auth-gen-token" option, or with a user-supplied token-based authentication scheme, the vulnerability could lead to VPN access with a non-working account.
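As an added example (not code from the announcement or from the OpenVPN project), a small Python triage helper that classifies a server's exposure from its `openvpn --version` banner and its server config. The fixed version numbers are the ones named above; treating `auth-user-pass-verify` or `plugin` in the config as a sign that deferred authentication may be in use is an assumption, and the sample config is constructed.

```python
import re
# Fixed versions named in the announcement, keyed by release branch (major, minor).
FIXED = {(2, 5): (2, 5, 2), (2, 4): (2, 4, 11)}

# Constructed sample server config (not a real deployment).
SAMPLE_SERVER_CONF = """\
# deferred auth via an external script (assumption: this marks deferred_auth use)
auth-user-pass-verify /etc/openvpn/verify.sh via-env
auth-gen-token 3600
crl-verify /etc/openvpn/crl.pem
"""

def parse_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from the 'openvpn --version' banner."""
    m = re.search(r"OpenVPN\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no OpenVPN version found in banner")
    return tuple(int(x) for x in m.groups())

def version_is_fixed(ver: tuple):
    """True/False for the 2.5 and 2.4 branches; None for branches the announcement does not cover."""
    fixed = FIXED.get(ver[:2])
    return None if fixed is None else ver >= fixed

def config_directives(config_text: str) -> set:
    """Directive names in a config file, ignoring blank lines and '#'/';' comments."""
    names = set()
    for line in config_text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            names.add(line.split()[0].lstrip("-"))
    return names

def assess(banner: str, config_text: str) -> str:
    """Classify a server's exposure to CVE-2020-15078 from its version banner and config."""
    fixed = version_is_fixed(parse_version(banner))
    if fixed is None:
        return "unknown-branch"
    if fixed:
        return "patched"
    d = config_directives(config_text)
    # Heuristic (assumption): deferred auth comes from an auth-user-pass-verify script or a plugin.
    if not d & {"auth-user-pass-verify", "plugin"}:
        return "upgrade-advised"  # unpatched, but no sign of deferred_auth in this config
    # --auth-gen-token is the combination the announcement singles out as leading to VPN access.
    return "vulnerable-token" if "auth-gen-token" in d else "vulnerable"

if __name__ == "__main__":
    print(assess("OpenVPN 2.5.1 x86_64-pc-linux-gnu", SAMPLE_SERVER_CONF))  # vulnerable-token
```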

Among the non-security changes, the client and server now log more information about the negotiated TLS ciphers, including correct information about TLS 1.3 support and EC certificates. In addition, a missing CRL (certificate revocation list) file at OpenVPN startup is now treated as a fatal error that stops the process.

Source: opennet.ru