A patch release of OpenVPN 2.5.3, a package for creating virtual private networks, has been prepared, which allows you to organize an encrypted connection between two client machines or provide a centralized VPN server for multiple clients to work simultaneously. The OpenVPN code is distributed under the GPLv2 license, ready-made binary packages are formed for Debian, Ubuntu, CentOS, RHEL and Windows.
The new version fixes a vulnerability (CVE-2021-3606) that occurs only in the assembly for the Windows platform. The vulnerability allows downloading OpenSSL configuration files from third-party writable directories to change encryption settings. In the new version, downloading of OpenSSL configuration files is completely disabled.
Non-security changes include the addition of the "--auth-token-user" option (similar to "--auth-token" but without the use of "--auth-user-pass"), improved build process for Windows, improved support for the mbedtls library, and updating copyright notices in the code (cosmetic changes).
Additionally, we can note that Opera has disabled its VPN for Russian users at the request of Roskomnadzor. At the moment, VPN functionality has stopped working in beta and developer versions of the browser. Roskomnadzor argues that the restrictions are necessary to βrespond to threats to bypass restrictions on access to child pornography, suicidal, pro-drug and other prohibited content.β In addition to Opera VPN, the blocking is also applied to the VyprVPN service.
Earlier, Roskomnadzor sent out a warning to 10 VPN services with the requirement to βconnect to the state information system (FSIS)β to block access to resources prohibited in the Russian Federation, Opera VPN and VyprVPN were among them. 9 out of 10 services ignored the requirement or refused to cooperate with Roskomnadzor (NordVPN, Hide My Ass!, Hola VPN, OpenVPN, VyprVPN, ExpressVPN, TorGuard, IPVanish, VPN Unlimited). Only Kaspersky Secure Connection fulfilled the requirements.
Source: opennet.ru