OpenVPN 2.6.13 has been released. OpenVPN is a package for creating virtual private networks that can set up an encrypted connection between two client machines or run a centralized VPN server for multiple clients. The new version fixes a security issue that caused a server-side buffer overflow. The vulnerability manifests when OpenVPN receives a login or password from a client that exceeds the USER_PASS_LEN value. A CVE identifier has not yet been assigned, and it is unclear how suitable this issue is for creating working exploits.
Among the non-security-related changes, the following can be noted:
- The client now sends the IV_PLAT_VER parameter, which contains information about the operating system release as returned by the uname() function and allows servers to collect statistics about the OS versions used by clients.
- On Linux systems, the systemd-ask-password process is now started with the "--timeout=0" parameter to disable the default 90-second timeout.
- Fixed memory leaks that occurred in FreeBSD.
- When running with the "--auth-nocache" option, authentication parameters for the proxy are now removed from memory after they have been used.
- On Windows, the client uses the CryptProtectMemory() function to securely store cached passwords and tokens in memory. A new API is used to obtain the dco-win driver version.
Source: opennet.ru
