Corrective releases OpenVPN 2.5.6 and 2.4.12 have been prepared. OpenVPN is a package for creating virtual private networks that lets you set up an encrypted connection between two client machines or run a centralized VPN server that serves several clients simultaneously. The OpenVPN code is distributed under the GPLv2 license; ready-made binary packages are built for Debian, Ubuntu, CentOS, RHEL and Windows.
The new versions fix a vulnerability that could potentially allow authentication bypass through manipulation of external plugins that support deferred authentication (deferred_auth). The issue occurs when multiple plugins send deferred authentication responses, which allows an external user to gain access using incomplete credentials. Starting with OpenVPN 2.5.6 and 2.4.12, an attempt by more than one plugin to use deferred authentication results in an error.
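The rule introduced by the fix can be sketched as a small fail-closed aggregation of plugin verdicts. This is an added example, a simplified model and not OpenVPN's own code; the enum and function names are hypothetical, and the three outcomes stand for a plugin accepting, rejecting, or deferring its answer.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names; the three outcomes model what an auth plugin can answer. */
enum auth_result { AUTH_SUCCESS = 0, AUTH_ERROR = 1, AUTH_DEFERRED = 2 };

/*
 * Combine the verdicts of all auth plugins for one login attempt.
 * Simplified model of the rule described above, not OpenVPN's source.
 */
enum auth_result combine_plugin_results(const enum auth_result *results, size_t n)
{
    size_t deferred = 0;

    for (size_t i = 0; i < n; i++) {
        if (results[i] == AUTH_ERROR)
            return AUTH_ERROR;        /* any explicit rejection wins */
        if (results[i] == AUTH_DEFERRED)
            deferred++;
        else if (results[i] != AUTH_SUCCESS)
            return AUTH_ERROR;        /* unknown code: fail closed */
    }
    if (deferred > 1)
        return AUTH_ERROR;            /* more than one deferred reply: refuse */
    return deferred == 1 ? AUTH_DEFERRED : AUTH_SUCCESS;
}

int main(void)
{
    /* Constructed samples: two plugins per login attempt. */
    enum auth_result both_defer[] = { AUTH_DEFERRED, AUTH_DEFERRED };
    enum auth_result one_defers[] = { AUTH_SUCCESS, AUTH_DEFERRED };

    printf("both defer -> %d\n", combine_plugin_results(both_defer, 2));
    printf("one defers -> %d\n", combine_plugin_results(one_defers, 2));
    return 0;
}
```

A single deferring plugin alongside synchronous ones still works in this model; only the combination of several deferred replies is rejected.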
Other changes include a new plugin, sample-plugin/defer/multi-auth.c, which can be useful for testing the simultaneous use of different authentication plugins in order to avoid vulnerabilities similar to the one discussed above. On Linux, the "--mtu-disc maybe|yes" option has been improved. A memory leak in the route addition procedures has been fixed.
Source: opennet.ru
