Release of OpenVPN 2.5.6 and 2.4.12 with security fixes

Corrective releases OpenVPN 2.5.6 and 2.4.12 have been published. OpenVPN is a package for building virtual private networks that can establish an encrypted connection between two client machines or run a centralized VPN server serving many clients at once. The OpenVPN code is distributed under the GPLv2 license; prebuilt binary packages are available for Debian, Ubuntu, CentOS, RHEL and Windows.

The new versions fix a vulnerability that could allow authentication to be bypassed by manipulating external plugins that support deferred authentication mode (deferred_auth). The problem arises when more than one plugin returns a deferred authentication response, which could let a remote user gain access on the basis of credentials that had been only partially validated. Starting with OpenVPN 2.5.6 and 2.4.12, any attempt to use deferred authentication with multiple plugins results in an error.
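The following Python model, added here as an illustration and not taken from OpenVPN's code, shows the fail-closed aggregation that the fix describes: a session grants access only once every configured plugin has reported success, a late answer is accepted only from the plugin that actually deferred, and a second plugin trying to defer the same session is rejected as an error. The class layout and the plugin names used in it are assumptions.

```python
from enum import Enum
from typing import Dict, Iterable, Optional


class Verdict(Enum):
    SUCCESS = "success"
    FAILURE = "failure"
    DEFERRED = "deferred"   # the plugin will deliver its answer later (deferred_auth)


class MultipleDeferredAuth(RuntimeError):
    """Raised when a second plugin tries to defer the same session."""


class AuthSession:
    """Fail-closed aggregation of per-plugin verdicts (assumed, simplified model).

    Mirrors the behaviour described for 2.5.6/2.4.12: at most one plugin may
    defer, and access is granted only when every plugin reported SUCCESS.
    """

    def __init__(self, plugins: Iterable[str]) -> None:
        self.verdicts: Dict[str, Optional[Verdict]] = {p: None for p in plugins}
        self.deferring: Optional[str] = None   # plugin whose answer is pending

    def report(self, plugin: str, verdict: Verdict) -> None:
        """Record a plugin's immediate verdict; a second DEFERRED is an error."""
        if plugin not in self.verdicts:
            raise KeyError(f"unknown plugin {plugin!r}")
        if verdict is Verdict.DEFERRED:
            if self.deferring is not None and self.deferring != plugin:
                raise MultipleDeferredAuth(
                    f"{plugin} deferred, but {self.deferring} already deferred")
            self.deferring = plugin
        self.verdicts[plugin] = verdict

    def complete_deferred(self, plugin: str, verdict: Verdict) -> None:
        """Accept the late answer, but only from the plugin that deferred."""
        if plugin != self.deferring:
            raise PermissionError(f"{plugin} did not defer; late answer rejected")
        if verdict is Verdict.DEFERRED:
            raise ValueError("a deferred plugin must finish with SUCCESS or FAILURE")
        self.verdicts[plugin] = verdict
        self.deferring = None

    def decision(self) -> Optional[bool]:
        """False on any FAILURE, True only when all SUCCESS, None while pending."""
        values = list(self.verdicts.values())
        if any(v is Verdict.FAILURE for v in values):
            return False
        if all(v is Verdict.SUCCESS for v in values):
            return True
        return None
```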

Other changes include a new sample plugin, sample-plugin/defer/multi-auth.c, which can be used to test the simultaneous use of several authentication plugins and so help avoid vulnerabilities like the one described above in the future. On Linux, the behaviour of the "--mtu-disc maybe|yes" option has been adjusted. A memory leak in the route-adding code has been fixed.

Source: opennet.ru