OpenVPN 2.5.2 and 2.4.11 updates with a vulnerability fix

Corrective releases OpenVPN 2.5.2 and 2.4.11 have been prepared. OpenVPN is a package for creating virtual private networks that lets you set up an encrypted connection between two client machines or run a centralized VPN server serving many clients at once. The OpenVPN code is distributed under the GPLv2 license, and ready-made binary packages are built for Debian, Ubuntu, CentOS, RHEL and Windows.

The new releases fix a vulnerability (CVE-2020-15078) that allows a remote attacker to bypass authentication and access restrictions in order to leak VPN settings. The problem appears only on servers configured to use deferred_auth. Under certain circumstances, an attacker can force the server to return a PUSH_REPLY message containing data about the VPN settings before it sends the AUTH_FAILED message. When combined with the --auth-gen-token parameter, or with a user's own token-based authentication scheme, the vulnerability can result in someone gaining access to the VPN using a non-working account.
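A detection sketch for the sequence described above, added here as an example and not taken from the OpenVPN project: it scans a server log for a peer that was sent PUSH_REPLY and then AUTH_FAILED shortly afterwards. The log line shape, the 60-second window and the sample lines are assumptions constructed for illustration; hits are triage leads, not proof of exploitation.

```python
import re
from datetime import datetime

# Assumed line shape (default OpenVPN timestamps, control messages logged):
#   <timestamp> [cn/]ip:port SENT CONTROL [cn]: '<message>' (status=N)
SENT = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (?P<peer>\S+) "
    r"SENT CONTROL \[[^\]]*\]: '(?P<msg>PUSH_REPLY|AUTH_FAILED)\b"
)

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = """\
Wed Apr 21 10:00:01 2021 198.51.100.7:51820 PUSH: Received control message: 'PUSH_REQUEST'
Wed Apr 21 10:00:02 2021 198.51.100.7:51820 SENT CONTROL [UNDEF]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0' (status=1)
Wed Apr 21 10:00:03 2021 198.51.100.7:51820 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Wed Apr 21 10:05:00 2021 alice/203.0.113.9:40000 SENT CONTROL [alice]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0' (status=1)
Wed Apr 21 10:06:00 2021 192.0.2.44:1194 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Wed Apr 21 11:05:00 2021 alice/203.0.113.9:40000 SENT CONTROL [alice]: 'AUTH_FAILED' (status=1)
"""

def push_before_auth_failed(log_text, window_s=60):
    """Return (peer, gap_seconds) for each peer that was sent PUSH_REPLY and
    then AUTH_FAILED within window_s seconds. The window keeps an ordinary
    session whose re-authentication fails much later out of the results."""
    last_push = {}  # peer address -> time of the most recent PUSH_REPLY
    hits = []
    for line in log_text.splitlines():
        m = SENT.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        # Drop an optional "commonname/" prefix so both lines key on ip:port.
        peer = m["peer"].rsplit("/", 1)[-1]
        if m["msg"] == "PUSH_REPLY":
            last_push[peer] = when
        elif peer in last_push:  # AUTH_FAILED after an earlier PUSH_REPLY
            gap = (when - last_push.pop(peer)).total_seconds()
            if 0 <= gap <= window_s:
                hits.append((peer, gap))
    return hits

if __name__ == "__main__":
    for peer, gap in push_before_auth_failed(SAMPLE_LOG):
        print(f"{peer}: PUSH_REPLY sent {gap:.0f}s before AUTH_FAILED")
```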

Among the non-security changes is expanded output of information about the TLS ciphers negotiated for use by the client and server, including improved information about TLS 1.3 support and EC certificates. In addition, a missing CRL file with the certificate revocation list at OpenVPN startup is now treated as an error that leads to termination.

source: budenet.ru
