From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Cc: Adolf Belka <adolf.belka@ipfire.org>
Subject: [PATCH] openvpn: Update to version 2.6.16
Date: Sat, 22 Nov 2025 20:45:04 +0100
Message-ID: <20251122194504.2951584-1-adolf.belka@ipfire.org>

- Update from version 2.6.15 to 2.6.16
- No change to rootfile
- Changelog
    2.6.16
      Security fixes:
        - CVE-2025-13086: Fix memcmp check for the hmac verification in the 3way
          handshake. This bug renders the HMAC based protection against state
          exhaustion on receiving spoofed TLS handshake packets in the OpenVPN
          server inefficient.
      Bug fixes:
        - fix invalid pointer creation in tls_pre_decrypt() - technically this is a
          memory over-read issue, in practice, the compilers optimize it away so
          no negative effects could be observed.
        - Windows: in the interactive service, fix the "undo DNS config" handling.
        - Windows: in the interactive service, disallow using of "stdin" for the
          config file, unless the caller is authorized OpenVPN Administrator
        - Windows: in the interactive service, change all netsh calls to use
          interface index and not interface name - sidesteps all possible attack
          avenues with special characters in interface names.
        - Windows: in the interactive service, improve error handling in some
          "unlikely to happen" paths.
        - auth plugin/script handling: properly check for errors in creation on
          $auth_failed_reason_file (arf).
        - for incoming TCP connections, close-on-exec option was applied to the wrong
          socket fd, leaking socket FDs to child processes.
        - sitnl: set close-on-exec flag on netlink socket
        - ssl_mbedtls: fix missing perf_pop() call (optional performance profiling)
      Windows MSI changes since 2.6.15-I001:
        - Built against OpenSSL 3.6.0
        - Included openvpn-gui updated to 11.58.0.0
            - Check the return value of GetProp()
            - Make config path check similar to that in interactive service
            - Escape the type id of password message received from openvpn
            - Add a message source for event logging
            - Check correct management daemon path when OpenVPN3 is enabled
            - Fix OpenVPN3 radio button label size when OVPN3 is enabled
            - Use GetTempPath() for debug file in plap as well
            - Migrate all saved plain usernames to encrypted format
        - Included win-dco driver updated to 2.8.0

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
lfs/openvpn | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lfs/openvpn b/lfs/openvpn
index 152e25f63..9252c44f8 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -24,7 +24,7 @@
include Config
-VER = 2.6.15
+VER = 2.6.16
THISAPP = openvpn-$(VER)
DL_FILE = $(THISAPP).tar.gz
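Review bot: the subject line should name CVE-2025-13086, because the bump from 2.6.15 to 2.6.16 on the `VER =` line is what brings in that fix and a shortlog reader would otherwise see only a routine update. Something like "openvpn: Update to version 2.6.16 (CVE-2025-13086)" would make the security relevance visible without opening the changelog.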
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = d77f8d67bffeb7cdd6fe9b3892add3b62001d7e01d5f9b0703f57a5a5a19c58a9dfb5e86b6ba1acad743c39af1d965b2180d6a5fabd32d40cddf4b13f3d91b46
+$(DL_FILE)_BLAKE2 = d4219d5974ecb0d73b865f436ed5a57874dee7295446a10d47354024564a25098ea2210f3356f3938fd24fb99c2310797bb70936ad5423eafad7cbacc94c71c5
install : $(TARGET)
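Review bot: the new `$(DL_FILE)_BLAKE2` value is the only integrity check visible here for the downloaded tarball, and the commit message does not say how it was obtained. Please note in the message that the 2.6.16 tarball was checked against the upstream release signature before the hash was computed, so a second reviewer can reproduce the value independently.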
--
2.51.2