UbuntuUpdates.org

Package "openvpn"

Name: openvpn

Description:

virtual private network daemon
Latest version: 2.6.14-0ubuntu0.24.04.1
Release: noble (24.04)
Level: proposed
Repository: main
Homepage: https://openvpn.net/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "openvpn"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "openvpn" in Noble

Repository Area Version
base main 2.6.9-1ubuntu4
security main 2.6.12-0ubuntu0.24.04.3
updates main 2.6.14-0ubuntu0.24.04.1

Changelog

Version: 2.6.14-0ubuntu0.24.04.1 2025-07-02 16:07:35 UTC

  openvpn (2.6.14-0ubuntu0.24.04.1) noble; urgency=medium

  * New upstream version 2.6.14 (LP: #2040467):
    - CVE Fixes:
      + CVE-2025-2704
    - Updates:
      + Send uname() release from client to server as IV_PLAT_VER.
      + Pass --timeout=0 argument to systemd-ask-password, to avoid default
        timeout of 90 seconds.
    - Bug Fixes:
      + Repair source IP selection for --multihome.
      + Allow tls-crypt-v2 to be setup only on initial packet of a session.
      + Fix some missing spaces in messages.
      + Fix parsing of usernames or passwords longer than USER_PASS_LEN on the
        server side to avoid IV variable misparsing and misleading errors.
      + Purge proxy authentication credentials from memory after use (if
        --auth-nocache is in use).
    - See https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26 for
      additional bug fixes and information.
  * Remove patches fixed upstream:
    - d/p/CVE-2025-2704.patch
    [Fixed in 2.6.14]
  * d/t/control: Move to isolation-container to enable armhf/LXD coverage (LP 2104146).

 -- Lena Voytek <email address hidden> Fri, 30 May 2025 11:24:52 -0400
2040467 Backport upstream microreleases for questing cycle
CVE-2025-2704 OpenVPN version 2.6.1 through 2.6.13 in server mode using TLS-crypt-v2 allows remote attackers to trigger a denial of service by corrupting and repla

Version: *DELETED* 2024-10-16 05:07:21 UTC
No changelog for deleted or moved packages.

Version: 2.6.12-0ubuntu0.24.04.1 2024-10-02 21:06:53 UTC

  openvpn (2.6.12-0ubuntu0.24.04.1) noble; urgency=medium

  * New upstream release 2.6.12 (LP: #2073318):
    - CVE Fixes:
      + CVE-2024-4877, CVE-2024-5594, CVE-2024-28882, CVE-2024-27459,
        CVE-2024-24974, CVE-2024-27903
    - Updates:
      + Allow trailing \r and \n in control channel message
      + Implement --server-poll-timeout on SOCKS proxies
      + Implement Windows CA template match for Crypto-API selector
      + Update sample configuration files
      + Update systemd unit file documentation references
    - Bug Fixes Include:
      + Fix issue with proxy credentials caching
      + Fix LibreSSL crashing when enumerating digests/cipher with workaround
      + Use snprintf instead of sprintf for get_ssl_library_version
      + Fix disabling DCO when proxy is set via management interface
      + See https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26 for
        additional bug fixes and information
  * Remove patches fixed upstream:
    - d/p/systemd.patch
    [Fixed in 2.6.10]
    - d/p/CVE-2024-28882.patch
    - d/p/CVE-2024-5594.patch
    [Fixed in 2.6.11]

 -- Lena Voytek <email address hidden> Tue, 17 Sep 2024 10:27:52 -0700
2073318 Backport of openvpn for jammy and noble
CVE-2024-28882 OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a
CVE-2024-27459 The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary
CVE-2024-24974 The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to inter
CVE-2024-27903 OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in


About   -   Send Feedback to @ubuntu_updates