Re: [Openvpn-users] OpenVPN 2.7_beta2 released

[Gert D. <ge...@gr...>]

Hi,

On Thu, Sep 25, 2025 at 05:42:01PM +0300, Yuriy Darnobyt wrote:
> Important bug fixes since 2.7_beta1:
> 
> * add proper input sanitation to DNS strings to prevent an attack coming 
> from a trusted-but-malicous OpenVPN server (CVE-2025-10680, affects
> unixoid systems with --dns-updown scripts and windows using the built-in
> powershell call)

Let me emphasize this.  If you followed my advice to "please go and test
2.7_beta1" and installed a --dns-updown script (for example by compiling
and then "make install"), and there is a risk that you connect to an
openvpn server that is not trustworthy -> please upgrade ASAP.

Also, do not use openvpn configs from untrusted sources with 2.7_beta1
under unixoid OSes.

If your OpenVPN server is fully trusted, and you know where the configs
are coming from, then there is no attack angle.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             ge...@gr...