openvpn

Security fixes:

• CVE-2025-13751: Windows/interactive service: fix erroneous exit on error that could be used by a local Windows users to achieve a local denial-of-service

Bug fixes:

• Windows/interactive service: improve service pipe robustness against file access races (uuid) and access by unauthorized processes (ACL). *...

Security fixes:

• CVE-2025-13086: Fix memcmp check for the hmac verification in the 3way handshake. This bug renders the HMAC based protection against state exhaustion on receiving spoofed TLS handshake packets in the OpenVPN server inefficient.

Bug fixes:

• fix invalid pointer creation in tls_pre_decrypt() - technically thi...

Bug fixes:

• on Windows, do not use "wmic.exe" any longer to set DNS search domain (discontinued by Microsoft), use "powershell" fragment instead.
• on Windows, logging to the windows event log has been improved (and logging of GetLastError() strings repaired). To make this work, a new "openvpnmsgserv.dll" library is now installed and registered.
• DNS domain names are now stric...

Security fixes:

• CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2 Security scope: OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2 can be made to abort with an ASSERT() message by sending a particular combination of authenticated and malformed packets. To trigger the...

Feature changes:

• on non-windows clients (MacOS, Linux, Unix) send "release" string from uname() call as IV_PLAT_VER to server - while highly OS specific this is still helpful to keep track of OS versions used on the client side (​#637)
• Windows: protect cached username, password and token in client memory (using the CryptProtectMemory() windows API)
• Windows: use new API to get...