Hello!
There are several vulnerabilities in the Windows version of OpenVPN and OpenVPN-NL. The vulnerabilities are as follows (descriptions copied from https://openvpn.net/community-downloads/):
* CVE-2024-27459: Windows: fix a possible stack overflow in the interactive service component which might lead to a local privilege escalation. Reported-by: Vladimir Tokarev vtokarev@microsoft.com
* CVE-2024-24974: Windows: disallow access to the interactive service pipe from remote computers. Reported-by: Vladimir Tokarev vtokarev@microsoft.com
* CVE-2024-27903: Windows: disallow loading of plugins from untrusted installation paths, which could be used to attack openvpn.exe via a malicious plugin. Plugins can now only be loaded from the OpenVPN install directory, the Windows system directory, and possibly from a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir. Reported-by: Vladimir Tokarev vtokarev@microsoft.com
* CVE-2024-1305: Windows TAP driver: Fix potential integer overflow in TapSharedSendPacket. Reported-by: Vladimir Tokarev vtokarev@microsoft.com
We are in the process of preparing an OpenVPN-NL release to fix these vulnerabilities. Note that the local privilege escalations mentioned above require unprivileged users to edit OpenVPN plugin files. Please ensure that if you run OpenVPN-NL with plugins, non-admin users cannot edit those plugin files.
I will let you know when we have the new release ready.
Best regards, Max Fillinger
list-openvpn-nl@lists.fox-it.com
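
One way to carry out the file-permission check requested in the message above, as an added PowerShell example that is not part of the original message or of the OpenVPN-NL project. The default directory, the use of the `HKLM\SOFTWARE\OpenVPN` key for OpenVPN-NL, and the list of principals treated as administrative are assumptions to adjust for your installation.

```powershell
param(
    # Assumption: example path only; pass your real OpenVPN-NL install/plugin directories.
    [string[]]$PluginDirs = @('C:\Program Files\OpenVPN\bin'),
    # Registry key named in the advisory; the plugin_dir value is optional and may be absent.
    [string]$RegKey = 'HKLM:\SOFTWARE\OpenVPN'
)

# Assumption: principals that count as "admin" for this audit.
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
$sidType = [System.Security.Principal.SecurityIdentifier]
# Rights that let a principal change, replace or re-permission a file.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask = $writeBits -bor 0x50000000   # plus GENERIC_WRITE | GENERIC_ALL

$regDir = (Get-ItemProperty -Path $RegKey -Name plugin_dir -ErrorAction SilentlyContinue).plugin_dir
if ($regDir) { $PluginDirs += $regDir }

$findings = foreach ($dir in $PluginDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "Not found: $dir"; continue }
    # Check the directory itself (new files can be dropped in) and every file below it.
    $items = @(Get-Item -LiteralPath $dir) + @(Get-ChildItem -LiteralPath $dir -File -Recurse)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        $owner = $acl.GetOwner($sidType).Value
        if ($trusted -notcontains $owner) {
            # An owner can always rewrite the DACL, so a non-admin owner is a finding.
            [pscustomobject]@{ Path = $item.FullName; Sid = $owner; Rights = 'Owner' }
        }
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            # Inherit-only ACEs do not apply to the object they are set on.
            $inheritOnly = $ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)
            if ($ace.AccessControlType -eq 'Allow' -and -not $inheritOnly -and
                ([int]$ace.FileSystemRights -band $mask) -and
                $trusted -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{ Path = $item.FullName; Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}
$findings | Format-Table -AutoSize
if ($findings) { exit 1 }   # non-zero exit when any non-admin write access was found
```

An empty result means no non-admin owner or write-capable allow ACE was found on the checked paths; it does not evaluate deny ACEs or group membership of the listed SIDs.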