A new version of OpenVPN-NL (2.3.9-nl2) is available on the OpenVPN-NL website [1]. This version is based on OpenVPN 2.3.9 [2], and PolarSSL 1.2.19 [3].
This new version of OpenVPN-NL includes fixes for a number of minor security issues in both OpenVPN [2] and PolarSSL [4,5,6]. If the recommended tls-auth mechanism is used in an OpenVPN-NL configuration, an attacker must possess the tls-auth key to mount an attack based on these issues.
One issue is not stopped by tls-auth: a denial-of-service attack could be mounted when the --port-share option (disabled by default) is enabled. In upstream OpenVPN and OpenVPN-NL before 2.3.8-nl1 this issue can cause a heap overflow, but OpenVPN-NL 2.3.8-nl1 already contains a hardening patch that limits this to denial-of-service.
Users are advised to upgrade both OpenVPN-NL clients and servers to 2.3.9-nl2.
References
----------
[1] https://openvpn.fox-it.com/
[2] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
[3] https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-po...
[4] https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.0-2.1.3-1.3.15-and-po...
[5] https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.2-and-1.3.14-and-pola...
[6] https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.1-and-1.3.13-and-pola...
list-openvpn-nl@lists.fox-it.com
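
To see which of the two conditions named in the announcement apply to a given configuration file (no active tls-auth, or --port-share enabled), a check along these lines can be run over it. This is an added example, not part of the original announcement or of OpenVPN-NL; the sample configuration and the finding codes are constructed for illustration.

```python
import re

# Constructed sample server config (not from the advisory).
SAMPLE_CONFIG = """\
port 443
proto tcp-server
;tls-auth ta.key 0
port-share 127.0.0.1 8443  # hand non-VPN traffic to a local web server
ca ca.crt
"""

def active_directives(text):
    """Return the directive names in effect, ignoring comments and inline-file bodies."""
    found, inside = set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if inside:                       # body of an inline file such as <tls-auth>
            if line == f"</{inside}>":
                inside = None
            continue
        if not line or line[0] in "#;":  # both comment styles used in OpenVPN configs
            continue
        block = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if block:                        # an inline file counts as the directive being set
            inside = block.group(1)
            found.add(inside)
            continue
        word = line.split()[0]
        found.add(word[2:] if word.startswith("--") else word)
    return found

def audit(text):
    """Return finding codes (hypothetical names) for the two conditions in the advisory."""
    directives = active_directives(text)
    findings = []
    if "tls-auth" not in directives:
        # Without tls-auth, no tls-auth key is needed to reach the fixed issues.
        findings.append("no-tls-auth")
    if "port-share" in directives:
        # The port-share denial-of-service issue is not stopped by tls-auth.
        findings.append("port-share-enabled")
    return findings

if __name__ == "__main__":
    for code in audit(SAMPLE_CONFIG):
        print(code)
```
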