[OpenVPN-NL] OpenVPN-NL 2.3.9-nl2 released

[Steffan Karger]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

A new version of OpenVPN-NL (2.3.9-nl2) is available on the OpenVPN-NL website
[1]. This version is based on OpenVPN 2.3.9 [2], and PolarSSL 1.2.19 [3].

This new version of OpenVPN-NL includes fixes for a number of minor security
issues in both OpenVPN [2] and PolarSSL [4,5,6].  If the recommended tls-auth
mechanism is used in an OpenVPN-NL configuration, an attacker must possess the
tls-auth key to mount an attack based on these issues.

One issue is not stopped by tls-auth: a denial-of-service attack could be
mounted when the --port-share option is enabled (which is disabled by default).
In upstream OpenVPN and OpenVPN-NL before 2.3.8-nl1 this issue can cause a heap
overflow, but OpenVPN-NL 2.3.8-nl1 already contains a hardening patch that
limits this to denial-of-service.

Users are advised to upgrade both OpenVPN-NL clients and servers to 2.3.9-nl2.

References
- ----------
[1] https://openvpn.fox-it.com/
[2] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
[3] https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released
[4] https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.0-2.1.3-1.3.15-and-polarssl.1.2.18-released
[5] https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.2-and-1.3.14-and-polarssl-1.2.17-released
[6] https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.1-and-1.3.13-and-polarssl-1.2.16-released
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXMzxiAAoJEEEwndWOY1w5TmcH/0F/G+frzd66SikvVe9VWupQ
WyBswExUGD7wfRphluzOsvs2a+cawWJmJrsBEORz5oTHt95TFRfZgWzHKXrjW5yM
py0sc3boV6Sxqkb5WiJc5+bnEa6DOQ5OouFzw22L3Q2rEmyq8T1eBUpKbt+1XDTc
cgqGOnrlEi7WW1Ii3rgG5cbGk8wRzld8/ZgxkDWXUOkOVw+pVMrXCXFKqkLlMZIi
MGuBMuP7veATlZ5j0p66VqGqBUmBnki523GiSqLdYz0nhS8i7weyfhIobax4HPnW
ivi5Cq2O/4IkBJLqLCsBnsylAVOtM2YBy8HcJPtZanjxkfxjx3vfQGit+7CON2Y=
=Geon
-----END PGP SIGNATURE-----