= Introduction =

This page lists all security announcements made by the OpenVPN project.

= Announcements =

 * [wiki:CVE-2021-3547 CVE-2021-3547: OpenVPN 3 Core library 3.6 and 3.6.1 possible certificate authentication bypass with --verify-x509-name]
 * [wiki:CVE-2021-3606 CVE-2021-3606: OpenVPN 2.5.2 (Windows only) may load an external OpenSSL configuration file]
 * [wiki:CVE-2020-15078 CVE-2020-15078: partial information leak upon unauthorized client reconnection] (Apr 2021)
 * [wiki:DUHKattack DUHK attack: ANSI X9.31 RNG and Don't Use Hard-coded Keys] (Oct 2017)
 * [wiki:NSISBug1125 Code execution and Privilege escalation problems with NSIS installers] (Sep 2017)
 * [wiki:CVE-2017-12166 CVE-2017-12166: out of bounds write in key-method 1] (Sep 2017)
 * [wiki:UnquotedServicePathIn24WindowsInstallers Unquoted service paths in OpenVPN 2.4 Windows installers]
 * [wiki:VulnerabilitiesFixedInOpenVPN243 Vulnerabilities fixed in OpenVPN 2.3.17 and 2.4.3] (June 2017)
 * [wiki:QuarkslabAndCryptographyEngineerAudits Quarkslab and Cryptography Engineering audits] (May 2017)
 * [wiki:CVE-2016-10229 Linux kernel, UDP packets and MSG_PEEK (CVE-2016-10229)] (April 2017)
 * [wiki:SWEET32 OpenVPN and SWEET32] (Aug 2016)
 * [wiki:TapWindows6BufferOverflowVulnerability Tap-windows6 buffer overflow vulnerability] (May 2016)
 * [wiki:VulnerabilitiesFixedInOpenSSL1.0.1m Vulnerabilities fixed in OpenSSL 1.0.1m] (Mar 2015)
 * [wiki:SecurityAnnouncement-FREAK Security announcement: The FREAK vulnerability] (Mar 2015)
 * [wiki:SecurityAnnouncement-97597e732b Security announcement: critical denial of service vulnerability (CVE-2014-8104)] (Nov 2014)
 * [wiki:VulnerabilitiesFixedInOpenSSL1.0.1j Vulnerabilities fixed in OpenSSL 1.0.1j] (Oct 2014)
 * [wiki:VulnerabilitiesFixedInOpenSSL1.0.1i Vulnerabilities fixed in OpenSSL 1.0.1i] (Aug 2014)
 * [wiki:CCSInjection OpenSSL CCS Injection Vulnerability (CVE-2014-0224) and OpenVPN] (Jun 2014)
 * [wiki:heartbleed OpenSSL 'Heartbleed' vulnerability and OpenVPN] (Apr 2014)
 * [wiki:TLSTripleHandshakeVulnerabilityAndOpenVPN TLS Triple Handshake Vulnerability and OpenVPN] (Mar 2013)
 * [wiki:SecurityAnnouncement-f375aa67cc Security announcement: use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt (CVE-2013-2061)] (Mar 2013)