Description:

On the 1st of December 2022 an intrusion was detected in one of our systems that contained an encrypted copy of the code signing key used for OpenVPN open source release version 2.5.8 build 603 for Windows. This key was only used to sign that OpenVPN 2.5.8 release build 603 for Windows. It was not used to sign any other software releases or builds. The OpenVPN source code archive files were never at risk, and these were and are safe. We have no evidence or indication that the code signing key was ever obtained by a malicious actor, or that there is anything wrong with the OpenVPN 2.5.8 release build 603. The code signing key was stored encrypted and it is very unlikely it could be abused. However, the mere fact of the intrusion on this system alone has caused us to decide to revoke this code signing key, and re-release OpenVPN 2.5.8 signed with a new code signing key just to be sure, out of an abundance of caution.

Resolution:

We have taken steps to increase security, and we have re-released OpenVPN 2.5.8 with a new code signing key, and revoked the old signing key. For you as end-user, there is no remediation steps you need to take. Out of transparency and a firm belief in open communication, we published this security advisory.