OpenVPN 3 Core Library version 3.6 and 3.6.1 allows a man-in-the-middle attacker to bypass the certificate authentication by issuing an unrelated server certificate using the same hostname found in the verify-x509-name option in a client configuration.
{
"versions": [
{
"introduced": "0"
},
{
"last_affected": "3.6"
},
{
"introduced": "0"
},
{
"last_affected": "3.6.1"
}
]
}