Author Topic: [SOLVED] OpenVPN older than 2.3.17 (and 2.4.3) are insecure - still no update? (Read 2444 times)

Marcel_75 · « **on:** July 03, 2017, 04:56:51 pm »

Hello,

it's well known since over 1 week now that OpenVPN versions older than 2.3.17 or 2.4.3 are not secure anymore!

see:

https://www.packetmischief.ca/2017/06/23/openvpn-2-3-17-on-openbsd-6-0/

and

https://www.heise.de/security/meldung/Sicherheitsluecken-Angreifer-koennten-OpenVPN-crashen-3751852.html

On my device it's still the vulnerable version 2.3.15.

openvpn23
2.3.15

And if you check in the Dashboard for updates, it says "There are no updates available on the selected mirror."

If I do the "Audit now" it talks only about the vulnerable curl version, but not about the openvpn version:

***GOT REQUEST TO AUDIT***
vulnxml file up-to-date
curl-7.54.0 is vulnerable:
cURL -- URL file scheme drive letter buffer overflow
CVE: CVE-2017-9502
WWW: https://vuxml.FreeBSD.org/freebsd/9314058e-5204-11e7-b712-b1a44a034d72.html

1 problem(s) in the installed packages found.
***DONE***

I'am really wondering about that and I'am some kind of shocked about this situation.

Any ideas when we will get the updated versions?

PS: PFsense updates are already out, so I'am wondering why OPNsense is so slow ... :/

franco · « **Reply #1 on:** July 04, 2017, 03:22:26 pm »

Done.

franco · « **Reply #2 on:** July 04, 2017, 03:25:28 pm »

BTW, you can always install newer versions from the ports tree as they come in fresh:

# opnsense-code tools ports
# cd /usr/ports/security/openvpn
# make reinstall

Cheers,
Franco

Author Topic: [SOLVED] OpenVPN older than 2.3.17 (and 2.4.3) are insecure - still no update? (Read 2444 times)

Marcel_75

[SOLVED] OpenVPN older than 2.3.17 (and 2.4.3) are insecure - still no update?

franco

Re: OpenVPN older than 2.3.17 (and 2.4.3) are insecure - still no update?

franco

Re: [SOLVED] OpenVPN older than 2.3.17 (and 2.4.3) are insecure - still no update?