Hello all,
I just upgraded one firewall to 21.1.5. It went fine with the exception of the current OpenVPN software having a vulnerability. Do we have an updated OpenVPN to patch the vulnerability?
Thanks,
Steve
Hi Steve,
Not yet. We deferred the OpenVPN 2.5 update for multiple reasons but tomorrow I will try to provide a full package for testing.
Long story short: FreeBSD removed a patch we do run and also denies building on LibreSSL which are not good signals, but we can work through it.
As for hotfixing 21.1.5 or releasing 21.1.6 soon I am not so sure. I also need to check if 2.4.x is vulnerable at all...
Cheers,
Franco
Hi Franco,
No worries...I do not use OpenVPN yet, so I can wait for 2.5.
Thanks,
Steve
So OpenVPN also released 2.4.10 and 2.4.11[1], the latter specifically fixing the security issues mentioned here. We are likely going to update to this version even though it won't appease the vulnerability tracker (it only checks for <= 2.5.1).
If a hotfix is considered I don't know at this point.
Cheers,
Franco
[1] https://github.com/opnsense/ports/commit/87d3ddee18
Also see https://github.com/opnsense/core/issues/4961
Cheers,
Franco