Hello,
it has been well known for over 1 week now that OpenVPN versions older than 2.3.17 or 2.4.3 are not secure anymore!
See:
https://www.packetmischief.ca/2017/06/23/openvpn-2-3-17-on-openbsd-6-0/
and
https://www.heise.de/security/meldung/Sicherheitsluecken-Angreifer-koennten-OpenVPN-crashen-3751852.html
On my device it's still the vulnerable version 2.3.15.
openvpn23 2.3.15
And if you check in the Dashboard for updates, it says "There are no updates available on the selected mirror."
If I do the "Audit now" it talks only about the vulnerable curl version, but not about the openvpn version:
***GOT REQUEST TO AUDIT***
vulnxml file up-to-date
curl-7.54.0 is vulnerable:
cURL -- URL file scheme drive letter buffer overflow
CVE: CVE-2017-9502
WWW: https://vuxml.FreeBSD.org/freebsd/9314058e-5204-11e7-b712-b1a44a034d72.html
1 problem(s) in the installed packages found.
***DONE***
I'm really wondering about that and I'm kind of shocked about this situation.
Any ideas when we will get the updated versions?
PS: pfSense updates are already out, so I'm wondering why OPNsense is so slow ... :/
Done. ;)
BTW, you can always install newer versions from the ports tree as they come in fresh:
# opnsense-code tools ports
# cd /usr/ports/security/openvpn
# make reinstall
Cheers,
Franco