OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Marcel_75 on July 03, 2017, 04:56:51 pm

Title: [SOLVED] OpenVPN older than 2.3.17 (and 2.4.3) are insecure - still no update?
Post by: Marcel_75 on July 03, 2017, 04:56:51 pm
Hello,

it has been well known for over a week now that OpenVPN versions older than 2.3.17 or 2.4.3 are not secure anymore!
 
see:

https://www.packetmischief.ca/2017/06/23/openvpn-2-3-17-on-openbsd-6-0/
 
and
 
https://www.heise.de/security/meldung/Sicherheitsluecken-Angreifer-koennten-OpenVPN-crashen-3751852.html
 
On my device it's still the vulnerable version 2.3.15.
 
openvpn23
2.3.15
 
And if you check in the Dashboard for updates, it says "There are no updates available on the selected mirror."
 
If I do the "Audit now" it talks only about the vulnerable curl version, but not about the openvpn version:
 
***GOT REQUEST TO AUDIT***
vulnxml file up-to-date
curl-7.54.0 is vulnerable:
cURL -- URL file scheme drive letter buffer overflow
CVE: CVE-2017-9502
WWW: https://vuxml.FreeBSD.org/freebsd/9314058e-5204-11e7-b712-b1a44a034d72.html
 
1 problem(s) in the installed packages found.
***DONE***
 
I'm really wondering about that and I'm kind of shocked about this situation.

Any ideas when we will get the updated versions?

PS: pfSense updates are already out, so I'm wondering why OPNsense is so slow ... :/
Title: Re: OpenVPN older than 2.3.17 (and 2.4.3) are insecure - still no update?
Post by: franco on July 04, 2017, 03:22:26 pm
Done. ;)
Title: Re: [SOLVED] OpenVPN older than 2.3.17 (and 2.4.3) are insecure - still no update?
Post by: franco on July 04, 2017, 03:25:28 pm
BTW, you can always install newer versions from the ports tree as they come in fresh:

# opnsense-code tools ports
# cd /usr/ports/security/openvpn
# make reinstall


Cheers,
Franco
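
Added example (not part of the forum posts or of OPNsense itself): the audit output quoted above did not list OpenVPN, so a local check against the fixed releases named in the thread title (2.3.17 and 2.4.3) confirms whether an install or a ports rebuild actually landed on a fixed version. The function names are hypothetical; the package name openvpn23 is taken from the first post.

```shell
#!/bin/sh
# Added example: classify an OpenVPN version string against the fixed
# releases named in this thread (2.3.17, and 2.4.3 for the 2.4 branch).
# On the firewall the input could come from: pkg query %v openvpn23

# ver_lt A B: succeed when dotted numeric version A is lower than B.
# Components are compared as numbers, so 2.3.9 sorts below 2.3.17.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop the component just read; empty once none are left.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1    # equal versions are not "lower"
}

# openvpn_status VERSION: print vulnerable, fixed or unknown.
openvpn_status() {
    # Strip FreeBSD port revision/epoch suffixes such as _1 or ,1.
    v=${1%%[!0-9.]*}
    if [ -z "$v" ]; then echo unknown; return 0; fi
    if ver_lt "$v" 2.3.17; then echo vulnerable; return 0; fi
    case $v in
        2.4|2.4.*)
            if ver_lt "$v" 2.4.3; then echo vulnerable; return 0; fi ;;
    esac
    echo fixed
}

# Stand-alone use: sh check.sh "$(pkg query %v openvpn23)"
if [ $# -gt 0 ]; then
    openvpn_status "$1"
fi
```
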