Author Topic: 21.1.5 - OpenVPN Vulnerability (Read 2725 times)

spetrillo · « **on:** April 22, 2021, 07:53:32 pm »

Hello all,

I just upgraded one firewall to 21.1.5. It went fine with the exception of the current OpenVPN software having a vulnerability. Do we have an updated OpenVPN topatch the vulnerability?

Thanks,
Steve

franco · « **Reply #1 on:** April 22, 2021, 07:58:39 pm »

Hi Steve,

Not yet. We deferred the OpenVPN 2.5 update for multiple reasons but tomorrow I will try to provide a full package for testing.

Long story short: FreeBSD removed a patch we do run and also denies building on LibreSSL which are not good signals, but we can work through it.

As for hotfixing 21.1.5 or releasing 21.1.6 soon I am not so sure. I also need to check if 2.4.x is vulnerable at all...

Cheers,
Franco

spetrillo · « **Reply #2 on:** April 22, 2021, 08:14:28 pm »

Hi Franco,

No worries...I do not use OpenVPN yet, so I can wait for 2.5.

Thanks,
Steve

franco · « **Reply #3 on:** April 23, 2021, 09:56:10 am »

So OpenVPN also released 2.4.10 and 2.4.11[1], the latter specifically fixing the security issues mentioned here. We are likely going to update to this version even though it won't appease the vulnerability tracker (it only checks for <= 2.5.1).

If a hotfix is considered I don't know at this point.

Cheers,
Franco

[1] https://github.com/opnsense/ports/commit/87d3ddee18

franco · « **Reply #4 on:** April 29, 2021, 09:07:38 pm »

Also see https://github.com/opnsense/core/issues/4961

Cheers,
Franco

Author Topic: 21.1.5 - OpenVPN Vulnerability (Read 2725 times)

spetrillo

21.1.5 - OpenVPN Vulnerability

franco

Re: 21.1.5 - OpenVPN Vulnerability

spetrillo

Re: 21.1.5 - OpenVPN Vulnerability

franco

Re: 21.1.5 - OpenVPN Vulnerability

franco

Re: 21.1.5 - OpenVPN Vulnerability