OpenVPN CVE-2023-46850 & CVE-2023-46849

Started by pfiatde, November 13, 2023, 09:49:56 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
November 13, 2023, 09:49:56 AM
Hi,
there are two CVEs regarding OpenVPN.
https://github.com/OpenVPN/openvpn/blob/v2.6.7/Changes.rst
Sadly, there is not much information around, but one of them is a memory leak, which might be unauthenticated.

Does anybody have more information, or would it be possible to quickly bump the version to 2.6.7 for the OpenVPN package?
The distros are slow with patches at the moment, which might mean this is not "Heartbleed" like, however the VPN is critical for our infrastructure, so ...

BR,
Matthias
November 13, 2023, 11:47:02 AM #1
Hi Matthias,

Thanks for the pointer. I missed this as well.

https://github.com/opnsense/ports/commit/b9d4398ada1

But I can only offer an unvetted snapshot at the moment:

# opnsense-revert -z openvpn

The stable update has to wait for 23.7.9.


Cheers,
Franco
November 13, 2023, 12:23:35 PM #2
Thanks for that.
Let's wait and see how critical the vuln is. Might be from no problem up to critical...

Strictly limiting IP addresses for the VPN endpoint should at least reduce the risk.
November 13, 2023, 06:47:40 PM #3
Quote from: franco on November 13, 2023, 11:47:02 AM

But I can only offer an unvetted snapshot at the moment:


I have two FWs I can try it on as soon as you have time for the OpenSSL 3.x build :)
November 13, 2023, 10:21:58 PM #4
can't update business edition with that command  :(
November 13, 2023, 10:51:24 PM #5
99.999% of the threads/issues/solutions posted here pertain to the community edition - unless otherwise specified.

For the Business Edition a proper announcement will be made when an update is available.
November 14, 2023, 08:07:52 AM #6
To get creative... ;)

# pkg add -f https://pkg.opnsense.org/FreeBSD:13:amd64/snapshots/latest/All/openvpn-2.6.7.pkg

But as I said it hasn't been vetted although risk is pretty low as it's an official OpenVPN release and it builds fine. Same as 2.6.6 update really.


Cheers,
Franco
November 14, 2023, 08:19:30 AM #7
I would have tried it on a stock 23.7, but I'm expecting it to be tied to 1.1.1w.

I'll have to wait for the 3.x rebuild  - since I don't have anything left on 1.1.1.w
November 14, 2023, 09:19:30 AM #8
2.6.7 and pftop are fine on 3.0.12, thanks Franco
November 14, 2023, 10:47:19 AM #9
I'm rebuilding snapshots as fast as I can ;)


Cheers,
Franco
November 16, 2023, 08:19:39 AM #10
There was a regression in 23.6.7 so the port was updated again:

https://github.com/freebsd/freebsd-ports/commit/8d2e9d99db


Cheers,
Franco
November 16, 2023, 08:44:16 AM #11
Thank you, I'll keep an eye on it
November 16, 2023, 08:04:18 PM #12
All good so far on 2.6.7_1, no regressions spotted
Print
Go Up Pages1
User actions