Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
[SOLVED] OpenVPN older than 2.3.17 (and 2.4.3) are insecure - still no update?
« previous
next »
Print
Pages: [
1
]
Author
Topic: [SOLVED] OpenVPN older than 2.3.17 (and 2.4.3) are insecure - still no update? (Read 4025 times)
Marcel_75
Full Member
Posts: 177
Karma: 5
[SOLVED] OpenVPN older than 2.3.17 (and 2.4.3) are insecure - still no update?
«
on:
July 03, 2017, 04:56:51 pm »
Hello,
it's well known since over 1 week now that OpenVPN versions older than 2.3.17 or 2.4.3 are not secure anymore!
see:
https://www.packetmischief.ca/2017/06/23/openvpn-2-3-17-on-openbsd-6-0/
and
https://www.heise.de/security/meldung/Sicherheitsluecken-Angreifer-koennten-OpenVPN-crashen-3751852.html
On my device it's still the vulnerable version 2.3.15.
openvpn23
2.3.15
And if you check in the Dashboard for updates, it says "There are no updates available on the selected mirror."
If I do the "Audit now" it talks only about the vulnerable curl version, but not about the openvpn version:
***GOT REQUEST TO AUDIT***
vulnxml file up-to-date
curl-7.54.0 is vulnerable:
cURL -- URL file scheme drive letter buffer overflow
CVE: CVE-2017-9502
WWW:
https://vuxml.FreeBSD.org/freebsd/9314058e-5204-11e7-b712-b1a44a034d72.html
1 problem(s) in the installed packages found.
***DONE***
I'am really wondering about that and I'am some kind of shocked about this situation.
Any ideas when we will get the updated versions?
PS: PFsense updates are already out, so I'am wondering why OPNsense is so slow ... :/
«
Last Edit: July 04, 2017, 03:22:37 pm by franco
»
Logged
The fact that we live at the bottom of a deep gravity well, on the surface of a gas covered planet going around a nuclear fireball 90 million miles away and think this to be normal is obviously some indication of how skewed our perspective tends to be. (Douglas Adams)
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: OpenVPN older than 2.3.17 (and 2.4.3) are insecure - still no update?
«
Reply #1 on:
July 04, 2017, 03:22:26 pm »
Done.
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: [SOLVED] OpenVPN older than 2.3.17 (and 2.4.3) are insecure - still no update?
«
Reply #2 on:
July 04, 2017, 03:25:28 pm »
BTW, you can always install newer versions from the ports tree as they come in fresh:
# opnsense-code tools ports
# cd /usr/ports/security/openvpn
# make reinstall
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
[SOLVED] OpenVPN older than 2.3.17 (and 2.4.3) are insecure - still no update?