21.1.5 - OpenVPN Vulnerability

Started by spetrillo, April 22, 2021, 07:53:32 PM

Hello all,

I just upgraded one firewall to 21.1.5. It went fine with the exception of the current OpenVPN software having a vulnerability. Do we have an updated OpenVPN to patch the vulnerability?

Thanks,
Steve

Hi Steve,

Not yet. We deferred the OpenVPN 2.5 update for multiple reasons but tomorrow I will try to provide a full package for testing.

Long story short: FreeBSD removed a patch we do run and also denies building on LibreSSL which are not good signals, but we can work through it.

As for hotfixing 21.1.5 or releasing 21.1.6 soon I am not so sure. I also need to check if 2.4.x is vulnerable at all...


Cheers,
Franco

Hi Franco,

No worries...I do not use OpenVPN yet, so I can wait for 2.5.

Thanks,
Steve

April 23, 2021, 09:56:10 AM #3 Last Edit: April 23, 2021, 11:04:14 AM by franco
So OpenVPN also released 2.4.10 and 2.4.11[1], the latter specifically fixing the security issues mentioned here. We are likely going to update to this version even though it won't appease the vulnerability tracker (it only checks for <= 2.5.1).

If a hotfix is considered I don't know at this point.


Cheers,
Franco

[1] https://github.com/opnsense/ports/commit/87d3ddee18