Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
23.7 Legacy Series
»
OpenVPN CVE-2023-46850 & CVE-2023-46849
« previous
next »
Print
Pages: [
1
]
Author
Topic: OpenVPN CVE-2023-46850 & CVE-2023-46849 (Read 2160 times)
pfiatde
Newbie
Posts: 4
Karma: 1
OpenVPN CVE-2023-46850 & CVE-2023-46849
«
on:
November 13, 2023, 09:49:56 am »
Hi,
there are two CVEs regarding OpenVPN.
https://github.com/OpenVPN/openvpn/blob/v2.6.7/Changes.rst
Sadly, there is not much information around, but one of them is a memory leak, which might be unauthenticated.
Does anybody have more information, or would it be possible to quickly bump the version to 2.6.7 for the OpenVPN package?
The distros are slow with patches at the moment, which might mean this is not "Heartbleed" like, however the VPN is critical for our infrastructure, so ...
BR,
Matthias
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
«
Reply #1 on:
November 13, 2023, 11:47:02 am »
Hi Matthias,
Thanks for the pointer. I missed this as well.
https://github.com/opnsense/ports/commit/b9d4398ada1
But I can only offer an unvetted snapshot at the moment:
# opnsense-revert -z openvpn
The stable update has to wait for 23.7.9.
Cheers,
Franco
Logged
pfiatde
Newbie
Posts: 4
Karma: 1
Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
«
Reply #2 on:
November 13, 2023, 12:23:35 pm »
Thanks for that.
Let's wait and see how critical the vuln is. Might be from no problem up to critical...
Strictly limiting IP addresses for the VPN endpoint should at least reduce the risk.
Logged
newsense
Hero Member
Posts: 1036
Karma: 77
Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
«
Reply #3 on:
November 13, 2023, 06:47:40 pm »
Quote from: franco on November 13, 2023, 11:47:02 am
But I can only offer an unvetted snapshot at the moment:
I have two FWs I can try it on as soon as you have time for the OpenSSL 3.x build
Logged
DEC670airp414user
Full Member
Posts: 161
Karma: 8
Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
«
Reply #4 on:
November 13, 2023, 10:21:58 pm »
can't update business edition with that command
Logged
newsense
Hero Member
Posts: 1036
Karma: 77
Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
«
Reply #5 on:
November 13, 2023, 10:51:24 pm »
99.999% of the threads/issues/solutions posted here pertain to the community edition - unless otherwise specified.
For the Business Edition a proper announcement will be made when an update is available.
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
«
Reply #6 on:
November 14, 2023, 08:07:52 am »
To get creative...
# pkg add -f
https://pkg.opnsense.org/FreeBSD:13:amd64/snapshots/latest/All/openvpn-2.6.7.pkg
But as I said it hasn't been vetted although risk is pretty low as it's an official OpenVPN release and it builds fine. Same as 2.6.6 update really.
Cheers,
Franco
Logged
newsense
Hero Member
Posts: 1036
Karma: 77
Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
«
Reply #7 on:
November 14, 2023, 08:19:30 am »
I would have tried it on a stock 23.7, but I'm expecting it to be tied to 1.1.1w.
I'll have to wait for the 3.x rebuild - since I don't have anything left on 1.1.1.w
Logged
newsense
Hero Member
Posts: 1036
Karma: 77
Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
«
Reply #8 on:
November 14, 2023, 09:19:30 am »
2.6.7 and pftop are fine on 3.0.12, thanks Franco
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
«
Reply #9 on:
November 14, 2023, 10:47:19 am »
I'm rebuilding snapshots as fast as I can
Cheers,
Franco
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
«
Reply #10 on:
November 16, 2023, 08:19:39 am »
There was a regression in 23.6.7 so the port was updated again:
https://github.com/freebsd/freebsd-ports/commit/8d2e9d99db
Cheers,
Franco
Logged
newsense
Hero Member
Posts: 1036
Karma: 77
Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
«
Reply #11 on:
November 16, 2023, 08:44:16 am »
Thank you, I'll keep an eye on it
Logged
newsense
Hero Member
Posts: 1036
Karma: 77
Re: OpenVPN CVE-2023-46850 & CVE-2023-46849
«
Reply #12 on:
November 16, 2023, 08:04:18 pm »
All good so far on 2.6.7_1, no regressions spotted
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
23.7 Legacy Series
»
OpenVPN CVE-2023-46850 & CVE-2023-46849