[SOLVED] OpenVPN versions older than 2.3.17 (and 2.4.3) are insecure - still no update?

Started by Marcel_75, July 03, 2017, 04:56:51 PM

Hello,

It has been well known for over a week now that OpenVPN versions older than 2.3.17 or 2.4.3 are no longer secure!

see:

https://www.packetmischief.ca/2017/06/23/openvpn-2-3-17-on-openbsd-6-0/

and

https://www.heise.de/security/meldung/Sicherheitsluecken-Angreifer-koennten-OpenVPN-crashen-3751852.html

On my device it's still the vulnerable version 2.3.15.

openvpn23
2.3.15

And if you check in the Dashboard for updates, it says "There are no updates available on the selected mirror."

If I do the "Audit now" it talks only about the vulnerable curl version, but not about the openvpn version:

***GOT REQUEST TO AUDIT***
vulnxml file up-to-date
curl-7.54.0 is vulnerable:
cURL -- URL file scheme drive letter buffer overflow
CVE: CVE-2017-9502
WWW: https://vuxml.freebsd.org/freebsd/9314058e-5204-11e7-b712-b1a44a034d72.html

1 problem(s) in the installed packages found.
***DONE***

I'm really wondering about that and I'm somewhat shocked about this situation.

Any ideas when we will get the updated versions?

PS: pfSense updates are already out, so I'm wondering why OPNsense is so slow ... :/
The fact that we live at the bottom of a deep gravity well, on the surface of a gas covered planet going around a nuclear fireball 90 million miles away and think this to be normal is obviously some indication of how skewed our perspective tends to be. (Douglas Adams)


BTW, you can always install newer versions from the ports tree as they come in fresh:

# opnsense-code tools ports
# cd /usr/ports/security/openvpn
# make reinstall


Cheers,
Franco
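Since `pkg audit` in the first post did not flag the installed openvpn23 package, here is an added example (not code from either post) that checks an installed OpenVPN version string against the fixed releases named in the thread, 2.3.17 for the 2.3 branch and 2.4.3 for the 2.4 branch; the sample package lines are constructed to mirror the thread, and a real run would feed it `pkg query '%n %v'` output instead.

```shell
#!/bin/sh
# Added example, not from the thread. Exit status 0 = fixed, 1 = still affected.
openvpn_is_fixed() {
    # Split "major.minor.patch" on dots; a missing patch level counts as 0.
    oldIFS=$IFS
    IFS=.
    set -- $1
    IFS=$oldIFS
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    # Drop FreeBSD package suffixes such as "_1" or ",1" from the patch level.
    pat=${pat%%[!0-9]*}
    pat=${pat:-0}
    case "$maj.$min" in
        2.3) [ "$pat" -ge 17 ] ;;
        2.4) [ "$pat" -ge 3 ] ;;
        *)   # Any branch newer than 2.4 is fixed; anything older is not.
             [ "$maj" -gt 2 ] || { [ "$maj" -eq 2 ] && [ "$min" -gt 4 ]; } ;;
    esac
}

# Read "package version" lines on stdin, report every openvpn package on
# stderr and print the number of affected packages on stdout.
audit_openvpn() {
    affected=0
    while read -r pkg ver; do
        case "$pkg" in
            openvpn*)
                if openvpn_is_fixed "$ver"; then
                    echo "$pkg-$ver: fixed" >&2
                else
                    echo "$pkg-$ver: still affected, rebuild 2.3.17/2.4.3 from ports" >&2
                    affected=$((affected + 1))
                fi ;;
        esac
    done
    echo "$affected"
}

# Constructed sample input modelled on the thread (openvpn23 2.3.15 is the
# version the first post shows); prints 1 affected package.
sample='openvpn23 2.3.15
openvpn 2.4.3
curl 7.54.0'
printf '%s\n' "$sample" | audit_openvpn
```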