Re: [Openvpn-users] OpenVPN for Debian Wheezy (backports) and Jessie is still at 2.3.2!!

Fri, 01 Aug 2014 02:44:29 -0700 

Hi,

On Fri, Aug 01, 2014 at 11:27:26AM +0200, Lisa Minogue wrote:
> > people in both OpenBSD and Debian usually (always?) do what they think is 
> > right. probably, you will get more luck if you ask them directly why do 
> > they do so.
> 
> I did write to them. Do you remember the Heartbleed vulnerability/bug? Right 
> after OpenSSL issued a fix for it and OpenVPN upgraded their source code to 
> 2.3.4, I wrote to both OpenBSD and Debian, asking them whether they would be 
> upgrading their respective packages to match OpenVPN's version (2.3.4).

Serious misunderstanding here: you do NOT need to update OpenVPN "per se"
to be secure from Heartbleed.  To the contrary, if you just update OpenVPN
to 2.3.4, and leave OpenSSL at a vulnerable version, OpenVPN will *still*
be vulnerable.

The bug is in OpenSSL, not in OpenVPN.

Repeat: the bug is in OpenSSL, not in OpenVPN.

The main reason why we released new versions was:

 - we ship a binary with a bundled openssl library for windows, and that
   library was vulnerable, so we did an update - but the updated 2.3.2
   windows installer with the new OpenSSL library is *safe*, you do not
   need to go to 2.3.4

 - 2.3.3 added "SSL library version" reporting, so you could more easily
   check which version a given client was using - this is not a security
   fix, just a convenience for admins.  Unfortunately, 2.3.3 had problems
   connecting to some servers due to a new feature (TLS version negotiation).

 - 2.3.4 turned off TLS version negotiation by default again

2.3.3 and 2.3.4 releases contain useful stuff and bugfixes to other bugs,
but they are NOT needed to fix heartbleed, as that bug is not in OpenVPN
(and there is nothing in OpenVPN that we could do to work around it if
the system library is broken).

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

Attachment: pgpNRBlg5uyp2.pgp
Description: PGP signature

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Reply via email to