Re: [Openvpn-devel] Windows build fix for CVE-2015-4000

2015-06-29 Thread Samuli Seppänen
Might an in-depth investigation on these issues take more time than building an updated installer? Indeed. I will produce new Windows installers later today. From now on I'll produce new installers for every OpenSSL release, whether OpenVPN is affected or not. -- Samuli Seppänen Community

Re: [Openvpn-devel] Windows build fix for CVE-2015-4000

2015-06-26 Thread Joseph S. Testa II
On 06/26/2015 07:48 AM, Jan Just Keijser wrote: On 26/06/15 13:28, Gert Doering wrote: Hi, On Fri, Jun 26, 2015 at 12:16:43PM +0200, David Sommerseth wrote: * Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789) This might be an issue on OpenVPN on the server side. However,

Re: [Openvpn-devel] Windows build fix for CVE-2015-4000

2015-06-26 Thread Jan Just Keijser
On 26/06/15 13:28, Gert Doering wrote: Hi, On Fri, Jun 26, 2015 at 12:16:43PM +0200, David Sommerseth wrote: * Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789) This might be an issue on OpenVPN on the server side. However, --tls-auth will reduce the attack vector to one of your

Re: [Openvpn-devel] Windows build fix for CVE-2015-4000

2015-06-26 Thread Gert Doering
Hi, On Fri, Jun 26, 2015 at 12:16:43PM +0200, David Sommerseth wrote: > * Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789) > This might be an issue on OpenVPN on the server side. However, > --tls-auth will reduce the attack vector to one of your own users. As we're not using

Re: [Openvpn-devel] Windows build fix for CVE-2015-4000

2015-06-26 Thread David Sommerseth
On 25/06/15 17:42, Joseph S. Testa II wrote: > On 06/25/2015 10:46 AM, Jan Just Keijser wrote: >> Joseph S. Testa II wrote: >>> Hi all, >>> >>> I was wondering if an updated Windows build is being planned for >>> release soon to fix CVE-2015-4000, et. al, as described in >>>

Re: [Openvpn-devel] Windows build fix for CVE-2015-4000

2015-06-25 Thread Joseph S. Testa II
On 06/25/2015 10:46 AM, Jan Just Keijser wrote: Joseph S. Testa II wrote: Hi all, I was wondering if an updated Windows build is being planned for release soon to fix CVE-2015-4000, et. al, as described in http://www.openssl.org/news/secadv_20150611.txt. I haven't seen anyone talk

Re: [Openvpn-devel] Windows build fix for CVE-2015-4000

2015-06-25 Thread Jan Just Keijser
Joseph S. Testa II wrote: Hi all, I was wondering if an updated Windows build is being planned for release soon to fix CVE-2015-4000, et. al, as described in http://www.openssl.org/news/secadv_20150611.txt. I haven't seen anyone talk about this on the mailing list since the

[Openvpn-devel] Windows build fix for CVE-2015-4000

2015-06-25 Thread Joseph S. Testa II
Hi all, I was wondering if an updated Windows build is being planned for release soon to fix CVE-2015-4000, et. al, as described in http://www.openssl.org/news/secadv_20150611.txt. I haven't seen anyone talk about this on the mailing list since the advisory came out two weeks ago, so