* UPDATE * OpenVPN v2.4.3 and v2.3.17 releases
David Sommerseth
2017-06-22 13:29:35 UTC
Hi,

We are in an unfortunate situation that our Cloudflare front is
providing various results, depending on a lot of factors (region,
browser, computer, etc., etc.). And it causes massive noise from people
trying to download and verify that these downloads are correct.

As most of this noise has been related to the source code downloads, I
have set up an emergency wiki page where an alternative download URL is
provided ... In addition, the proper SHA256 checksums and proper
signature files are available too.

This will hopefully help people to get the right download.

<http://community.openvpn.net/openvpn/wiki/release-packages-2.4.3-2.3.17>


We will go more carefully through our release process and figure out how
to avoid this mess with the next release. The discussion has already
been initiated [1], and we will dig into this for the next release.

[1]
<https://www.mail-archive.com/openvpn-***@lists.sourceforge.net/msg14937.html>


On behalf of the OpenVPN core community team, I am truly sorry for this
mess. This is not how we want our releases to appear.
--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
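The message points people at published SHA256 checksums and detached signature files; the script below is an added example (not from the thread or the OpenVPN project) of checking a downloaded tarball against both, so that a wrong artifact served by a cache is rejected before it is built. File names and the tarball contents in the demo are constructed; the real checksum lines and .asc files come from the wiki page linked above, and the release signing key must already be in the local keyring.

```shell
#!/bin/sh
# Added example: verify a release download against a published SHA256
# checksum line and a detached GPG signature. Names are constructed.
set -eu

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
verify_sha256() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# verify_signature FILE SIGFILE -> 0 only if gpg reports a good signature
# from a key already imported into the local keyring.
verify_signature() {
    gpg --batch --verify "$2" "$1" 2>/dev/null
}

# verify_release FILE CHECKSUM_LINE [SIGFILE]
# CHECKSUM_LINE is the published "<hex>  <name>" line. The name must match
# the downloaded file, which catches a checksum for a different artifact.
verify_release() {
    rel_file=$1; rel_line=$2; rel_sig=${3:-}
    expected=$(printf '%s\n' "$rel_line" | awk '{print $1}')
    name=$(printf '%s\n' "$rel_line" | awk '{print $2}')
    [ "$name" = "$(basename "$rel_file")" ] \
        || { echo "name mismatch: $name" >&2; return 1; }
    verify_sha256 "$rel_file" "$expected" \
        || { echo "sha256 mismatch for $rel_file" >&2; return 1; }
    if [ -n "$rel_sig" ]; then
        verify_signature "$rel_file" "$rel_sig" \
            || { echo "bad or unknown signature" >&2; return 1; }
    fi
    echo "ok: $rel_file"
}

# Offline demo on a constructed file: a matching line passes, a bogus
# digest is rejected. No network access and no real release involved.
demo() {
    d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
    printf 'constructed tarball contents\n' > "$d/openvpn-2.4.3.tar.gz"
    good=$(sha256sum "$d/openvpn-2.4.3.tar.gz" | awk '{print $1}')
    verify_release "$d/openvpn-2.4.3.tar.gz" "$good  openvpn-2.4.3.tar.gz"
    if verify_release "$d/openvpn-2.4.3.tar.gz" "0000  openvpn-2.4.3.tar.gz" 2>/dev/null; then
        return 1
    fi
}

demo
```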
Jason Haar
2017-06-22 20:05:40 UTC
Does using tls-auth protect against these latest security issues? I.e., if you
are running older versions but require tls-auth, then would that block
attacks from hackers who don't have your tls-auth file?

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Gert Doering
2017-06-23 07:03:58 UTC
Hi,
Post by Jason Haar
Does using tls-auth protect against these latest security issues? I.e., if you
are running older versions but require tls-auth, then would that block
attacks from hackers who don't have your tls-auth file?
There's a big bag of vulnerabilities in there. Most of them are relevant
in special cases only, so "if you do not use a proxy with NTLMv2 auth",
you're not vulnerable to that one (but if you do, tls-auth will not help
as it's failing on connection setup).

Actually, I just went through the logs, and tls-auth will not(!) protect
you in any of the cases.

CVEs 2017-7520, 2017-7521 and 2017-7522 are somewhat niche cases - you
need to use an NTLMv2 authenticating proxy, '--x509-username-field' or
'--x509-track' (on the server) to be vulnerable.

CVE 2017-7508 affects anyone who is using IPv6 *inside* the tunnel, has
--mssfix enabled, and is not using a firewall on the outside that will
sanitize broken IPv6 packets (like BSD's pf(4) would do). In that case,
someone from out there in the wild could send a malformed IPv6 packet
that makes the server ASSERT().

So: if you use tunneled IPv6 in your VPN, and bored kids can find
out which networks you use internally in the VPN and can send packets
there, upgrade.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de