| Version 1 (modified by , 10 years ago) (diff) |
|---|
Background
On 15th Oct 2014 the OpenSSL project released 1.0.1j that fixed several security vulnerabilities of high severity or less. Official OpenVPN Windows installers bundle OpenSSL 1.0.1, which meant that the OpenVPN project had to make a new Windows installer release (I004/I604). On *NIX-based operating systems OpenSSL is typically dynamically linked to OpenVPN and the OS provider handles the OpenSSL upgrades.
List of vulnerabilities
| Vulnerability name | ID | Affects OpenVPN? | Mitigation |
| SRTP Memory Leak | CVE-2014-3513 | Denial-of-service only | Use of TLS auth prevents exploitation |
| Session Ticket Memory Leak | CVE-2014-3567 | Denial-of-service only | Use of TLS auth prevents exploitation |
| SSL 3.0 Fallback protection | CVE-2014-3568 | No SSLv3 in OpenVPN, not affected | |
| Build option no-ssl3 is incomplete | - | No SSLv3 in OpenVPN, not affected |
Analysis of the impact of these vulnerabilities is taken from here.
