Opened 2 months ago

Last modified 5 weeks ago

#1427 assigned Bug / Defect

Openssl CVE-2021-3711

Reported by: krugger Owned by: stipa
Priority: major Milestone: release 2.5.5
Component: Crypto Version: OpenVPN 2.5.3 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc: Samuli Seppänen, stipa

Description

Vulnerability scan is indicating that OpenVPN 2.5.3 (latest community edition) is using a openssl version that has a vulnerability.

Please update openssl included in OpenVPN from 1.1.1k to 1.1.1l

Related:
https://nvd.nist.gov/vuln/detail/CVE-2021-3711

Change History (2)

comment:1 Changed 6 weeks ago by Gert Döring

Cc: Samuli Seppänen stipa added
Milestone: release 2.5.3release 2.5.5
Owner: changed from Steffan Karger to stipa
Status: newassigned
Version: OpenVPN 2.5.3 (Community Ed)

Thanks for the report.

OpenVPN does not use SM2 crypto, so that vulnerability is not affecting us.

That said, we did ship 2.5.4 with 1.1.1k, which was an oversight - we should have bumped to 1.1.1l when doing a new release anyway (not because a re-release due to the CVE would have been needed, but "new release, upgrade OpenSSL if there is good reason").

We'll ship 2.5.5 soonish, so we should definitely upgrade to OpenSSL 1.1.1-latest.

To @stipa, but maybe this needs to go to @mattock... reassign if needed.

comment:2 Changed 5 weeks ago by Gert Döring

2.5.4-I604 rebuild has 1.1.1l (due to commit a0e6707ab3).

So will 2.5.5 -> I think this can be clsoed.

Note: See TracTickets for help on using tickets.