Opened 3 years ago
Closed 2 years ago
#1427 closed Bug / Defect (fixed)
Openssl CVE-2021-3711
| Reported by: | krugger | Owned by: | stipa |
|---|---|---|---|
| Priority: | major | Milestone: | release 2.5.5 |
| Component: | Crypto | Version: | OpenVPN 2.5.3 (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: | Samuli Seppänen, stipa |
Description
Vulnerability scan is indicating that OpenVPN 2.5.3 (latest community edition) is using a openssl version that has a vulnerability.
Please update openssl included in OpenVPN from 1.1.1k to 1.1.1l
Change History (3)
comment:1 Changed 3 years ago by
| Cc: | Samuli Seppänen stipa added |
|---|---|
| Milestone: | release 2.5.3 → release 2.5.5 |
| Owner: | changed from Steffan Karger to stipa |
| Status: | new → assigned |
| Version: | → OpenVPN 2.5.3 (Community Ed) |
comment:2 Changed 3 years ago by
2.5.4-I604 rebuild has 1.1.1l (due to commit a0e6707ab3).
So will 2.5.5 -> I think this can be clsoed.
comment:3 Changed 2 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Note: See
TracTickets for help on using
tickets.
Thanks for the report.
OpenVPN does not use SM2 crypto, so that vulnerability is not affecting us.
That said, we did ship 2.5.4 with 1.1.1k, which was an oversight - we should have bumped to 1.1.1l when doing a new release anyway (not because a re-release due to the CVE would have been needed, but "new release, upgrade OpenSSL if there is good reason").
We'll ship 2.5.5 soonish, so we should definitely upgrade to OpenSSL 1.1.1-latest.
To @stipa, but maybe this needs to go to @mattock... reassign if needed.