Opened 11 months ago

Closed 6 months ago

#1427 closed Bug / Defect (fixed)

Openssl CVE-2021-3711

Reported by: krugger Owned by: stipa
Priority: major Milestone: release 2.5.5
Component: Crypto Version: OpenVPN 2.5.3 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc: Samuli Seppänen, stipa

Description

Vulnerability scan is indicating that OpenVPN 2.5.3 (latest community edition) is using an OpenSSL version that has a vulnerability.

Please update openssl included in OpenVPN from 1.1.1k to 1.1.1l

Related:
https://nvd.nist.gov/vuln/detail/CVE-2021-3711

Change History (3)

comment:1 Changed 10 months ago by Gert Döring

Cc: Samuli Seppänen, stipa added
Milestone: release 2.5.3 → release 2.5.5
Owner: changed from Steffan Karger to stipa
Status: new → assigned
Version: OpenVPN 2.5.3 (Community Ed)

Thanks for the report.

OpenVPN does not use SM2 crypto, so that vulnerability is not affecting us.

That said, we did ship 2.5.4 with 1.1.1k, which was an oversight - we should have bumped to 1.1.1l when doing a new release anyway (not because a re-release due to the CVE would have been needed, but "new release, upgrade OpenSSL if there is good reason").

We'll ship 2.5.5 soonish, so we should definitely upgrade to OpenSSL 1.1.1-latest.

To @stipa, but maybe this needs to go to @mattock... reassign if needed.

comment:2 Changed 10 months ago by Gert Döring

2.5.4-I604 rebuild has 1.1.1l (due to commit a0e6707ab3).

So will 2.5.5 -> I think this can be closed.

comment:3 Changed 6 months ago by Gert Döring

Resolution: fixed
Status: assigned → closed