Background
On 6th August 2014 the OpenSSL project released 1.0.1i, which fixed several security vulnerabilities of moderate severity or less. OpenVPN Windows installers bundle OpenSSL 1.0.1, which makes this OpenSSL release relevant for OpenVPN.
List of vulnerabilities
| Vulnerability name | ID | Affects OpenVPN? |
|---|---|---|
| Information leak in pretty printing functions | CVE-2014-3508 | Possibly[1]. |
| Crash with SRP ciphersuite in Server Hello message | CVE-2014-5139 | No. OpenVPN does not use SRP. |
| Race condition in ssl_parse_serverhello_tlsext | CVE-2014-3509 | No. |
| Double Free when processing DTLS packets | CVE-2014-3505 | No. OpenVPN does not use DTLS. |
| DTLS memory exhaustion | CVE-2014-3506 | No. OpenVPN does not use DTLS. |
| DTLS memory leak from zero-length fragments | CVE-2014-3507 | No. OpenVPN does not use DTLS. |
| OpenSSL DTLS anonymous EC(DH) denial of service | CVE-2014-3510 | No. OpenVPN does not use DTLS. |
| OpenSSL TLS protocol downgrade attack | CVE-2014-3511 | No. OpenVPN already defaults to TLS 1.0. |
| SRP buffer overrun | CVE-2014-3512 | No. OpenVPN does not use SRP. |
[1] This one triggers direct vulnerability in OpenVPN. Stack information is not leaked to the peer. It might be possible that the leaked information is passed on to a client script/plugin (not sure what form the leaked information has; if the leaked information is after a NUL byte, it's probably not exported). Such a plugin/script could then leak the information to the attacker.