= Background =

On 6th August 2014 the OpenSSL project released 1.0.1i, which fixed [http://www.openssl.org/news/secadv_20140806.txt several security vulnerabilities] of [http://openssl.6102.n7.nabble.com/Forthcoming-OpenSSL-releases-td52456.html moderate severity or less]. OpenVPN Windows installers bundle OpenSSL 1.0.1, which makes this OpenSSL release relevant for OpenVPN.

= List of vulnerabilities =

||'''Vulnerability name'''||'''ID'''||'''Affects OpenVPN?'''||
||Information leak in pretty printing functions||CVE-2014-3508||Possibly [1].||
||Crash with SRP ciphersuite in Server Hello message||CVE-2014-5139||No. OpenVPN does not use SRP.||
||Race condition in ssl_parse_serverhello_tlsext||CVE-2014-3509||No.||
||Double Free when processing DTLS packets||CVE-2014-3505||No. OpenVPN does not use DTLS.||
||DTLS memory exhaustion||CVE-2014-3506||No. OpenVPN does not use DTLS.||
||DTLS memory leak from zero-length fragments||CVE-2014-3507||No. OpenVPN does not use DTLS.||
||OpenSSL DTLS anonymous EC(DH) denial of service||CVE-2014-3510||No. OpenVPN does not use DTLS.||
||OpenSSL TLS protocol downgrade attack||CVE-2014-3511||No. OpenVPN already defaults to TLS 1.0 [2].||
||SRP buffer overrun||CVE-2014-3512||No. OpenVPN does not use SRP.||

[1] This one triggers no direct vulnerability in OpenVPN: the leaked information is not sent to peers by OpenVPN. It might, however, be passed on to a client-side script or plugin (it is unclear what form the leaked information takes; if it sits after a NUL byte, it is probably not even exported). Such a plugin or script could then leak the information to an attacker.

[2] If you are using OpenVPN 2.3.3 or OpenVPN 2.3.4 and have enabled newer TLS versions with the tls-version-min option in your configuration, your configuration is vulnerable to the protocol downgrade attack. However, it will still be at least as secure as a setup without tls-version-min in its configuration.
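The following is an added example, not part of this page or of the OpenVPN project's code: a small check that classifies a config/OpenSSL pair against the conditions footnote [2] describes (exposed to CVE-2014-3511 only when tls-version-min is set and the linked OpenSSL predates 1.0.1i). The version-tuple comparison, the `openssl version` banner format and the sample config lines are this example's own assumptions.

```python
import re

# Constructed for this example: the OpenSSL release that fixed CVE-2014-3511,
# expressed as (major, minor, fix, patch-letter) so tuples compare naturally.
FIXED_VERSION = (1, 0, 1, "i")


def parse_openssl_version(banner):
    """Parse an `openssl version` banner such as 'OpenSSL 1.0.1h 5 Jun 2014'
    into a comparable tuple (major, minor, fix, letter)."""
    m = re.match(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", banner.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def uses_tls_version_min(config_text):
    """Return True if an OpenVPN config sets tls-version-min.
    Lines starting with '#' or ';' are OpenVPN comments and are ignored."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.split()[0] == "tls-version-min":
            return True
    return False


def downgrade_exposure(config_text, openssl_banner):
    """Classify exposure to the TLS downgrade issue for one config/OpenSSL pair.

    'fixed'          : linked OpenSSL is 1.0.1i or later, issue patched
    'exposed'        : older OpenSSL and tls-version-min raised the floor, so a
                       downgrade back to TLS 1.0 is possible (still no worse
                       than the default configuration)
    'not-applicable' : older OpenSSL but no tls-version-min; already at TLS 1.0
    """
    if parse_openssl_version(openssl_banner) >= FIXED_VERSION:
        return "fixed"
    if uses_tls_version_min(config_text):
        return "exposed"
    return "not-applicable"


if __name__ == "__main__":
    # Constructed sample config for demonstration.
    sample = "client\ndev tun\ntls-version-min 1.2\n"
    print(downgrade_exposure(sample, "OpenSSL 1.0.1h 5 Jun 2014"))  # exposed
```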