Background
On 15th Oct 2014 the OpenSSL project released version 1.0.1j, which fixed several security vulnerabilities of high severity or less. Official OpenVPN Windows installers bundle OpenSSL 1.0.1, which meant that the OpenVPN project had to make a new Windows installer release (I004/I604). On *NIX-based operating systems OpenSSL is typically dynamically linked to OpenVPN, and the OS provider handles the OpenSSL upgrades.
List of vulnerabilities
Vulnerability name | ID | Affects OpenVPN? | Mitigation |
SRTP Memory Leak | CVE-2014-3513 | Denial-of-service only | TLS auth can[1] protect against this vulnerability |
Session Ticket Memory Leak | CVE-2014-3567 | Denial-of-service only | TLS auth can[1] protect against this vulnerability |
SSL 3.0 Fallback protection | CVE-2014-3568 | No SSLv3 in OpenVPN, not affected | |
Build option no-ssl3 is incomplete | - | No SSLv3 in OpenVPN, not affected | |
Analysis of the impact of these vulnerabilities is taken from here.
[1] The amount of protection is limited in environments where the TLS auth key is widely distributed (large organizations) or public (VPN service providers).
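
A defender-side check that follows from the table, as an added example (not part of the original page or OpenVPN's own tooling): it classifies an OpenSSL banner from the 1.0.1 branch against the 1.0.1j release named above and reports whether a configuration has an active `tls-auth` directive. The function names, the sample banner and the sample config lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample inputs are constructed.

# Classify an OpenSSL banner against 1.0.1j, the fixed release named above.
# Prints one of: fixed | vulnerable | unknown
classify_openssl() {
    # Extract the first "OpenSSL <version>" token from the banner text.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1)
    case $ver in
        1.0.1|1.0.1[abcdefghi])    echo vulnerable ;;  # before 1.0.1j
        1.0.1[jklmnopqrstuvwxyz])  echo fixed ;;       # 1.0.1j or later
        *)                         echo unknown ;;     # other branch or unparsable
    esac
}

# Succeeds if the config on stdin has an active (uncommented) tls-auth
# directive or an inline <tls-auth> block. '#' and ';' start comments.
has_tls_auth() {
    grep -Eq '^[[:space:]]*(tls-auth[[:space:]]|<tls-auth>)'
}

# Combine both checks into one line of output for a host.
audit() {   # $1 = version banner, $2 = config text
    state=$(classify_openssl "$1")
    if printf '%s\n' "$2" | has_tls_auth; then ta=yes; else ta=no; fi
    echo "openssl=$state tls-auth=$ta"
}

# Constructed samples (not captured from a real system).
SAMPLE_BANNER='library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.06'
SAMPLE_CONFIG='dev tun
;tls-auth ta.key 0
# tls-auth ta.key 0
cipher AES-256-CBC'

audit "$SAMPLE_BANNER" "$SAMPLE_CONFIG"   # openssl=vulnerable tls-auth=no
```

In practice, feed `audit` the output of `openssl version` or `openvpn --version` and the contents of the server or client config. On *NIX systems a distribution package can carry backported fixes under an older version string, so treat `vulnerable` as a prompt to check the OS vendor's advisory rather than as proof.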