Changes between Initial Version and Version 1 of VulnerabilitiesFixedInOpenSSL1.0.1j


Timestamp:
10/21/14 06:58:26 (9 years ago)
Author:
Samuli Seppänen
Comment:

Added information about OpenSSL 1.0.1j vulnerabilities' impact on OpenVPN

  • VulnerabilitiesFixedInOpenSSL1.0.1j

    v1 v1  
     1= Background =
     2
     3On 15th Oct 2014 the OpenSSL project released 1.0.1j that fixed [http://www.openssl.org/news/secadv_20141015.txt several security vulnerabilities] of high severity or less. Official OpenVPN Windows installers bundle OpenSSL 1.0.1, which meant that the OpenVPN project had to make a [http://openvpn.net/index.php/download/community-downloads.html new Windows installer release] (I004/I604). On *NIX-based operating systems OpenSSL is typically dynamically linked to OpenVPN and the OS provider handles the OpenSSL upgrades.
     4
     5= List of vulnerabilities =
     6
     7||'''Vulnerability name'''||'''ID'''||'''Affects OpenVPN?'''||'''Mitigation'''||
     8||SRTP Memory Leak||CVE-2014-3513||Denial-of-service only||Use of TLS auth prevents exploitation||
     9||Session Ticket Memory Leak||CVE-2014-3567||Denial-of-service only||Use of TLS auth prevents exploitation||
     10||SSL 3.0 Fallback protection||CVE-2014-3568||No SSLv3 in OpenVPN, not affected||
     11||Build option no-ssl3 is incomplete||-||No SSLv3 in OpenVPN, not affected||
     12
     13Analysis of the impact of these vulnerabilities is taken from [http://thread.gmane.org/gmane.network.openvpn.devel/9133/focus=9139 here].
     14
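Review bot: rows 10 and 11 of the table have three cells while the header on line 7 declares four columns, so "No SSLv3 in OpenVPN, not affected" lands under "Affects OpenVPN?" and the Mitigation column is left empty for both rows. Split the verdict from the mitigation so every row has four cells, for example `||Not affected (no SSLv3 in OpenVPN)||None needed||`. On lines 8 and 9, "Use of TLS auth" would be easier to act on if it named the option as `--tls-auth`, and the link text "here" on line 13 should describe its target (the openvpn-devel thread) so the attribution survives if the URL stops resolving.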