= Background =

On 15th Oct 2014 the OpenSSL project released 1.0.1j that fixed [http://www.openssl.org/news/secadv_20141015.txt several security vulnerabilities] of high severity or less. Official OpenVPN Windows installers bundle OpenSSL 1.0.1, which meant that the OpenVPN project had to make a [http://openvpn.net/index.php/download/community-downloads.html new Windows installer release] (I004/I604). On *NIX-based operating systems OpenSSL is typically dynamically linked to OpenVPN and the OS provider handles the OpenSSL upgrades.

= List of vulnerabilities =

||'''Vulnerability name'''||'''ID'''||'''Affects OpenVPN?'''||'''Mitigation'''||
||SRTP Memory Leak||CVE-2014-3513||Denial-of-service only||TLS auth can[1] protect against this vulnerability||
||Session Ticket Memory Leak||CVE-2014-3567||Denial-of-service only||TLS auth can[1] protect against this vulnerability||
||SSL 3.0 Fallback protection||CVE-2014-3568||No SSLv3 in OpenVPN, not affected||
||Build option no-ssl3 is incomplete||-||No SSLv3 in OpenVPN, not affected||

Analysis of the impact of these vulnerabilities is taken from [http://thread.gmane.org/gmane.network.openvpn.devel/9133/focus=9139 here].

[1] The amount of protection is limited in environments where the TLS auth key is widely distributed (large organizations) or public (VPN service providers).