Changes between Version 10 and Version 11 of heartbleed


Timestamp:
04/17/14 10:17:01 (10 years ago)
Author:
_bt
Comment:

--

  • heartbleed

    v10 v11  
    11= OpenSSL vulnerability - Heartbleed =
    22
    3 A vulnerability in OpenSSL, nicknamed heartbleed, was published in April 2014 [#ref1 1]. OpenVPN uses OpenSSL as its crypto library by default and thus is affected too.
     3A vulnerability in OpenSSL, nicknamed Heartbleed, was published in April 2014 [#ref1 1]. OpenVPN uses OpenSSL as its crypto library by default and thus is affected too.
    44
    55== What does this mean? ==
     
    2525All OpenVPN Windows client installers are shipped with OpenSSL. However, only installer versions ''2.3-rc2-I001'' through ''2.3.2-I003'' ship a vulnerable version. Installer version ''2.3.2-I004'' fixes this vulnerability by bundling OpenSSL 1.0.1g. The fixed version can be downloaded from [http://openvpn.net/index.php/open-source/downloads.html here].
    2626
    27 If you want to verify whether the version of OpenSSL in your OpenVPN installation is vulnerable, go to ''C:\Program Files\OpenVPN\bin'' using Windows Explorer, right-click on ''libeay32.dll'' and check what ''Details -> Product Version'' says.
     27If you want to verify whether the version of OpenSSL in your OpenVPN installation is vulnerable, go to ''C:\Program Files\OpenVPN\bin'' using Windows Explorer, right-click on ''libeay32.dll'', click properties and check what ''Details -> Product Version'' says.
    2828
    2929== Is Access Server affected? ==
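Review bot: On new line 27, "click properties" should name the menu entry as it appears in the UI and use the same quoting as the other UI labels in the sentence, i.e. ''Properties'', like ''Details -> Product Version''. The sentence also tells the reader to check the product version without saying what value to look for. Since the preceding paragraph names OpenSSL 1.0.1g as the fixed version bundled with ''2.3.2-I004'', state here that this is the value a fixed installation should show.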
     
    3737
    3838== Do TLS-auth keys protect my setup? ==
    39 To some extent. You are strongly encouraged to use TLS-auth keys. In this scenario an attacker can not attack openvpn instances without the TLS-auth key. With a large user base, you should however consider the possibility of one (or more) of the openvpn instances being compromised. Such a compromised instance could attack other instances (including the server).
     39To some extent. You are strongly encouraged to use TLS-auth keys. In this scenario an attacker can not attack openvpn instances without the TLS-auth key. With a large user base, you should however consider the possibility of one (or more) of the OpenVPN instances being compromised. Such a compromised instance could attack other instances (including the server).
    4040
    4141
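Review bot: The capitalization fix on new line 39 covers only the second occurrence. "an attacker can not attack openvpn instances" earlier in the same paragraph still has lowercase "openvpn" and should become "OpenVPN" as well so the paragraph is consistent. While the line is being touched, "can not" would read better as "cannot".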