Staff

[COMPLETED] URGENT - OpenSSL upgrade


EDIT: UPGRADE HAS BEEN COMPLETED

 

Hello!
 
In the next hours we will be upgrading OpenSSL on all of our servers to fix newly discovered OpenSSL vulnerabilities. In particular, we want to close CVE-2014-0224 immediately, that's why we will proceed to the upgrade without early warnings. In order to make sure that no previous OpenSSL functions remain loaded we will restart various services including OpenVPN. Your client will be therefore briefly disconnected from the VPN server. The web sites will remain unavailable just for a fraction of a second and established HTTPS connections will be reset.
 

What you need to do on your side.

 
Nothing urgent: the exploit can be performed only when both client and server sides run vulnerable OpenSSL versions. Therefore the patch on our servers will prevent the exploit. Anyway, as an additional precaution:
 
Linux/FreeBSD/OpenBSD/Unix users: upgrade OpenSSL to the latest version of your branch.
 
Windows users: a patch is not currently available for OpenSSL included in OpenVPN binaries. As soon as it is available we will update our packages. At that time, you will need to upgrade OpenVPN. Upgrade to OpenVPN 2.3.4I002 which includes a non-vulnerable OpenSSL version.
 
Android / iOS users: if you run "openvpn-connect" nothing is required since it does not use OpenSSL but PolarSSL. If you run "OpenVPN for Android" stand by for instructions.
 
OS X users: a patch is not currently available for Tunnelblick. When a new version is released, please upgrade. A new version of Viscosity that includes non-vulnerable OpenSSL is available, please upgrade. Tunnelblick users, please upgrade to versions built on 12 Jun 2014 or later.
 
Kind regards
AirVPN Staff


...

 

Windows users: a patch is not currently available for OpenSSL included in OpenVPN binaries. As soon as it is available we will update our packages. At that time, you will need to upgrade OpenVPN.

 

...

 

I think there actually is a new release for OpenVPN for Windows. They are "openvpn-install-2.3.4-I002-i686.exe" and "openvpn-install-2.3.4-I002-x86_64.exe" and are linked to from the OpenVPN download page:

 

http://openvpn.net/index.php/open-source/downloads.html

 

The wording is a bit strange: "WIndows I002 installers bundle OpenSSL 1.0.0h, which fixes several vulnerabilities, including a MITM vulnerability that affects OpenVPN." I think they meant "1.0.1h", because the "MITM vulnerability" link points to the advisory on the OpenSSL site. And if you check the date in the list of all downloads, these files were created on Thursday:

 

http://swupdate.openvpn.org/community/releases/

 

Edit: I realized that I could check the version of OpenSSL in what I installed (I installed the OpenSSL tools too):

 

C:\temp>where openssl
C:\Program Files\OpenVPN\bin\openssl.exe

C:\temp>openssl version
WARNING: can't open config file: /etc/ssl/openssl.cnf
OpenSSL 1.0.1h 5 Jun 2014

So clearly updated.
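
Added example (not part of the original posts, and not AirVPN or OpenVPN code): the manual `openssl version` check from the post above as a shell function that compares the reported version with the upstream releases that fixed CVE-2014-0224 according to the OpenSSL advisory of 5 June 2014 (0.9.8za, 1.0.0m, 1.0.1h). The function names `letter_ge` and `check_ccs` are made up for this example.

```shell
#!/bin/sh
# Added example: classify `openssl version` output against the CVE-2014-0224 fixes.
# Fixed upstream releases (OpenSSL advisory, 5 Jun 2014): 0.9.8za, 1.0.0m, 1.0.1h.

# letter_ge A B: succeeds if patch-letter suffix A is the same as or newer than B.
# OpenSSL letters run a..z, then za, zb, ..., so a longer suffix is newer.
letter_ge() {
    a=$1 b=$2
    if [ "${#a}" -ne "${#b}" ]; then
        [ "${#a}" -gt "${#b}" ]
        return
    fi
    [ "$a" = "$b" ] && return 0
    # Same length, different text: the one that sorts first is the older.
    first=$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$b" ]
}

# check_ccs TEXT: prints patched, vulnerable or unknown for the first
# "OpenSSL x.y.z[letters]" line in TEXT (other lines, such as warnings, are skipped).
check_ccs() {
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9]*\.[0-9]*\.[0-9]*\)\([a-z]*\).*/\1 \2/p' |
        head -n 1)
    base=${parsed%% *}
    letters=${parsed#* }
    case $base in
        0.9.8) fixed=za ;;
        1.0.0) fixed=m ;;
        1.0.1) fixed=h ;;
        *) echo unknown; return 0 ;;   # branch not covered by this check
    esac
    if letter_ge "$letters" "$fixed"; then echo patched; else echo vulnerable; fi
}

# Sample input: the output quoted in the post above, warning line included.
sample="WARNING: can't open config file: /etc/ssl/openssl.cnf
OpenSSL 1.0.1h 5 Jun 2014"
echo "post's build: $(check_ccs "$sample")"
# On a live system: check_ccs "$(openssl version 2>/dev/null)"
```

The string comparison is meaningful for upstream builds such as the one bundled with the Windows installer. Distribution packages often backport the fix without changing the upstream version letter, so on Linux/BSD confirm against the package changelog or vendor advisory instead.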


Hello Airvpn Staff,

Keep up the hard work. You excel where other vpn providers fail, keeping airvpn servers and members up to date on vulnerabilities and patch them ASAP!

Kind Regards,

  Solex1

