In*the*AIR 1 Posted ...

Hi, this has been announced here: https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html

The security flaw is impacting versions 1.0.1 and 1.0.2 of OpenSSL. From Eddie (Mac version) it states OpenSSL version 1.0.1k, so it is affected. Will you repack Eddie with the patched 1.0.1p version soon? Thanks
encrypted 13 Posted ...

And please consider offering changelog entries for the Experimental versions too so users can find out what's been patched and what version is actually being offered under that "Experimental" tag. While I'm in good voice, maybe add some kind of notification to Eddie to let the user know when an update is available.
zhang888 1066 Posted ...

There are differences in server-side and client-side OpenSSL vulnerabilities. Not all vulnerabilities that affect servers can affect clients in the same way, if at all. What is important is to see details and apply the patches in the infrastructure where applicable.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
In*the*AIR 1 Posted ...

So some more details have been published and actually "openssl version 1.0.1k is not affected": http://openssl.org/news/secadv_20150709.txt

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p
This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project.

Hence no problem with Eddie or AirVPN. My message was only to raise awareness; there will always be security flaws discovered, the good thing is that they get found and fixed.

PS: I got the date wrong, I know there is no way to edit the title...
Staff 10016 Posted ...

Hello!

Our servers implement OpenSSL 1.0.1k (not affected), Eddie 2.9.2 includes 1.0.1k (not affected) and Eddie 2.10.1 includes 1.0.2a (not affected).

OpenVPN packages with installers I603 and I003 are now bundled with 1.0.1p, not affected: https://openvpn.net/index.php/open-source/downloads.html

If you're not running our client Eddie and you run OpenVPN for Windows with OpenSSL 1.0.1o, upgrading is recommended.

openvpn-connect for Android and iOS uses PolarSSL, not OpenSSL.

We are planning to release a new Eddie version soon after some additional bug-check, but currently there is no time pressure.

Kind regards
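Added example (not part of the thread, and not AirVPN's or OpenSSL's own code): a small shell check that extracts the OpenSSL version from a version banner and compares it with the four releases the advisory quoted above lists as affected, which shows why a 1.0.1 or 1.0.2 branch number alone does not decide the question. The function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Classify an OpenSSL version banner against the affected releases
# quoted in this thread from secadv_20150709.txt:
#   affected: 1.0.2b, 1.0.2c (fix: 1.0.2d) and 1.0.1n, 1.0.1o (fix: 1.0.1p)

# extract_version BANNER -> prints the version token, e.g. "1.0.1k".
# Accepts a bare "OpenSSL ..." banner or a longer line that embeds one.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p' |
        head -n 1
}

# classify BANNER -> prints "<version> <verdict>".
# The letter suffix matters: 1.0.1k and 1.0.1o are on the same branch,
# but only the second is on the advisory's list.
classify() {
    v=$(extract_version "$1")
    case "$v" in
        "")            echo "unknown no-openssl-version-found" ;;
        1.0.2b|1.0.2c) echo "$v affected-upgrade-to-1.0.2d" ;;
        1.0.1n|1.0.1o) echo "$v affected-upgrade-to-1.0.1p" ;;
        *)             echo "$v not-listed-as-affected" ;;
    esac
}

# Constructed sample banners covering the versions named in the thread.
while IFS= read -r banner; do
    classify "$banner"
done <<'EOF'
OpenSSL 1.0.1k 8 Jan 2015
OpenSSL 1.0.2a 19 Mar 2015
library versions: OpenSSL 1.0.1o 12 Jun 2015, LZO 2.08
OpenSSL 1.0.2c 12 Jun 2015
OpenSSL 1.0.1p 9 Jul 2015
PolarSSL 1.3.9
EOF
```

To check an installed binary, pass it real output, for example `classify "$(openssl version)"`.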