Jump to content
Not connected, Your IP: 3.138.125.86
AirVPN
In*the*AIR

ANSWERED OPENSSL security flaw "high severity" to be patched on Thursday 07/08

By In*the*AIR, ... in Troubleshooting and Problems

Recommended Posts

encrypted    13

encrypted
Posted ...

And please consider offering changelog entries for the Experimental versions too so users can find out what's been patched and what version is actually being offered under that "Experimental" tag.

 

While I'm in good voice, maybe add some kind of notification to Eddie to let the user know when an update is available.

Share this post

Link to post

zhang888    1066

zhang888
Posted ...

There are differences in server-side and client-side OpenSSL vulnerabilities.

Not all vulnerabilities that affect servers can affect clients in the same way, if at all.

 

What is important is to see details and apply the patches in the infrastructure where applicable.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post

Link to post

In*the*AIR    1

In*the*AIR
Posted ...

So some more details have been published and actually "openssl version 1.0.1k is not affected"

 

http://openssl.org/news/secadv_20150709.txt

 

 

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2dOpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1pThis issue was reported to OpenSSL on 24th June 2015 by Adam Langley/DavidBenjamin (Google/BoringSSL). The fix was developed by the BoringSSL project.

 Hence no problem with Eddie or airvpn

 

My message was only to raise awareness, there will always be security flaws discovered, the good thing is that they get found and fixed.

 

PS: I got the date wrong, I know

there is no way to edit the title...

Share this post

Link to post

Staff    9971

Staff
Posted ...

Hello!

 

Our servers implement OpenSSL 1.0.1k (not affected), Eddie 2.9.2 includes 1.0.1k (not affected) and Eddie 2.10.1 includes 1.0.2a  (not affected).

 

OpenVPN packages with installers I603 and I003 are now bundled with 1.0.1p, not affected:

https://openvpn.net/index.php/open-source/downloads.html

 

If you're not running our client Eddie and you run OpenVPN for Windows with OpenSSL 1.0.1o, upgrading is recommended.

 

openvpn-connect for Android and iOS uses PolarSSL, not OpenSSL.

 

We are planning to release a new Eddie version soon after some additional bug-check, but currently there is no time pressure.

 

Kind regards

Share this post

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Go To Topic Listing
×
×
  • Create New...