strideram reacted to
Staff in [COMPLETED] URGENT - OpenSSL upgrade
...
EDIT: UPGRADE HAS BEEN COMPLETED
Hello!
In the next hours we will be upgrading OpenSSL on all of our servers to fix newly discovered OpenSSL vulnerabilities. In particular, we want to close CVE-2014-0224 immediately, that's why we will proceed to the upgrade without early warnings. In order to make sure that no previous OpenSSL functions remain loaded we will restart various services including OpenVPN. Your client will be therefore briefly disconnected from the VPN server. The web sites will remain unavailable just for a fraction of a second and established HTTPS connections will be reset.
What you need to do on your side.
Nothing urgent: the exploit can be performed only when both client and server sides run OpenSSL vulnerable versions. Therefore the patch on our servers will prevent the exploit. Anyway, as an additional precaution:
Linux/FreeBSD/OpenBSD/Unix users: upgrade OpenSSL to latest version of your branch.
Windows users: a patch is not currently available for OpenSSL included in OpenVPN binaries. As soon as it is available we will update our packages. At that time, you will need to upgrade OpenVPN. Upgrade to OpenVPN 2.3.4I002 which includes a non-vulnerable OpenSSL version.
Android / iOS users: if you run "openvpn-connect" nothing is required since it does not use OpenSSL but PolarSSL. If you run "OpenVPN for Android" stand by for instructions.
OS X users: a patch is not currently available for Tunnelblick. When a new version will be released, please upgrade. A new version of Viscosity that includes non-vulnerable OpenSSL is available, please upgrade. Tunnelblick users, please upgrade to versions built on 12 Jun 2014 or later.
Kind regards
AirVPN Staff