Staff 10328 Posted ...

EDIT: UPGRADE HAS BEEN COMPLETED

Hello!

In the next hours we will be upgrading OpenSSL on all of our servers to fix newly discovered OpenSSL vulnerabilities. In particular, we want to close CVE-2014-0224 immediately, that's why we will proceed to the upgrade without early warnings.

In order to make sure that no previous OpenSSL functions remain loaded we will restart various services including OpenVPN. Your client will be therefore briefly disconnected from the VPN server. The web sites will remain unavailable just for a fraction of a second and established HTTPS connections will be reset.

What you need to do on your side.

Nothing urgent: the exploit can be performed only when both client and server sides run OpenSSL vulnerable versions. Therefore the patch on our servers will prevent the exploit. Anyway, as an additional precaution:

Linux/FreeBSD/OpenBSD/Unix users: upgrade OpenSSL to the latest version of your branch.

Windows users: a patch is not currently available for OpenSSL included in OpenVPN binaries. As soon as it is available we will update our packages. At that time, you will need to upgrade OpenVPN. Upgrade to OpenVPN 2.3.4I002 which includes a non-vulnerable OpenSSL version.

Android / iOS users: if you run "openvpn-connect" nothing is required since it does not use OpenSSL but PolarSSL. If you run "OpenVPN for Android" stand by for instructions.

OS X users: a patch is not currently available for Tunnelblick. When a new version is released, please upgrade. A new version of Viscosity that includes non-vulnerable OpenSSL is available, please upgrade. Tunnelblick users, please upgrade to versions built on 12 Jun 2014 or later.

Kind regards
AirVPN Staff

rainmakerraw 94 Posted ...

Viscosity was updated on the same day the vulnerability was disclosed. Unfortunately there's still no update for Tunnelblick. Great work AirVPN.

NaDre 161 Posted ...

... Windows users: a patch is not currently available for OpenSSL included in OpenVPN binaries. As soon as it is available we will update our packages. At that time, you will need to upgrade OpenVPN. ...

I think there actually is a new release for OpenVPN for Windows. They are "openvpn-install-2.3.4-I002-i686.exe" and "openvpn-install-2.3.4-I002-x86_64.exe" and are linked to from the OpenVPN download page: http://openvpn.net/index.php/open-source/downloads.html

The wording is a bit strange:

"WIndows I002 installers bundle OpenSSL 1.0.0h, which fixes several vulnerabilities, including a MITM vulnerability that affects OpenVPN."

I think they meant "1.0.1h", because the "MITM vulnerability" link points to the advisory on the OpenSSL site.

And if you check the date in the list of all downloads, these files were created on Thursday: http://swupdate.openvpn.org/community/releases/

Edit: I realized that I could check the version of OpenSSL in what I installed (I installed the OpenSSL tools too):

    C:\temp>where openssl
    C:\Program Files\OpenVPN\bin\openssl.exe

    C:\temp>openssl version
    WARNING: can't open config file: /etc/ssl/openssl.cnf
    OpenSSL 1.0.1h 5 Jun 2014

So clearly updated.

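A scripted form of the version check in the post above, as an added example that is not part of the original thread: it parses `openssl version` output, skips the config-file warning line, and compares the 1.0.1-branch patch letter with 1.0.1h. The function names are hypothetical, and branches whose fixed release the thread does not name are reported as unknown.

```python
import re

# Fixed release named in this thread for the 1.0.1 branch. The thread does not
# state the fixed releases of other branches, so those are reported as unknown.
FIXED = {"1.0.1": "h"}

# Matches e.g. "OpenSSL 1.0.1h 5 Jun 2014" or "OpenSSL 1.0.1e-fips 11 Feb 2013".
BANNER = re.compile(r"^OpenSSL (\d+\.\d+\.\d+)([a-z]*)(?:-\S+)?\s", re.M)


def parse_banner(output):
    """Return (branch, patch_letter) from `openssl version` output.

    Lines before the banner (such as the openssl.cnf warning) are skipped.
    """
    m = BANNER.search(output)
    if not m:
        raise ValueError("no OpenSSL version line found")
    return m.group(1), m.group(2)


def letter_rank(letter):
    # Patch letters order as '' < a < ... < z < za < zb, so compare by
    # length first and alphabetically second.
    return (len(letter), letter)


def status(output):
    """Classify banner output as 'patched', 'vulnerable' or 'unknown'."""
    branch, letter = parse_banner(output)
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown"
    return "patched" if letter_rank(letter) >= letter_rank(fixed) else "vulnerable"


# Output as posted in the thread.
SAMPLE_FROM_THREAD = (
    "WARNING: can't open config file: /etc/ssl/openssl.cnf\n"
    "OpenSSL 1.0.1h 5 Jun 2014\n"
)
# Constructed sample of an older 1.0.1 build.
SAMPLE_CONSTRUCTED = "OpenSSL 1.0.1g 7 Apr 2014\n"

if __name__ == "__main__":
    for sample in (SAMPLE_FROM_THREAD, SAMPLE_CONSTRUCTED):
        print(parse_banner(sample), status(sample))
```

The banner only reflects the upstream version string: distribution packages that backport fixes keep the old letter, so on Linux the package changelog is the authoritative check.
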
Solex1 2 Posted ...

Hello Airvpn Staff,

Keep up the hard work. You excel where other vpn providers fail, keeping airvpn servers and members up to date on vulnerabilities and patching them ASAP!

Kind Regards,
Solex1