>> Hi,
>>
>> On 08.04.2014 15:42, Steffan Karger wrote:
>>>> Perhaps a dumb question, but if the server instance is linked
>>>> against an older version of openssl (9.8.x), but the client is
>>>> compiled and linked against the vulnerable version, is it still an
>>>> issue for both sides, or is the client going to leak private
>>>> information?
>>> The client can then leak keys (both private master key and session
>>> keys), which completely breaks your secure connection, for that
>>> client.
>>>
>>> So when the server is not vulnerable, each client has to be attacked
>>> individually, and not-vulnerable clients have a secure connection to
>>> the server. As long as there are vulnerable clients, you should
>>> consider those as potentially malicious, and thus you should consider
>>> the network as insecure.
>> Then OpenVPN should release new Windows versions.
>> The current binaries are linked against OpenSSL (ssleay32.dll,
>> libeay32.dll) 1.0.1.5 (-> 1.0.1e).
>>
>
> Hi all,
>
> We'll try to push OpenVPN 2.3.3 out today. The Windows installer will
> contain OpenSSL 1.0.1g which fixes this particular problem. In addition
> several other small changes and enhancements will be included.
>
Minor correction: I will build and publish OpenVPN 2.3.2 Windows installers with OpenSSL 1.0.1g today; this will fix the security problem at hand. OpenVPN 2.3.3 will follow on Thursday, if I encounter no big problems with the changes it contains.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock
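The thread turns on one inventory question: which OpenSSL build is each OpenVPN client actually linked against? The following script is an added example for that check, not code from the thread or from the OpenVPN project. It parses the `library versions:` line that `openvpn --version` prints and the four-part Windows DLL file version quoted above (1.0.1.5, which maps to 1.0.1e because the fourth component is the patch-letter index), and reports whether each is in the Heartbleed range. The sample output and DLL versions are constructed for the example; the affected range, 1.0.1 through 1.0.1f with 1.0.1g as the fix (the 1.0.2-beta1 prerelease was also affected but is not parsed here), is the published one for CVE-2014-0160.

```python
import re

# Constructed sample of what `openvpn --version` prints for a Windows build
# of the kind discussed in the thread (not captured from a real host).
SAMPLE_VERSION_OUTPUT = """\
OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jun  3 2013
library versions: OpenSSL 1.0.1e 11 Feb 2013, LZO 2.05
"""

# Constructed sample of the file versions on the two OpenSSL DLLs named in the thread.
SAMPLE_DLL_FILE_VERSIONS = {
    "ssleay32.dll": "1.0.1.5",
    "libeay32.dll": "1.0.1.5",
}

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 up to and including 1.0.1f;
# 1.0.1g fixes it. The 0.9.8 and 1.0.0 branches never carried the heartbeat code.
# Versions are compared as (major, minor, fix, patch_index), patch_index 0 = no letter.
VULN_LOW = (1, 0, 1, 0)   # 1.0.1
VULN_HIGH = (1, 0, 1, 6)  # 1.0.1f


def parse_openssl_version(text):
    """Extract the OpenSSL version from `openvpn --version` style output.

    Returns (major, minor, fix, patch_index) or None if no OpenSSL version is found.
    The letter suffix is converted to its index: '' -> 0, 'a' -> 1, ..., 'g' -> 7.
    """
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if not m:
        return None
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (major, minor, fix, patch)


def parse_dll_file_version(file_version):
    """Convert a four-part Windows file version such as '1.0.1.5' to the same tuple.

    The OpenSSL Windows builds encode the patch letter as the fourth component,
    so 1.0.1.5 is 1.0.1e (a=1, b=2, c=3, d=4, e=5), as noted in the thread.
    """
    parts = file_version.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {file_version!r}")
    return tuple(int(p) for p in parts)


def format_version(version):
    """Render (1, 0, 1, 5) as '1.0.1e' and (1, 0, 1, 0) as '1.0.1'."""
    major, minor, fix, patch = version
    suffix = chr(ord("a") + patch - 1) if patch else ""
    return f"{major}.{minor}.{fix}{suffix}"


def is_heartbleed_vulnerable(version):
    """True if the version lies in the affected 1.0.1 .. 1.0.1f range."""
    return VULN_LOW <= version <= VULN_HIGH


def audit(version_output, dll_file_versions):
    """Map each evidence source to (human-readable version, vulnerable?)."""
    findings = {}
    ver = parse_openssl_version(version_output)
    if ver is not None:
        findings["openvpn --version"] = (format_version(ver), is_heartbleed_vulnerable(ver))
    for name, file_version in dll_file_versions.items():
        ver = parse_dll_file_version(file_version)
        findings[name] = (format_version(ver), is_heartbleed_vulnerable(ver))
    return findings


if __name__ == "__main__":
    for source, (ver, vulnerable) in audit(SAMPLE_VERSION_OUTPUT, SAMPLE_DLL_FILE_VERSIONS).items():
        status = "VULNERABLE, upgrade to 1.0.1g or later" if vulnerable else "not affected"
        print(f"{source:20s} OpenSSL {ver:8s} {status}")
```

Run it against real `openvpn --version` output and the file-version properties of the two DLLs on a client; a client reporting 1.0.1e on either source is exactly the case Steffan describes, where that client's keys can be read regardless of what the server links against.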