Hi,

On 05/22/2014 11:38 PM, Steffan Karger wrote:
> On 21-05-14 18:19, Lisa Minogue wrote:
>> According to Debian Security Advisory DSA-2931-1
>> (http://www.debian.org/security/2014/dsa-2931) a bug in OpenSSL could result
>> in a denial of service.
>>
>> Is OpenVPN 2.3.4 software (community edition, Microsoft Windows, Mac OS,
>> *nix versions) affected by it?
>
> Yes, if your OpenSSL is vulnerable, OpenVPN probably is too. I glanced
> over the code and the affected do_ssl3_write() seems to be in the normal
> TLS connection code path.
On a second look, OpenVPN is not vulnerable. The CVE explains: "The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled." But the patch to enable SSL_MODE_RELEASE_BUFFERS has not been merged yet (but probably will, because it reduces memory usage significantly on servers with many connections, see https://community.openvpn.net/openvpn/ticket/157).

The advice is as usual:
* Update your OpenSSL.
* Use TLS auth as an extra layer of protection.

Regards,
-Steffan
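As an added example, not part of the thread: a small Python check that parses an OpenSSL version string and classifies it against the range quoted above ("1.x through 1.0.1g"). The version strings it handles are constructed samples; the second condition, whether the application enables SSL_MODE_RELEASE_BUFFERS, still has to be confirmed in the application's source, as Steffan did for OpenVPN.

```python
import re
import ssl

# Upstream range quoted in the thread: "OpenSSL 1.x through 1.0.1g".
# The bug only triggers when SSL_MODE_RELEASE_BUFFERS is enabled, which
# this script cannot see; check the application's SSL_CTX_set_mode() calls.
LAST_AFFECTED = (1, 0, 1, "g")

# Matches "OpenSSL 1.0.1g 7 Apr 2014", "1.0.1e-fips", "1.0.2" ...
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter) or None if unparseable.

    Pre-1.1 OpenSSL appends a letter per patch release, so the tuple
    orders 1.0.1 < 1.0.1a < ... < 1.0.1g naturally ("" sorts first).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_upstream_version_affected(text):
    """True when the upstream version falls in 1.0.0 .. 1.0.1g.

    Caveat: distributions backport fixes without changing the upstream
    version string (DSA-2931-1 is such a fix), so a True here means
    "consult your vendor advisory", not "definitely vulnerable".
    """
    v = parse_openssl_version(text)
    if v is None or v[0] != 1:
        return False  # 0.9.8 and 1.1+/3.x are outside the quoted range
    return v <= LAST_AFFECTED


def running_library_report():
    """Classify the OpenSSL linked into this Python interpreter."""
    version = ssl.OPENSSL_VERSION
    return {"version": version,
            "in_affected_range": is_upstream_version_affected(version)}


if __name__ == "__main__":
    print(running_library_report())
```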