On 19/05/2017 15:37, David Sommerseth wrote: > On 19/05/17 12:46, Jonathan K. Bullard wrote: >> On Fri, May 19, 2017 at 5:29 AM, Samuli Seppänen <sam...@openvpn.net> wrote: >>> >>> The OpenVPN community project team is proud to release OpenVPN 2.3.16. >>> It can be downloaded from here: >>> >>> <http://openvpn.net/index.php/open-source/downloads.html> >>> >>> This is a minor release that fixes a few bugs. This release was made >>> primarily because CloudFlare managed to serve obsolete pre-release >>> OpenVPN 2.3.15 tarballs which lack a fix for CVE-2017-7478: >> >> Were all copies of openvpn-2.3.15.tar.gz that were downloaded from the >> website pre-release versions and not the final versions, or only some? >> >> If only some were the pre-release version, is there a way to tell if a >> tarball was the pre-release version or was the actual version? (The >> SHA256s of both would be helpful here.) > > I have asked Samuli to re-upload the real v2.3.15 source tarballs once > again, just to be on the safe side. But beware, there are some caching > proxies in front of our download servers ... so until the caches have > been properly purged, there will be some confusion. > > Attached is a list with all the v2.3.15 source tarballs and their SHA256 > checksums. This file is signed by our new signing key [1]. This is the > proper v2.3.15 release. > > Any other checksums for v2.3.15 than the ones in this list are invalid > and must not be used. > > > [1] secur...@openvpn.net > F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 2F2B 01E7 > <http://pgp.mit.edu/pks/lookup?op=get&search=0x12F5F7B42F2B01E7> >
Hi, I pushed the new 2.3.15 tarballs to our download servers and purged CloudFlare caches for the matching URLs. I also updated file signatures documentation here: <https://openvpn.net/index.php/open-source/documentation/sig.html> Note that the 2.3.15 Windows installers are still signed with my personal GPG key (40864578) as documented on the page above. The tar.gz, tar.xz and zip files have been signed with the security list key (2F2B01E7). This was a conscious choice to prevent further problems with the 2.3.15 release. -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode net: mattock ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
