Hello Netanal,
For security-related issues, especially those under embargo, use
secur...@openvpn.net only. Do not include the developer mailing list. It
is also not appreciated to add in other security reporting lists. If you
have something to report in terms of security for OpenVPN, then report
it only to OpenVPN (secur...@openvpn.net).
However, since there is nothing known and that is not a secret, I can
answer all 3 of your questions with a simple: no.
Your idea of reporting security issues and doing security testing does
not seem to meet (our) standards, sorry. You've found nothing, yet
continue to claim that you think there is something. We've proven there
isn't. You provide no proof there is. And your recent response to
"Please investigate, Tnx" is quite frankly hilarious as well as entirely
useless.
We gave you explicit advice and instructions to make a decent report
that you just seem to ignore. You've proven nothing. You're quite
frankly embarrassing yourself in the community. Being inexperienced at
something is not a crime, we all had to start somewhere, and I've made
mistakes in the past too. But that's okay, we learn and get better.
However, there is a lot of information out there on the Internet and
also given in these email conversations that can help you to become a
decent security researcher and make sensible reports, if you would care
to actually follow that advice. It does not seem you are willing to do
what is necessary. Because of that, I am going to ignore messages from
you going forward, unless you actually have something relevant to report.
Kind regards,
Johan Draaisma
On 18-11-2024 15:30, נתי שטרן wrote:
Dear OpenVPN Security Team,
I hope this message finds you well. I am writing to inquire about
recent vulnerabilities disclosed in OpenVPN, specifically related to
Data Channel Offload (DCO) and associated components.
Our current deployment uses OpenVPN version *2.6.12*, which appears to
include patches for the vulnerabilities described under
CVE-2024-27459, CVE-2024-24974, CVE-2024-27903, and CVE-2024-1305.
However, I would like to confirm the following:
1. Are there additional security recommendations for mitigating
potential exploitation of DCO-specific features?
2. Are there any newly identified vulnerabilities in OpenVPN 2.6.12
that have not yet been disclosed in advisories?
3. Could you provide more detailed guidance or best practices for
hardening configurations against these and similar vulnerabilities?
If you require any additional information from our side, I am happy to
provide details within the limits of operational confidentiality.
TNX,
NETANEL
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel