Hi,

On 19-03-15 21:09, Mike Tancsa wrote:
> Has anyone had a chance to look at the impact of the latest OpenSSL
> security issues?
>
> https://www.openssl.org/news/secadv_20150319.txt

Depending on your configuration and OpenSSL version used, the following
advisories from the list can apply to OpenVPN setups:

* OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
* Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
* Multiblock corrupted pointer (CVE-2015-0290)
* Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
* Segmentation fault for invalid PSS parameters (CVE-2015-0208)
* ASN.1 structure reuse memory corruption (CVE-2015-0287)
* Base64 decode (CVE-2015-0292)
* Empty CKE with client auth and DHE (CVE-2015-1787)

Note that CVE-2015-0291, CVE-2015-0290, CVE-2015-0208 and CVE-2015-1787
affect OpenSSL 1.0.2 only (which is quite new and not yet used very often).

The following do *not* apply to OpenVPN:

* Segmentation fault in DTLSv1_listen (CVE-2015-0207)
  (OpenVPN does not use DTLS)
* PKCS7 NULL pointer dereferences (CVE-2015-0289)
  (TLS does not use PKCS#7)
* DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
  (OpenVPN only does TLSv1.0+)
* Handshake with unseeded PRNG (CVE-2015-0285)
  (OpenVPN manually seeds the PRNG)
* Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
  (OpenVPN 2.3, the current version, does not support EC certs yet.
  Note however that the git master branch *does*.)
* X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)
  (Neither OpenVPN nor the OpenSSL ssl functions call X509_to_X509_REQ())

-Steffan