[Openvpn-devel] OpenVPN and SSL vulnerability CVE-2010-3864

[James Yonan]

Regarding the recently discovered SSL vulnerability CVE-2010-3864, 
OpenVPN should not be affected because it is single-threaded.


James

[Openvpn-devel] Summary of the IRC meeting (18th Nov 2010)

[Samuli Seppänen]

Hi,

Here's the summary of the previous community meeting.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Thursday, 18th Nov 2010
Time: 18:00 UTC

Planned meeting topics for this meeting were on this page:



Next meeting will be announced in advance, but will be on the same
weekday and at the same time. Your local meeting time is easy to check
from services such as



or with

$ date -u


SUMMARY

Discussed next 2.2 release, which will include quite a few bugfixes and
few small new features compared to 2.2-beta3: see the attached changelog
for details. Because of the new features it was agreed that a new beta
is needed, even though no 2.2-beta3 -specific issues have been reported
so far. Decided to release 2.2-beta4 next week.

Discussed the "Dynamic iroute patch" which had been discussed in an
earlier meeting:




Decided to not include the patch in Git as it's author would not have
time maintain it.

Discussed the "MacOSX Keychain Certificate support" patch:



The patch itself has been ready for inclusion into Git for a long time,
but nobody has reported if works. Ecrist agreed to test the patch.
Mattock promised to advertise the patch on the "tunnelblick-discuss"
group to get more testers.

---

Full chatlog as an attachment

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

(20:08:30) mattock: ok, which topic first?
(20:08:42) mattock: security issue may have to wait until James arrives
(20:08:45) mattock: issues
(20:08:47) dazo: agreed
(20:09:25) dazo: OpenVPN-2.2-beta4?
(20:09:45) mattock: my thoughts exactly
(20:10:10) mattock: have there been any issues with beta3 specifically?
(20:10:43) mattock: to me it seems way too stable for a beta
(20:10:43) dazo: I have not noticed anything particular ... ecrist / krzee  
have you heard anything?
(20:11:04) dazo: hence my question if a RC round is needed for this release
(20:11:28) ecrist: nothing at all.
(20:11:30) dazo: I'm running 2.2-beta3 on a server and a client ... 24/7 
operations, without any issues
(20:11:34) mattock: I don't think we need an RC if nobody has reported beta3 
-specific problems
(20:11:39) ecrist: I'm running beta3 in a fairly simple vpn without issues.
(20:11:45) ecrist: only as a client, though, not as a server.
(20:12:24) dazo: I'm having a TAP setup, with the eurephia plug-in on the 
server side ... and it servers both 2.1 and the 2.2-beta client
(20:14:05) mattock: perhaps the changes between 2.1.x and 2.2-beta3 have been 
too modest to introduce any serious issues
(20:14:25) mattock: dazo: what changes you think would go to beta4?
(20:14:38) ***dazo is looking at that right now :)
(20:15:07) ecrist: is there a draft release-notes somewhere for 2.2?
(20:15:29) dazo: nope, but that's a really good idea to have!
(20:15:37) mattock: if there are new features queued then perhaps one more beta 
followed quickly by a RC would make sense
(20:15:44) mattock: dazo: agreed
(20:16:04) mattock: or instead of RC the official 2.2 release
(20:17:25) dazo: maybe, we could just release RC1 now instead ... as the beta 
has been so stable
(20:17:42) ecrist: imho, once you go RC, you stop adding features.
(20:17:59) ecrist: so, if you want to add features, go beta4
(20:18:02) mattock: ecrist: I was about to mention that... 
(20:18:19) mattock: dazo: is beta4 going to get anything that would classify as 
a "new feature"?
(20:18:23) mattock: instead of bugfix
(20:18:34) dazo: I'm posting the changes shortly now
(20:19:47) dazo: http://www.fpaste.org/1b9a/
(20:20:26) dazo: I think the gap is somewhat smaller, I think I might have 
taken the wrong "starting commit" from what I see now
(20:21:11) dazo: There are a few new features, but mostly fixes
(20:21:38) mattock: so this is beta3 -> beta4?
(20:21:50) dazo: probably then
(20:22:50) mattock: I would go for a new beta... and if that's stable, then 
make an official release right after that
(20:23:06) dazo: I'll double check the changelog better  as the bugfix2.1 
and feat_misc branches are a bit fuzzy due to some nasty merges, this log is a 
bit misguiding ... I see several things (new features) now which has been 
included in beta3 already
(20:23:07) mattock: just to follow the normal alpha-beta-rc conventions
(20:23:17) dazo: ack
(20:23:39) dazo: let's go that path  the only reason for RC, is that more 
people might be willing to jump on the test-wagon
(20:24:12) mattock: yeah, that might be true
(20:24:51) mattock: btw. do we know how quickly *NIX distributions start 
distributing our latest releases?
(20:24:53) dazo: but if I discover when going more carefully through it, that 
it's only bugfixes ... we can have