From what I understand, versions 2.4.0 and 2.4.1 suffer from multiple vulnerabilities. Here are the most serious issues which were fixed in version 2.4.2:

"
- Correction of a pre-authentication Denial of Service attack. An attacker can crash any OpenVPN client or server without any credentials or keys.
- Correction of an authenticated user Denial of Service attack. An attacker can crash an OpenVPN client or server using an AEAD mode cipher by sending crafted data to exhaust the packet counter. Requires authentication.
- Correction of issues in mbedtls (PolarSSL) X509 certificate handling. Verify return values of mbedtls_x509_dn_gets and mbedtls_x509_serial_gets correctly.
- Correction of usernames and passwords not being properly erased for the new bootloader. (keystrokes not erased after authentication)
- Correction of null pointer dereferences. Because this issue is low-severity and not exploitable, this fix is reserved for a future release.
- Correction of service handling for OpenVPN GUI. The OpenVPN GUI did not properly terminate the service when closed.
- Improvements to documentation of the OpenVPN protocol. Improving transparency of functionality for developers working with the OpenVPN protocol.
- Updates to user documentation for other vulnerabilities that can be closed by user practices. Such as selecting more secure options, and deprecating antiquated options that are unsafe.
"

See the audit results and the OpenVPN download page for more info:
https://ostif.org/the-openvpn-2-4-0-audit-by-ostif-and-quarkslab-results/
https://openvpn.net/index.php/open-source/downloads.html

There should be more info there but I can't access the site at the moment:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits
Removed all vulnerable versions except current stable. Added fixed versions 2.3.15 and 2.4.2
Maintainer(s), Thank you for your work. Closing - noglsa
I think there's been a mistake here. This bug was closed, although the current stable version (2.3.12) is still vulnerable to most of these issues. It seems stabilization was forgotten.
Correct, arches please stabilize 2.4.2

Keywords for net-vpn/openvpn:

         | alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 arm64 mips m68k nios2 riscv s390 sh | eapi unused slot | repo
---------+----------------------------------------------------------------------------------+------------------+-------
2.3.12   |   +     +    +   +    +    +    +     +    +    o    ~    o     o     o    ~   ~ |  5     o     0   | gentoo
2.3.15   |   ~     ~    ~   ~    ~    ~    ~     ~    ~    o    ~    o     o     o    ~   ~ |  6     #         | gentoo
[I]2.4.2 |   ~     ~    ~   ~    ~    ~    ~     ~    ~    o    ~    o     o     o    ~   ~ |  6     o         | gentoo
9999     |   o     o    o   o    o    o    o     o    o    o    o    o     o     o    o   o |  6     o         | gentoo
Stable on alpha.
Stable for HPPA.
amd64 stable
x86 stable
Stable on macOS x64 (see https://github.com/gentoo/gentoo/pull/4636).
ppc64 stable
ppc stable.
Hanno, thank you for catching that. My fault.
sparc stable
openvpn-2.4.2 does not start for me.

[ebuild R ] net-vpn/openvpn-2.4.2::gentoo USE="examples lzo pam plugins ssl -down-root -inotify -iproute2 (-libressl) -lz4 -mbedtls -pkcs11 (-polarssl) (-selinux) -static -systemd {-test}" 0 KiB

When trying to start...

/etc/init.d/openvpn start
 * Caching service dependencies ... [ ok ]
 * Starting openvpn ...
 * start-stop-daemon: failed to start `/usr/sbin/openvpn'
 * Check your logs to see why startup failed [ !! ]
 * ERROR: openvpn failed to start

Nothing in my logs. Rolling back to openvpn-2.3.15, I can again start the service.
(In reply to lou from comment #14)
> openvpn-2.4.2 does not start for me.

Please file a new bug.
arm stable
ia64 stable. Maintainer(s), please cleanup. Security, please vote.
GLSA Vote: No

Tree is clean.