[OpenVPN-NL] OpenVPN-NL v2.3.5-nl3 released

Steffan Karger steffan.karger at fox-it.com
Mon Jan 19 16:33:22 CET 2015


A new version of OpenVPN-NL (2.3.5-nl3) is available on the OpenVPN-NL
site [1]. This version is based on OpenVPN 2.3.5 [2], and PolarSSL
1.2.12 [3].

This new version of OpenVPN-NL fixes a potential double free
vulnerability in PolarSSL [4]. The vulnerability enables an attacker
who can send TLS messages to an OpenVPN-NL instance to trick that
instance into freeing an uninitialized pointer. This enables an attacker to
mount a denial of service attack, and could potentially lead to remote
code execution. If the recommended tls-auth mechanism is used in an
OpenVPN-NL configuration, an attacker can only attack such an
OpenVPN-NL instance if (s)he is in possession of the tls-auth key.

We have not (yet) seen any exploits targeting this vulnerability.

Users are advised to upgrade both OpenVPN-NL clients and servers to
2.3.5-nl3.


References
----------
[1] https://openvpn.fox-it.com/
[2] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
[3] https://polarssl.org/tech-updates/releases/polarssl-1.2.12-released
[4] https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04
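Added example, not part of the original announcement and not OpenVPN-NL code: a small Python audit that reports whether a TLS-mode OpenVPN configuration actually enables the tls-auth mechanism the advisory recommends, ignoring commented-out directives. The sample configurations, file names, host name and status strings are constructed for illustration.

```python
import re

# Directives that put OpenVPN in TLS mode, where peers exchange TLS messages.
TLS_MODE = {"client", "server", "tls-client", "tls-server"}

def parse_directives(text):
    """Return (list of directive word-lists, set of inline block names)."""
    directives, inline, in_block = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # skip material inside <tag>...</tag>
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":   # blank line or comment
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:                             # start of an inline file block
            in_block = m.group(1)
            inline.add(in_block)
            continue
        directives.append(line.split())
    return directives, inline

def audit(text):
    """Classify one config by how (or whether) tls-auth is enabled."""
    directives, inline = parse_directives(text)
    if not {d[0] for d in directives} & TLS_MODE:
        return "no-tls-mode"              # e.g. static-key setup, no TLS handshake
    if "tls-auth" in inline:
        return "tls-auth-inline"
    if any(d[0] == "tls-auth" and len(d) > 1 for d in directives):
        return "tls-auth-file"
    return "tls-auth-missing"             # TLS packets accepted without an HMAC key

# Constructed sample configurations (assumptions, not from the announcement).
SAMPLES = {
    "server-commented.conf": "port 1194\ntls-server\n;tls-auth ta.key 0\n# tls-auth ta.key 0\n",
    "server-ok.conf": "port 1194\nserver 10.8.0.0 255.255.255.0\ntls-auth ta.key 0\n",
    "client-inline.ovpn": "client\nremote vpn.example.invalid 1194\nkey-direction 1\n"
                          "<tls-auth>\n(constructed placeholder, not a real key)\n</tls-auth>\n",
    "static.conf": "remote vpn.example.invalid 1194\nsecret static.key\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {audit(text)}")
```

A result of tls-auth-missing marks an instance that any peer able to send TLS messages can reach, so those are the ones to prioritise for the upgrade to 2.3.5-nl3.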


