>>> Hi,
>>>
>>> On 08.04.2014 15:42, Steffan Karger wrote:
>>>>> Perhaps a dumb question, but if the server instance is linked
>>>>> against an older version of openssl (9.8.x), but the client is
>>>>> compiled and linked against the vulnerable version, is it still an
>>>>> issue for both sides, or is the client going to leak private
>>>>> information?
>>>> The client can then leak keys (both private master key and session
>>>> keys), which completely breaks your secure connection, for that
>>>> client.
>>>>
>>>> So when the server is not vulnerable, each client has to be attacked
>>>> individually, and not-vulnerable clients have a secure connection to
>>>> the server. As long as there are vulnerable clients, you should
>>>> consider those as potentially malicious, and thus you should consider
>>>> the network as insecure.
>>> Then OpenVPN should release new Windows versions.
>>> The current binaries are linked against OpenSSL (ssleay32.dll,
>>> libeay32.dll) 1.0.1.5 (-> 1.0.1e).
>>>
>>>
>> Hi all,
>>
>> We'll try to push OpenVPN 2.3.3 out today. The Windows installer will
>> contain OpenSSL 1.0.1g which fixes this particular problem. In addition
>> several other small changes and enhancements will be included.
>>
> Minor correction: I will build and publish OpenVPN 2.3.2 Windows
> installers with OpenSSL 1.0.1g today; this will fix the security problem
> at hand. OpenVPN 2.3.3 will follow on Thursday, if I encounter no big
> problems with the changes it contains.
>
An updated installer (I004) with OpenSSL 1.0.1g is now out:

<http://openvpn.net/index.php/download/community-downloads.html>

I smoke-tested the installers on Windows 7 64-bit and WinXP 32-bit.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
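The DLL version check raised in the thread (ssleay32.dll / libeay32.dll file version 1.0.1.5 meaning 1.0.1e), written out as an added example that is not part of this thread or of OpenVPN's own code. It assumes the OpenSSL Windows FILEVERSION convention in which the fourth field is the patch letter (0 = no letter, 1 = a, 5 = e, 7 = g), and that only the 1.0.1 branch before 1.0.1g carries the bug; the host inventory is constructed sample data.

```python
"""Audit Windows OpenSSL DLL file versions against the 1.0.1g fix."""
import re
from typing import Dict, NamedTuple, Tuple


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: int  # assumed: 0 = no letter, 1 = 'a', 5 = 'e', 7 = 'g'

    @property
    def letter(self) -> str:
        """Render as the familiar letter release, e.g. (1,0,1,5) -> '1.0.1e'."""
        suffix = chr(ord("a") + self.patch - 1) if self.patch else ""
        return f"{self.major}.{self.minor}.{self.fix}{suffix}"


def parse_file_version(file_version: str) -> OpenSSLVersion:
    """Parse the FILEVERSION string shown for ssleay32.dll / libeay32.dll."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", file_version.strip())
    if not m:
        raise ValueError(f"unexpected file version: {file_version!r}")
    return OpenSSLVersion(*(int(g) for g in m.groups()))


FIXED = OpenSSLVersion(1, 0, 1, 7)  # 1.0.1g, the build shipped in installer I004


def is_affected(v: OpenSSLVersion) -> bool:
    """Only 1.0.1 .. 1.0.1f are affected; 0.9.8 and 1.0.0 builds are not."""
    return (v.major, v.minor, v.fix) == (1, 0, 1) and v < FIXED


def audit(inventory: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map host -> (letter version, verdict) so vulnerable clients stand out."""
    result = {}
    for host, file_version in inventory.items():
        v = parse_file_version(file_version)
        verdict = "update to 1.0.1g" if is_affected(v) else "ok"
        result[host] = (v.letter, verdict)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"client-pc-01": "1.0.1.5", "vpn-server": "0.9.8.25", "client-pc-02": "1.0.1.7"}
    for host, (version, verdict) in audit(sample).items():
        print(f"{host:14s} OpenSSL {version:8s} {verdict}")
```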