On 07/04/2014 13:18, Fredrik Strömberg wrote:
> ---------- Forwarded message ----------
> From: OpenSSL <open...@openssl.org>
> Date: Mon, Apr 7, 2014 at 8:39 PM
> Subject: OpenSSL Security Advisory
> To: openssl-annou...@openssl.org
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> OpenSSL Security Advisory [07 Apr 2014]
> ========================================
>
> TLS heartbeat read overrun (CVE-2014-0160)
> ==========================================
>
> A missing bounds check in the handling of the TLS heartbeat extension can be
> used to reveal up to 64k of memory to a connected client or server.
>
> Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
> 1.0.1f and 1.0.2-beta1.
>
> Thanks for Neel Mehta of Google Security for discovering this bug and to
> Adam Langley <a...@chromium.org> and Bodo Moeller <bmoel...@acm.org> for
> preparing the fix.
>
> Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
> upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
>
> 1.0.2 will be fixed in 1.0.2-beta2.
>
> Hi fellow openvpn-users,
>
> I just got this email. Can someone tell me if this affects OpenVPN
> assuming you run a vulnerable version of OpenSSL?

Using the tls-auth option should protect against this vulnerability (assuming that your tls-auth key is not known to the attacker). If you're not using tls-auth and are using a vulnerable version of OpenSSL, you should definitely upgrade to OpenSSL 1.0.1g.

James

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users