Hi Michael,

On 08/11/2021 17:25, Michael Tremer wrote:
> Hello Adolf,
>
> Thank you for raising this.
>
>> On 8 Nov 2021, at 13:59, Adolf Belka wrote:
>>
>> Hallo all,
>>
>> I had thought, from checks I had made, that there were no security related issues with OpenVPN after the release of 2.5.0 that is currently in IPFire.
>>
>> However it has been highlighted in the forum that there is CVE-2020-15078. I have had a look at this and very specific conditions have to be in place for this to be feasible.
>
> IPFire systems should not be vulnerable in any configuration because we do not use the affected feature. However, we should of course still upgrade to a fixed version.
>
>> So I believe that for the majority of IPFire users this will not be an issue but it could occur if someone is also using one of the OpenVPN plug-ins that are highlighted in the wiki and is also using "--auth-gen-token" or a user-specific token auth solution.
>>
>> While the above is unlikely it is not impossible. A fix for this CVE was put into 2.5.2
>>
>> I have looked through this release and 2.5.1 to see if there are any changes that might cause a problem for people using earlier features. I don't believe so from first glance but I am not 100% sure. I would want to very thoroughly test it to be sure there would be no unexpected impact.
>>
>> Therefore what I am doing is an update that leaves the 2.5.0 source file being used but where I will apply the patches from the commits in 2.5.2 that fix this CVE.
>
> We could in theory cherry-pick just the fix for the vulnerability, but on the other hand I do not see anything that has DEPRECATION WARNING in big letters.
>
> Also 2.5.4 is out already: https://github.com/OpenVPN/openvpn/releases/tag/v2.5.4
>
>> This will give us a quick fix to the CVE in IPFire so even any small chance is closed and then I will look more closely at the later/latest versions and build them and test them to see if I can find any issue, similarly to how Erik and I tested out that 2.5.0 would not break anything. This way we can take time to make sure everything is really working as expected.
>>
>>
>> If there is any disagreement to my outlined approach above, please let me know.
>>
>> PS:- I have also found why I missed the existence of the CVE. I was only reading the headlines of the changes from 2.4 to 2.5.4 and the CVEs were only mentioned in the detailed change notes from the involved versions. I know better now how to keep a correct eye on the changes.
>
> Usually this should be at least referred to at the top (“Includes security fixes”), or there should be a separate security advisory.
>
> I would suggest trying to upgrade to 2.5.4 and see whether that introduces any new regressions. The minor versions should not introduce any change in behaviour.

No problem. I will give 2.5.4 a go and see how it goes. Trying just the commit fixes for the CVE has just failed anyway because it couldn't find a member called 'multi_state' so the "simple" fix is not going to be so "simple" anyway.

>
> However, we are facing a lot of change with 2.6: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

Yes, just had a look at it. All those old weak ciphers will be actually removed. However I would really hope no one is still using ciphers like Blowfish.

Regards,

Adolf.

>
> Best,
> -Michael
>
>>
>> Regards,
>>
>> Adolf.
>>