Solved OpenVPN app appears to be based on the 3-4 years old version 2.4.4
-
The App Store entry for OpenVPN says "This app is based on OpenVPN 2.4.4", whereas the upstream latest is 2.5.3
https://openvpn.net/community-downloads/Looks like there are at least 2 relevant CVEs in the following:-
Openvpn Openvpn : List of security vulnerabilities
https://www.cvedetails.com/vulnerability-list/vendor_id-3278/product_id-5768/Openvpn-Openvpn.htmlHope we can have an update soon!
-
Thanks for reporting. Indeed, we have to actually update the base image of the app to Ubuntu 20. They changed the CLI of openvpn easy tools entirely, so it requires a bit rework. Will look into this.
-
Updated to 2.4.7 now which is what comes with Ubuntu 20.04
-
@girish said in OpenVPN app appears to be based on the 3-4 years old version 2.4.4:
Updated to 2.4.7 now which is what comes with Ubuntu 20.04
So, we are still vulnerable to the first 2/3 CVEs in:-
https://www.cvedetails.com/vulnerability-list/vendor_id-3278/product_id-5768/Openvpn-Openvpn.html2.5.3 is the upstream latest --- but we need at least 2.5.1 to satisfy the CVE list.
-
@hillside502 My understanding is that ubuntu will backport them as needed. See https://ubuntu.com/security/cve?package=openvpn and https://packages.ubuntu.com/focal/openvpn . So it's reall 2.4.7+backported security patches .
That said, I will look into updating it to 2.5, if it's easy. Currently, I am moving things to use easy-rsa 3 .
-
@girish
Superb stuff, that really does solve the situation --- and automatic updates too! -
I have also updated the app to use easyrsa3 now. This will roll out slowly since there is a lot of migration code .
