
    Cloudron Forum

    Solved OpenVPN app appears to be based on the 3-4 years old version 2.4.4

    OpenVPN
      A Former User last edited by

      The App Store entry for OpenVPN says "This app is based on OpenVPN 2.4.4", whereas the upstream latest is 2.5.3
      https://openvpn.net/community-downloads/

      Looks like there are at least 2 relevant CVEs in the following:-

      Openvpn Openvpn : List of security vulnerabilities
      https://www.cvedetails.com/vulnerability-list/vendor_id-3278/product_id-5768/Openvpn-Openvpn.html

      Hope we can have an update soon!

        girish Staff last edited by

        Thanks for reporting. Indeed, we have to actually update the base image of the app to Ubuntu 20. They changed the CLI of openvpn easy tools entirely, so it requires a bit of rework. Will look into this.

          girish Staff last edited by

          Updated to 2.4.7 now which is what comes with Ubuntu 20.04

            A Former User @girish last edited by

            @girish said in OpenVPN app appears to be based on the 3-4 years old version 2.4.4:

            Updated to 2.4.7 now which is what comes with Ubuntu 20.04

            So, we are still vulnerable to the first 2/3 CVEs in:-
            https://www.cvedetails.com/vulnerability-list/vendor_id-3278/product_id-5768/Openvpn-Openvpn.html

            2.5.3 is the upstream latest --- but we need at least 2.5.1 to satisfy the CVE list.

              girish Staff @Guest last edited by

              @hillside502 My understanding is that Ubuntu will backport them as needed. See https://ubuntu.com/security/cve?package=openvpn and https://packages.ubuntu.com/focal/openvpn. So it's really 2.4.7+backported security patches.

              That said, I will look into updating it to 2.5, if it's easy. Currently, I am moving things to use easy-rsa 3.

                A Former User @girish last edited by

                @girish
                Superb stuff, that really does solve the situation --- and automatic updates too!

                  girish Staff last edited by

                  I have also updated the app to use easyrsa3 now. This will roll out slowly since there is a lot of migration code.
