Cloudron Forum


OpenVPN app appears to be based on the 3-4 years old version 2.4.4

7 Posts 2 Posters 432 Views
    A Former User
    wrote on last edited by
    #1

    The App Store entry for OpenVPN says "This app is based on OpenVPN 2.4.4", whereas the upstream latest is 2.5.3
    https://openvpn.net/community-downloads/

    Looks like there are at least 2 relevant CVEs in the following:-

    Openvpn Openvpn : List of security vulnerabilities
    https://www.cvedetails.com/vulnerability-list/vendor_id-3278/product_id-5768/Openvpn-Openvpn.html

    Hope we can have an update soon!

    girish Staff
    wrote on last edited by
    #2

    Thanks for reporting. Indeed, we have to actually update the base image of the app to Ubuntu 20. They changed the CLI of openvpn easy tools entirely, so it requires a bit of rework. Will look into this.

    girish Staff
    wrote on last edited by
    #3

    Updated to 2.4.7 now which is what comes with Ubuntu 20.04

    A Former User
    replied to girish on last edited by
    #4

    @girish said in OpenVPN app appears to be based on the 3-4 years old version 2.4.4:

    Updated to 2.4.7 now which is what comes with Ubuntu 20.04

    So, we are still vulnerable to the first 2/3 CVEs in:-
    https://www.cvedetails.com/vulnerability-list/vendor_id-3278/product_id-5768/Openvpn-Openvpn.html

    2.5.3 is the upstream latest --- but we need at least 2.5.1 to satisfy the CVE list.

    girish Staff
    replied to A Former User on last edited by
    #5

    @hillside502 My understanding is that Ubuntu will backport them as needed. See https://ubuntu.com/security/cve?package=openvpn and https://packages.ubuntu.com/focal/openvpn. So it's really 2.4.7+backported security patches.

    That said, I will look into updating it to 2.5, if it's easy. Currently, I am moving things to use easy-rsa 3.

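The point made in post #5, that a distro package can keep the upstream version number while carrying backported fixes, can be checked against the package changelog rather than the version string. The following is an added example, not part of the thread or of Cloudron's code; the changelog text, version suffixes and CVE ids are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed changelog in Debian format, newest entry first. The version
# suffixes and CVE ids are placeholders, not real Ubuntu or OpenVPN data.
SAMPLE_CHANGELOG = """\
openvpn (2.4.7-0example3) focal-security; urgency=medium

  * SECURITY UPDATE: constructed entry
    - debian/patches/CVE-0000-0003.patch: placeholder fix

 -- Example Maintainer <maint@example.invalid>  Wed, 03 Jan 2024 00:00:00 +0000

openvpn (2.4.7-0example2) focal-security; urgency=medium

  * SECURITY UPDATE: constructed entry
    - CVE-0000-0001
    - CVE-0000-0002

 -- Example Maintainer <maint@example.invalid>  Tue, 02 Jan 2024 00:00:00 +0000

openvpn (2.4.7-0example1) focal; urgency=medium

  * Constructed initial upload, no security fixes listed.

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000
"""

HEADER = re.compile(r"^\S+ \((?P<ver>[^)]+)\) ", re.M)
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_entries(text):
    """Return [(package_version, {CVE ids})] in file order (newest first)."""
    heads = list(HEADER.finditer(text))
    bounds = [h.start() for h in heads[1:]] + [len(text)]
    return [(h.group("ver"), set(CVE_ID.findall(text[h.end():end])))
            for h, end in zip(heads, bounds)]

def fixed_in(text, installed):
    """CVE ids the changelog lists at or before the installed version."""
    entries = parse_entries(text)
    versions = [ver for ver, _ in entries]
    if installed not in versions:
        raise ValueError(f"{installed} is not in the changelog")
    older_or_equal = entries[versions.index(installed):]
    return set().union(*(cves for _, cves in older_or_equal))

def audit(text, installed, wanted):
    fixed = fixed_in(text, installed)
    return {cve: cve in fixed for cve in wanted}
```

On a Debian or Ubuntu host the input would be the package's own changelog (for example the output of `apt changelog openvpn`); all three constructed builds report upstream 2.4.7 yet differ in which fixes they carry.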
    A Former User
    replied to girish on last edited by
    #6

    @girish
    Superb stuff, that really does solve the situation --- and automatic updates too!

    girish Staff
    wrote on last edited by
    #7

    I have also updated the app to use easyrsa3 now. This will roll out slowly since there is a lot of migration code.
