OpenVPN app appears to be based on the 3-4 years old version 2.4.4

A Former User

The App Store entry for OpenVPN says "This app is based on OpenVPN 2.4.4", whereas the upstream latest is 2.5.3
https://openvpn.net/community-downloads/

Looks like there are at least 2 relevant CVEs in the following:-

Openvpn Openvpn : List of security vulnerabilities
https://www.cvedetails.com/vulnerability-list/vendor_id-3278/product_id-5768/Openvpn-Openvpn.html

Hope we can have an update soon!

girish

Thanks for reporting. Indeed, we have to actually update the base image of the app to Ubuntu 20. They changed the CLI of openvpn easy tools entirely, so it requires a bit rework. Will look into this.

girish

Updated to 2.4.7 now which is what comes with Ubuntu 20.04

A Former User

@girish said in OpenVPN app appears to be based on the 3-4 years old version 2.4.4:

Updated to 2.4.7 now which is what comes with Ubuntu 20.04

So, we are still vulnerable to the first 2/3 CVEs in:-
https://www.cvedetails.com/vulnerability-list/vendor_id-3278/product_id-5768/Openvpn-Openvpn.html

2.5.3 is the upstream latest --- but we need at least 2.5.1 to satisfy the CVE list.

girish

@hillside502 My understanding is that ubuntu will backport them as needed. See https://ubuntu.com/security/cve?package=openvpn and https://packages.ubuntu.com/focal/openvpn . So it's reall 2.4.7+backported security patches .

That said, I will look into updating it to 2.5, if it's easy. Currently, I am moving things to use easy-rsa 3 .

A Former User

@girish
Superb stuff, that really does solve the situation --- and automatic updates too!

girish

I have also updated the app to use easyrsa3 now. This will roll out slowly since there is a lot of migration code .