OpenVPN app appears to be based on the 3-4 years old version 2.4.4

    A Former User
    wrote on last edited by
    #1

    The App Store entry for OpenVPN says "This app is based on OpenVPN 2.4.4", whereas the upstream latest is 2.5.3
    https://openvpn.net/community-downloads/

    Looks like there are at least 2 relevant CVEs in the following:-

    Openvpn Openvpn : List of security vulnerabilities
    https://www.cvedetails.com/vulnerability-list/vendor_id-3278/product_id-5768/Openvpn-Openvpn.html

    Hope we can have an update soon!

      girish
      Staff
      wrote on last edited by
      #2

      Thanks for reporting. Indeed, we have to actually update the base image of the app to Ubuntu 20. They changed the CLI of openvpn easy tools entirely, so it requires a bit of rework. Will look into this.

        girish
        Staff
        wrote on last edited by
        #3

        Updated to 2.4.7 now which is what comes with Ubuntu 20.04

          A Former User
          wrote on last edited by
          #4

          @girish said in OpenVPN app appears to be based on the 3-4 years old version 2.4.4:

          Updated to 2.4.7 now which is what comes with Ubuntu 20.04

          So, we are still vulnerable to the first 2/3 CVEs in:-
          https://www.cvedetails.com/vulnerability-list/vendor_id-3278/product_id-5768/Openvpn-Openvpn.html

          2.5.3 is the upstream latest --- but we need at least 2.5.1 to satisfy the CVE list.

            girish
            Staff
            wrote on last edited by
            #5

            @hillside502 My understanding is that Ubuntu will backport them as needed. See https://ubuntu.com/security/cve?package=openvpn and https://packages.ubuntu.com/focal/openvpn. So it's really 2.4.7+backported security patches.

            That said, I will look into updating it to 2.5, if it's easy. Currently, I am moving things to use easy-rsa 3.

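Added example, not part of any post in this thread: because a distribution package can carry backported fixes, the upstream version string alone does not show which CVEs are patched, so one check is to read the package changelog (for instance the output of `apt-get changelog openvpn`) and map each CVE id to the package revision that mentions it. The changelog text, package revisions and CVE ids below are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed changelog in Debian format. Revisions and CVE ids are
# placeholders, not real Ubuntu data.
SAMPLE_CHANGELOG = """\
openvpn (2.4.7-1ubuntu2.20.04.2) focal-security; urgency=medium

  * SECURITY UPDATE: constructed entry two
    - debian/patches/CVE-2099-0002.patch: constructed patch name
    - CVE-2099-0002

 -- Example Maintainer <maint@example.invalid>  Thu, 01 Jan 2099 00:00:00 +0000

openvpn (2.4.7-1ubuntu2.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: constructed entry one
    - CVE-2099-0001

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Dec 2098 00:00:00 +0000

openvpn (2.4.7-1ubuntu2) focal; urgency=medium

  * Merge from Debian unstable.

 -- Example Maintainer <maint@example.invalid>  Sat, 01 Nov 2098 00:00:00 +0000
"""

# Stanza header: "package (version) distribution; urgency=..."
HEADER = re.compile(r"^[a-z0-9][a-z0-9+.-]* \((?P<ver>[^)]+)\) ")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

def cves_by_version(changelog):
    """Map each CVE id to the oldest package revision whose stanza names it."""
    fixed = {}
    version = None
    for line in changelog.splitlines():
        header = HEADER.match(line)
        if header:
            version = header.group("ver")
        elif version is not None:
            for cve in CVE.findall(line):
                # Stanzas run newest first, so a later hit is an older revision.
                fixed[cve] = version
    return fixed

def audit(changelog, wanted):
    """Return {cve: revision or None}; None means the changelog never names it."""
    fixed = cves_by_version(changelog)
    return {cve: fixed.get(cve) for cve in wanted}
```

A `None` result only means the changelog does not name that CVE; the distribution's security tracker is the place to confirm whether the package is affected at all.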
              A Former User
              wrote on last edited by
              #6

              @girish
              Superb stuff, that really does solve the situation --- and automatic updates too!

                girish
                Staff
                wrote on last edited by
                #7

                I have also updated the app to use easyrsa3 now. This will roll out slowly since there is a lot of migration code.
