OpenVPN update
-
pfsense 2.7.2-RELEASE
OpenVPN 2.6.8
There was a critical update for OpenVPN which was fixed in 2.6.10 but I can't find a way to update OpenVPN.
Can someone please explain how I can update OpenVPN to the latest version which is now 2.6.12?
-
@AwesomeRob said in OpenVPN update:
There was a critical update for OpenVPN which was fixed in 2.6.1
Can you give the details on this?
The only CVE issue I saw recently applied only to Windows versions.
-
This is what I was referring to and listed the wrong version of .10
https://www.tenable.com/plugins/nessus/200822
-
@AwesomeRob said in OpenVPN update:
This is what I was referring to and listed the wrong version of .10
https://www.tenable.com/plugins/nessus/200822
I am wondering the same - did you end up manually patching your pfsense install, or perhaps use the "patches" option to install a patch?
-
I haven't done anything because no one is admitting there is a problem.
In my experience this is just typical of Netgate not caring. You don't get this with Opnsense as their builds are up to date.
-
@AwesomeRob yeah pfsense can be frustrating at times.
Do you know if Opnsense has patched it on their side?
Alternatively do you know if there is a manual mitigation config change we can apply on existing versions of OpenVPN server side to mitigate the risk?
-
Attached is a screenshot from my own opnsense box. It's not the latest version but it does have the build with the critical patches applied.
I have no idea if there is a manual mitigation config because I think OpenVPN is built into Pfsense whereas Opnsense has it as a package that can be modified.
-
@AwesomeRob Thank you for that :)
I just tested with pfSense+ 24.03 and it still uses 2.6.8_1
However if you then select the "development snapshot" branch under system update
and ssh into pfSense and run
pkg install openvpn
then it does update to 2.6.11
Not the cleanest option, but is a way to get it upgraded.
After doing that upgrade you can always change the system update back to stable.
Not sure if this may complicate when pfsense 24.08 is released (roadmap goal is August 2024) - however this may be our best option for now.
For anyone wondering, here is the output from my pfSense+ 24.03 after manually doing the steps described above (including changing the system upgrade option back to the stable version) and then running openvpn --version
OpenVPN 2.6.11 amd64-portbld-freebsd15.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
library versions: OpenSSL 3.0.13 24 Oct 2023, LZO 2.10
DCO version: FreeBSD 15.0-CURRENT #0 plus-RELENG_24_03-n256311-e71f834dd81: Fri Apr 19 00:28:14 UTC 2024 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-24_03-main/obj/amd64/Y4MAEJ2R/var/jenkins/workspace/pfSense-Plus-snapshots-24_03-main/sources/FreeBS
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=yes enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no
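The version check the thread does by eye, as an added example (not code from the thread, Netgate or the OpenVPN project): a POSIX sh script for the pfSense shell that parses the first line of openvpn --version output and compares it with the 2.6.10 threshold discussed above, also handling pkg-style suffixes such as 2.6.8_1. The embedded sample output is constructed from the first two lines of the post above; the function names are my own.

```shell
# Added example, not from the thread: confirm the OpenVPN binary on a
# pfSense/FreeBSD box is at or above the release the thread treats as fixed.
MIN_FIXED="2.6.10"

# Constructed sample: first two lines of the 'openvpn --version' output posted above.
SAMPLE_VERSION_OUTPUT='OpenVPN 2.6.11 amd64-portbld-freebsd15.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
library versions: OpenSSL 3.0.13 24 Oct 2023, LZO 2.10'

# version_ge A B: exit 0 if dotted version A >= B, else 1. Port suffixes such as
# the "_1" in pkg's "2.6.8_1" are ignored and missing components count as 0.
version_ge() {
    a="${1%%[!0-9.]*}"; b="${2%%[!0-9.]*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# openvpn_version_from_output OUTPUT: print the version from the first line, or nothing.
openvpn_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^OpenVPN \([0-9][0-9.]*\).*/\1/p'
}

# check_openvpn_output OUTPUT MIN: 0 = at or above MIN, 1 = older, 2 = could not parse.
check_openvpn_output() {
    ver=$(openvpn_version_from_output "$1")
    [ -n "$ver" ] || return 2
    version_ge "$ver" "$2"
}

# check_installed MIN: run the real binary (pfSense installs it as /usr/local/sbin/openvpn).
# 'openvpn --version' may exit non-zero after printing, so its exit status is ignored.
check_installed() {
    out=$(openvpn --version 2>/dev/null) || true
    if [ -z "$out" ]; then echo "openvpn not found or printed nothing" >&2; return 2; fi
    ver=$(openvpn_version_from_output "$out")
    if check_openvpn_output "$out" "$1"; then
        echo "installed OpenVPN $ver >= $1: fixed release or later"
    else
        echo "installed OpenVPN ${ver:-unknown} is below $1: still needs the update"; return 1
    fi
}

# Demo on the constructed sample; pass --live to check the binary on this host instead.
if [ "${1:-}" = "--live" ]; then
    check_installed "$MIN_FIXED" || exit 1
else
    check_openvpn_output "$SAMPLE_VERSION_OUTPUT" "$MIN_FIXED" && echo "sample 2.6.11 is >= $MIN_FIXED"
fi
```

Run it as sh check_openvpn.sh --live on the firewall to get exit status 1 when the installed build is still older than 2.6.10.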