[INFO] Critical denial of service vulnerability in OpenVPN servers
-
No, not a "public" VPN server as in one open to the world. A "public" VPN server like PIA, VyprVPN, and so on that accepts public clients where anyone can get a certificate and authenticate.
If it's a private VPN for just you or a company or so on and you don't hand out certs like candy, then you're fine.
-
Hmmmm. Seems like upgrading will be smart for me. Thanks.
Any other changes getting into 2.3.6? -
Not sure what all changed in OpenVPN 2.3.6, the OpenVPN site should have a changelog.
Since this is a DoS ONLY and NOT one that could lead to information disclosure, if someone is worried about their VPN server dying the Service Watchdog package could help. It would restart the VPN server if it is down.
-
hi guys a questiions,
is this update requested from the Pfsense side or the client side ?
thank you -
The server side is the one that really needs updated to fix the potential DoS.
Though the client export package has the new 2.3.6 installers already, you can update those as needed as well.
-
The server side is the one that really needs updated to fix the potential DoS.
Though the client export package has the new 2.3.6 installers already, you can update those as needed as well.
i've checked the latest Openvpn client export on the Pfsense it shows version of 1.2.15 as attached picture.
is this the latest version of Pfsense ?external users are updated to 2.3.6 version
thanks
 -
That is the version of the export package. That version of the export package does include the OpenVPN 2.3.6 installers.
-
Its too bad that the current stable version of pfsense won't get a minor maintenance release for this…
I'm not sure how far out the stable release of 2.2 is. -
2.2 RC should be out by the end of the day tomorrow. Release won't be that far behind given the current bug list and what's left to do.
To put out a 2.1.x release we would have to bring 2.2 development to a complete halt and focus on backporting and testing things in 2.1.x again. It's not worth the effort for this with 2.2 so close.
-
Cool. I wasn't expecting a release in the next 6 months. I'm used to beta staying beta for a good long while.
-
I'm with jimp - the 2.2-BETA really has got out all the bugs I can think of in the parts I use. I also think that 2.2-RC will not need to live for long before an official release.
