Recent OpenSSL vulnerability

fatsailor · Apr 19, 2012, 3:05 PM

Does anyone know if CVE-2012-2110 is a problem for us?

http://lists.grok.org.uk/pipermail/full-disclosure/2012-April/086585.html

It involves Integer overflows in certificate parsing so I presume it does…...

jimp · Apr 19, 2012, 6:03 PM

From what I've heard, OpenVPN is vulnerable to that. If that turns out to be true, we'll probably roll out a 2.0.2 in the very near future.

jimp · May 3, 2012, 4:38 PM

FreeBSD finally issued their own SA for OpenSSL… which is a bit scarier than the ones I'd read before:

http://security.freebsd.org/advisories/FreeBSD-SA-12:01.openssl.asc

wm408 · Jun 4, 2012, 5:39 PM

Jimp,

Can you make a howto on patching this?

jimp · Jun 4, 2012, 6:23 PM

Step 1. Update to 2.0.2.
Step 2. There is no step 2.

:-)

wm408 · Jun 5, 2012, 10:33 PM

Jimp…

I don't see 2.0.2 in the mirrors, or the firmware updater in the GUI.

What do you think? Is it a development snap?

Thanks.

Step 1. Update to 2.0.2.
Step 2. There is no step 2.

:-)

cmb · Jun 6, 2012, 6:30 AM

It's not available yet. That issue doesn't pose an imminent threat, we're working on testing the update.

wm408 · Jun 6, 2012, 9:19 PM

Thanks!

It's not available yet. That issue doesn't pose an imminent threat, we're working on testing the update.