virtualprivate
Posts: 1
Joined: Mon Jun 26, 2017 6:48 pm

Security issues in OpenVPN package

Tue Jun 27, 2017 5:12 am

A number of vulnerabilities were discovered in the recent audit (press release) of OpenVPN, fixed in full in versions 2.4.3 and 2.3.17 respectively.

With a fully updated Raspbian Jessie I get version 2.3.4 of OpenVPN, which is then vulnerable. Is there a way to retrieve the last 2.3.x version or even follow the 2.4.x branch?

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 6229
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: Security issues in OpenVPN package

Tue Jun 27, 2017 7:13 am

The version is not important. Debian backport security fixes into their packages.

boxerclaws88
Posts: 5
Joined: Fri Nov 18, 2016 11:09 pm

Re: Security issues in OpenVPN package

Tue Jun 27, 2017 7:15 pm

How can I tell for myself which security updates have been applied to individual Raspbian packages? Usually individual software maintainers specify "upgrade to version x.y.z to fix vulnerability W" but it seems the fixes are kinda patched into older versions. I don't really care if it's easy or not, I just want to know the exact procedure to follow to verify which fixes have been applied and which packages are still vulnerable.

rpdom
Posts: 17173
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Security issues in OpenVPN package

Tue Jun 27, 2017 7:30 pm

Check the Debian changelog file. Probably /usr/share/doc/openvpn/changelog.Debian.gz

It is a gzipped file, so you can read it with

    zless /usr/share/doc/openvpn/changelog.Debian.gz

You will also notice that the version number has some "+deb8u1" type bits on the end and those relate to the Debian security fixes.
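The changelog check described in the post above, as an added example that is not part of the original thread: a shell function that lists which CVE ids each entry of a Debian changelog mentions. The package name, versions and CVE ids in the sample are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list the CVE ids each version entry of a Debian changelog mentions.

# changelog_cves FILE -> prints "VERSION CVE-ID" lines, newest entry first.
# gzip -dcf reads both gzipped and plain changelog files.
changelog_cves() {
    gzip -dcf -- "$1" | awk '
        # Entry header: "package (version) distribution; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \(/ {
            ver = $2
            gsub(/[()]/, "", ver)
            next
        }
        {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                print ver, substr(line, RSTART, RLENGTH)
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# has_fix FILE CVE-ID -> exit status 0 if the changelog mentions that CVE.
has_fix() {
    changelog_cves "$1" | awk -v id="$2" '$2 == id { found = 1 } END { exit !found }'
}

# Constructed sample changelog (not real package data; CVE ids are placeholders).
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/changelog.Debian" <<'EOF'
examplepkg (1.2.3-4+deb8u2) jessie-security; urgency=high

  * Backport upstream fixes: CVE-0000-0002, CVE-0000-0003

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2018 00:00:00 +0000

examplepkg (1.2.3-4+deb8u1) jessie-security; urgency=medium

  * Fix CVE-0000-0001 (constructed entry)

 -- Example Maintainer <maint@example.org>  Sun, 01 Jan 2017 00:00:00 +0000
EOF
    gzip "$dir/changelog.Debian"
    echo "$dir/changelog.Debian.gz"
}

# On a real system: changelog_cves /usr/share/doc/openvpn/changelog.Debian.gz
```

A CVE that is missing from the changelog is not proof that the package is vulnerable, since the packaged version may never have contained the affected code; the Debian security tracker records the per-release status of each CVE.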

boxerclaws88
Posts: 5
Joined: Fri Nov 18, 2016 11:09 pm

Re: Security issues in OpenVPN package

Tue Jun 27, 2017 10:31 pm

So I guess it is still vulnerable, great, any idea when it's going to get fixed?

Learntofly
Posts: 15
Joined: Sun Dec 02, 2012 12:29 am

Re: Security issues in OpenVPN package

Wed Jun 28, 2017 1:30 am

Compile it yourself, it's quite easy:

Get the tarball from the openvpn website, untar and enter its directory

Install the usual build packages, including cmake, also install the latest openssl (manually get them from one of the mirror repositories), install liblzo2-dev, liblz4, liblz4-dev

    ./configure --prefix=/usr
    make

either

    sudo make install

or install checkinstall and

    sudo checkinstall

then use dpkg to install the .deb

LTF

boxerclaws88
Posts: 5
Joined: Fri Nov 18, 2016 11:09 pm

Re: Security issues in OpenVPN package

Wed Jun 28, 2017 2:31 am

Yeah I could do just that. But. It begs the question, if they are this slow on this one security update, how many other security problems are there with other packages that I haven't looked into or that I'm not aware of?

rpdom
Posts: 17173
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Security issues in OpenVPN package

Wed Jun 28, 2017 4:56 am

boxerclaws88 wrote: So I guess it is still vulnerable, great, any idea when it's going to get fixed?
That's quite a recent (and apparently minor) issue. No doubt the Debian developers are working on backporting the fixes right now. As to timescale... ask them. Once it is in Debian Jessie it will be quickly added to the Raspbian repository.

Serious issues get patched quickly (then tested to make sure they work before release into the wild).
