OpenVPN Access Server 2.9.6 has only one line in the release notes:
"Fixed a TLS session token validity period security issue."
There is no information on what versions are impacted. There is also very little to go on about how serious this issue is.
With the previous 2.9.5 release, it was clear in the CVE that OpenVPN AS 2.8.8 was not impacted by the security issue. Also, it was clear from the CVE description that anyone on 2.9.0 through 2.9.4 really needed to upgrade.
Also, is there any progress on being about to manage updates through the OpenVPN AS admin web panel? Currently there is no indication in the Status Overview when the product is out of date. There is nothing to establish emails sent from the product when it is out of date. There is no option in the panel to initiate an upgrade via the web interface manually. And there is no option to establish a schedule for automated updates.
Thanks
OpenVPN AS 2.9.6 release note is vague
-
- OpenVPN Power User
- Posts: 156
- Joined: Thu Mar 28, 2013 8:31 am
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: OpenVPN AS 2.9.6 release note is vague
Hello,
This one affects 2.9.5. Most important part was getting the fix out. More details will become available once CVE is published.
I have nothing new to report on your other questions.
Kind regards,
Johan
This one affects 2.9.5. Most important part was getting the fix out. More details will become available once CVE is published.
I have nothing new to report on your other questions.
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
-
- OpenVPN Power User
- Posts: 156
- Joined: Thu Mar 28, 2013 8:31 am
Re: OpenVPN AS 2.9.6 release note is vague
The release note for 2.9.6 now references CVE-2020-15074 which was previously fixed by 2.8.4.
Was this CVE not fully fixed by 2.8.4? Or was the same issue re-introduced and in what version was the issue added back?
Thanks
Was this CVE not fully fixed by 2.8.4? Or was the same issue re-introduced and in what version was the issue added back?
Thanks
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: OpenVPN AS 2.9.6 release note is vague
Unfortunately the CVE takes some time to update. It's a recurrence of the same problem, with almost the same cause. The CVE contains the information that it had recurred in 2.9.5 only.
Kind regards,
Johan
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support