OpenVPN AS 2.9.6 release note is vague

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Post by chilinux » Tue Nov 16, 2021 3:16 pm

OpenVPN Access Server 2.9.6 has only one line in the release notes:
"Fixed a TLS session token validity period security issue."

There is no information on what versions are impacted. There is also very little to go on about how serious this issue is.

With the previous 2.9.5 release, it was clear in the CVE that OpenVPN AS 2.8.8 was not impacted by the security issue. Also, it was clear from the CVE description that anyone on 2.9.0 through 2.9.4 really needed to upgrade.

Also, is there any progress on being able to manage updates through the OpenVPN AS admin web panel? Currently there is no indication in the Status Overview when the product is out of date. There is nothing to establish emails sent from the product when it is out of date. There is no option in the panel to initiate an upgrade via the web interface manually. And there is no option to establish a schedule for automated updates.

Thanks

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenVPN AS 2.9.6 release note is vague

Post by openvpn_inc » Tue Nov 16, 2021 3:52 pm

Hello,

This one affects 2.9.5. The most important part was getting the fix out. More details will become available once the CVE is published.

I have nothing new to report on your other questions.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: OpenVPN AS 2.9.6 release note is vague

Post by chilinux » Tue Nov 16, 2021 6:27 pm

The release note for 2.9.6 now references CVE-2020-15074 which was previously fixed by 2.8.4.

Was this CVE not fully fixed by 2.8.4? Or was the same issue re-introduced and in what version was the issue added back?

Thanks

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenVPN AS 2.9.6 release note is vague

Post by openvpn_inc » Fri Nov 19, 2021 3:36 pm

Unfortunately the CVE takes some time to update. It's a recurrence of the same problem, with almost the same cause. The CVE contains the information that it had recurred in 2.9.5 only.

Kind regards,
Johan
