OpenVPN AS 2.9.6 release note is vague

Posted: Tue Nov 16, 2021 3:16 pm
by chilinux
OpenVPN Access Server 2.9.6 has only one line in the release notes:
"Fixed a TLS session token validity period security issue."

There is no information on what versions are impacted. There is also very little to go on about how serious this issue is.

With the previous 2.9.5 release, it was clear in the CVE that OpenVPN AS 2.8.8 was not impacted by the security issue. Also, it was clear from the CVE description that anyone on 2.9.0 through 2.9.4 really needed to upgrade.

Also, is there any progress on being able to manage updates through the OpenVPN AS admin web panel? Currently there is no indication in the Status Overview when the product is out of date. There is nothing to establish emails sent from the product when it is out of date. There is no option in the panel to initiate an upgrade via the web interface manually. And there is no option to establish a schedule for automated updates.

Thanks

Re: OpenVPN AS 2.9.6 release note is vague

Posted: Tue Nov 16, 2021 3:52 pm
by openvpn_inc
Hello,

This one affects 2.9.5. The most important part was getting the fix out. More details will become available once the CVE is published.

I have nothing new to report on your other questions.

Kind regards,
Johan

Re: OpenVPN AS 2.9.6 release note is vague

Posted: Tue Nov 16, 2021 6:27 pm
by chilinux
The release note for 2.9.6 now references CVE-2020-15074 which was previously fixed by 2.8.4.

Was this CVE not fully fixed by 2.8.4? Or was the same issue re-introduced and in what version was the issue added back?

Thanks

Re: OpenVPN AS 2.9.6 release note is vague

Posted: Fri Nov 19, 2021 3:36 pm
by openvpn_inc
Unfortunately the CVE takes some time to update. It's a recurrence of the same problem, with almost the same cause. The CVE contains the information that it had recurred in 2.9.5 only.

Kind regards,
Johan