There have been a few versions of OpenVPN released versus the version in the latest release of IPFire. If the version isn’t being updated for the next test release, could it be considered for upgrade in a subsequent version? It appears that some of the updates may be related to security.
You are right, there are newer versions. The problem is that, as mentioned in another post, the IPFire core development resources are tight.
Unfortunately the changes occurring in OpenVPN are in many cases not easily backwards compatible and therefore just upgrading the system would break many peoples existing systems with a core update. That would not be acceptable.
Therefore changes need to be made to the menu cgi page that allow both the old options (while deprecated and no longer default but not yet removed) and the new options, many of which are incompatible. The changes therefore need to be able to check what the existing setup of a system is in order to define which of the new option names can be used for that setup. Unfortunately some option names have been changed between versions, which creates a real problem with upgrading people without breaking their systems, especially all the client setups already created.
I have had a look at some of the changes required and rapidly realised that my meagre programming skills were not up to the task.
So, as in the other post linked above, people with the appropriate skills and the desire and commitment to provide the support are always welcome on the IPFire development mailing list.
Looking through the changes from 2.5.0 up to and including 2.5.4, the changes are all improvements in things like cipher negotiation or changes in the options.
Looking through these, none of them look like they are related to security issues.
The removal of BF-CBC support in default configuration is not an issue for IPFire as the default cipher is selected as AES-GCM (256 bit).
The BF-CBC cipher can still be selected but it has also been marked as weak for some time so people have already had a long time to update to a more secure cipher.
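To make the two technical points in the posts above concrete (the option renames the cgi page has to cope with, and the move from BF-CBC to the AES-256-GCM default), here is an added example that is not code from the IPFire project or from anyone in this thread: a small Python checker that parses an OpenVPN config and flags 2.4-era settings a 2.5 upgrade would trip over. The two sample configs are constructed for the example. The rule set reflects the OpenVPN 2.5 option changes as I understand them (BF-CBC dropped from the default data-cipher list, ncp-ciphers renamed to data-ciphers, cipher demoted to the data-ciphers-fallback role, comp-lzo deprecated) and is an assumption to verify against the OpenVPN release notes for the exact version being packaged.

```python
import re

# Ciphers OpenVPN has flagged as weak for years; BF-CBC is the one the 2.5
# series dropped from its default data-cipher list.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}

# Constructed sample: a 2.4-era client profile of the kind an older
# IPFire-style setup might have handed out (not a real generated file).
LEGACY_CLIENT = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher BF-CBC
auth SHA1
comp-lzo
<ca>
(certificate body omitted in this constructed sample)
</ca>
"""

# Constructed sample: the same profile rewritten with 2.5-style options.
MODERN_CLIENT = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-CBC
auth SHA512
<ca>
(certificate body omitted in this constructed sample)
</ca>
"""


def parse_config(text):
    """Yield (option, args) pairs, skipping comments and inline <ca>/<cert>/<key>
    style blocks so certificate lines are never mistaken for options."""
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block is not None:
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def audit_openvpn_config(text):
    """Return (severity, option, message) findings; an empty list means the
    config already uses 2.5-style cipher options and no weak cipher."""
    opts = {}
    for name, args in parse_config(text):
        opts.setdefault(name, []).append(args)
    findings = []

    def cipher_list(option):
        # cipher/data-ciphers-fallback take one name; (ncp|data)-ciphers a colon list.
        names = []
        for args in opts.get(option, []):
            if args:
                names += args[0].split(":")
        return names

    # 1. A weak cipher anywhere it could be negotiated or fallen back to.
    for option in ("cipher", "data-ciphers-fallback", "ncp-ciphers", "data-ciphers"):
        for c in cipher_list(option):
            if c.upper() in WEAK_CIPHERS:
                findings.append(("error", option,
                                 f"{c} is weak and no longer in the 2.5 default list; "
                                 "use AES-256-GCM (AES-128-GCM as second choice)"))

    # 2. Renamed in 2.5: ncp-ciphers -> data-ciphers (old name still accepted,
    # so this is a warning rather than a failure).
    if "ncp-ciphers" in opts:
        findings.append(("warning", "ncp-ciphers",
                         "renamed to data-ciphers in 2.5; old name still accepted"))

    # 3. 2.4-style 'cipher' with no negotiation list: 2.5 treats that value as
    # the legacy fallback only, so the negotiated set should be stated.
    if "cipher" in opts and "data-ciphers" not in opts and "ncp-ciphers" not in opts:
        findings.append(("warning", "cipher",
                         "no data-ciphers list; add data-ciphers AES-256-GCM:AES-128-GCM"))

    # 4. Compression has been deprecated since 2.4; drop it rather than carry it over.
    if "comp-lzo" in opts or any(args for args in opts.get("compress", [])):
        findings.append(("warning", "comp-lzo/compress", "compression is deprecated; remove it"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        print(f"== {label} ==")
        for sev, opt, msg in audit_openvpn_config(cfg) or [("ok", "-", "no findings")]:
            print(f"{sev:8} {opt:22} {msg}")
```

Run against a directory of exported client .ovpn files before a core update and you get a list of which profiles would need regenerating; the "error" findings are the ones that stop a client connecting once BF-CBC is gone from the server's default list.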
Thanks for the replies. I thought I’d run across a CVE for 2.5.x. Hmmm, perhaps they don’t list them all in the same place as on their site proper; I don’t see the CVE on a quick check (I’m probably looking in the wrong place), but I do see CVE-2020-15078 listed in a mailing list as having been fixed.
Thanks for the pointer. I hadn’t seen any CVEs when I looked.
I will go and look at the CVE you have highlighted and see what issue it is related to.
Thanks for highlighting the CVE.
I looked at CVE-2020-15078, which was fixed in 2.5.2, and I will see if I can either update to 2.5.2 or later without breaking existing systems, or patch the 2.5 version currently running using the commits from that fix.
I also found CVE-2021-3606 which was fixed in 2.5.3 but is an issue that only applies if OpenVPN server is running on Windows. This therefore does not apply to IPFire.
OpenVPN showed a changes list for 2.5.4 titled "Overview of changes since OpenVPN 2.4".
No CVEs were mentioned in there at all. That was the list I had looked at.
I now realise that I need to open the individual change list for each version update, where they do list any CVEs.
Great. Thanks for the follow-up.
It appears that another CVE may be out that impacts the 2.5.x version currently in IPFire. Please see:
OpenVPN-2.5.6 is already in Core Update 168 which has been in Testing phase and is due to be released shortly I believe.
Yes, Core Update 168 was delayed due to a problem with installations running on RAID setups (more on this in the release announcement), but is finally to be released on Monday.
Apologies for the delay, and best regards,