From: G.W. H. <ip...@ju...> - 2017-06-22 15:19:04

Hi there,

On Thu, 22 Jun 2017, Administrator wrote:

> The version of openvpn in the current install of ipcop seems to be 2.3.6.
>
> Does that need patching as listed here?
> https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

I guess probably not, unless perhaps you're connecting to a Windows
NTLM V2 proxy:

8<----------------------------------------------------------------------
CVE-2017-7520

"Clients who do not use the --http-proxy option with ntlm2 authentication
are not affected."

8<----------------------------------------------------------------------
CVE-2017-7521

"The problem can only be triggered for configurations that use the
--x509-alt-username option with an x509 extension (i.e. the option
parameter starts with 'ext:'). Extensive testing by Guido Vranken gives
confidence that this function is very unlikely to fail in real-world usage
(using subjectAltName or issuerAltName extensions) for other reasons than
memory exhaustion."

8<----------------------------------------------------------------------

In any case, as a matter of course I'd always restrict the IPs that can
connect to any VPN (and/or SSH) servers, as there are so many bots Out
There trying everything in the dictionary and then some.

-- 
73,
Ged.
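
Added example, not part of the original message: a small Python check that reads OpenVPN configuration text and reports the two conditions quoted above (`http-proxy` with `ntlm2` authentication, `x509-alt-username` with a parameter starting `ext:`). The sample configs, host names and function names are constructed for illustration.

```python
import shlex
import sys

# Constructed sample configs for illustration (not from any real system).
SAMPLE_CLIENT = """\
client
remote vpn.example.org 1194
# proxy with NTLMv2 authentication
http-proxy proxy.example.org 3128 auto ntlm2
"""
SAMPLE_SERVER = """\
port 1194
;x509-alt-username ext:subjectAltName
x509-alt-username ext:subjectAltName
"""

def parse_options(text):
    """Yield (line number, tokens) for each active directive in a config."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or commented-out line
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:                   # unbalanced quote: fall back
            tokens = line.split()
        if tokens:
            tokens[0] = tokens[0].lstrip("-")  # accept "--option" spelling too
            yield lineno, tokens

def exposure(text):
    """Return [(line number, CVE id)] for the conditions named in the advisory."""
    findings = []
    for lineno, (opt, *args) in parse_options(text):
        if opt == "http-proxy" and "ntlm2" in args:
            findings.append((lineno, "CVE-2017-7520"))
        elif opt == "x509-alt-username" and args and args[0].startswith("ext:"):
            findings.append((lineno, "CVE-2017-7521"))
    return findings

if __name__ == "__main__":
    # Usage: python check_ovpn.py client.conf server.conf ...
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, cve in exposure(fh.read()):
                print(f"{path}:{lineno}: matches condition for {cve}")
```

An empty result only says the file does not set these options; options passed on the openvpn command line are not seen by this check.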