Package: openvpn
Version: 2.1~rc8-1
Tags: security
Severity: grave

| * Security Fix -- affects non-Windows OpenVPN clients running
|   OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
|   vulnerable nor are any versions of the OpenVPN server vulnerable).
|   An OpenVPN client connecting to a malicious or compromised
|   server could potentially receive an "lladdr" or "iproute"
|   configuration directive from the server which could cause arbitrary
|   code execution on the client. A successful attack requires that (a)
|   the client has agreed to allow the server to push configuration
|   directives to it by including "pull" or the macro "client" in its
|   configuration file, (b) the client successfully authenticates the
|   server, (c) the server is malicious or has been compromised and is
|   under the control of the attacker, and (d) the client is running a
|   non-Windows OS. Credit: David Wagner.
|
| * Miscellaneous defensive programming changes to multiple
|   areas of the code. In particular, use of the system() call
|   for calling executables such as ifconfig, route, and
|   user-defined scripts has been completely revamped in favor
|   of execve() on unix and CreateProcess() on Windows.
<http://openvpn.net/index.php/documentation/change-log/changelog-21.html>

CVE not yet known.
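The changelog's move from system() to execve() is illustrated below. This is an added example, not code from OpenVPN or from the original report. `valid_lladdr` and `run_argv` are hypothetical helpers, the input value is constructed, and `/bin/echo` stands in for the real `ifconfig` invocation. With execve() the pushed value reaches the program as one literal argument, whereas a command string handed to system() is parsed by /bin/sh first.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical validator: accept only xx:xx:xx:xx:xx:xx in hex. */
int valid_lladdr(const char *s)
{
    if (strlen(s) != 17)
        return 0;
    for (int i = 0; i < 17; i++)
        if (i % 3 == 2 ? s[i] != ':' : !isxdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Hypothetical helper: run argv via fork() + execve(), with no shell. */
int run_argv(char *const argv[], char *out, size_t cap)
{
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    int fds[2], status;
    size_t n = 0;
    ssize_t r;
    pid_t pid;
    if (pipe(fds) < 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {                 /* child: stdout goes to the pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execve(argv[0], argv, envp);
        _exit(127);                 /* only reached if execve() failed */
    }
    close(fds[1]);
    while (n + 1 < cap && (r = read(fds[0], out + n, cap - 1 - n)) > 0)
        n += (size_t)r;             /* collect the child's stdout */
    out[n] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char value[] = "00:11:22:33:44:55; echo hi", out[128]; /* constructed */
    char *argv[] = { "/bin/echo", "lladdr", value, NULL };
    int rc = run_argv(argv, out, sizeof out);
    printf("valid=%d rc=%d output=%s", valid_lladdr(value), rc, out);
}
```

The validator rejects the constructed value before any process is started, and even without it the `;` is printed back verbatim because no shell ever sees the argument.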