2008.07.31 -- Version 2.1_rc9

* Security Fix -- affects non-Windows OpenVPN clients running
  OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
  vulnerable nor are any versions of the OpenVPN server vulnerable).
  An OpenVPN client connecting to a malicious or compromised
  server could potentially receive an "lladdr" or "iproute"
  configuration directive from the server which could cause arbitrary
  code execution on the client. A successful attack requires that (a)
  the client has agreed to allow the server to push configuration
  directives to it by including "pull" or the macro "client" in its
  configuration file, (b) the client successfully authenticates the
  server, (c) the server is malicious or has been compromised and is
  under the control of the attacker, and (d) the client is running a
  non-Windows OS.  Credit: David Wagner.

* Miscellaneous defensive programming changes to multiple
  areas of the code.  In particular, use of the system() call
  for calling executables such as ifconfig, route, and
  user-defined scripts has been completely revamped in favor
  of execve() on unix and CreateProcess() on Windows.

* In Windows build, package a statically linked openssl.exe to work
  around observed instabilities in the dynamic build since the
  migration to OpenSSL 0.9.8h.


Reply via email to