2006.04.05 -- Version 2.0.6

* Security Vulnerability affecting OpenVPN 2.0 through 2.0.5.
 An OpenVPN client connecting to a
 malicious or compromised server could potentially receive
 "setenv" configuration directives from the server which could
 cause arbitrary code execution on the client via a LD_PRELOAD
 attack.  A successful attack appears to require that (a) the
 client has agreed to allow the server to push configuration
 directives to it by including "pull" or the macro "client" in
 its configuration file, (b) the client configuration file uses
 a scripting directive such as "up" or "down", (c) the client
 successfully authenticates the server, (d) the server is
 malicious or has been compromised and is under the control of
 the attacker, and (e) the attacker has at least some level of
 pre-existing control over files on the client (this might be
 accomplished by having the server respond to a client web
 request with a specially crafted file). Credit: Hendrik Weimer.
 The fix is to disallow "setenv" to be pushed to clients from
 the server.  For those who need this capability, OpenVPN
 2.1 supports a new "setenv-safe" directive which is free
 of this vulnerability.

 A patch is available to fix the vulnerability for all
 affected OpenVPN versions (2.0 -> 2.0.5):

 http://openvpn.net/patch/2.0.6-security-patches/setenv.patch
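
 As an added illustration (not OpenVPN's own code, and not the patch
 linked above), the following Python models the two sides of the
 advisory: an audit of a client configuration for conditions (a) and
 (b), and a filter over server-pushed directives that enforces the
 2.0.6 rule of never accepting "setenv" from the server while still
 accepting the 2.1-style "setenv-safe" (which OpenVPN documents as
 prefixing the variable name with OPENVPN_). The pushable allow-list,
 the sample client config and the sample pushed options are constructed
 for the example and are not taken from OpenVPN's sources.

```python
"""Audit an OpenVPN client config and filter server-pushed directives.

Added example, not OpenVPN code. It mirrors the 2.0.6 fix: a client that
accepted "pull"/"client" must not let the server set arbitrary environment
variables, because "up"/"down" scripts inherit the daemon's environment and
a pushed LD_PRELOAD would make the dynamic loader run server-chosen code.
"""
import shlex
from dataclasses import dataclass, field

# Directives a client is willing to accept from the server. OpenVPN's real
# pushable set is larger; this allow-list is a constructed illustration.
PUSHABLE = frozenset({
    "route", "route-gateway", "dhcp-option", "redirect-gateway",
    "ping", "ping-restart", "ifconfig", "setenv-safe",
})

# Variables that steer the dynamic loader; shown only to explain the risk.
LOADER_VARS = frozenset({"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"})

# Script hooks: the advisory names "up" and "down"; route-up and ipchange
# are further OpenVPN 2.0 script directives that run with the same environment.
SCRIPT_DIRECTIVES = frozenset({"up", "down", "route-up", "ipchange"})


def config_exposure(config_lines):
    """Return (accepts_push, runs_scripts) for a client config: conditions (a) and (b)."""
    directives = set()
    for raw in config_lines:
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        directives.add(line.split()[0])
    accepts_push = bool(directives & {"pull", "client"})
    runs_scripts = bool(directives & SCRIPT_DIRECTIVES)
    return accepts_push, runs_scripts


@dataclass
class PushResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (directive, reason)
    env: dict = field(default_factory=dict)        # what scripts would inherit


def filter_pushed_options(lines):
    """Apply the allow-list to pushed directives; setenv is refused outright."""
    result = PushResult()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:
            result.rejected.append((line, "unparseable"))
            continue
        name = tokens[0]
        if name == "setenv":
            # The 2.0.6 rule: the server may never set client environment.
            target = tokens[1] if len(tokens) > 1 else ""
            reason = "setenv not pushable"
            if target in LOADER_VARS:
                reason += f" (would steer the dynamic loader via {target})"
            result.rejected.append((line, reason))
            continue
        if name not in PUSHABLE:
            result.rejected.append((line, "not in pushable allow-list"))
            continue
        if name == "setenv-safe":
            if len(tokens) != 3:
                result.rejected.append((line, "setenv-safe needs name and value"))
                continue
            # The OPENVPN_ prefix keeps the server out of loader variables.
            result.env["OPENVPN_" + tokens[1]] = tokens[2]
        result.accepted.append(line)
    return result


# Constructed sample inputs for the demonstration.
SAMPLE_CLIENT_CONFIG = [
    "client", "dev tun", "remote vpn.example.invalid 1194",
    "up /etc/openvpn/up.sh", "ca ca.crt", "cert client.crt", "key client.key",
]
SAMPLE_PUSHED = [
    "route 10.8.0.0 255.255.255.0",
    "dhcp-option DNS 10.8.0.1",
    "setenv LD_PRELOAD /tmp/constructed.so",   # constructed hostile push
    "setenv-safe SITE branch-a",
    "up /tmp/other.sh",                        # scripts are not pushable
]

if __name__ == "__main__":
    print("exposure (accepts push, runs scripts):", config_exposure(SAMPLE_CLIENT_CONFIG))
    res = filter_pushed_options(SAMPLE_PUSHED)
    print("accepted:", res.accepted)
    print("rejected:", res.rejected)
    print("script environment:", res.env)
```

 Run stand-alone, the audit reports the sample config as exposed on both
 counts (it uses "client" and "up"), and the filter keeps the route,
 DNS and setenv-safe lines while refusing the setenv and up pushes.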

* When deleting routes under Linux, use the route metric
 as a differentiator to ensure that the route teardown
 process only deletes the identical route which was originally
 added via the "route" directive (Roy Marples).

* Fix the t_cltsrv.sh file in FreeBSD 4 jails
 (Matthias Andree, Dirk Meyer, Vasil Dimov).

* Extended tun device configure code to support ethernet
 bridging on NetBSD (Emmanuel Kasper).

James
