OpenVPN 2.1_rc9 released -- note security fix

Download:

http://openvpn.net/download.html

2008.07.31 -- Version 2.1_rc9

* Security Fix -- affects non-Windows OpenVPN clients running
   OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
   vulnerable nor are any versions of the OpenVPN server vulnerable).
   An OpenVPN client connecting to a malicious or compromised
   server could potentially receive an "lladdr" or "iproute"
   configuration directive from the server which could cause arbitrary
   code execution on the client. A successful attack requires that (a)
   the client has agreed to allow the server to push configuration
   directives to it by including "pull" or the macro "client" in its
   configuration file, (b) the client successfully authenticates the
   server, (c) the server is malicious or has been compromised and is
   under the control of the attacker, and (d) the client is running a
   non-Windows OS.  Credit: David Wagner.

* Miscellaneous defensive programming changes to multiple
   areas of the code.  In particular, use of the system() call
   for calling executables such as ifconfig, route, and
   user-defined scripts has been completely revamped in favor
   of execve() on unix and CreateProcess() on Windows.

* In Windows build, package a statically linked openssl.exe to work
   around observed instabilities in the dynamic build since the
   migration to OpenSSL 0.9.8h.

James

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/