Security Vulnerability affecting OpenVPN 2.0 through 2.0.5. An OpenVPN client connecting to a malicious or compromised server could potentially receive "setenv" configuration directives from the server which could cause arbitrary code execution on the client via a LD_PRELOAD attack. A successful attack appears to require that (a) the client has agreed to allow the server to push configuration directives to it by including "pull" or the macro "client" in its configuration file, (b) the client configuration file uses a scripting directive such as "up" or "down", (c) the client succesfully authenticates the server, (d) the server is malicious or has been compromised and is under the control of the attacker, and (e) the attacker has at least some level of pre-existing control over files on the client (this might be accomplished by having the server respond to a client web request with a specially crafted file). The fix is to disallow "setenv" to be pushed to clients from the server. For those who need this capability, OpenVPN 2.1 supports a new "setenv-safe" directive which is free of this vulnerability. 2.0.6 is in the tree and works from a brief test. We don't ship any default configs, so we don't suffer from this by default.
arches please test and mark 2.0.6 stable, thank you.
ppc stable
sparc stable.
stable on amd64
x86 happy!
stable on hppa
Alpha stable.
ppc-macos stable
Thx everyone. Closing with NO GLSA (C4).
