OpenVPN upstream released version 2.3.6 on December 1st. It appears this version is already in the portage tree, yet there hasn't been an appropriate GLSA raised for CVE-2014-8104, which this release fixes. The vulnerable code has been in all OpenVPN 2.x since 2005 and potentially before that.

I feel that a GLSA should be raised for <net-misc/openvpn-2.3.6 to encourage all installations to update to the fixed version.

Ref: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b
*** This bug has been marked as a duplicate of bug 531308 ***