The OpenVPN dev team announced a critical security vulnerability which will be fixed in the upcoming version 2.3.6 (see link from URL field). Please update the packages when released.
Assigning bug to maintainer and CC'ing security team (hope you don't mind ;)).
The security announcement has been published earlier today at https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b .
All that needs to happen for the ebuild is a bump to 2.3.6. Upstream source tarballs are already available at the expected locations, which the ebuild will pick up on with the new name.
An updated ebuild is of particular importance for server installations that do not require client-certificates and either do not use the tls-auth feature or provide publicly available tls-auth keys. This is especially common in many openvpn-as-a-service installations.
Version bumped to 2.3.6, okay to stabilize.
Think I got all the arches; CC'd arches, btw.
Arch teams, please test and mark stable:
Targeted stable KEYWORDS: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
*** Bug 531526 has been marked as a duplicate of this bug. ***
Per my duplicate bug #531526, I suggest issuing a GLSA for <net-misc/openvpn-2.3.6 to ensure that server installations get updated post-haste.
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version(s).
Added to existing GLSA request.
OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet.
This issue was resolved and addressed in GLSA 201412-41 at http://security.gentoo.org/glsa/glsa-201412-41.xml by GLSA coordinator Mikle Kolyada (Zlogene).