author | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-07-31 17:44:52 +0000 |
---|---|---|
committer | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-07-31 17:44:52 +0000 |
commit | 3e80c64417bd6d70d8580e5c1b8b1d9e8ac27d88 (patch) | |
tree | 319103a7f2c38ae4e9874963f970de0ca616ef58 | |
parent | Added additional warnings for: (diff) | |
Updated ChangeLog and version number.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3147 e7ae566f-a301-0410-adde-c780ea21d3b5
-rw-r--r-- | ChangeLog | 21 | ||||
-rw-r--r-- | version.m4 | 2 |
2 files changed, 22 insertions, 1 deletions
@@ -3,6 +3,27 @@ Copyright (C) 2002-2008 Telethra, Inc. <sales@openvpn.net>
 
 $Id$
 
+2008.07.31 -- Version 2.1_rc9
+
+* Security Vulnerability -- affects non-Windows OpenVPN clients running
+ OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
+ vulnerable nor are any versions of the OpenVPN server vulnerable).
+ An OpenVPN client connecting to a malicious or compromised
+ server could potentially receive an "lladdr" or "iproute" configuration
+ directive from the server which could cause arbitrary code execution on
+ the client. A successful attack requires that (a) the client has agreed
+ to allow the server to push configuration directives to it by including
+ "pull" or the macro "client" in its configuration file, (b) the client
+ succesfully authenticates the server, (c) the server is malicious or has
+ been compromised and is under the control of the attacker, and (d) the
+ client is running a non-Windows OS. Credit: David Wagner.
+
+* Miscellaneous defensive programming changes to multiple
+ areas of the code. In particular, use of the system() call
+ for calling executables such as ifconfig, route, and
+ user-defined scripts has been completely revamped in favor
+ of execve() on unix and CreateProcess() on Windows.
+
 2008.06.11 -- Version 2.1_rc8
 
 * Added client authentication and packet filtering capability
@@ -1,5 +1,5 @@
 dnl define the OpenVPN version
-define(PRODUCT_VERSION,[2.1_rc8a])
+define(PRODUCT_VERSION,[2.1_rc9])
 dnl define the TAP version
 define(PRODUCT_TAP_ID,[tap0901])
 define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9]) |