aboutsummaryrefslogtreecommitdiff
path: root/ChangeLog
diff options
context:
space:
mode:
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-07-31 17:44:52 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-07-31 17:44:52 +0000
commit3e80c64417bd6d70d8580e5c1b8b1d9e8ac27d88 (patch)
tree319103a7f2c38ae4e9874963f970de0ca616ef58 /ChangeLog
parentAdded additional warnings for: (diff)
downloadopenvpn-3e80c64417bd6d70d8580e5c1b8b1d9e8ac27d88.tar.xz
Updated ChangeLog and version number.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3147 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'ChangeLog')
-rw-r--r--ChangeLog21
1 files changed, 21 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 6de8092..cc7f865 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,27 @@ Copyright (C) 2002-2008 Telethra, Inc. <sales@openvpn.net>
$Id$
+2008.07.31 -- Version 2.1_rc9
+
+* Security Vulnerability -- affects non-Windows OpenVPN clients running
+ OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
+ vulnerable nor are any versions of the OpenVPN server vulnerable).
+ An OpenVPN client connecting to a malicious or compromised
+ server could potentially receive an "lladdr" or "iproute" configuration
+ directive from the server which could cause arbitrary code execution on
+ the client. A successful attack requires that (a) the client has agreed
+ to allow the server to push configuration directives to it by including
+ "pull" or the macro "client" in its configuration file, (b) the client
+ succesfully authenticates the server, (c) the server is malicious or has
+ been compromised and is under the control of the attacker, and (d) the
+ client is running a non-Windows OS. Credit: David Wagner.
+
+* Miscellaneous defensive programming changes to multiple
+ areas of the code. In particular, use of the system() call
+ for calling executables such as ifconfig, route, and
+ user-defined scripts has been completely revamped in favor
+ of execve() on unix and CreateProcess() on Windows.
+
2008.06.11 -- Version 2.1_rc8
* Added client authentication and packet filtering capability