To fix this in hardy (rc7-based, probably affected):

Difficult to extract a minimal patch from the RC8 to RC9 diff. I removed
what was obviously windowsish and the version number updates. The
problem is that the exact nature of the vulnerability doesn't seem to
have been disclosed, that the upstream fix is introducing behavioral
changes and that the real fix is drowned in a sea of security hardening
efforts. What we are looking for must be in route.c, lladdr.c, maybe in
multi.c...

I'll try to get more info from upstream.

** Attachment added: "rc8_to_rc9.diff.gz"
   http://launchpadlibrarian.net/17199440/rc8_to_rc9.diff.gz

-- 
[CVE-2008-3459] OpenVPN vulnerability allows arbitrary command execution via 
crafted configuration
https://bugs.launchpad.net/bugs/256621
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openvpn in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
