Hi again,

I acknowledge there are many improvements in OpenVPN 2.3.x and we are likely to include an updated version at some point (probably in the next release). However, there are other things to consider and we have to use a stable version (or a version proven to be stable). In releases like this one, we include only critical fixes with the minimal changes necessary, minimizing the chance to break something. The issue with Secunia is that it assigned a security vulnerability to the whole OpenVPN product (at given versions) even if the vulnerability lies only in those libraries we patch ourselves. I looked into the release notes of OpenVPN but didn’t find any change that would require immediate action, mostly because most of them don’t apply to our specific use of OpenVPN and we would just risk problems with no real advantage.

If they come out with the advice to update the executable still will you then update?
I hope that Secunia will be able to fix its detection, but if they decide otherwise, we'll have to do something about it. Ideally, they should instruct users to upgrade avast!, not OpenVPN, as most users have no idea what OpenVPN even is and why it's on their computer.