A security vulnerability in the cryptographic library OpenSSL was just disclosed. OpenVPN clients that use vulnerable versions can be tricked into accepting a man-in-the-middle attacker as a valid VPN server.
The Mullvad client in Windows and OSX is not affected. Stable releases of most Linux distributions like Ubuntu, Fedora and Debian are not affected. Users of unstable or rolling-release distributions should upgrade.
The latest version (2.3.7) of the official OpenVPN client is vulnerable, as is Tunnelblick for OSX. No fix has been published yet. The OpenVPN clients for Android and iOS are not affected.