Your message dated Wed, 28 May 2025 12:20:39 +0000
with message-id <e1ukflv-000yfn...@fasolo.debian.org>
and subject line Bug#1106206: fixed in openvpn3-client 24.1+dfsg-1
has caused the Debian Bug report #1106206,
regarding openvpn3-client: CVE-2025-3908
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1106206: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106206
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openvpn3-client
Version: 24+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for openvpn3-client.
Marc, I'm marking this RC as openvpn3-client is fresh to be included
in trixie and it would be ideal we do not start with an open CVE. It
is really borderline to mark it RC and if you feel absolutely strong, feel
free to downgrade. Though I'm still convinced it should be made into
trixie before release.
CVE-2025-3908[0]:
| The configuration initialization tool in OpenVPN 3 Linux v20 through
| v24 on Linux allows a local attacker to use symlinks pointing at an
| arbitrary directory which will change the ownership and permissions
| of that destination directory.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-3908
https://www.cve.org/CVERecord?id=CVE-2025-3908
[1] https://community.openvpn.net/Security%20Announcements/CVE-2025-3908
Regards,
Salvatore
--- End Message ---
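The CVE text in the report above describes ownership and permissions being changed on whatever directory a symlink points at. As an added example (not code from OpenVPN 3 Linux or from this bug report, and not a description of the upstream fix), the C code below shows the usual defensive pattern for that bug class: open the directory with `O_NOFOLLOW | O_DIRECTORY` and apply the change through the file descriptor. The function names and the `/tmp` scenario are hypothetical and constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not OpenVPN 3 Linux code: apply owner and mode to
 * `path` only if it is itself a directory, never through a symlink.
 * Returns 0 on success, -1 with errno set otherwise. */
int set_dir_owner_mode_nofollow(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    /* O_NOFOLLOW: fail if the final path component is a symlink.
     * O_DIRECTORY: fail if the opened object is not a directory. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    /* fchown/fchmod act on the opened object, so replacing `path` after the
     * open cannot redirect the change to a different directory. */
    int rc = (fchown(fd, uid, gid) == 0 && fchmod(fd, mode) == 0) ? 0 : -1;
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed scenario: <tmp>/link is a symlink to the directory <tmp>/target.
 * Returns 1 if the call via the symlink is refused and leaves the target's
 * mode unchanged while the call on the real directory works; -1 on setup error. */
int demo_symlink_refused(void)
{
    char base[] = "/tmp/nofollow-demo-XXXXXX", target[64], lnk[64];
    struct stat before, after, final;
    if (!mkdtemp(base)) return -1;
    snprintf(target, sizeof target, "%s/target", base);
    snprintf(lnk, sizeof lnk, "%s/link", base);
    if (mkdir(target, 0755) != 0 || symlink(target, lnk) != 0) return -1;
    if (chmod(target, 0755) != 0 || stat(target, &before) != 0) return -1;
    int via_link = set_dir_owner_mode_nofollow(lnk, geteuid(), getegid(), 0700);
    stat(target, &after);
    int direct = set_dir_owner_mode_nofollow(target, geteuid(), getegid(), 0750);
    stat(target, &final);
    unlink(lnk); rmdir(target); rmdir(base);
    return via_link == -1 && after.st_mode == before.st_mode
        && direct == 0 && (final.st_mode & 0777) == 0750;
}

int main(void) { printf("symlink refused: %d\n", demo_symlink_refused()); return 0; }
```

`O_NOFOLLOW` only covers the final path component; where parent directories may be writable by an untrusted user, walk the path with `openat()` per component or use `openat2()` with `RESOLVE_NO_SYMLINKS`.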
--- Begin Message ---
Source: openvpn3-client
Source-Version: 24.1+dfsg-1
Done: Marc Leeman <marc.lee...@gmail.com>
We believe that the bug you reported is fixed in the latest version of
openvpn3-client, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1106...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marc Leeman <marc.lee...@gmail.com> (supplier of updated openvpn3-client
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 20 May 2025 10:36:39 +0200
Source: openvpn3-client
Architecture: source
Version: 24.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Marc Leeman <marc.lee...@gmail.com>
Changed-By: Marc Leeman <marc.lee...@gmail.com>
Closes: 1106206
Changes:
openvpn3-client (24.1+dfsg-1) unstable; urgency=medium
.
[ Marc Leeman ]
* d/gbp.conf: rename to [import-orig]
* d/patches: remove access to git with meson
* d/control: bump Standards-Version to 4.7.2
* d/copyright: remove unused BSL-1.0
* d/watch: allow for point releases
* New upstream version 24.1+dfsg
* d/patches: refresh
* Addresses CVE-2025-3908 (Closes: #1106206)
.
[ Fabio Pedretti ]
* d/rules: don't force -Dopenvpn3_core_version=3
--- End Message ---