I have already prepared the 24.1 on salsa, but my usual sponsor is recovering and my other sponsor has GPG key problems :-/
I'm trying to get hold of someone to upload the package.

On Wed, 21 May 2025 at 07:09, Salvatore Bonaccorso <car...@debian.org> wrote:
>
> Source: openvpn3-client
> Version: 24+dfsg-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for openvpn3-client.
>
> Marc, I'm marking this RC as openvpn3-client is fresh to be included
> in trixie and it would be ideal we do not start with an open CVE. It
> is really borderline to mark it RC and if you feel absolutely strong feel
> free to downgrade. Though I'm still convinced it should be made into
> trixie before release.
>
> CVE-2025-3908[0]:
> | The configuration initialization tool in OpenVPN 3 Linux v20 through
> | v24 on Linux allows a local attacker to use symlinks pointing at an
> | arbitrary directory which will change the ownership and permissions
> | of that destination directory.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-3908
>     https://www.cve.org/CVERecord?id=CVE-2025-3908
> [1] https://community.openvpn.net/Security%20Announcements/CVE-2025-3908
>
> Regards,
> Salvatore

--
g. Marc
GPG: 827C FD74 BA46 8152 A041 F3A0 7A6A 4F17 5995 A65B