Source: openvpn3-client
Version: 24+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for openvpn3-client.

Marc, I'm marking this RC as openvpn3-client is fresh to be included in trixie and it would be ideal we do not start with an open CVE. It is really borderline to mark it RC, and if you feel absolutely strongly, feel free to downgrade. Though I'm still convinced it should be made into trixie before release.

CVE-2025-3908[0]:
| The configuration initialization tool in OpenVPN 3 Linux v20 through
| v24 on Linux allows a local attacker to use symlinks pointing at an
| arbitrary directory which will change the ownership and permissions
| of that destination directory.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-3908
    https://www.cve.org/CVERecord?id=CVE-2025-3908
[1] https://community.openvpn.net/Security%20Announcements/CVE-2025-3908

Regards,
Salvatore
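
For readers triaging this bug class, the following is an added example, not part of the original message and not OpenVPN's code or its upstream fix. It shows a generic way for a privileged setup tool to change a directory's owner and mode without following a symlink; the function name `set_dir_owner_mode` and all paths are hypothetical, and the scenario is constructed in a temporary directory.

```python
import os
import stat
import tempfile


def set_dir_owner_mode(path, uid, gid, mode):
    """Apply owner and mode to `path` only if it is a real directory.

    O_NOFOLLOW makes open() fail when the final component is a symlink and
    O_DIRECTORY rejects non-directories. fchown/fchmod then act on the opened
    inode, so the path cannot be swapped between the check and the change.
    Note: symlinks in parent components are NOT covered by O_NOFOLLOW.
    """
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError:
        return False  # symlink (ELOOP), not a directory, missing, ...
    try:
        if not stat.S_ISDIR(os.fstat(fd).st_mode):
            return False
        os.fchown(fd, uid, gid)
        os.fchmod(fd, mode)
        return True
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a real directory and a symlink to another one."""
    with tempfile.TemporaryDirectory() as base:
        real = os.path.join(base, "configs")       # directory the tool owns
        other = os.path.join(base, "other")        # unrelated directory
        link = os.path.join(base, "configs-link")  # symlink to `other`
        os.mkdir(real)
        os.mkdir(other)
        os.chmod(other, 0o755)  # fixed starting mode, independent of umask
        os.symlink(other, link)
        uid, gid = os.getuid(), os.getgid()
        ok_real = set_dir_owner_mode(real, uid, gid, 0o750)
        ok_link = set_dir_owner_mode(link, uid, gid, 0o750)
        return (ok_real, ok_link,
                stat.S_IMODE(os.stat(real).st_mode),
                stat.S_IMODE(os.stat(other).st_mode))


if __name__ == "__main__":
    print(demo())
```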