Package: release.debian.org
Severity: normal
X-Debbugs-Cc: openvpn3-cli...@packages.debian.org
Control: affects -1 + src:openvpn3-client
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package openvpn3-client

The package is marked for autoremoval in testing due to a CVE (CVE-2025-3908). After the disclosure, upstream released a point release to tackle the issue, and I have prepared a new upload for the package in Debian. See also 1106206 and the upstream release notes:

OpenVPN 3 Linux v24 (Bugfix/security release)

The v24.1 release is a small security and bugfix release.

* Security: CVE-2025-3908 - openvpn3-admin init-config follows symlink

  Wolfgang Frisch from the SUSE security team reached out and notified us of a potential issue with the openvpn3-admin init-config command following symlinks when creating needed directories. This has been resolved; this command will no longer follow symlinks and will insist that the user running this command set up these directories manually with the correct ownership and privileges.

* Bugfix: openvpn3 session-manage --log-level can crash the Session Manager

  When changing the log-level for an on-going VPN session to an invalid log-level value, the Session Manager process would fail and stop running due to an uncaught exception. The result would not affect the currently on-going VPN sessions, but none of those sessions could be managed via the session manager any more. This has been fixed and the Session Manager will now reply to the caller with an error message instead. This issue was reported by Wolfgang Frisch from the SUSE security team.

* Bugfix: Control character injection via command line arguments

  All the command line arguments would pass on ASCII control characters, which could be used to inject misleading information into logs. Since none of the entry points of user data need ASCII control characters, except newline characters in a few places, these characters are now removed. This issue was reported by Wolfgang Frisch from the SUSE security team.

* Bugfix: openvpn3-service-backendstart crash during shutdown

  Occasionally the openvpn3-service-backendstart helper service could crash during its shutdown phase. This was due to an uncaught exception. This has been resolved.

* Bugfix: VPN session failing to start without org.freedesktop.hostname1

  The current client code expected the org.freedesktop.hostname1 (systemd-hostnamed) service to be available. On systems without systemd, this would result in the client using a longer time to wait for this service to appear before continuing. Meanwhile, the Session Manager would also not receive a response in time from this client process, thus considering it unresponsive and stopping the VPN session instead. This has been resolved by querying the master D-Bus service whether the org.freedesktop.hostname1 service is available or not, and just continuing without it if it is unavailable.

* Build fix: Meson clean-up

  Newer Meson versions had several minor complaints about the build configuration. These issues should now be resolved and Meson should no longer report any warnings.

* Build fix: GCC-15 related build issues

  The GCC-15 compiler now starts to complain about more issues which were not raised by prior compiler versions with the same compiler flags. Issues raised by GCC-15 are now fixed.

[ Reason ]
CVE-2025-3908: The configuration initialization tool in OpenVPN 3 Linux v20 through v24 on Linux allows a local attacker to use symlinks pointing at an arbitrary directory, which will change the ownership and permissions of that destination directory.

[ Impact ]
CVE-2025-3908

[ Tests ]

[ Risks ]

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]

unblock openvpn3-client/24.1+dfsg-1
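As an added illustration of the directory-creation pattern behind CVE-2025-3908 (this is example code written for this page, not code from openvpn3-linux or the Debian package; the function name is the example's own): a directory is created or validated without ever following a symlink, and the mode is applied through the opened directory descriptor rather than through the path name, so a planted symlink cannot redirect the permission change to another directory.

```cpp
#include <cerrno>
#include <fcntl.h>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Create (or validate) a directory without following symlinks.
// Returns 0 on success, otherwise a positive errno value:
//   ELOOP   - the final path component is a symlink (refused outright)
//   ENOTDIR - the path exists but is not a directory
//   EPERM   - the directory is owned by someone else; it is left untouched
int create_dir_nofollow(const std::string &path, mode_t mode)
{
    // Step 1: mkdir() never follows a symlink in the final component, so a
    // planted symlink makes this fail with EEXIST instead of being followed.
    if (mkdir(path.c_str(), mode) != 0 && errno != EEXIST)
        return errno;

    // Step 2: something already exists at this path; refuse a symlink.
    struct stat st;
    if (lstat(path.c_str(), &st) != 0)
        return errno;
    if (S_ISLNK(st.st_mode))
        return ELOOP;

    // Step 3: open the directory itself with O_NOFOLLOW, so that even a
    // symlink swapped in after the lstat() above cannot redirect us, and
    // apply the mode to the open fd rather than to the path name. An
    // ownership change would go through fchown() on the same fd.
    int fd = open(path.c_str(), O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return errno;
    int rc = 0;
    if (fstat(fd, &st) != 0)
        rc = errno;
    else if (!S_ISDIR(st.st_mode))
        rc = ENOTDIR;
    else if (st.st_uid != geteuid())
        rc = EPERM;
    else if ((st.st_mode & 07777) != mode && fchmod(fd, mode) != 0)
        rc = errno;
    close(fd);
    return rc;
}
```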
openvpn3-client_24.1+dfsg-1.debdiff.gz