Package: network-manager-iodine
Version: 1.2.0-3.3
Severity: important
User: [email protected]
Usertags: CVE-2025-9615

Hi,

the network-manager package was subject to a security issue related to
insecure access to user certificates. See [0] for more details.

This was fixed in [1] and now all VPN plugins need to declare that they
support the new, safe interface.
In some cases, like network-manager-iodine, it should be sufficient to
add the supports-safe-private-file-access flag. See [2] for further
details and [3] for a similar change that was done for
network-manager-pptp.

The network-manager 1.54.x package in unstable/testing has been updated
to provide safe APIs for user certificate file access.
For now the usage of those safe APIs is optional but will become
mandatory in network-manager 1.56, at which point this bug report will
become RC.

Regards,
Michael

[0] https://security-tracker.debian.org/tracker/CVE-2025-9615
[1] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2324
[2] https://lists.freedesktop.org/archives/networkmanager/2025-December/000468.html
[3] https://gitlab.gnome.org/GNOME/NetworkManager-pptp/-/commit/f56449c1d03517ce342876773d08db0a87a8e702
