** Description changed:
This bug tracks an update for the OpenVPN package, moving to versions:
* Plucky (25.04): OpenVPN 2.6.14
* Oracular (24.10): OpenVPN 2.6.14
* Noble (24.04): OpenVPN 2.6.14
* Jammy (22.04): OpenVPN 2.5.11
- Note that openvpn does not have an accepted micro-release exception.
- However, the SRU team has agreed to consider further releases given a
- full knowledge and possible mitigation of backwards-incompatible
- changes. See https://lists.ubuntu.com/archives/ubuntu-
- release/2023-July/005688.html
+ This update includes bugfixes following the SRU policy exception defined
+ at https://wiki.ubuntu.com/OpenVPNUpdates. Note that OpenVPN does not
+ have an accepted exception. However, the SRU team has agreed to consider
+ further releases given a full knowledge and possible mitigation of
+ backwards-incompatible changes. See
+ https://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html
[Upstream Changes]
2.6.13-2.6.14
Updates:
Send uname() release from client to server as IV_PLAT_VER=
Pass --timeout=0 argument to systemd-ask-password, to avoid default timeout
of 90 seconds
Bug Fixes:
Repair source IP selection for --multihome
Allow tls-crypt-v2 to be setup only on initial packet of a session to fix
internal server error
Fix some missing spaces in messages
Fix parsing of usernames or passwords longer than USER_PASS_LEN on the server
side to avoid IV variable misparsing and misleading errors
Purge proxy authentication credentials from memory after use (if
--auth-nocache is in use)
-
CVE Fix - already available as patch:
CVE-2025-2704
+ The upstream changelog is available at
+ https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26
[Test Plan]
DEP-8 Tests:
server-setup-with-ca - creates and tests an OpenVPN server setup with its own
certificate authority
server-setup-with-static-key - creates and tests an OpenVPN server setup
using a static key for authentication
+
+ See https://wiki.ubuntu.com/OpenVPNUpdates#QA for additional testing
+ information.
[Regression Potential]
Upstream has an extensive build and integration test suite. So
regressions would likely arise from a change in interaction with Ubuntu-
specific integrations.
Backwards-incompatible changes:
Refuse clients if username or password is longer than USER_PASS_LEN -
https://github.com/OpenVPN/openvpn/commit/b98ff0e7c60c6592a2e8d2c80dfd5999e5d2e65b
Overly long usernames and/or passwords are now refused by the server which is
backwards incompatible from previous versions when they were accepted. However,
when they were accepted, the rest of the packet was read improperly and would
not work as intended, likely returning a misleading error.
+
+ [Other Info]
+
+ Previous backports:
+ (LP: #2004676)
+ (LP: #2073318)
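Review bot: The rewritten opening paragraph contradicts itself: its first added sentence says the update follows "the SRU policy exception defined at https://wiki.ubuntu.com/OpenVPNUpdates", and the next says OpenVPN "does not have an accepted exception". The removed wording was "accepted micro-release exception"; dropping "micro-release" is what makes the two sentences clash. Either restore that qualifier or state which exception the wiki page defines and which one is still missing, so the SRU reviewer can tell under what policy this upload is being evaluated. Separately, the [Test Plan] still lists only the two DEP-8 tests, while [Regression Potential] names the USER_PASS_LEN refusal as backwards-incompatible; a manual check for that case, or a pointer to where the linked QA page covers it, would close the gap.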
** Summary changed:
- MRE updates of openvpn for questing
+ Backport upstream microreleases for questing cycle
** Also affects: openvpn (Ubuntu Questing)
Importance: Undecided
Assignee: Lena Voytek (lvoytek)
Status: In Progress
** Changed in: openvpn (Ubuntu Questing)
Status: In Progress => Fix Released
--
https://bugs.launchpad.net/bugs/2040467
Title:
Backport upstream microreleases for questing cycle