Your message dated Fri, 05 Dec 2025 15:32:16 +0000
with message-id <[email protected]>
and subject line Bug#1121086: fixed in openvpn 2.6.14-1+deb13u1
has caused the Debian Bug report #1121086,
regarding openvpn: CVE-2025-13086
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121086: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121086
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openvpn
Version: 2.6.15-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.6.14-1
Control: found -1 2.6.3-1+deb12u2
Control: found -1 2.6.3-1+deb12u3
Control: found -1 2.6.0-1

Hi,

The following vulnerability was published for openvpn.

CVE-2025-13086[0]:
| HMAC verification check: fix incorrect memcmp() call


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-13086
    https://www.cve.org/CVERecord?id=CVE-2025-13086
[1] https://community.openvpn.net/Security%20Announcements/CVE-2025-13086

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: openvpn
Source-Version: 2.6.14-1+deb13u1
Done: Bernhard Schmidt <[email protected]>

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <[email protected]> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 21 Nov 2025 00:45:17 +0100
Source: openvpn
Architecture: source
Version: 2.6.14-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Bernhard Schmidt <[email protected]>
Changed-By: Bernhard Schmidt <[email protected]>
Closes: 1114249 1121086
Changes:
 openvpn (2.6.14-1+deb13u1) trixie-security; urgency=medium
 .
   * Cherry-pick patches for CVE-2025-13086
     - check-message-id.patch: Check message id/acked ids too when doing
       sessionid cookie checks - bugfix for floating client problem, code
       prerequisite for the CVE patch to apply
     - CVE-2025-13086.patch: Fix memcmp check for the hmac verification in the
       3way handshake being inverted (Closes: #1121086)
   * fix-ftbfs-kernel-6.16.patch: Fix compilation against 6.16+ kernel
     headers (Closes: #1114249)
   * d/gbp.conf: set debian-branch for trixie


--- End Message ---
