Your message dated Fri, 05 Dec 2025 16:03:30 +0000
with message-id <[email protected]>
and subject line Bug#1121086: fixed in openvpn 2.6.3-1+deb12u4
has caused the Debian Bug report #1121086,
regarding openvpn: CVE-2025-13086
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121086: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121086
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openvpn
Version: 2.6.15-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.6.14-1
Control: found -1 2.6.3-1+deb12u2
Control: found -1 2.6.3-1+deb12u3
Control: found -1 2.6.0-1

Hi,

The following vulnerability was published for openvpn.

CVE-2025-13086[0]:
| HMAC verification check: fix incorrect memcmp() call


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-13086
    https://www.cve.org/CVERecord?id=CVE-2025-13086
[1] https://community.openvpn.net/Security%20Announcements/CVE-2025-13086

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: openvpn
Source-Version: 2.6.3-1+deb12u4
Done: Bernhard Schmidt <[email protected]>

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <[email protected]> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 26 Nov 2025 22:54:51 +0100
Source: openvpn
Architecture: source
Version: 2.6.3-1+deb12u4
Distribution: bookworm-security
Urgency: medium
Maintainer: Bernhard Schmidt <[email protected]>
Changed-By: Bernhard Schmidt <[email protected]>
Closes: 1112516 1121086
Changes:
 openvpn (2.6.3-1+deb12u4) bookworm-security; urgency=medium
 .
   [ Bernhard Schmidt ]
   * Cherry-pick patches for CVE-2025-13086
     - check-message-id.patch: Check message id/acked ids too when doing
       sessionid cookie checks - bugfix for floating client problem, code
       prerequisite for the CVE patch to apply
     - CVE-2025-13086.patch: Fix memcmp check for the hmac verification in the
       3way handshake being inverted (Closes: #1121086)
 .
   [ Aquila Macedo ]
   * Add new autopkgtest for unit tests.
 .
   [ Carlos Henrique Lima Melara ]
   * debian/patches/CVE-2024-5594-regression-fix.patch: cherry-pick from
     upstream to fix a regression introduced with CVE-2024-5594's fix. Namely,
     "Allow trailing \r and \n in control channel message". (Closes: #1112516)
   * debian/salsa-ci:
       - Allow lintian job to fail. Sid's version dislikes things from bookworm.
       - Disable gbp setup-gitattributes.
       - Disable reprotest on bookworm. It can't run on bookworm, so the build
         fails because of build dependencies problems.
   * debian/tests/unit-tests: enable unit-tests in configure and be verbose.



--- End Message ---
