Hi Bernhard,

On Wed, Nov 26, 2025 at 11:26:05PM +0100, Bernhard Schmidt wrote:
> Hi,
>
> as discussed on IRC here are the proposed updates for the CVE-2025-13086
> fix in both Trixie and Bookworm.
>
> For both versions it's a simple cherry-pick of two upstream commits
> (order reversed here for explanation)
>
> CVE-2025-13086.patch
> https://github.com/OpenVPN/openvpn/commit/fa6a1824b0f37bff137204156a74ca28cf5b6f83
>
> This is the actual CVE patch released with 2.6.16. It does NOT apply
> cleanly to both versions in Bookworm and Trixie. I'm absolutely not
> feeling confident to massage crypto related code into submission, but
> fortunately all rejects are caused by another codefix that can be
> cherry-picked before
>
>
> check-message-id.patch
> https://github.com/OpenVPN/openvpn/commit/68c01720eecc1772b3f648b9e043e396d943f632
>
> This one fixes an annoying regression in all of 2.6 where a floating
> client was not properly handled. It happens only in special
> configurations and has been unreported for a long time, but it happens.
> This fix has only been released in 2.6.15, but it's worth noting that
> the reporter made Ubuntu release that patch into both Ubuntu 24.04
> LTS and 25.04 two months ago
>
> https://launchpad.net/ubuntu/+source/openvpn/2.6.14-0ubuntu0.24.04.2
> https://launchpad.net/ubuntu/+source/openvpn/2.6.14-0ubuntu0.25.04.2
> https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/2108860
>
>
> The trixie diff also imports another fix for a FTBFS on newer upstream
> kernels. I had queued that up before for a trixie-pu so it happens to be
> included. I can revert it if you like, but it's easy enough (header
> changes in 6.16+ caused by the import of the official ovpn module)
>
> https://github.com/OpenVPN/openvpn/commit/1fbbe91d292fb925f5af73b512d7d1c83abfe714
>
>
> As discussed, the bookworm update also includes changes filed for a
> bookworm-pu update in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112645 . It includes
> a regression fix for the earlier CVE-2024-5594 security update,
> cherry-picked from upstream in
> https://github.com/OpenVPN/openvpn/commit/343573990135023d855d151fcd9248e5c26d9f8b
> and released in 2.6.12 in July 2024 and would close Bug#1112516 .
> The regression did not cause vicious complaints so I asked for it to be
> handled in a bookworm-pu and be kept there for a bit, however the pu was
> not handled yet by the SRM.
>
> The rest of the changes only affect autopkgtest and salsa-ci, they just
> increase test coverage which is always a good thing to have.
>
> The resulting binary builds fine, the testsuite runs and it has been
> slightly tested. However I would like to test it on a few more
> production systems before I finally upload.

Thanks a lot for your detailed outline and preparing the debdiffs. Once
you were able to test the updates on a few more production systems, feel
free to go ahead with the uploads.

FTR, the SRM acked the changes pending for bookworm-pu so we can include
all those as you did.

Btw, just a very minor nitpick, can you add a '[ Bernhard Schmidt ]' for
the changes on the bookworm-security changes done by you or did you
leave it out on purpose? If it was intentional then leave it as it is.

The upload for trixie-security will need to be built with -sa to include
the orig tarballs.

Regards,
Salvatore

