Package: network-manager-vpnc Version: 1.4.0-3 Severity: important User: [email protected] Usertags: CVE-2025-9615
Hi, the network-manager package was subject to a security issue related to insecure access to user certificates. See [0] for more details. This was fixed in [1] and now all VPN plugins need to declare that they support the new, safe interface. See [2] for further details and [3] for a similar change that was done for network-manager-openvpn. The network-manager 1.54.x package in unstable/testing has been updated to provide safe APIs for user certificate file access. For now the usage of those safe APIs is optional but will become mandatory in network-manager 1.56. At which point this bug report will become RC as network-manager will refuse to load VPN plugins without "supports-safe-private-file-access=true". Regards, Michael [0] https://security-tracker.debian.org/tracker/CVE-2025-9615 [1] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2324 [2] https://lists.freedesktop.org/archives/networkmanager/2025-December/000468.html [3] https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/commit/ca18fa91e1446543b48a463fb72a4de6a8716aa9
