Your message dated Thu, 5 Jun 2025 14:39:09 +0200
with message-id <[email protected]>
and subject line Re: Bug#1107298: unblock: openvpn3-client/24.1+dfsg-1
has caused the Debian Bug report #1107298,
regarding unblock: openvpn3-client/24.1+dfsg-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1107298: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107298
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:openvpn3-client
User: [email protected]
Usertags: unblock
Please unblock package openvpn3-client
The package is marked for autoremoval in testing due to a CVE
(CVE-2025-3908). After the disclosure time, upstream released a point
release to tackle the issue, and I have prepared a new upload for the
package in Debian.
See also 1106206 and the upstream release notes:
OpenVPN 3 Linux v24 (Bugfix/security release)
The v24.1 release is a small security and bugfix release.
* Security: CVE-2025-3908 - openvpn3-admin init-config follows symlink
Wolfgang Frisch from the SUSE security team reached out and
notified us of a potential issue with the openvpn3-admin init-config
command following symlinks when creating needed directories. This
has been resolved and this command will no longer follow symlinks
and will insist that the user running this command set up these
directories manually with the correct ownership and privileges.
* Bugfix: openvpn3 session-manage --log-level can crash the Session Manager
When changing the log-level for an ongoing VPN session to an invalid
log-level value, the Session Manager process would fail and stop
running due to an uncaught exception. The result would not affect
the currently ongoing VPN sessions, but none of those sessions could
be managed via the session manager any more. This has been fixed and
the Session Manager will now reply to the caller with an error message
instead. This issue was reported by Wolfgang Frisch from the SUSE
security team.
* Bugfix: Control character injection via command line arguments
All the command line arguments would pass on ASCII control characters
which could be used to inject misleading information into logs. Since
none of the entry points of user data need ASCII control characters
except newline characters in a few places, these characters are now
removed. This issue was reported by Wolfgang Frisch from the SUSE
security team.
* Bugfix: openvpn3-service-backendstart crash during shutdown
Occasionally the openvpn3-service-backendstart helper service could
crash during its shutdown phase. This was due to an uncaught
exception. This has been resolved.
* Bugfix: VPN session failing to start without org.freedesktop.hostname1
The current client code expected the org.freedesktop.hostname1
(systemd-hostnamed) service to be available. On systems without
systemd, this would result in the client waiting longer for this
service to appear before continuing. Meanwhile, the Session
Manager would also not receive a response in time from this client
process, thus considering it unresponsive and stopping the VPN session
instead. This has been resolved by querying the master D-Bus service
to find out whether the org.freedesktop.hostname1 service is available
and just continuing without it if it is unavailable.
* Build fix: Meson clean-up
Newer Meson versions had several minor complaints about the build
configuration. These issues should now be resolved and Meson should
no longer report any warnings.
* Build fix: GCC-15 related build issues
The GCC-15 compiler now starts to complain about more issues which were
not raised by prior compiler versions with the same compiler flags.
Issues raised by GCC-15 are now fixed.
[ Reason ]
CVE-2025-3908
The configuration initialization tool in OpenVPN 3 Linux v20 through
v24 on Linux allows a local attacker to use symlinks pointing at an
arbitrary directory which will change the ownership and permissions of
that destination directory.
[ Impact ]
CVE-2025-3908
[ Tests ]
[ Risks ]
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
unblock openvpn3-client/24.1+dfsg-1
openvpn3-client_24.1+dfsg-1.debdiff.gz
Description: application/gzip
--- End Message ---
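The symlink issue behind CVE-2025-3908 (a setup tool that creates directories and then applies ownership and permissions, following a planted symlink to some other directory) is the kind of bug an lstat() plus O_NOFOLLOW discipline prevents. The Python example below is added here and is not OpenVPN 3 Linux code; upstream's actual fix, per the release notes above, was to stop creating these directories and require the administrator to create them. The function names, the `victim`/`fresh` directory names and the modes are constructed for the demonstration.

```python
import os
import stat
import tempfile


class UnsafePathError(Exception):
    """Raised when a path that must be a real directory is a symlink or other object."""


def prepare_directory(path: str, mode: int = 0o750, uid: int = -1, gid: int = -1) -> bool:
    """Create `path` if missing and apply mode/ownership without ever following a symlink.

    Returns True if the directory was created, False if it already existed as a real
    directory. Raises UnsafePathError if `path` is a symlink or a non-directory, so a
    chown/chmod can never be redirected to a directory the link points at.
    (Hypothetical helper written for this example.)
    """
    try:
        st = os.lstat(path)  # lstat() reports the link itself, it does not follow it
    except FileNotFoundError:
        st = None

    created = False
    if st is None:
        os.mkdir(path, mode)  # mkdir() fails with EEXIST if a link is raced in here
        created = True
    elif stat.S_ISLNK(st.st_mode):
        raise UnsafePathError(f"{path} is a symlink; refusing to chown/chmod through it")
    elif not stat.S_ISDIR(st.st_mode):
        raise UnsafePathError(f"{path} exists but is not a directory")

    # Open the directory itself with O_NOFOLLOW|O_DIRECTORY and operate on the
    # descriptor, so a link swapped in between lstat() and chmod() cannot redirect
    # the change (open() fails with ELOOP on a symlink, ENOTDIR on a file).
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        os.fchmod(fd, mode)  # explicit, since mkdir()'s mode is masked by umask
        if uid != -1 or gid != -1:
            os.fchown(fd, uid, gid)  # only effective when running with CAP_CHOWN
    finally:
        os.close(fd)
    return created


def demo() -> dict:
    """Constructed scenario: a symlink planted where the state directory is expected,
    pointing at an unrelated 0700 directory that must keep its permissions."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")
        os.mkdir(victim)
        os.chmod(victim, 0o700)
        planted = os.path.join(tmp, "state-dir")  # what the setup tool expects to create
        os.symlink(victim, planted)

        try:
            prepare_directory(planted, 0o755)
            results["symlink_rejected"] = False
        except UnsafePathError:
            results["symlink_rejected"] = True
        results["victim_mode_unchanged"] = stat.S_IMODE(os.stat(victim).st_mode) == 0o700

        fresh = os.path.join(tmp, "fresh")
        results["created"] = prepare_directory(fresh, 0o750)
        results["fresh_mode"] = stat.S_IMODE(os.lstat(fresh).st_mode)
        results["second_call_created"] = prepare_directory(fresh, 0o750)
    return results


if __name__ == "__main__":
    print(demo())
```

The two checks complement each other: lstat() gives a clear error message for the common case, and the O_NOFOLLOW open closes the window between the check and the permission change, which a bare lstat()-then-chmod() sequence would leave open.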
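The third release-note item above (ASCII control characters passed through from command-line arguments into logs) is addressed by stripping those characters at the entry point, keeping newlines only where a caller explicitly needs them. The Python example below is added here and is not OpenVPN 3 Linux code; the function names and the sample argument values are constructed for the demonstration.

```python
import re

# ASCII control characters: 0x00-0x1F plus DEL (0x7F). The second pattern keeps
# newline (0x0A) for the few entry points that legitimately accept multi-line data.
_CONTROL_ALL = re.compile(r"[\x00-\x1f\x7f]")
_CONTROL_EXCEPT_NEWLINE = re.compile(r"[\x00-\x09\x0b-\x1f\x7f]")


def strip_control_chars(value: str, allow_newline: bool = False) -> str:
    """Remove ASCII control characters from user-supplied text.
    (Hypothetical helper written for this example.)"""
    pattern = _CONTROL_EXCEPT_NEWLINE if allow_newline else _CONTROL_ALL
    return pattern.sub("", value)


def format_log_entry(event: str, config_name: str) -> str:
    """Build one log line from a user-controlled config name.

    Sanitising first guarantees the result is a single line, so a name containing
    '\\n' or a terminal escape sequence cannot masquerade as a separate log record.
    """
    return f"[INFO] {event}: config={strip_control_chars(config_name)!r}"


def demo() -> dict:
    """Constructed inputs: a name with an embedded newline and fake record, one with
    an ANSI escape, and a legitimately multi-line value handled by the opt-in path."""
    forged = "work-vpn\n[INFO] session started: config='admin-vpn'"
    escaped = "office\x1b[31mVPN\x7f"
    multiline = "line one\nline two\ttabbed"
    return {
        "forged_log": format_log_entry("session started", forged),
        "escaped_log": format_log_entry("session started", escaped),
        "multiline_kept": strip_control_chars(multiline, allow_newline=True),
        "multiline_flat": strip_control_chars(multiline),
    }


if __name__ == "__main__":
    for line in demo().values():
        print(line)
```

Stripping at the argument-parsing boundary, rather than in each logging call, means every later consumer (log files, D-Bus signals, status output) sees the same cleaned value.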
--- Begin Message ---
On 2025-06-03 16:29:11 +0200, Marc Leeman wrote:
> Package: release.debian.org
> Severity: normal
> X-Debbugs-Cc: [email protected]
> Control: affects -1 + src:openvpn3-client
> User: [email protected]
> Usertags: unblock
>
> Please unblock package openvpn3-client
This package is already unblocked.
Cheers
--
Sebastian Ramacher
--- End Message ---