Hi Stable release managers,

On Sun, Aug 31, 2025 at 10:50:30AM -0300, Carlos Henrique Lima Melara wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: [email protected], [email protected]
> Control: affects -1 + src:openvpn
> User: [email protected]
> Usertags: pu
>
> Hi,
>
> [ Reason ]
> In 2.6.3-1+deb12u3 we did cherry-pick upstream's fix to CVE-2024-5594
> [1], but later a regression was reported in upstream's BTS [2]. The
> initial fix to the vulnerability was to restrict characters in control
> channel messages including \n and \r, but many scripts add them in these
> messages. Suddenly these scripts will fail to connect after the update
> to fix the CVE. Although we didn't receive reports initially, there were
> reports from people using Arch and Ubuntu with services like watchguard
> [2] and Microsoft 2FA [3]. The fix basically allows \n and \r in the
> control channel messages.
>
> [ Impact ]
> Users using scripts to handle connection or third party services may
> be impacted and unable to connect using openvpn.
>
> [ Tests ]
> Unit tests are now enabled as part of autopkgtests and they succeed. The
> upstream commit also comes with unit tests. Additionally, the other DEP-8
> tests requiring isolation-machine were run locally in an incus bookworm VM
> and passed.
>
> [ Risks ]
> The code change is not large or intrusive, it basically encapsulates the
> logic handling the buffer read and adds a function to remove trailing \r
> and \n from the end of the message. It was well tested and applied by
> upstream in the stable releases of openvpn 2.5 and 2.6.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> As explained in "Reason" and "Risks", the upstream commit to fix a
> regression was cherry-picked. Additionally unit tests were added as part
> of autopkgtests and some changes related to salsa-ci were done for the
> pipeline to succeed.
>
> [ Other info ]
> This bookworm-pu is targeted to 12.13 so we can have more time in
> -proposed for testing as indicated by openvpn's maintainer [4].
>
> Cheers,
> Charles
>
> [1] https://github.com/OpenVPN/openvpn/commit/90e7a858e5594d9a019ad2b4ac6154124986291a
> [2] https://github.com/OpenVPN/openvpn/issues/568
> [3] https://github.com/OpenVPN/openvpn/issues/645
> [4] https://salsa.debian.org/debian/openvpn/-/merge_requests/16#note_647132
> diff -Nru openvpn-2.6.3/debian/changelog openvpn-2.6.3/debian/changelog > --- openvpn-2.6.3/debian/changelog 2025-04-02 12:45:15.000000000 -0300 > +++ openvpn-2.6.3/debian/changelog 2025-08-24 22:36:22.000000000 -0300 > @@ -1,3 +1,23 @@ > +openvpn (2.6.3-1+deb12u4) bookworm; urgency=medium > + > + * Team upload. > + > + [ Aquila Macedo ] > + * Add new autopkgtest for unit tests. > + > + [ Carlos Henrique Lima Melara ] > + * debian/patches/CVE-2024-5594-regression-fix.patch: cherry-pick from > + upstream to fix a regression introduced with CVE-2024-5594's fix. Namely, > + "Allow trailing \r and \n in control channel message". (Closes: #1112516) > + * debian/salsa-ci: > + - Allow lintian job to fail. Sid's version dislikes things from > bookworm. > + - Disable gbp setup-gitattributes. > + - Disable reprotest on bookworm. It can't run on bookworm, so the build > + fails because of build dependencies problems. > + * debian/tests/unit-tests: enable unit-tests in configure and be verbose. > + > + -- Carlos Henrique Lima Melara <[email protected]> Sun, 24 Aug 2025 > 22:36:22 -0300

We plan to release a DSA for new CVEs affecting openvpn. The regression fix for the CVE-2024-5594 should be included for sure; are you okay with adding as well the other changes for bookworm?

Regards,
Salvatore
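Review bot: two continuation lines in the quoted changelog hunk arrive without their `+` prefix ("bookworm." after "Sid's version dislikes things from", and "22:36:22 -0300" after the maintainer trailer), which looks like mail-client wrapping of the pasted debdiff rather than the file itself; the header `@@ -1,3 +1,23 @@` announces 20 added lines, which only adds up if those fragments belong to the preceding `+` lines, so please attach the debdiff as a file so it can be applied and reviewed exactly as sent. Separately, the quoted debdiff shows only debian/changelog: the cherry-picked debian/patches/CVE-2024-5594-regression-fix.patch and the new debian/tests/unit-tests are referenced in the entry but not visible here, and the entry mixes the security regression fix with CI-only changes (lintian allowed to fail, gbp setup-gitattributes and reprotest disabled in debian/salsa-ci); for a stable update it would help to note in the changelog that those salsa-ci changes do not affect the built binaries.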
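As an added illustration (not OpenVPN's code and not part of the debdiff or this bug report), the following C model shows the two behaviours the report describes: the strict character check that the CVE-2024-5594 fix introduced, which rejects a control-channel message carrying `\r` or `\n` anywhere, and the regression fix's approach of stripping trailing `\r` and `\n` before that check so that scripts which append a line ending keep working while embedded control characters are still refused. The function names, the 256-byte buffer limit and the sample messages are assumptions made for this example; OpenVPN's real control-channel code differs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model only (not OpenVPN's code). Function names and the
 * buffer size below are assumptions made for this example. */

/* Remove trailing '\r' and '\n' bytes in place; returns how many were removed.
 * This mirrors what the report calls "a function to remove trailing \r and \n
 * from the end of the message". */
size_t strip_trailing_crlf(char *msg)
{
    size_t len = strlen(msg);
    size_t removed = 0;
    while (len > 0 && (msg[len - 1] == '\r' || msg[len - 1] == '\n')) {
        msg[--len] = '\0';
        removed++;
    }
    return removed;
}

/* Strict check in the spirit of the original CVE fix: every byte must be
 * printable ASCII, so a message containing "\r\n" anywhere, including at the
 * very end, is rejected. This is the behaviour that broke scripts. */
bool control_msg_is_clean(const char *msg)
{
    for (const unsigned char *p = (const unsigned char *)msg; *p != '\0'; p++) {
        if (*p < 0x20 || *p > 0x7e) {
            return false;
        }
    }
    return true;
}

/* Regression-fixed check: tolerate a trailing CR/LF (what scripts append) but
 * still reject control characters embedded in the body. Works on a copy so the
 * caller's buffer is left untouched. */
bool control_msg_accept(const char *msg)
{
    char buf[256];                       /* assumed limit for this example */
    if (strlen(msg) >= sizeof buf) {
        return false;                    /* refuse oversized input outright */
    }
    strcpy(buf, msg);
    strip_trailing_crlf(buf);
    return control_msg_is_clean(buf);
}

int main(void)
{
    /* Constructed sample messages, loosely modelled on control-channel text. */
    const char *samples[] = {
        "PUSH_REQUEST",              /* plain: accepted by both checks */
        "PUSH_REQUEST\r\n",          /* trailing CRLF from a script: the regression case */
        "AUTH_FAILED\r\n,extra",     /* CR/LF inside the body: rejected by both */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("sample %zu: strict=%d fixed=%d\n", i,
               control_msg_is_clean(samples[i]), control_msg_accept(samples[i]));
    }
    return 0;
}
```

The point the example makes is that the regression fix does not reopen the original issue: only line endings at the very end of the message are tolerated, and a CR or LF anywhere else is still rejected by the same strict check.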

