** Description changed: - [Impact] - This bug tracks an update for the OpenVPN package, moving to versions: - * <list of Ubuntu series and stable versions being introduced> + * Questing (25.10): OpenVPN 2.6.19 + * Noble (24.04): OpenVPN 2.6.19 - See https://wiki.ubuntu.com/OpenVPNUpdates + This update includes bugfixes following the SRU policy exception defined + at https://documentation.ubuntu.com/project/SRU/reference/exception- + OpenVPN-Updates/. Note that OpenVPN does not have an accepted exception. + However, the SRU team has agreed to consider further releases given a + full knowledge and possible mitigation of backwards-incompatible + changes. See https://lists.ubuntu.com/archives/ubuntu- + release/2023-July/005688.html - These updates are a best effort to only include bug fixes, following the - SRU policy exception defined at https://wiki.ubuntu.com/OpenVPNUpdates. + [Upstream Changes] - Note that openvpn does not have an accepted micro-release - exception. However, the SRU team has agreed to consider further releases - given a full knowledge and possible mitigation of backwards-incompatible - changes. See - https://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html + 2.6.15-2.6.19 + Updates: - [Major Changes] + Disable DCO if --bind-dev option is given - * <list of series with link to release notes> - - <Important bug fixes> - - <CVEs fixes added, and note whether or not already applied in ubuntu> + Bug Fixes: + Fix incorrect file descriptor handling in p2mp server on inotify FD during a SIGUSR1 restart. + Fix bug where --management-forget-disconnect and --management-signal could be executed even if password authentication to managment interface was still pending. + Repair client-side interaction on reconnect between DCO event handling and --persist-tun. + Prevent crash on invalid server-ipv6 argument. + Fix invalid pointer creation in tls_pre_decrypt(). + Properly check for errors in creation on $auth_failed_reason_file. 
+ Apply close-on-exec option to correct socket for incoming TCP connections. + Fix missing perf_pop() call in ssl_mbedtls. + Apply more checks to incoming TLS handshake packets before creating new state. + Fix broadcast address configuration for broadcast-based applications using ifconfig to get address. + + CVE Fix - already available as patch: + + CVE-2025-13086: Fix memcmp check for the hmac verification in the 3way + handshake. + + The upstream changelog is available at + https://community.openvpn.net/ReleaseHistory [Test Plan] - - See https://wiki.ubuntu.com/OpenVPNUpdates#QA DEP-8 Tests: server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication - <links to autopkgtest results for this backport> - <discussion of test results> - + See https://documentation.ubuntu.com/project/SRU/reference/exception- + OpenVPN-Updates/#qa for additional testing information. [Regression Potential] Upstream has an extensive build and integration test suite. So - regressions would likely arise from a change in interaction with - Ubuntu-specific integrations. + regressions would likely arise from a change in interaction with Ubuntu- + specific integrations. - <additional details about areas to watch for regressions> + Backwards-incompatible changes: + [Other Info] - This is a recurring effort. For reference, here are previous OpenVPN - SRU backports: - - * <List LP: #bug links to former cases of SRU backports for this - package> + Previous backports: + (LP: #2040467) + (LP: #2004676) + (LP: #2073318)
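Review bot: The new "Backwards-incompatible changes:" heading under [Regression Potential] is left empty, although the [Impact] text says the SRU team agreed to consider these releases given full knowledge and possible mitigation of backwards-incompatible changes. List them, or state explicitly that there are none for 2.6.15-2.6.19; the "Disable DCO if --bind-dev option is given" update is a behaviour change that should be assessed there. The series list names only Questing and Noble while the bug title still includes jammy, so either add the Jammy target version or say why it is out of scope. The placeholders for autopkgtest result links and the discussion of test results were removed from [Test Plan] without actual results taking their place, and "managment" in the management-interface bug fix entry should read "management".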
--
https://bugs.launchpad.net/bugs/2127658

Title:
  Backport of openvpn for jammy, noble and questing
