
Bug#1112645: bookworm-pu: package openvpn/2.6.3-1+deb12u4



Hi Stable release managers,

On Sun, Aug 31, 2025 at 10:50:30AM -0300, Carlos Henrique Lima Melara wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: openvpn@packages.debian.org, berni@debian.org
> Control: affects -1 + src:openvpn
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> Hi,
> 
> [ Reason ]
> In 2.6.3-1+deb12u3 we did cherry-pick upstream's fix to CVE-2024-5594
> [1], but later a regression was reported in upstream's BTS [2]. The
> initial fix to the vulnerability was to restrict characters in control
> channel messages including \n and \r, but many scripts add them in these
> messages. Suddenly these scripts will fail to connect after the update
> to fix the CVE. Although we didn't receive reports initially, there were
> reports from people using Arch and Ubuntu with services like watchguard
> [2] and Microsoft 2FA [3]. The fix basically allows \n and \r in the
> control channel messages.
> 
> [ Impact ]
> Users using scripts to handle connection or third party services may
> be impacted and unable to connect using openvpn.
> 
> [ Tests ]
> Unit tests are now enabled as part of autopkgtests and they succeed. The
> upstream commit also comes with unit tests. Additionally, the other DEP-8
> tests requiring isolation-machine were run locally in an incus bookworm VM
> and passed.
> 
> [ Risks ]
> The code change is not large or intrusive; it basically encapsulates the
> logic handling the buffer read and adds a function to remove trailing \r
> and \n from the end of the message. It was well tested and applied by
> upstream in the stable releases of openvpn 2.5 and 2.6.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> As explained in "Reason" and "Risks", the upstream commit to fix a
> regression was cherry-picked. Additionally unit tests were added as part
> of autopkgtests and some changes related to salsa-ci were done for the
> pipeline to succeed.
> 
> [ Other info ]
> This bookworm-pu is targeted to 12.13 so we can have more time in
> -proposed for testing as indicated by openvpn's maintainer [4].
> 
> Cheers,
> Charles
> 
> [1] https://github.com/OpenVPN/openvpn/commit/90e7a858e5594d9a019ad2b4ac6154124986291a
> [2] https://github.com/OpenVPN/openvpn/issues/568
> [3] https://github.com/OpenVPN/openvpn/issues/645
> [4] https://salsa.debian.org/debian/openvpn/-/merge_requests/16#note_647132

> diff -Nru openvpn-2.6.3/debian/changelog openvpn-2.6.3/debian/changelog
> --- openvpn-2.6.3/debian/changelog	2025-04-02 12:45:15.000000000 -0300
> +++ openvpn-2.6.3/debian/changelog	2025-08-24 22:36:22.000000000 -0300
> @@ -1,3 +1,23 @@
> +openvpn (2.6.3-1+deb12u4) bookworm; urgency=medium
> +
> +  * Team upload.
> +
> +  [ Aquila Macedo ]
> +  * Add new autopkgtest for unit tests.
> +
> +  [ Carlos Henrique Lima Melara ]
> +  * debian/patches/CVE-2024-5594-regression-fix.patch: cherry-pick from
> +    upstream to fix a regression introduced with CVE-2024-5594's fix. Namely,
> +    "Allow trailing \r and \n in control channel message". (Closes: #1112516)
> +  * debian/salsa-ci:
> +      - Allow lintian job to fail. Sid's version dislikes things from bookworm.
> +      - Disable gbp setup-gitattributes.
> +      - Disable reprotest on bookworm. It can't run on bookworm, so the build
> +        fails because of build dependencies problems.
> +  * debian/tests/unit-tests: enable unit-tests in configure and be verbose.
> +
> + -- Carlos Henrique Lima Melara <charlesmelara@riseup.net>  Sun, 24 Aug 2025 22:36:22 -0300
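Review bot: the entry for debian/patches/CVE-2024-5594-regression-fix.patch identifies the upstream change only by its commit title, so the regression cannot be traced from the changelog alone; adding the upstream issue reference already cited in the report (OpenVPN issue #568) next to the Debian bug would help, e.g. `"Allow trailing \r and \n in control channel message". (upstream issue #568; Closes: #1112516)`. Minor wording in the reprotest bullet: "build dependencies problems" reads better as "build-dependency problems".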

We plan to release a DSA for new CVEs affecting openvpn.

The regression fix for CVE-2024-5594 should be included for sure; are
you okay with adding the other changes for bookworm as well?

Regards,
Salvatore
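To make the regression discussed in this thread concrete, here is an added C illustration (not OpenVPN's code and not part of the bug report) of the two behaviours described: the deb12u3 check that rejected any control character in a control-channel message, and the deb12u4 behaviour that first strips trailing \r and \n and then applies the same check. The printable-ASCII rule and the sample messages are assumptions constructed for the example.

```c
/* Added example modelling the behaviour described in Debian bug #1112645.
 * This is NOT OpenVPN's implementation; the character rule below
 * (printable ASCII only) is an assumption made for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Accept only printable ASCII (0x20..0x7e); any other byte is rejected.
 * This includes '\r' (0x0d) and '\n' (0x0a), which is what broke scripts
 * that terminate their messages with a newline. */
static bool msg_is_clean(const char *msg)
{
    for (const unsigned char *p = (const unsigned char *)msg; *p; p++) {
        if (*p < 0x20 || *p > 0x7e) {
            return false;
        }
    }
    return true;
}

/* deb12u3 behaviour (CVE-2024-5594 fix as first cherry-picked):
 * the whole message, trailing newline included, must be clean. */
bool control_msg_ok_strict(const char *msg)
{
    return msg_is_clean(msg);
}

/* Remove any run of trailing '\r' / '\n' in place; returns bytes removed. */
size_t strip_trailing_crlf(char *msg)
{
    size_t len = strlen(msg), removed = 0;
    while (len > 0 && (msg[len - 1] == '\r' || msg[len - 1] == '\n')) {
        msg[--len] = '\0';
        removed++;
    }
    return removed;
}

/* deb12u4 behaviour (regression fix): trailing CR/LF are tolerated and
 * dropped, but control characters inside the message are still rejected. */
bool control_msg_ok_fixed(char *msg)
{
    strip_trailing_crlf(msg);
    return msg_is_clean(msg);
}
```

The constructed message "AUTH_FAILED,Bad password\r\n" is rejected by the strict check and accepted by the fixed one, while a newline embedded in the middle of a message is rejected by both.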

