Package "openvpn"

  openvpn (2.6.19-0ubuntu0.24.04.1) noble; urgency=medium

  * New upstream version 2.6.19 (LP: #2127658):
    - CVE Fixes:
      + CVE-2025-13086
    - Updates:
      + Disable DCO if --bind-dev option is given
    - Bug Fixes:
      + Fix incorrect file descriptor handling in p2mp server on inotify FD
        during a SIGUSR1 restart.
      + Fix bug where --management-forget-disconnect and --management-signal
        could be executed even if password authentication to managment
        interface was still pending.
      + Repair client-side interaction on reconnect between DCO event handling
        and --persist-tun.
      + Prevent crash on invalid server-ipv6 argument.
      + Fix invalid pointer creation in tls_pre_decrypt().
      + Properly check for errors in creation on $auth_failed_reason_file.
      + Apply close-on-exec option to correct socket for incoming TCP
        connections.
      + Fix missing perf_pop() call in ssl_mbedtls.
      + Apply more checks to incoming TLS handshake packets before creating new
        state.
      + Fix broadcast address configuration for broadcast-based applications
        using ifconfig to get address.
    - See https://community.openvpn.net/ReleaseHistory for additional
      information.
  * Remove patches fixed upstream:
    - d/p/CVE-2025-13086.patch
    [Fixed in 2.6.16]
    - d/p/handle_intentional_route_push_float_ip.patch
    [Fixed in 2.6.15]
  * d/watch: Update download URL.

 -- Lena Voytek <email address hidden> Fri, 20 Feb 2026 18:13:25 -0500

  openvpn (2.6.14-0ubuntu0.24.04.3) noble-security; urgency=medium

  * SECURITY UPDATE: incorrect HMAC verification check
    - debian/patches/CVE-2025-13086.patch: fix memcmp check for the hmac
      verification in the 3way handshake being inverted in
      src/openvpn/ssl_pkt.c, tests/unit_tests/openvpn/test_pkt.c.
    - CVE-2025-13086

 -- Marc Deslauriers <email address hidden> Mon, 24 Nov 2025 17:32:32 -0500

  openvpn (2.6.14-0ubuntu0.24.04.2) noble; urgency=medium

  * d/p/handle_intentional_route_push_float_ip.patch: Fix floating IP due
    to "route VPN_IP net_gateway", which can lead to incorrect blocking of
    a source IP switch for 60 seconds immediately after connection setup.
    (LP: #2108860)

 -- Jonas Jelten <email address hidden> Tue, 09 Sep 2025 16:36:28 +0200

  openvpn (2.6.14-0ubuntu0.24.04.1) noble; urgency=medium

  * New upstream version 2.6.14 (LP: #2040467):
    - CVE Fixes:
      + CVE-2025-2704
    - Updates:
      + Send uname() release from client to server as IV_PLAT_VER.
      + Pass --timeout=0 argument to systemd-ask-password, to avoid default
        timeout of 90 seconds.
    - Bug Fixes:
      + Repair source IP selection for --multihome.
      + Allow tls-crypt-v2 to be setup only on initial packet of a session.
      + Fix some missing spaces in messages.
      + Fix parsing of usernames or passwords longer than USER_PASS_LEN on the
        server side to avoid IV variable misparsing and misleading errors.
      + Purge proxy authentication credentials from memory after use (if
        --auth-nocache is in use).
    - See https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26 for
      additional bug fixes and information.
  * Remove patches fixed upstream:
    - d/p/CVE-2025-2704.patch
    [Fixed in 2.6.14]
  * d/t/control: Move to isolation-container to enable armhf/LXD coverage (LP 2104146).

 -- Lena Voytek <email address hidden> Fri, 30 May 2025 11:24:52 -0400

  openvpn (2.6.12-0ubuntu0.24.04.3) noble-security; urgency=medium

  * SECURITY UPDATE: denial of service issue
    - debian/patches/CVE-2025-2704.patch: allow tls-crypt-v2 to be setup
      only on initial packet of a session in src/openvpn/ssl.c,
      src/openvpn/ssl_common.h, src/openvpn/ssl_pkt.c,
      src/openvpn/ssl_pkt.h, src/openvpn/tls_crypt.c,
      src/openvpn/tls_crypt.h, tests/unit_tests/openvpn/test_tls_crypt.c.
    - CVE-2025-2704

 -- Marc Deslauriers <email address hidden> Tue, 01 Apr 2025 12:06:17 -0400