OpenVPN 3 Linux v24.1 was released on 2025-05-19 and includes a fix for
CVE-2025-3908.

OpenVPN 3 Linux v20 introduced a new command, openvpn3-admin
init-config, to help get an initial base configuration adapted to
the currently running host. This command must be run as root.

It was discovered that this tool will follow symlinks when changing
ownership and permissions on two of the directories the OpenVPN 3 Linux
D-Bus services depend on.

All versions from v20 through v24 are affected. This has been resolved
in OpenVPN 3 Linux v24.1.

<https://community.openvpn.net/Security%20Announcements/CVE-2025-3908>
<https://www.cve.org/CVERecord?id=CVE-2025-3908>

We want to thank Wolfgang Frisch from the SUSE Security team for
reporting this issue.


-- 
kind regards,

David Sommerseth
OpenVPN Inc
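
The bug class described above, as an added example that is not part of the original announcement and is not the OpenVPN 3 Linux code or its v24.1 fix: a path-based chown()/chmod() follows a symlink, while opening the directory with O_NOFOLLOW and working on the descriptor refuses it. The function names and the 0750 mode are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Symlink-following pattern: chown() and chmod() resolve a symlink at
 * `path`, so a root-run tool changes whatever the link points at. */
int set_dir_perms_following(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    if (chown(path, uid, gid) != 0)
        return -errno;
    return chmod(path, mode) != 0 ? -errno : 0;
}

/* Hardened pattern: O_NOFOLLOW rejects a symlink as the final path
 * component and O_DIRECTORY rejects anything that is not a directory.
 * fchown()/fchmod() then act on the object that was actually opened,
 * so the path cannot be swapped between the check and the change.
 * Symlinks in parent components are not covered by this check. */
int set_dir_perms_nofollow(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -errno;              /* fails when `path` is a symlink */
    int rc = 0;
    if (fchown(fd, uid, gid) != 0 || fchmod(fd, mode) != 0)
        rc = -errno;
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <directory>\n", argv[0]);
        return 2;
    }
    int rc = set_dir_perms_nofollow(argv[1], getuid(), getgid(), 0750);
    if (rc != 0)
        fprintf(stderr, "%s: refused: %s\n", argv[1], strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```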
