OpenVPN 3 Linux v24.1 was released on 2025-05-19 and includes a fix for CVE-2025-3908.

OpenVPN 3 Linux v20 introduced a new command, openvpn3-admin init-config, to help get an initial base configuration adapted to the currently running host. This command must be run as root. It was discovered that this tool will follow symlinks when changing ownership and permissions on two of the directories the OpenVPN 3 Linux D-Bus services depend on.

All versions from v20 through v24 are affected. This has been resolved in OpenVPN 3 Linux v24.1.

<https://community.openvpn.net/Security%20Announcements/CVE-2025-3908>
<https://www.cve.org/CVERecord?id=CVE-2025-3908>

We want to thank Wolfgang Frisch from the SUSE Security team for reporting this issue.

--
kind regards,

David Sommerseth
OpenVPN Inc
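The general defence against the bug class described above (a root-run tool following a symlink while changing ownership and permissions on a directory), as an added example that is not part of the original announcement and is not OpenVPN 3 Linux code. The function names secure_dir_setup and perm_bits and the temporary paths are hypothetical and constructed for the demonstration; Linux/POSIX is assumed.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Hypothetical helper: set owner and mode on a directory without following
// a symlink at `path`. Returns 0 on success or a negative errno value.
int secure_dir_setup(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    // O_NOFOLLOW: fail if the final path component is a symlink.
    // O_DIRECTORY: fail if it is anything other than a directory.
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    // Operate on the descriptor, not the path, so the object cannot be
    // swapped for a symlink between the check and the change.
    int rc = 0;
    if (fchown(fd, uid, gid) != 0 || fchmod(fd, mode) != 0)
        rc = -errno;
    close(fd);
    return rc;
}

// Permission bits of `path` itself (lstat does not follow symlinks).
mode_t perm_bits(const std::string &path)
{
    struct stat st;
    return lstat(path.c_str(), &st) == 0 ? (st.st_mode & 07777) : 0;
}

int main()
{
    // Constructed sample layout: a directory and a symlink pointing at it.
    char tmpl[] = "/tmp/initcfg-demo-XXXXXX";
    if (!mkdtemp(tmpl)) return 1;
    std::string base(tmpl), victim = base + "/victim", link = base + "/link";
    mkdir(victim.c_str(), 0755);
    chmod(victim.c_str(), 0755);
    symlink(victim.c_str(), link.c_str());
    int rc = secure_dir_setup(link.c_str(), geteuid(), getegid(), 0700);
    std::printf("via symlink: rc=%d victim mode=%o\n", rc, (unsigned)perm_bits(victim));
    rc = secure_dir_setup(victim.c_str(), geteuid(), getegid(), 0750);
    std::printf("directory:   rc=%d victim mode=%o\n", rc, (unsigned)perm_bits(victim));
    return 0;
}
```

O_NOFOLLOW only covers the final path component, so the parent directories must themselves be writable by root only for this check to be sufficient.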