** Description changed:

  This bug tracks an update for the OpenVPN package, moving to versions:

  * Questing (25.10): OpenVPN 2.6.19
  * Noble (24.04): OpenVPN 2.6.19
  * Jammy (22.04) is already at the latest version of 2.5.x

  This update includes bugfixes following the SRU policy exception defined
  at https://documentation.ubuntu.com/project/SRU/reference/exception-OpenVPN-Updates/.

  Note that OpenVPN does not have an accepted exception. However, the SRU
  team has agreed to consider further releases given a full knowledge and
  possible mitigation of backwards-incompatible changes. See
  https://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html

  [Upstream Changes]

  2.6.15-2.6.19

  Updates:

  * Disable DCO if --bind-dev option is given

  Bug Fixes:

  * Fix incorrect file descriptor handling in p2mp server on inotify FD during a SIGUSR1 restart.
  * Fix bug where --management-forget-disconnect and --management-signal could be executed even if password authentication to management interface was still pending.
  * Repair client-side interaction on reconnect between DCO event handling and --persist-tun.
  * Prevent crash on invalid server-ipv6 argument.
  * Fix invalid pointer creation in tls_pre_decrypt().
  * Properly check for errors in creation on $auth_failed_reason_file.
  * Apply close-on-exec option to correct socket for incoming TCP connections.
  * Fix missing perf_pop() call in ssl_mbedtls.
  * Apply more checks to incoming TLS handshake packets before creating new state.
  * Fix broadcast address configuration for broadcast-based applications using ifconfig to get address.

  CVE Fix - already available as patch:

  * CVE-2025-13086: Fix memcmp check for the hmac verification in the 3way handshake.

  The upstream changelog is available at
  https://community.openvpn.net/ReleaseHistory

  [Test Plan]

  DEP-8 Tests:

  * server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority
  * server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication

  See https://documentation.ubuntu.com/project/SRU/reference/exception-OpenVPN-Updates/#qa
  for additional testing information.

  [Regression Potential]

  Upstream has an extensive build and integration test suite. So
  regressions would likely arise from a change in interaction with
  Ubuntu-specific integrations.

  Backwards-incompatible changes:

+ Going through the commits of all releases after 2.6.14 in 2.6.x, I do
+ not see any backwards-incompatible changes that will cause issues for
+ existing users. They may experience a slowdown when using --bind-dev as
+ upstream has disabled DCO when it is active in
+ 30041d6c40c9c0b6aa5581d4570110cde61cad0e though.
+
  [Other Info]

  Previous backports:

  (LP: #2040467)
  (LP: #2004676)
  (LP: #2073318)

--
https://bugs.launchpad.net/bugs/2127658

Title:
  Backport of openvpn for noble and questing
