[ubuntu/noble-security] openvpn 2.6.14-0ubuntu0.24.04.3 (Accepted)
Marc Deslauriers
marc.deslauriers at canonical.com
Thu Nov 27 16:30:31 UTC 2025
openvpn (2.6.14-0ubuntu0.24.04.3) noble-security; urgency=medium
* SECURITY UPDATE: incorrect HMAC verification check
- debian/patches/CVE-2025-13086.patch: fix memcmp check for the hmac
verification in the 3way handshake being inverted in
src/openvpn/ssl_pkt.c, tests/unit_tests/openvpn/test_pkt.c.
- CVE-2025-13086
openvpn (2.6.14-0ubuntu0.24.04.2) noble; urgency=medium
* d/p/handle_intentional_route_push_float_ip.patch: Fix floating IP due
to "route VPN_IP net_gateway", which can lead to incorrect blocking of
a source IP switch for 60 seconds immediately after connection setup.
(LP: #2108860)
openvpn (2.6.14-0ubuntu0.24.04.1) noble; urgency=medium
* New upstream version 2.6.14 (LP: #2040467):
- CVE Fixes:
+ CVE-2025-2704
- Updates:
+ Send uname() release from client to server as IV_PLAT_VER.
+ Pass --timeout=0 argument to systemd-ask-password, to avoid default
timeout of 90 seconds.
- Bug Fixes:
+ Repair source IP selection for --multihome.
+ Allow tls-crypt-v2 to be setup only on initial packet of a session.
+ Fix some missing spaces in messages.
+ Fix parsing of usernames or passwords longer than USER_PASS_LEN on the
server side to avoid IV variable misparsing and misleading errors.
+ Purge proxy authentication credentials from memory after use (if
--auth-nocache is in use).
- See https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26 for
additional bug fixes and information.
* Remove patches fixed upstream:
- d/p/CVE-2025-2704.patch
[Fixed in 2.6.14]
* d/t/control: Move to isolation-container to enable armhf/LXD coverage (LP 2104146).
Date: 2025-11-24 22:53:11.078820+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/openvpn/2.6.14-0ubuntu0.24.04.3
-------------- next part --------------
Sorry, changesfile not available.
More information about the noble-changes
mailing list