[ubuntu/questing-security] openvpn 2.6.19-0ubuntu0.25.10.2 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Wed May 20 13:09:25 UTC 2026 

openvpn (2.6.19-0ubuntu0.25.10.2) questing-security; urgency=medium

  * SECURITY UPDATE: server ASSERT() via malformed packet
    - debian/patches/CVE-2026-35058.patch: avoid interpreting opcode as
      part of WKc in src/openvpn/tls_crypt.c,
      tests/unit_tests/openvpn/test_tls_crypt.c.
    - CVE-2026-35058
  * SECURITY UPDATE: race condition in TLS handshake
    - debian/patches/CVE-2026-40215.patch: ensure that buffer of freed
      session are not used in src/openvpn/ssl.c.
    - CVE-2026-40215

openvpn (2.6.19-0ubuntu0.25.10.1) questing; urgency=medium

  * New upstream version 2.6.19 (LP: #2127658):
    - CVE Fixes:
      + CVE-2025-13086
    - Updates:
      + Disable DCO if --bind-dev option is given
    - Bug Fixes:
      + Fix incorrect file descriptor handling in p2mp server on inotify FD
        during a SIGUSR1 restart.
      + Fix bug where --management-forget-disconnect and --management-signal
        could be executed even if password authentication to managment
        interface was still pending.
      + Repair client-side interaction on reconnect between DCO event handling
        and --persist-tun.
      + Prevent crash on invalid server-ipv6 argument.
      + Fix invalid pointer creation in tls_pre_decrypt().
      + Properly check for errors in creation on $auth_failed_reason_file.
      + Apply close-on-exec option to correct socket for incoming TCP
        connections.
      + Fix missing perf_pop() call in ssl_mbedtls.
      + Apply more checks to incoming TLS handshake packets before creating new
        state.
      + Fix broadcast address configuration for broadcast-based applications
        using ifconfig to get address.
    - See https://community.openvpn.net/ReleaseHistory for additional
      information.
  * Remove patches fixed upstream:
    - d/p/CVE-2025-13086.patch
    [Fixed in 2.6.16]
    - d/p/avoid-redefining-ovpn-enums.patch
    - d/p/handle_intentional_route_push_float_ip.patch
    [Fixed in 2.6.15]
  * d/watch: Update download URL.

Date: 2026-04-23 13:38:11.049554+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/openvpn/2.6.19-0ubuntu0.25.10.2
-------------- next part --------------
Sorry, changesfile not available.

More information about the Questing-changes mailing list