-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 26 Nov 2025 22:54:51 +0100
Source: openvpn
Binary: openvpn openvpn-dbgsym
Architecture: amd64
Version: 2.6.3-1+deb12u4
Distribution: bookworm-security
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03) <buildd_amd64-x86-grnet-03@buildd.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
 openvpn    - virtual private network daemon
Closes: 1112516 1121086
Changes:
 openvpn (2.6.3-1+deb12u4) bookworm-security; urgency=medium
 .
   [ Bernhard Schmidt ]
   * Cherry-pick patches for CVE-2025-13086
     - check-message-id.patch: Check message id/acked ids too when doing
       sessionid cookie checks - bugfix for floating client problem, code
       prequesite for the CVE patch to apply
     - CVE-2025-13086.patch: Fix memcmp check for the hmac verification in the
       3way handshake being inverted (Closes: #1121086)
 .
   [ Aquila Macedo ]
   * Add new autopkgtest for unit tests.
 .
   [ Carlos Henrique Lima Melara ]
   * debian/patches/CVE-2024-5594-regression-fix.patch: cherry-pick from
     upstream to fix a regression introduced with CVE-2024-5594's fix. Namely,
     "Allow trailing \r and \n in control channel message". (Closes: #1112516)
   * debian/salsa-ci:
       - Allow lintian job to fail. Sid's version dislikes things from bookworm.
       - Disable gbp setup-gitattributes.
       - Disable reprotest on bookworm. It can't run on bookworm, so the build
         fails because of build dependencies problems.
   * debian/tests/unit-tests: enable unit-tests in configure and be verbose.
Checksums-Sha1:
 88e0a20fecf5c982b76ba6178a7e685d61b57197 1259204 openvpn-dbgsym_2.6.3-1+deb12u4_amd64.deb
 cd3ec5b318f663abba6692402568b4ad9aab62fd 7835 openvpn_2.6.3-1+deb12u4_amd64-buildd.buildinfo
 7c955483dcf0e5068c814aa12f201ef1e8affd34 651944 openvpn_2.6.3-1+deb12u4_amd64.deb
Checksums-Sha256:
 d0f7e06c02c105f923a44402c5e5ae5c54a551565291139449dbc3d854414ae4 1259204 openvpn-dbgsym_2.6.3-1+deb12u4_amd64.deb
 65aba79c8f63938c510c21ea92e12087db67780d6a14ee997ee66dbdb0df74a6 7835 openvpn_2.6.3-1+deb12u4_amd64-buildd.buildinfo
 32ff96be0604a348b309d728de79e41896318367722e489efa36dbc3e63d127f 651944 openvpn_2.6.3-1+deb12u4_amd64.deb
Files:
 8b78570d1742ee8f88848424a7b08931 1259204 debug optional openvpn-dbgsym_2.6.3-1+deb12u4_amd64.deb
 682ddde3d9a0d42dca9afd3b86d1ebea 7835 net optional openvpn_2.6.3-1+deb12u4_amd64-buildd.buildinfo
 1c88d41fa00d31e543bc3eeced46428c 651944 net optional openvpn_2.6.3-1+deb12u4_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEHqtYLkdKRyCY94K8fUw6/tXbAmMFAmksyBIACgkQfUw6/tXb
AmNM1w/7B8sCqmCS2ES2WvaRQdR/w3w/uezk3M1pfdjEElQMHMVxonz77bccmvx/
at13al8uQA/rr9PZglM9Z8S6qzxzz1RjPYy1yBarKQVC8cIM84ERYxImyyef5pzd
LAXGFgfzsAi+JbR1sEwvTTHlZkWwFf0QnnWSM0yY9BJlTObPf9+nwXxXLE8qZGjj
FJeVgrj3RxS4M1cUMd8qYyVo+sm2q5nIzo/P3C32zHcR8bx8uM6F2nEJB0T3KvVM
+MJe9Z20tC2pZwQfKSB0PDf0V2UWJMsauXD2FDBo8IsWQPv7Emqp1ZPnC31OJ4xw
CF0djM5JUh3A7CcRbt2b3FQNX+3sCyqZipmBkUA0fWgo0CJX3v4OpkZGyBDnOTV7
0iWMSNpBonQ954LH71R0oUYh0MhqU43CdkGd/k7wF48uxtwrAisRmbwnVJdPJRGu
lzcjK8odQLhJ4idU/gdnO4DMAYO52fnx/a6KenYCiAZ6LYQ35ZazAQBXZe/W19Iw
ri57OOWzS6IxbxAqPTCIg2xZwJU2Nf2wCxlrbc20Tj+KOU3hZXxjGrjtDg9uMeiK
TsCtybbf+Jug5lR1yZJY1m3TH9118ZIzNX2BrvWXn6AVHyv6//k0SXpI+9lodoVy
Cus2EdpyjTLKlrDs0B5Ri3lgVypTMQEk+KwDSPFgZfm4kwsqzD8=
=x98o
-----END PGP SIGNATURE-----