Format: 1.8
Date: Wed, 26 Nov 2025 22:54:51 +0100
Source: openvpn
Architecture: source
Version: 2.6.3-1+deb12u4
Distribution: bookworm-security
Urgency: medium
Maintainer: Bernhard Schmidt
Changed-By: Bernhard Schmidt
Closes: 1112516 1121086
Changes:
 openvpn (2.6.3-1+deb12u4) bookworm-security; urgency=medium
 .
   [ Bernhard Schmidt ]
   * Cherry-pick patches for CVE-2025-13086
     - check-message-id.patch: Check message id/acked ids too when doing
       sessionid cookie checks - bugfix for floating client problem, code
       prerequisite for the CVE patch to apply
     - CVE-2025-13086.patch: Fix memcmp check for the hmac verification in the
       3way handshake being inverted (Closes: #1121086)
 .
   [ Aquila Macedo ]
   * Add new autopkgtest for unit tests.
 .
   [ Carlos Henrique Lima Melara ]
   * debian/patches/CVE-2024-5594-regression-fix.patch: cherry-pick from
     upstream to fix a regression introduced with CVE-2024-5594's fix. Namely,
     "Allow trailing \r and \n in control channel message". (Closes: #1112516)
   * debian/salsa-ci:
     - Allow lintian job to fail. Sid's version dislikes things from bookworm.
     - Disable gbp setup-gitattributes.
     - Disable reprotest on bookworm. It can't run on bookworm, so the build
       fails because of build dependencies problems.
   * debian/tests/unit-tests: enable unit-tests in configure and be verbose.