-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 01 Jul 2026 22:20:55 +0200 Source: openvpn Architecture: source Version: 2.6.14-1+deb13u3 Distribution: trixie-security Urgency: high Maintainer: Bernhard Schmidt Changed-By: Bernhard Schmidt Changes: openvpn (2.6.14-1+deb13u3) trixie-security; urgency=high . * Cherry-pick upstream security patches from the 2.6.21 release - CVE-2026-12996: Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets - CVE-2026-13117: Fix use-after-free bug in tls_wrap_reneg(), triggerable by suitable sequence of dynamic tls-crypt control-channel packets - CVE-2026-13122: Fix server crash on reception of suitably malformed auth-token, if --auth-gen-token external-auth is active - CVE-2026-12932: Fix memory-leak in tls-crypt-v2 client key handling that could lead to out-of-memory situations and subsequent server crashes - CVE-2026-11771: Fix possible 1-byte buffer overrun on NTLMv2 proxy responses. - CVE-2026-13698: Fix another memory leak on reception of suitable tls-crypt-v2 packets that could lead to an out of memory situation and server crash Checksums-Sha1: 096f3a33108fdebd05def06d18c97d50a8c50a97 2275 openvpn_2.6.14-1+deb13u3.dsc 47bb325d2c7307aa45fea3d644ccd06b98104fda 75792 openvpn_2.6.14-1+deb13u3.debian.tar.xz d7ca374be64a1d67646df8298c9004d212607a84 7482 openvpn_2.6.14-1+deb13u3_amd64.buildinfo Checksums-Sha256: f444abce116aebaedf421f74f4948680669b1f20624783d02499f1d0b8d55712 2275 openvpn_2.6.14-1+deb13u3.dsc 7ecf77655c6e21033ac21110146d6fc1797dfc55ce428d0f054cde9ea04fc0cd 75792 openvpn_2.6.14-1+deb13u3.debian.tar.xz 9056fca45143f677e5be85521d575577df7839b8a08ad705fae2a6365bb353f5 7482 openvpn_2.6.14-1+deb13u3_amd64.buildinfo Files: adee06b30563b7698e3b1badc77905e0 2275 net optional openvpn_2.6.14-1+deb13u3.dsc d83502b4d078ec81c0cb18e7a8b52e9f 75792 net optional openvpn_2.6.14-1+deb13u3.debian.tar.xz e9413f7172b47342585193b5f8a4280b 7482 net optional openvpn_2.6.14-1+deb13u3_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQJFBAEBCgAvFiEE1uAexRal3873GVbTd1B55bhQvJMFAmpGiI0RHGJlcm5pQGRl Ymlhbi5vcmcACgkQd1B55bhQvJNEpBAAkfMhn2y3ABy7MMYJw6D+fCT7XdoUAjFZ ovWxT9tCud9Y5NpKO+MlFEbTBvtMvsluJxX2XssDkoc5VYMiL1r/pjtGYbKrhT4I j5kek9+/9ePNy4blBtNn4IuWU2ZwN96Q6wemxN+cYLJVQKCEXmg8SPqz0pLZsxry FVET+wBIL4f5fl3racHabELH2977IaX94G0/+sJwU4omt60PqrvjvdaeegVO20+Z KwDEjY9e67LVViYSuhpPLhSLzEKaHi0x5/ysLdvDR+9iw04w5JrRe+Bt3bxaGknH Jac1itXuPXe/9SfGD7xpH3z2akt7p14e1ZW54DMuf3kpPnDPUn09ICrowlW5wFye 5LN41HL5M970Uw5Y2TmGkSbQbTwHjUMD8VOT6Ghah02zklnNmd+IinZlqn9m97Sh 3oG6bi1nmw1vhGNiRSsqdD8FMuly1hgi+1UkhHXmkh0/KChIHxWQCAVQJDJa/p5R wzfL1qGRH5iLbCHmgjEaHqBSURw4vanzmdqMp2w9msGWZe4QNSiL0fYGpkWd2Ou/ a2omDiFoNE79ROyyiz2HaDfRSZt+f6VwXx8GTd/IV3EMq/TZx8pq/I9/MhA4gcA9 HTfhB2wSL/3vrCVgjESAIoz5g4LHGSyBqTgAJJWqU6DOs0xFVv4GJO56Wb4LfGRY q+ZkqcQC7Y0= =/cOb -----END PGP SIGNATURE-----