From: David S. <daz...@eu...> - 2025-05-20 07:19:57
OpenVPN 3 Linux v24 (Bugfix/security release)
The v24.1 release is a small security and bugfix release.
* Security: CVE-2025-3908 - openvpn3-admin init-config follows symlink
Wolfgang Frisch from the SUSE security team reached out and
notified us of a potential issue with the openvpn3-admin init-config
command following symlinks when creating needed directories. This
has been resolved: this command will no longer follow symlinks
and will require the user running this command to set up these
directories manually with the correct ownership and privileges.
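As an added illustration (not openvpn3-admin's own code) of the rule described above, this C++17 check accepts a state or configuration directory only if it already exists as a real directory, refuses a symlink or a non-directory at that path, and tells the caller that a missing directory has to be created manually. The fixture paths under the temp directory are constructed for the demonstration.

```cpp
#include <filesystem>
#include <fstream>
#include <iostream>
#include <system_error>

namespace fs = std::filesystem;

enum class DirCheck { Ok, MissingCreateManually, RefusedSymlink, RefusedNotDirectory, Error };

// Hypothetical helper mirroring the v24.1 behaviour: never create the directory
// here, and never let a planted symlink decide where files end up.
DirCheck check_state_dir(const fs::path &dir)
{
    std::error_code ec;
    // symlink_status() inspects the path itself and does not follow a final symlink,
    // so a link is reported as a link instead of being resolved to its target.
    fs::file_status st = fs::symlink_status(dir, ec);
    if (fs::is_symlink(st))
        return DirCheck::RefusedSymlink;
    if (st.type() == fs::file_type::not_found)
        return DirCheck::MissingCreateManually;   // admin must create it by hand
    if (ec || !fs::status_known(st))
        return DirCheck::Error;
    return fs::is_directory(st) ? DirCheck::Ok : DirCheck::RefusedNotDirectory;
}

// Constructed fixture: "real" is a directory, "link" a symlink to it, "file" a plain file.
fs::path build_fixture()
{
    fs::path root = fs::temp_directory_path() / "ovpn3_statedir_demo";
    fs::remove_all(root);
    fs::create_directories(root / "real");
    fs::create_directory_symlink(root / "real", root / "link");
    { std::ofstream f(root / "file"); f << "not a directory\n"; }
    return root;
}

bool cleanup_fixture()
{
    return fs::remove_all(fs::temp_directory_path() / "ovpn3_statedir_demo") > 0;
}

int main()
{
    fs::path root = build_fixture();
    const char *names[] = {"real", "link", "file", "missing"};
    for (const char *name : names)
        std::cout << name << " -> " << static_cast<int>(check_state_dir(root / name)) << '\n';
    cleanup_fixture();
    return 0;
}
```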
* Bugfix: openvpn3 session-manage --log-level can crash the Session Manager
When changing the log-level for an ongoing VPN session to an invalid
log-level value, the Session Manager process would fail and stop
running due to an uncaught exception. The result would not affect
the currently ongoing VPN sessions, but none of those sessions could
be managed via the session manager any more. This has been fixed and
the Session Manager will now reply to the caller with an error message
instead. This issue was reported by Wolfgang Frisch from the SUSE
security team.
* Bugfix: Control character injection via command line arguments
All the command line arguments would pass on ASCII control characters,
which could be used to inject misleading information into logs. Since
none of the entry points for user data need ASCII control characters,
except for newline characters in a few places, these characters are now
removed. This issue was reported by Wolfgang Frisch from the SUSE
security team.
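The following C++ filter is an added example, not OpenVPN 3 Linux's own implementation, of the sanitising described above: ASCII control characters are stripped from user-supplied strings before they reach the log, and a newline survives only when the caller explicitly allows multi-line entries. The sample input is constructed.

```cpp
#include <iostream>
#include <string>

// Hypothetical helper: drop ASCII control characters (0x00-0x1F and 0x7F).
// '\n' is kept only when allow_newline is set by a caller that really needs it.
std::string filter_ctrl_chars(const std::string &input, bool allow_newline = false)
{
    std::string out;
    out.reserve(input.size());
    for (unsigned char c : input)
    {
        if (c == '\n' && allow_newline)
        {
            out.push_back('\n');            // explicitly permitted multi-line entry
        }
        else if (c < 0x20 || c == 0x7f)
        {
            continue;                       // control character: remove it
        }
        else
        {
            out.push_back(static_cast<char>(c));
        }
    }
    return out;
}

// Builds one log line; the user-provided part is filtered so it cannot
// terminate the line early and start a forged second entry.
std::string log_line(const std::string &prefix, const std::string &user_msg)
{
    return prefix + ": " + filter_ctrl_chars(user_msg);
}

// Constructed sample: a pause "reason" carrying a newline, a fake log entry,
// an ANSI escape sequence and a carriage return.
const std::string kSample = "user requested\n[ERROR] fake entry\x1b[31m\r";

int main()
{
    std::cout << log_line("sessionmgr: Pause", kSample) << '\n';
    std::cout << filter_ctrl_chars(kSample, true) << '\n';
    return 0;
}
```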
* Bugfix: openvpn3-service-backendstart crash during shutdown
Occasionally the openvpn3-service-backendstart helper service could
crash during its shutdown phase. This was due to an uncaught
exception. This has been resolved.
* Bugfix: VPN session failing to start without org.freedesktop.hostname1
The current client code expected the org.freedesktop.hostname1
(systemd-hostnamed) service to be available. On systems without
systemd, this would result in the client waiting a long time for
this service to appear before continuing. Meanwhile, the Session
Manager would not receive a response in time from this client
process, would consider it unresponsive and would stop the VPN session
instead. This has been resolved by querying the D-Bus daemon whether
the org.freedesktop.hostname1 service is available and simply
continuing without it if it is not.
* Build fix: Meson clean-up
Newer Meson versions had several minor complaints about the build
configuration. These issues should now be resolved and Meson should
no longer report any warnings.
* Build fix: GCC-15 related build issues
The GCC-15 compiler now complains about more issues that were
not raised by prior compiler versions with the same compiler flags.
The issues raised by GCC-15 are now fixed.
Known issues:
- openvpn3-admin journal --since has a time zone related issue
and may not list all log events from the most recent hours.
Credits
-------
Wolfgang Frisch from the SUSE security team for their bug
and security reports.
Supported Linux distributions
-----------------------------
- Debian: 12
- Fedora: 40, 41, 42, Rawhide
- Red Hat Enterprise Linux 8, 9
- Ubuntu: 22.04, 24.04
Red Hat Enterprise Linux 10 is in tech preview.
Installation and getting started instructions can be found here:
<https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux>
--
kind regards,
David Sommerseth
OpenVPN Inc
---- Source tarballs ---------------------------------------------------
* OpenVPN 3 Linux v24.1
<https://swupdate.openvpn.net/community/releases/openvpn3-linux-24.1.tar.xz>
<https://swupdate.openvpn.net/community/releases/openvpn3-linux-24.1.tar.xz.asc>
---- SHA256 Checksums --------------------------------------------------
7a85a6247f481a4eb998b79721a7ae87c27f43fea54d09d7cafc86c59cc94ded openvpn3-linux-24.1.tar.xz.asc
c0e5db2cea4e9f2118b81425d3833b85821c515b72a53e21479c7a1f24d4bef0 openvpn3-linux-24.1.tar.xz
---- git references ----------------------------------------------------
git repositories:
- OpenVPN 3 Linux
<https://codeberg.org/OpenVPN/openvpn3-linux> (PRIMARY)
<https://gitlab.com/openvpn/openvpn3-linux> (code-only mirror)
<https://github.com/OpenVPN/openvpn3-linux> (code-only mirror)
git tag: v24.1
git commit: 8bba2a15088bd0ef9c2f18ff29186e890a010add
---- Changes from v24 to v24.1 --------------------------------------
David Sommerseth (31):
build: Misc cleanup in Meson build scripts
build: Fix incorrect default value assignment for create_statedir option
common: Refactor Configuration::File to use std::filesystem
ovpn3cli/init-config: Refactor file/directory handling to use std::filesystem
ovpn3cli/init-config: Don't follow symlinks setting up state/configs dirs
sessionmgr: Catch incorrect log level requests in Session object
build: Fix minor meson complaint in addons/aws
build: Improve OpenVPN 3 Core library version extraction
events/log: Refactor Events::Log()
events/log: Simplify Events::Log::str() methods
events/log: Implement character filter in Events::Log
log: Extend LogSender with a Debug_wnl() method
log/core: Enable multi-line logging via the Core D-Bus logger
log/journal: Don't filter newlines from journald entries
log: Preserve the newlines in the log when openvpn3-service-log starts
tests: Add --allow-newline to logservice1 send subcommand
common/cmdargparser: Minor code cleanup in RegisterParsedArgs::register_option()
common/cmdargparser: Filter out ASCII control characters from command line
common: Merge and move string ctrl char sanitizing to a shared function
log: Filter strings coming via D-Bus calls
sessionmgr/client: Filter reason string to Pause D-Bus method call
common: Filter input value to RequiresQueue::UpdateEntry()
tests/request-queue: Remove unused local function
configmgr/test: Add tests for control chars in various configuration profiles
configmgr: Remove control characters from various user input via D-Bus
netcfg: Remove control characters from the D-Bus method inputs
log: Add missing cstdint header in logmetadata.hpp
common: Check if org.freedesktop.hostname1 is available in PlatformInfo
client: Handle exceptions in ~BackendStarterSrv
build: Allow version tags to contain dots and minor version digits
configmgr/proxy: Ignore minor version number in feature check
--------------------------------------------------------------------