Version 24+dfsg-2 of openvpn3-client is marked for autoremoval from testing on Thu 19 Jun 2025. It is affected by #1106206. You should try to prevent the removal by fixing these RC bugs.
CVE-2025-3908:
The configuration initialization tool in OpenVPN 3 Linux v20 through v24 on Linux allows a local attacker to use symlinks pointing at an arbitrary directory which will change the ownership and permissions of that destination directory.
Among the 4 Debian patches available in version 24.1+dfsg-1 of the package, we noticed the following issues:
∙ 2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
testing migrations
This package will soon be part of the auto-protobuf transition. You might want to ensure that your package is ready for it.
You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
Migration status for openvpn3-client (24+dfsg-2 to 24.1+dfsg-1): BLOCKED: Needs an approval (either due to a freeze, the source suite or a manual hint)
Issues preventing migration:
∙ blocked by freeze: does not have autopkgtest (Follow the freeze policy when applying for an unblock)
∙ Too young, only 4 of 20 days old
Additional info:
∙ Updating openvpn3-client will fix bugs in testing: #1106206