Version in base suite: 2.6.14-1+deb13u1 Base version: openvpn_2.6.14-1+deb13u1 Target version: openvpn_2.6.14-1+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openvpn/openvpn_2.6.14-1+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openvpn/openvpn_2.6.14-1+deb13u2.dsc changelog | 11 +++++ patches/CVE-2026-35058.patch | 91 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2026-40215.patch | 54 +++++++++++++++++++++++++ patches/series | 2 4 files changed, 158 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp6dnjp8j_/openvpn_2.6.14-1+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp6dnjp8j_/openvpn_2.6.14-1+deb13u2.dsc: no acceptable signature found
diff -Nru openvpn-2.6.14/debian/changelog openvpn-2.6.14/debian/changelog
--- openvpn-2.6.14/debian/changelog 2025-11-20 23:45:17.000000000 +0000
+++ openvpn-2.6.14/debian/changelog 2026-04-27 07:22:24.000000000 +0000
@@ -1,3 +1,14 @@
+openvpn (2.6.14-1+deb13u2) trixie-security; urgency=medium
+
+ * Cherry-pick upstream security patches
+ - CVE-2026-40215: fix race condition in TLS handshake that could lead to
+ leaking of packet data from a previous handshake under specific
+ circumstances
+ - CVE-2026-35058: fix server ASSERT() on receiving a suitably malformed
+ packet with a valid tls-crypt-v2 key
+
+ -- Bernhard Schmidt Mon, 27 Apr 2026 09:22:24 +0200
+
 openvpn (2.6.14-1+deb13u1) trixie-security; urgency=medium
 
 * Cherry-pick patches for CVE-2025-13086
diff -Nru openvpn-2.6.14/debian/patches/CVE-2026-35058.patch openvpn-2.6.14/debian/patches/CVE-2026-35058.patch
--- openvpn-2.6.14/debian/patches/CVE-2026-35058.patch 1970-01-01 00:00:00.000000000 +0000
+++ openvpn-2.6.14/debian/patches/CVE-2026-35058.patch 2026-04-27 07:22:24.000000000 +0000
@@ -0,0 +1,91 @@
+From 0dc820fe1d0de369d101702151fa06fff0eb360c Mon Sep 17 00:00:00 2001
+From: Steffan Karger
+Date: Sun, 12 Apr 2026 13:37:56 +0200
+Subject: [PATCH] tls-crypt-v2: Avoid interpreting opcode as part of WKc
+
+The buffer we pass to tls_crypt_v2_extract_client_key contains the
+entire received control channel packet. We should skip the opcode before
+trying to read WKC.
+
+This logic error is a second bug behind the XlabAI finding, next too the
+too-strict ASSERT in tls_crypt_unwrap.
+
+Also remove a too strict ASSERT in tls_crypt_unwrap. We already check
+a few lines later for a too short packet and return a proper error
+("packet too short").
+
+XlabAI found a way of triggering this ASSERT that requires a tls-crypt-v2
+client key that has a specific property (a specific byte need to have a
+specific value, about 1/256 probability). If an attacker can get hold of
+such a tls-crypt-v2 client key or observe a handshake using such a key,
+the attacker can trigger the ASSERT, crashing the server. Setups that do
+not use tls-crypt-v2 are not affected.
+
+Independently, Cisco Talos reported a way to trigger this ASSERT with any
+tls-crypt-v2 key but this requires the attacker to be also in possession
+of the private key part of the tls-crypt-v2 client key or to inject packet
+into a live session of a client session.
+
+CVE: 2026-35058
+Reported-By: XlabAI Team of Tencent Xuanwu Lab (xlabai@tencent.com)
+Reported-By: Guannan Wang (wgnbuaa@gmail.com
+Reported-By: Zhanpeng Liu (pkugenuine@gmail.com)
+Reported-By: Guancheng Li (lgcpku@gmail.com)
+Reported-By: Emma Reuter of Cisco ASIG (TALOS-2026-2381)
+Signed-off-by: Steffan Karger
+Signed-off-by: Arne Schwabe
+
+Change-Id: I623733c0476c98f436d19009ee8990693c1579b5
+Private-URL: https://github.com/OpenVPN/openvpn-private-issues/issues/111
+Acked-by: Gert Doering
+Signed-off-by: Gert Doering
+(cherry picked from commit 18270324a5fd43122ca1b8c29b224c5dd5905429)
+---
+ src/openvpn/tls_crypt.c | 4 ++--
+ tests/unit_tests/openvpn/test_tls_crypt.c | 11 ++++++++++-
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
+index 50228e786e0..386aaf12fe2 100644
+--- a/src/openvpn/tls_crypt.c
++++ b/src/openvpn/tls_crypt.c
+@@ -229,7 +229,6 @@ tls_crypt_unwrap(const struct buffer *src, struct buffer *dst,
+ gc_init(&gc);
+
+ ASSERT(opt);
+- ASSERT(src->len > 0);
+ ASSERT(ctx->cipher);
+ ASSERT(packet_id_initialized(&opt->packet_id)
+ || (opt->flags & CO_IGNORE_PACKET_ID));
+@@ -627,7 +626,8 @@ tls_crypt_v2_extract_client_key(struct buffer *buf,
+ struct buffer wrapped_client_key = *buf;
+ uint16_t net_len = 0;
+
+- if (BLEN(&wrapped_client_key) < sizeof(net_len))
++ if (!buf_advance(&wrapped_client_key, 1)
++ || BLEN(&wrapped_client_key) < 1 + sizeof(net_len))
+ {
+ msg(D_TLS_ERRORS, "Can not read tls-crypt-v2 client key length");
+ return false;
+diff --git a/tests/unit_tests/openvpn/test_tls_crypt.c b/tests/unit_tests/openvpn/test_tls_crypt.c
+index bf5a8cef0c0..fcf6f9a00eb 100644
+--- a/tests/unit_tests/openvpn/test_tls_crypt.c
++++ b/tests/unit_tests/openvpn/test_tls_crypt.c
+@@ -534,7 +534,16 @@ tls_crypt_v2_wrap_unwrap_max_metadata(void **state)
+ .mode = TLS_WRAP_CRYPT,
+ .tls_crypt_v2_server_key = ctx->server_keys.encrypt,
+ };
+- assert_true(tls_crypt_v2_extract_client_key(&ctx->wkc, &wrap_ctx, NULL, true));
++
++ /* a buffer that only contains the wrapped key should fail */
++ assert_false(tls_crypt_v2_extract_client_key(&ctx->wkc, &wrap_ctx, NULL, true));
++
++ /* add a opcode in front of the key to make it valid to extract */
++ struct buffer wkcop = alloc_buf_gc(buf_len(&ctx->wkc) + 1, &ctx->gc);
++ buf_write_u8(&wkcop, 0x50);
++ buf_copy(&wkcop, &ctx->wkc);
++ assert_true(tls_crypt_v2_extract_client_key(&wkcop, &wrap_ctx, NULL, true));
++
+ tls_wrap_free(&wrap_ctx);
+ }
+
diff -Nru openvpn-2.6.14/debian/patches/CVE-2026-40215.patch openvpn-2.6.14/debian/patches/CVE-2026-40215.patch
--- openvpn-2.6.14/debian/patches/CVE-2026-40215.patch 1970-01-01 00:00:00.000000000 +0000
+++ openvpn-2.6.14/debian/patches/CVE-2026-40215.patch 2026-04-27 07:22:24.000000000 +0000
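Review bot: In the `tls_crypt_v2_extract_client_key` hunk of CVE-2026-35058.patch (src/openvpn/tls_crypt.c), the new test compares `BLEN(&wrapped_client_key)` with `1 + sizeof(net_len)` after `buf_advance()` has already consumed the opcode byte, so it is not clear from the hunk whether the `1 +` deliberately requires at least one WKc byte ahead of the length field or counts the opcode a second time. Both readings reject short input, so this is a documentation point rather than a defect: a comment such as `/* opcode skipped above; need >= 1 byte of WKc plus the 2-byte length */` would let a later reader check the bound against the packet layout. The function body continues outside the hunk, so how `net_len` is read afterwards cannot be confirmed from here. In the test hunk the bare `0x50` would be easier to audit if written as `P_CONTROL_HARD_RESET_CLIENT_V3 << P_OPCODE_SHIFT`, assuming those macros are visible to the test file.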
@@ -0,0 +1,54 @@
+From 4472265ea2d18b88bb5f59fb30d4067a0323aff5 Mon Sep 17 00:00:00 2001
+From: Arne Schwabe
+Date: Fri, 10 Apr 2026 16:59:53 +0200
+Subject: [PATCH] Ensure that buffer of freed session are not used
+
+In a race condition an old TLS session could still try to send a packet but
+also get replaced by a new session. In this case, the buffer of the new
+session is still referenced. Add the check_session_buf_not_used function
+to mitigate this problem.
+
+Also make the check if the to_link pointer is in one of the memory
+regions a bit better even though this not make a difference with the
+way we use these structs. But better safe than sorry.
+
+A better solution to remove the TM_INITIAL state and handle reconnecting
+session in their own complete tls_multi is a more involved fix that requires
+a lot more refactoring.
+
+CVE: 2026-40215
+Reported-By: XlabAI Team of Tencent Xuanwu Lab (xlabai@tencent.com)
+Reported-By: Guannan Wang (wgnbuaa@gmail.com
+Reported-By: Zhanpeng Liu (pkugenuine@gmail.com)
+Reported-By: Guancheng Li (lgcpku@gmail.com)
+Signed-off-by: Arne Schwabe
+
+Change-Id: I7c5fa2a7a2563b7a8955d386411f3ceffe5b092f
+Private-URL: https://github.com/OpenVPN/openvpn-private-issues/issues/112
+Acked-by: Gert Doering
+Signed-off-by: Gert Doering
+(cherry picked from commit b2a15fb84d85790eeae4a2e12b431cbfd0b0302f)
+---
+ src/openvpn/ssl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
+index 9814bb39494..aaf40319fa5 100644
+--- a/src/openvpn/ssl.c
++++ b/src/openvpn/ssl.c
+@@ -3373,6 +3373,7 @@ tls_multi_process(struct tls_multi *multi,
+ && ks_lame->state >= S_GENERATED_KEYS
+ && !multi->opt.single_session)
+ {
++ check_session_buf_not_used(to_link, session);
+ move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true);
+ }
+ else
+@@ -3445,6 +3446,7 @@ tls_multi_process(struct tls_multi *multi,
+ */
+ if (TLS_AUTHENTICATED(multi, &multi->session[TM_INITIAL].key[KS_PRIMARY]))
+ {
++ check_session_buf_not_used(to_link, &multi->session[TM_ACTIVE]);
+ move_session(multi, TM_ACTIVE, TM_INITIAL, true);
+ tas = tls_authentication_status(multi);
+ msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: initial untrusted "
diff -Nru openvpn-2.6.14/debian/patches/series openvpn-2.6.14/debian/patches/series
--- openvpn-2.6.14/debian/patches/series 2025-11-20 23:45:17.000000000 +0000
+++ openvpn-2.6.14/debian/patches/series 2026-04-27 07:22:24.000000000 +0000
@@ -5,3 +5,5 @@
 fix-ftbfs-kernel-6.16.patch
 check-message-id.patch
 CVE-2025-13086.patch
+CVE-2026-35058.patch
+CVE-2026-40215.patch
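Review bot: The description carried in CVE-2026-40215.patch says the change adds `check_session_buf_not_used` and tightens the `to_link` memory-region check, but the diff applied to src/openvpn/ssl.c only inserts two calls (`ssl.c | 2 ++`), so neither the helper's definition nor the tightened check is part of this backport. It is worth confirming that the 2.6.14 tree already defines the helper with the behaviour the fix relies on, and adding a line to the patch header stating that the message was inherited from a larger upstream commit if that is the case. At the first call site the checked object is `session`, which is bound outside the hunk, while the following `move_session` overwrites `TM_LAME_DUCK`; the second site checks the destination `&multi->session[TM_ACTIVE]` directly, so the two sites are not visibly parallel. A comment at both sites such as `/* to_link must not point into the session that move_session() is about to overwrite */` would record which session's buffers are meant; `tls_multi_process` starts and ends outside both hunks.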