[Pkg-utopia-maintainers] Bug#1125041: Verify file permissions for private connections (CVE-2025-9615)
Michael Biebl
biebl at debian.org
Thu Jan 8 16:46:40 GMT 2026
Package: network-manager-vpnc
Version: 1.4.0-3
Severity: important
User: biebl at debian.org
Usertags: CVE-2025-9615
Hi,
the network-manager package was subject to a security issue related to
insecure access to user certificates. See [0] for more details.
This was fixed in [1] and now all VPN plugins need to declare that they
support the new, safe interface.
See [2] for further details and [3] for a similar change that was done
for network-manager-openvpn.
The network-manager 1.54.x package in unstable/testing has been updated
to provide safe APIs for user certificate file access.
For now the usage of those safe APIs is optional but will become
mandatory in network-manager 1.56.
At which point this bug report will become RC as network-manager will
refuse to load VPN plugins without
"supports-safe-private-file-access=true".
Regards,
Michael
[0] https://security-tracker.debian.org/tracker/CVE-2025-9615
[1] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2324
[2] https://lists.freedesktop.org/archives/networkmanager/2025-December/000468.html
[3] https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/commit/ca18fa91e1446543b48a463fb72a4de6a8716aa9
More information about the Pkg-utopia-maintainers
mailing list