#1125041 Verify file permissions for private connections (CVE-2025-9615)

Package: network-manager-vpnc
Source: network-manager-vpnc
Description: network management framework (VPNC plugin core)
Submitter: Michael Biebl
Date: 2026-01-08 18:07:18 UTC
Severity: normal

#1125041#5
Date: 2026-01-08 16:46:40 UTC

Hi,

the network-manager package was subject to a security issue related to
insecure access to user certificates. See [0] for more details.

This was fixed in [1] and now all VPN plugins need to declare that they
support the new, safe interface.
See [2] for further details and [3] for a similar change that was done
for network-manager-openvpn.

The network-manager 1.54.x package in unstable/testing has been updated
to provide safe APIs for user certificate file access.
For now the usage of those safe APIs is optional but will become
mandatory in network-manager 1.56, at which point this bug report will
become RC as network-manager will refuse to load VPN plugins without
"supports-safe-private-file-access=true".

Regards,
Michael

[0] https://security-tracker.debian.org/tracker/CVE-2025-9615
[1] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2324
[2] https://lists.freedesktop.org/archives/networkmanager/2025-December/000468.html
[3] https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/commit/ca18fa91e1446543b48a463fb72a4de6a8716aa9
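
An added example, not part of the bug report or of NetworkManager: a small audit that lists which installed VPN plugin descriptors carry the "supports-safe-private-file-access=true" declaration quoted above, useful before moving to a release that enforces it. It assumes the declaration lives in the plugin's `.name` key file under `/usr/lib/NetworkManager/VPN`; the section it belongs to is not stated in the report, so every section is searched, and the sample descriptors are constructed.

```python
import configparser
from pathlib import Path

KEY = "supports-safe-private-file-access"  # key quoted in the bug report
PLUGIN_DIR = "/usr/lib/NetworkManager/VPN"  # assumed plugin descriptor directory

# Constructed descriptors; placing the key under [VPN Connection] is an assumption.
SAMPLE_DECLARED = """\
[VPN Connection]
name=example-a
service=org.example.vpn.a
supports-safe-private-file-access=true
"""
SAMPLE_MISSING = """\
[VPN Connection]
name=example-b
service=org.example.vpn.b
"""


def declares_safe_access(text):
    """Return True if any section of a .name key file sets KEY to 'true'."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",),
        comment_prefixes=("#",))
    parser.optionxform = str  # key-file keys are case-sensitive
    try:
        parser.read_string(text)
    except configparser.Error:
        return False  # unparsable descriptor: treat as not declared
    return any(sec.get(KEY, "").strip() == "true" for sec in parser.values())


def audit(plugin_dir=PLUGIN_DIR):
    """Map each *.name file in plugin_dir to whether it carries the declaration."""
    return {
        p.name: declares_safe_access(p.read_text(encoding="utf-8"))
        for p in sorted(Path(plugin_dir).glob("*.name"))
    }


if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{'ok     ' if ok else 'MISSING'}  {name}")
```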