#1140837 trixie-pu: package openvpn-dco-dkms/0.0+git20241121-1+deb13u1

#1140837#5
Date: 2026-06-27 13:35:19 UTC
[ Reason ]
The OpenVPN DCO kernel offloading module has a race condition that triggers
during a peer deletion storm (i.e. when a highly loaded VPN server suffers from
a connectivity problem). It causes a NULL pointer dereference. It is reported as
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140548

This problem has been fixed in a newer upstream release; this update
cherry-picks two upstream commits.

[ Impact ]
NULL pointer dereference on heavily used OpenVPN 2.6 servers running trixie.

[ Tests ]
Upstream is running extensive peer-review on patches and testsuites.
Additionally, the reporter has confirmed that the proposed package fixes this
problem.

[ Risks ]
Clean backport of two released upstream commits.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [/] the issue is verified as fixed in unstable

[ Changes ]
see above

[ Other info ]
Heavy disconnect/reconnect storms cause issues on both kernel and userspace
side. This -pu fixes the kernel side not to lock up, which is the more annoying
problem (you cannot rmmod when it happens, you need to reboot).

The userspace side is tracked in #1140745. This is harder to fix in a stable
update, because you either need to backport several other changes before or use
the patch provided by the reporter, which is not based on released upstream
changes. Or we update to a new upstream version in stable. However, the problem
in userspace is easier to recover from. I will look at that later.

Note that while technically this bug has been fixed in unstable by uploading a
new upstream version, openvpn-dco-dkms is not really relevant there (OpenVPN
2.7 uses the in-tree ovpn-dco module).