RHEL-140608

Backport NM-libreswan 1.2.30 to declare supports-safe-private-file-access


    • NetworkManager-libreswan-1.2.30-1.el10
    • Moderate
    • rhel-net-mgmt

      Definition of Done:

      Please mark each item below with ( / ) if completed or ( x ) if incomplete:

      ( ) The acceptance criteria defined below are met.

      Given the upstream merge request "Declare supports-safe-private-file-access" is merged in NM-libreswan 1.2.30,

      When the NetworkManager-libreswan package is built for RHEL-10.2 and RHEL-9.8,

      Then the resulting RPM includes supports-safe-private-file-access=true.


      ( ) Integration test case is available upstream.


      ( ) Code is reviewed and merged upstream.


      ( ) Preliminary testing is done.


      ( ) Upstream documentation is written in the upstream MR.


      ( ) Release notes text is written in the RHEL issue.


      ( ) A demo is recorded

    • CVE - Common Vulnerabilities and Exposures
      NetworkManager now requires VPN plugins to explicitly declare support for
      safe private file access. Third-party or custom VPN plugins not updated
      for this change may fail to connect. NetworkManager-libreswan has been
      updated for compatibility.
    • Proposed

      Upstream NetworkManager-libreswan 1.2.30 added the supports-safe-private-file-access=true declaration to the service name file: https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/-/merge_requests/72.
      This change is required for compatibility with NetworkManager's CVE-2025-9615 security mitigation.

      CVE-2025-9615 is a vulnerability in VPN plugins that could allow a non-admin user to use other users' certificates when activating a private VPN connection. NetworkManager now requires VPN plugins to explicitly declare whether they safely handle private file access (certificates, keys) by:

      • Properly checking user permissions when reading private files, OR
      • Not accessing private files at all

      NM-libreswan does not allow arbitrary paths to private files in its configuration. Therefore, it is not vulnerable to CVE-2025-9615 and can safely declare supports-safe-private-file-access=true.
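
One way to check the acceptance criterion above, and to find installed plugins that lack the declaration, is sketched below. This is an added example, not code from NetworkManager or NM-libreswan. The sample file contents and the `example-vpn` plugin are constructed, and accepting the key in any section of the file is an assumption.

```python
import configparser
from pathlib import Path

KEY = "supports-safe-private-file-access"

def declares_safe_private_file_access(name_file_text):
    """True only if a VPN plugin .name file sets KEY to 'true'."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names case-sensitive, as written
    try:
        parser.read_string(name_file_text)
    except configparser.Error:
        return False  # unparseable file: treat as "not declared"
    # Assumption: accept the key in any section rather than hard-coding one.
    for section in parser.sections():
        if KEY in parser[section]:
            return parser[section][KEY].strip() == "true"
    return False

def undeclared_plugins(name_files):
    """name_files maps file name -> contents; return names lacking the declaration."""
    return sorted(name for name, text in name_files.items()
                  if not declares_safe_private_file_access(text))

def audit_directory(directory):
    """Check every *.name file in a plugin directory supplied by the caller."""
    files = {p.name: p.read_text() for p in Path(directory).glob("*.name")}
    return undeclared_plugins(files)

# Constructed samples, not copied from any shipped package.
UPDATED_PLUGIN = """\
[VPN Connection]
name=libreswan
service=org.freedesktop.NetworkManager.libreswan
supports-multiple-connections=false
supports-safe-private-file-access=true
"""
LEGACY_PLUGIN = """\
[VPN Connection]
name=example-vpn
service=org.example.NetworkManager.examplevpn
"""

if __name__ == "__main__":
    print(undeclared_plugins({"nm-libreswan-service.name": UPDATED_PLUGIN,
                              "nm-example-service.name": LEGACY_PLUGIN}))
```

`audit_directory` can be pointed at the directory where VPN plugin `.name` files are installed (typically `/usr/lib/NetworkManager/VPN`, a path not stated in this issue); any file it returns belongs to a plugin that may fail to connect after the NetworkManager change.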

              nm-team (Network Management Team)
              rh-ee-sfaye (Stanislas Faye)
              Network Management Team
              Vladimir Benes