CVE-2024-5594/openvpn: record regression and fixes on v2.6 and v2.5
While working on openvpn for ELTS, I've discovered a regression [1] introduced and fixed by upstream for CVE-2024-5594. Although I wasn't able to set up an environment to check if bookworm's version has it, there are very strong indications it does. The regression was reported against Arch's version (2.6.11) and Ubuntu's version (2.6.11), which are just patch releases on top of 2.6.3 that we have in bookworm. Furthermore, the patch releases from 2.6.4 to 2.6.11 do not touch the control channel handling code, so effectively 2.6.11 before the CVE fix is equal to 2.6.3 in that aspect. And after the fix for CVE-2024-5594 the only change altering the control channel handling code is the fix for the regression.
All in all, I just wanted the OK from the sec team before pushing the regression note to the official security tracker.