Date: Sat, 14 May 2016 13:33:13 +0000 (UTC)
From: Matthias Andree <mandree@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r415187 - in branches/2016Q2/security/openvpn: . files
Message-ID: <201605141333.u4EDXD0r004027@repo.freebsd.org>
Author: mandree
Date: Sat May 14 13:33:13 2016
New Revision: 415187
URL: https://svnweb.freebsd.org/changeset/ports/415187

Log:
  MFH: r412540 r412541 r415093 r415116

  Work around 10.3-RELEASE's service(8) shortcomings (r412540) and fix /usr/sbin/service -R (r412541).

  PR: 208534
  Reported by: allan@saddi.com

  r415093 (2.3.11 upgrade) and r415116 (the polarssl fix-up) together:

  Security upgrade to OpenVPN 2.3.11. Quoting upstream maintainers' release notes:

  "This release fixes two vulnerabilities: a port-share bug with DoS potential and a buffer overflow by user supplied data when using pam authentication. In addition a number of small fixes and improvements are included."

  Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23

  The upstream backported a change from the master branch that fixes the PolarSSL-based builds to go with the PolarSSL 1.3.X built-in defaults.

  Approved by: ports-secteam (junovich)
  PR: 209498
  Security: 0dc8be9e-19af-11e6-8de0-080027ef73ec

Added:
  branches/2016Q2/security/openvpn/files/patch-629baad8
     - copied unchanged from r415116, head/security/openvpn/files/patch-629baad8
Modified:
  branches/2016Q2/security/openvpn/Makefile
  branches/2016Q2/security/openvpn/distinfo
  branches/2016Q2/security/openvpn/files/openvpn.in
Directory Properties:
  branches/2016Q2/   (props changed)

Modified: branches/2016Q2/security/openvpn/Makefile ============================================================================== --- branches/2016Q2/security/openvpn/Makefile Sat May 14 13:09:45 2016 (r415186) +++ branches/2016Q2/security/openvpn/Makefile Sat May 14 13:33:13 2016 (r415187) 
@@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= openvpn -DISTVERSION= 2.3.10 +DISTVERSION= 2.3.11 CATEGORIES= security net MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \ http://build.openvpn.net/downloads/releases/ Modified: branches/2016Q2/security/openvpn/distinfo ============================================================================== --- branches/2016Q2/security/openvpn/distinfo Sat May 14 13:09:45 2016 (r415186) +++ branches/2016Q2/security/openvpn/distinfo Sat May 14 13:33:13 2016 (r415187) @@ -1,2 +1,2 @@ -SHA256 (openvpn-2.3.10.tar.xz) = c54dbf91d47b9533fac3b94d2b5719bdbe0d081fe8245184f91ef8a871d22003 -SIZE (openvpn-2.3.10.tar.xz) = 818152 +SHA256 (openvpn-2.3.11.tar.xz) = 0f5f1ca1dc5743fa166d93dd4ec952f014b5f33bafd88f0ea34b455cae1434a7 +SIZE (openvpn-2.3.11.tar.xz) = 833496 Modified: branches/2016Q2/security/openvpn/files/openvpn.in ============================================================================== --- branches/2016Q2/security/openvpn/files/openvpn.in Sat May 14 13:09:45 2016 (r415186) +++ branches/2016Q2/security/openvpn/files/openvpn.in Sat May 14 13:33:13 2016 (r415187) @@ -64,17 +64,29 @@ . /etc/rc.subr +# service(8) does not create an authentic environment, try to guess, +# and as of 10.3-RELEASE-p0, it will not find the indented name= +# assignments below. So give it a default. +# Trailing semicolon also for service(8)'s benefit: +name="$file" ; + case "$0" in /etc/rc*) # during boot (shutdown) $0 is /etc/rc (/etc/rc.shutdown), # so get the name of the script from $_file name="$_file" ;; +*/service) + # do not use this as $0 + ;; *) name="$0" ;; esac +# default name to "openvpn" if guessing failed +# Trailing semicolon also for service(8)'s benefit: +name="${name:-openvpn}" ; name="${name##*/}" rcvar=${name}_enable Copied: branches/2016Q2/security/openvpn/files/patch-629baad8 (from r415116, head/security/openvpn/files/patch-629baad8) ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2016Q2/security/openvpn/files/patch-629baad8 Sat May 14 13:33:13 2016 (r415187, copy of r415116, head/security/openvpn/files/patch-629baad8) @@ -0,0 +1,37 @@ +commit 629baad8f89af261445a2ace03694601f8e476f9 +Author: Steffan Karger <steffan@karger.me> +Date: Fri May 13 08:54:52 2016 +0200 + + Fix polarssl / mbedtls builds + + Commit 8a399cd3 hardened the OpenSSL default cipher list, + but also introduced a change in shared code that causes + polarssl / mbedtls builds to break when no --tls-cipher is + specified. + + This fix is backported code from the master branch. + + Signed-off-by: Steffan Karger <steffan@karger.me> + Acked-by: Gert Doering <gert@greenie.muc.de> + Message-Id: <1463122492-701-1-git-send-email-steffan@karger.me> + URL: http://article.gmane.org/gmane.network.openvpn.devel/11647 + Signed-off-by: Gert Doering <gert@greenie.muc.de> + +diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c +index 1f58369..9263698 100644 +--- ./src/openvpn/ssl_polarssl.c ++++ ./src/openvpn/ssl_polarssl.c +@@ -176,7 +176,12 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) + { + char *tmp_ciphers, *tmp_ciphers_orig, *token; + int i, cipher_count; +- int ciphers_len = strlen (ciphers); ++ int ciphers_len; ++ ++ if (NULL == ciphers) ++ return; /* Nothing to do */ ++ ++ ciphers_len = strlen (ciphers); + + ASSERT (NULL != ctx); + ASSERT (0 != ciphers_len);
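Review bot: in the Makefile hunk both MASTER_SITES entries are plain http:// URLs, so the fetched openvpn-2.3.11.tar.xz has no transport-level integrity protection and the SHA256/SIZE pair in distinfo is the only thing standing between a tampered download and the build; worth a one-line remark in the log that the distfile check is the trust anchor for this security upgrade.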
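Review bot: the distinfo hunk replaces both SHA256 and SIZE consistently for 2.3.11, but the log does not say how the new SHA256 (0f5f1ca1dc5743fa166d93dd4ec952f014b5f33bafd88f0ea34b455cae1434a7) was obtained; for a security-motivated bump please note that it was compared against the checksum upstream publishes for the release rather than only computed from a locally fetched tarball.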
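Review bot: in the openvpn.in hunk `name="$file" ;` depends on `$file`, a variable set internally by service(8) while it sources rc scripts rather than a documented interface, so the comment should say explicitly that this targets the 10.3-RELEASE-p0 service(8) named in the log and that `name="${name:-openvpn}" ;` is the fallback when `$file` is unset or empty; the `*/service)` arm's "do not use this as $0" is terse and should state that it deliberately leaves `name` at the `$file` value, which is why the default assignment has to follow the `case` rather than precede it.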
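Review bot: in patch-629baad8 the new `if (NULL == ciphers) return;` is placed above `ASSERT (NULL != ctx);`, so a call with a NULL ctx and a NULL cipher list now returns silently where it previously tripped the assertion; moving the ctx assertion ahead of the early return (or commenting that ctx is not needed on that path) keeps the precondition checks first. The early return itself is the right fix for the breakage described in the commit message: with no --tls-cipher the removed `int ciphers_len = strlen (ciphers);` evaluated strlen on a NULL pointer, and returning leaves the PolarSSL/mbedTLS built-in cipher defaults in place, as the log states.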