Date: Fri, 19 Aug 2005 04:29:24 +0200
From: Matthias Andree <matthias.andree@gmx.de>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/85109: [MAINTAINER] security/openvpn: security update, rcNGify
Message-ID: <E1E5wdI-000Csy-Uc@libertas.emma.line.org>
Resent-Message-ID: <200508190230.j7J2UIqP012025@freefall.freebsd.org>
>Number:         85109
>Category:       ports
>Synopsis:       [MAINTAINER] security/openvpn: security update, rcNGify
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 19 02:30:18 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Matthias Andree
>Release:        FreeBSD 4.11-RELEASE-p11 i386
>Organization:
>Environment:
System: FreeBSD libertas.emma.line.org 4.11-RELEASE-p11 FreeBSD 4.11-RELEASE-p11 #1: Sat Jul 2 12:53:26 CEST
>Description:
Dependency *Warning*: This PR depends on ports/85108 (resolves conflict between lzo and lzo2 ports) - you MUST commit ports/85108 before you can commit this PR, else you'll force the user to deinstall all lzo-1 dependent ports!

Note: a vuxml update has already been sent to the security officer; it will list openvpn < 2.0.1 as vulnerable.

- Security update to version 2.0.1, fixing four denial of service bugs, CAN-2005-2531, CAN-2005-2532, CAN-2005-2533, CAN-2005-2534
- Drop old init script and add a modern rcNG script in its place, requested by Matthias Grimm and Dirk Gouders (although the script below is one I, Matthias Andree, wrote). It can automatically load tun/tap drivers.
- move pkg-message to files/pkg-message.in, revise it, list it in SUB_FILES to expand ${PREFIX}.
- print pkg-message after installation from port
- switch to official "make check" as smoke-test, rather than wiring our own.
- prefer LZO2 in most situations, as OpenVPN will pick up LZO2 rather than LZO1 if both are installed.
Added file(s): - files/openvpn.sh.in - files/pkg-message.in Removed file(s): - files/openvpn.sh.sample - pkg-message Generated with FreeBSD Port Tools 0.63 >How-To-Repeat: >Fix: --- openvpn-2.0.1.patch begins here --- diff -ruN --exclude=CVS /usr/ports/security/openvpn/Makefile /usr/home/emma/ports/security/openvpn/Makefile --- /usr/ports/security/openvpn/Makefile Wed Jul 20 19:26:33 2005 +++ /usr/home/emma/ports/security/openvpn/Makefile Fri Aug 19 03:57:38 2005 @@ -1,21 +1,18 @@ # New ports collection makefile for: openvpn # Date created: 2002-06-23 -# Whom: Matthias Andree <matthias.andree@web.de> +# Whom: Matthias Andree <matthias.andree@gmx.de> # # $FreeBSD: ports/security/openvpn/Makefile,v 1.14 2005/07/14 13:15:47 garga Exp $ # PORTNAME= openvpn -DISTVERSION= 2.0 -PORTREVISION= 3 +DISTVERSION= 2.0.1 CATEGORIES= security MASTER_SITES= http://openvpn.net/release/ MAINTAINER= matthias.andree@gmx.de COMMENT= Secure IP/Ethernet tunnel daemon -LIB_DEPENDS= lzo.1:${PORTSDIR}/archivers/lzo - GNU_CONFIGURE= yes USE_OPENSSL= yes CONFIGURE_TARGET= --build=${ARCH}-portbld-freebsd${OSREL} 
@@ -26,25 +23,31 @@ OPTIONS= PW_SAVE "Interactive passwords may be read from a file" off +USE_RC_SUBR= openvpn.sh + +SUB_FILES= pkg-message + .include <bsd.port.pre.mk> +# NOTE: there is no way to explicitly specify the LZO version to OpenVPN, +# if LZO2 and LZO1 are installed, OpenVPN will pick LZO2. +# So depend on LZO1 only if it's already there and LZO2 isn't. +# PACKAGE_BUILDING will also force LZO2. +.if exists(${LOCALBASE}/lib/liblzo2.so.2) || !exists(${LOCALBASE}/lib/liblzo.so.1) || defined(PACKAGE_BUILDING) +LIB_DEPENDS= lzo2.2:${PORTSDIR}/archivers/lzo2 +.else +LIB_DEPENDS= lzo.1:${PORTSDIR}/archivers/lzo +.endif + .if defined(WITH_PW_SAVE) CONFIGURE_ARGS+= --enable-password-save .endif # self-tests here post-build: - ( set -e ; cd ${WRKSRC} && \ - ./openvpn --genkey --secret key && \ - ./openvpn --test-crypto --secret key && ${RM} key ) - ( set -e ; cd ${WRKSRC} && { \ - ./openvpn --config sample-config-files/loopback-server & \ - ./openvpn --config sample-config-files/loopback-client ; \ - wait ; }) + cd ${WRKSRC} && ${MAKE} check post-install: - ${INSTALL_SCRIPT} ${FILESDIR}/openvpn.sh.sample \ - ${PREFIX}/etc/rc.d/openvpn.sh.sample .if !defined(NOPORTDOCS) ${MKDIR} ${DOCSDIR} .for docs in AUTHORS COPYING COPYRIGHT.GPL ChangeLog INSTALL NEWS \ @@ -56,5 +59,6 @@ | ${GREP} -v easy-rsa/Windows \ | ${CPIO} -pdmu ${DOCSDIR} ) .endif + @${CAT} ${PKGMESSAGE} .include <bsd.port.post.mk> diff -ruN --exclude=CVS /usr/ports/security/openvpn/distinfo /usr/home/emma/ports/security/openvpn/distinfo --- /usr/ports/security/openvpn/distinfo Mon May 30 13:27:16 2005 +++ /usr/home/emma/ports/security/openvpn/distinfo Fri Aug 19 02:01:49 2005 
@@ -1,2 +1,2 @@ -MD5 (openvpn-2.0.tar.gz) = 7401faebc6baee9add32608709c54eec -SIZE (openvpn-2.0.tar.gz) = 639201 +MD5 (openvpn-2.0.1.tar.gz) = fad7a08c0d68371c2c0e6428bcb98fa5 +SIZE (openvpn-2.0.1.tar.gz) = 662428 diff -ruN --exclude=CVS /usr/ports/security/openvpn/files/openvpn.sh.in /usr/home/emma/ports/security/openvpn/files/openvpn.sh.in --- /usr/ports/security/openvpn/files/openvpn.sh.in Thu Jan 1 01:00:00 1970 +++ /usr/home/emma/ports/security/openvpn/files/openvpn.sh.in Fri Aug 19 04:06:25 2005 
@@ -0,0 +1,99 @@ +#!/bin/sh +# +# openvpn.sh - load tun/tap driver and start OpenVPN daemon +# +# (C) Copyright 2005 by Matthias Andree +# based on suggestions by Matthias Grimm and Dirk Gouders +# +# Made in Northrhine-Westphalia, Germany +# +# $FreeBSD$ +# +# This program is free software; you can redistribute it and/or modify it under +# the terms of the GNU General Public License as published by the Free Software +# Foundation; either version 2 of the License, or (at your option) any later +# version. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more +# details. +# +# You should have received a copy of the GNU General Public License along with +# this program; if not, write to the Free Software Foundation, Inc., 51 Franklin +# Street, Fifth Floor, Boston, MA 02110-1301, USA. + +# PROVIDE: openvpn +# REQUIRE: DAEMON +# BEFORE: +# KEYWORD: FreeBSD shutdown + +# ----------------------------------------------------------------------------- +# +# Add the following lines to /etc/rc.conf to enable openvpn at boot-up time: +# +# openvpn_enable="YES" # YES or NO +# openvpn_if="tun" # driver(s) to load, set to "tun", "tap" or "tun tap" +# +# # optional: +# openvpn_flags="" # openvpn command line flags +# openvpn_config="%%PREFIX%%/etc/openvpn/openvpn.conf" # --config file +# openvpn_dir="%%PREFIX%%/etc/openvpn" # --cd directory +# +# You also need to set openvpn_configfile and openvpn_dir, if the configuration +# file and directory where keys and certificates reside differ from the above +# settings. +# +# Note that we deliberately refrain from unloading drivers. +# +# For further documentation, please see openvpn(8). +# + +. %%RC_SUBR%% + +name=openvpn +rcvar=`set_rcvar` + +prefix="%%PREFIX%%" + +openvpn_precmd() +{ + for i in $openvpn_if ; do + if ! 
sysctl debug.if_${i}_debug >/dev/null 2>&1 ; then + if ! kldload if_${i} ; then + warn "Could not load $i module." + return 1 + fi + fi + done + return 0 +} + +stop_postcmd() +{ + rm -f "$pidfile" || warn "Could not remove $pidfile." +} + +# support SIGHUP to reparse configuration file +extra_commands="reload" + +# pidfile +pidfile="/var/run/${name}.pid" + +# command and arguments +command="%%PREFIX%%/sbin/${name}" + +# run this first +start_precmd="openvpn_precmd" +# and this last +stop_postcmd="stop_postcmd" + +load_rc_config ${name} +: ${openvpn_enable="NO"} +: ${openvpn_flags=""} +: ${openvpn_if=""} +: ${openvpn_configfile="${prefix}/etc/openvpn/openvpn.conf"} +: ${openvpn_dir="${prefix}/etc/openvpn"} +required_files="${openvpn_configfile}" +command_args="--cd ${openvpn_dir} --daemon --config ${openvpn_configfile} --writepid ${pidfile}" +run_rc_command "$1" diff -ruN --exclude=CVS /usr/ports/security/openvpn/files/openvpn.sh.sample /usr/home/emma/ports/security/openvpn/files/openvpn.sh.sample --- /usr/ports/security/openvpn/files/openvpn.sh.sample Fri Oct 25 22:55:29 2002 +++ /usr/home/emma/ports/security/openvpn/files/openvpn.sh.sample Thu Jan 1 01:00:00 1970 
@@ -1,19 +0,0 @@ -#! /bin/sh -# (C) 2002 by Matthias Andree - -# This file may be redistributed according to the terms of the GNU General -# Public License, version 2 (two). - -# To use this script, rename it to openvpn.sh and make sure it is -# executable for the owner. - -# This file rouses a security warning at port install time. However, this -# file itself does not start network services, but it loads a kernel driver. -# The security of this file therefore depends on the security of kldload and -# the if_tap driver. - -case x$1 in - xstart) echo -n ' if_tap' ; exec kldload if_tap ;; - xstop) echo -n ' if_tap' ; exec kldunload if_tap ;; - *) echo >&2 "Usage: $0 {start|stop}" -esac diff -ruN --exclude=CVS /usr/ports/security/openvpn/files/pkg-message.in /usr/home/emma/ports/security/openvpn/files/pkg-message.in --- /usr/ports/security/openvpn/files/pkg-message.in Thu Jan 1 01:00:00 1970 +++ /usr/home/emma/ports/security/openvpn/files/pkg-message.in Fri Aug 19 04:04:47 2005 
@@ -0,0 +1,18 @@ +### ------------------------------------------------------------------------ +### The OpenVPN port, since v2.0.1, uses rcNG to start OpenVPN. +### Edit /etc/rc.conf to start OpenVPN automatically at system startup. +### See %%PREFIX%%/etc/rc.d/openvpn.sh for details. +### ------------------------------------------------------------------------ +### To get OpenVPN 2.0 to talk with the 1.5/1.6 versions, you may need to +### edit the 1.X configuration file by adding these lines: +### tun-mtu 1500 +### tun-mtu-extra 32 +### mssfix 1450 +### key-method 2 <- this key-method line only for TLS setups +### - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +### WARNING: THE DEFAULT PORT HAS CHANGED AND IS NOW 1194! +### OpenVPN 1.6 and older used 5000 rather than 1194 as their default +### port, so add the proper port options to your configuration file! +### ------------------------------------------------------------------------ +### For further compatibility, see <http://openvpn.net/relnotes.html> +### ------------------------------------------------------------------------ diff -ruN --exclude=CVS /usr/ports/security/openvpn/pkg-message /usr/home/emma/ports/security/openvpn/pkg-message --- /usr/ports/security/openvpn/pkg-message Mon May 30 13:27:16 2005 +++ /usr/home/emma/ports/security/openvpn/pkg-message Thu Jan 1 01:00:00 1970 
@@ -1,20 +0,0 @@ -### ---------------------------------------------------------------------- ### -### To use the tap driver, you may need to do: kldload if_tap ### -### See ${PREFIX}/etc/rc.d/openvpn.sh.sample for how to do this ### -### automatically at system boot-up time. ### -### ---------------------------------------------------------------------- ### -### To get OpenVPN 2.0 to talk with the 1.5/1.6 versions, you may need to ### -### edit the 1.X configuration file by adding these lines: ### -### ### -### tun-mtu 1500 ### -### tun-mtu-extra 32 ### -### mssfix 1450 ### -### ### -### key-method 2 <- this key-method line only for TLS setups ### -### - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ### -### WARNING: THE DEFAULT PORT HAS CHANGED AND IS NOW 1194! ### -### OpenVPN 1.6 and older used 5000 rather than 1194 as their default ### -### port, so add the proper port options to your configuration file! ### -### ---------------------------------------------------------------------- ### -### For further compatibility, see <http://openvpn.net/relnotes.html> ### -### ---------------------------------------------------------------------- ### diff -ruN --exclude=CVS /usr/ports/security/openvpn/pkg-plist /usr/home/emma/ports/security/openvpn/pkg-plist --- /usr/ports/security/openvpn/pkg-plist Mon May 30 13:27:16 2005 +++ /usr/home/emma/ports/security/openvpn/pkg-plist Fri Aug 19 03:55:03 2005 @@ -1,5 +1,4 @@ sbin/openvpn -etc/rc.d/openvpn.sh.sample %%PORTDOCS%%%%DOCSDIR%%/AUTHORS %%PORTDOCS%%%%DOCSDIR%%/COPYING %%PORTDOCS%%%%DOCSDIR%%/COPYRIGHT.GPL 
@@ -26,6 +25,25 @@ %%PORTDOCS%%%%DOCSDIR%%/easy-rsa/revoke-full %%PORTDOCS%%%%DOCSDIR%%/easy-rsa/sign-req %%PORTDOCS%%%%DOCSDIR%%/easy-rsa/vars +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/README +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-ca +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-dh +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-inter +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-pass +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-pkcs12 +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-server +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-req +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-req-pass +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/clean-all +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/inherit-inter +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/list-crl +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/openssl.cnf +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/pkitool +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/revoke-full +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/scripts +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/sign-req +%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/vars %%PORTDOCS%%%%DOCSDIR%%/sample-config-files/README %%PORTDOCS%%%%DOCSDIR%%/sample-config-files/client.conf %%PORTDOCS%%%%DOCSDIR%%/sample-config-files/firewall.sh @@ -49,5 +67,6 @@ %%PORTDOCS%%%%DOCSDIR%%/sample-scripts/verify-cn %%PORTDOCS%%@dirrm %%DOCSDIR%%/sample-scripts %%PORTDOCS%%@dirrm %%DOCSDIR%%/sample-config-files +%%PORTDOCS%%@dirrm %%DOCSDIR%%/easy-rsa/2.0 %%PORTDOCS%%@dirrm %%DOCSDIR%%/easy-rsa %%PORTDOCS%%@dirrm %%DOCSDIR%% --- openvpn-2.0.1.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
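Review bot: In the Makefile hunk just after `.include <bsd.port.pre.mk>`, the LIB_DEPENDS choice keys on whether `${LOCALBASE}/lib/liblzo2.so.2` or `${LOCALBASE}/lib/liblzo.so.1` happens to exist on the build host, so the same port revision records a different dependency depending on what was installed before the build: a user building on a host that has only lzo-1 gets an lzo-1 dependency, while the PACKAGE_BUILDING case always gets lzo2. That is not reproducible and should be stated in the comment above the `.if`; the port already has an OPTIONS block (PW_SAVE), so a user-visible knob would be the deterministic way to pick the LZO version. Separately, the replacement `post-build` runs `cd ${WRKSRC} && ${MAKE} check` in place of the explicit `--genkey`/`--test-crypto` run and the loopback-server/loopback-client pair; the hunk does not show what `make check` does in 2.0.1, so confirm it still exercises both the crypto self-test and the loopback handshake before dropping the hand-written tests.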
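Review bot: The distinfo hunk records only an MD5 and a size for openvpn-2.0.1.tar.gz. By 2005 MD5 collisions had been demonstrated, so this checksum detects a corrupted download but gives little assurance against a substituted distfile; verify the fetched tarball out of band before trusting the hash, and add a stronger digest alongside the MD5 line as soon as the ports framework accepts one.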
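Review bot: In files/openvpn.sh.in the rc.conf documentation and the script disagree on the name of the config-file variable: the comment block lists `openvpn_config="%%PREFIX%%/etc/openvpn/openvpn.conf"`, but the script only reads `: ${openvpn_configfile="${prefix}/etc/openvpn/openvpn.conf"}` and builds `command_args` from `${openvpn_configfile}`, so anyone who follows the comment and sets openvpn_config in rc.conf will silently get the default file instead. The sentence two lines below the comment already says `openvpn_configfile`; fix the example line to match. Two smaller points in the same hunk: `openvpn_precmd` correctly returns 1 on a failed `kldload` so that start aborts, but with the default `: ${openvpn_if=""}` nothing is loaded at all, so the comment should say that `openvpn_if` must be set whenever tun/tap is not compiled into the kernel; and `command_args="--cd ${openvpn_dir} --daemon --config ${openvpn_configfile} --writepid ${pidfile}"` starts the daemon as root with no `--user`/`--group`, which is acceptable for an rc script but deserves a comment noting that privilege dropping is left to the `user`/`group` directives in the OpenVPN config file.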
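Review bot: The new files/pkg-message.in tells the user to edit /etc/rc.conf and to see %%PREFIX%%/etc/rc.d/openvpn.sh "for details", but it does not name the two variables that matter, `openvpn_enable="YES"` and `openvpn_if`; without the second the script loads no driver (its default is `openvpn_if=""`), which is exactly the case the old message's "kldload if_tap" hint covered. Listing both here keeps the message self-contained. Also, "since v2.0.1, uses rcNG" ties the rc change to an upstream OpenVPN version; it is a change in the port, so phrase it as the 2.0.1 port update rather than the software version.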