From owner-freebsd-ports-bugs@FreeBSD.ORG Wed Apr 5 10:30:18 2006
Date: Wed, 05 Apr 2006 12:29:13 +0200
From: Matthias Andree
Sender: Matthias Andree
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: ports/95345: [MAINTAINER] security/openvpn: SECURITY UPDATE to 2.0.6
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Ports bug reports
X-List-Received-Date: Wed, 05 Apr 2006 10:30:18 -0000

>Number: 95345
>Category: ports
>Synopsis: [MAINTAINER] security/openvpn: SECURITY UPDATE to 2.0.6
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Wed Apr 05 10:30:16 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Matthias Andree
>Release: FreeBSD 6.1-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD libertas.emma.line.org 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #19: Sat Apr 1 13:04:50 CEST
>Description:
- Update to 2.0.6
- security fix for client LD_PRELOAD code injection vulnerability through
  compromised upstream servers (FreeBSD VuXML Vuln VID
  be4ccb7b-c48b-11da-ae12-0002b3b60e4c, filed in separate PR)
  CVE id not known yet
- 2 other changes only relevant for Linux and NetBSD, not detailed here.

Removed file(s):
- files/patch-tests-for-jail (merged upstream)

Generated with FreeBSD Port Tools 0.63
>How-To-Repeat:
>Fix:

--- openvpn-2.0.6.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/security/openvpn/Makefile /usr/home/emma/ports/security/openvpn/Makefile --- /usr/ports/security/openvpn/Makefile Thu Nov 10 16:05:42 2005 +++ /usr/home/emma/ports/security/openvpn/Makefile Wed Apr 5 12:25:56 2006
@@ -6,8 +6,7 @@ # PORTNAME= openvpn -PORTVERSION= 2.0.5 -PORTREVISION= 1 +PORTVERSION= 2.0.6 CATEGORIES= security net # MASTER_SITES points to hosts in distinct data centers, # so just one MASTER_SITES entry should be OK. diff -ruN --exclude=CVS /usr/ports/security/openvpn/distinfo /usr/home/emma/ports/security/openvpn/distinfo --- /usr/ports/security/openvpn/distinfo Thu Nov 10 16:05:42 2005 +++ /usr/home/emma/ports/security/openvpn/distinfo Wed Apr 5 12:04:59 2006 @@ -1,3 +1,3 @@ -MD5 (openvpn-2.0.5.tar.gz) = 4bd7a42991c93db23842a0992debe53b -SHA256 (openvpn-2.0.5.tar.gz) = d72d90ff9e915c3376c834ce33a0349de0a8eacb3f2b80be49696b72a1840a9f -SIZE (openvpn-2.0.5.tar.gz) = 662647 +MD5 (openvpn-2.0.6.tar.gz) = 8d2f95fa825e58363a676b25d4815aa7 +SHA256 (openvpn-2.0.6.tar.gz) = 1074c9fb5a7881e6d4ff0b125cf1e44a9fb650beef187f061785698522453003 +SIZE (openvpn-2.0.6.tar.gz) = 664816 diff -ruN --exclude=CVS /usr/ports/security/openvpn/files/patch-tests-for-jail /usr/home/emma/ports/security/openvpn/files/patch-tests-for-jail --- /usr/ports/security/openvpn/files/patch-tests-for-jail Tue Feb 28 17:25:43 2006 +++ /usr/home/emma/ports/security/openvpn/files/patch-tests-for-jail Thu Jan 1 01:00:00 1970 
@@ -1,67 +0,0 @@ ---- t_lpback.sh~ -+++ t_lpback.sh -@@ -19,11 +19,13 @@ - # 02110-1301, USA. - - set -e --trap "rm -f key.$$ log.$$ ; false" 1 2 3 15 -+trap "rm -f key.$$ log.$$ ; trap 0 ; exit 77" 1 2 15 -+trap "rm -f key.$$ log.$$ ; exit 1" 0 3 - ./openvpn --genkey --secret key.$$ - set +e - ( ./openvpn --test-crypto --secret key.$$ ) >log.$$ 2>&1 - e=$? - if [ $e != 0 ] ; then cat log.$$ ; fi --rm key.$$ -+rm key.$$ log.$$ -+trap 0 - exit $e ---- t_cltsrv.sh~ -+++ t_cltsrv.sh -@@ -19,20 +19,41 @@ - # 02110-1301, USA. - - set -e -+trap "rm -f log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15 -+trap "rm -f log.$$ log.$$.signal ; exit 1" 0 3 -+addopts= -+case `uname -s` in -+ FreeBSD) -+ # FreeBSD jails map the outgoing IP to the jail IP - we need to -+ # allow the real IP unless we want the test to run forever. -+ if test "`sysctl 2>/dev/null -n security.jail.jailed`" = 1 \ -+ || ps -ostate= -p $$ | grep -q J; then -+ addopts="--float" -+ if test "x`ifconfig | grep inet`" = x ; then -+ echo "###" -+ echo "### To run the test in a FreeBSD jail, you MUST add an IP alias for the jail's IP." -+ echo "###" -+ exit 1 -+ fi -+ fi -+ ;; -+esac - echo "the following test will run about two minutes..." >&2 --trap "rm -f log.$$ ; false" 1 2 3 15 - set +e - ( --./openvpn --cd "${srcdir}" --config sample-config-files/loopback-server & --./openvpn --cd "${srcdir}" --config sample-config-files/loopback-client --) >log.$$ 2>&1 -+./openvpn --cd "${srcdir}" ${addopts} --down 'echo "srv:${signal}" >&3 ; : #' --tls-exit --ping-exit 180 --config sample-config-files/loopback-server & -+./openvpn --cd "${srcdir}" ${addopts} --down 'echo "clt:${signal}" >&3 ; : #' --tls-exit --ping-exit 180 --config sample-config-files/loopback-client -+) 3>log.$$.signal >log.$$ 2>&1 - e1=$? - wait $! - e2=$? 
-+grep -v ":inactive$" log.$$.signal >/dev/null && { cat log.$$.signal ; echo ; cat log.$$ ; exit 1 ; } -+ - set -e - - if [ $e1 != 0 ] || [ $e2 != 0 ] ; then - cat log.$$ - exit 1 - fi --rm log.$$ -+rm log.$$ log.$$.signal -+trap 0 --- openvpn-2.0.6.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
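
Review bot: nothing in the PR says how openvpn-2.0.6.tar.gz was authenticated before its new MD5, SHA256 and SIZE values were recorded in the distinfo hunk, and those three lines are the only integrity anchor the port will have for this security update. Before commit, fetch the tarball independently from the MASTER_SITES host and confirm it matches the SHA256 and SIZE lines as submitted; a matching MD5 alone should not be taken as sufficient.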
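
Review bot: deleting files/patch-tests-for-jail in full (the @@ -1,67 +0,0 @@ hunk) is only safe if the 2.0.6 tarball's t_lpback.sh and t_cltsrv.sh already contain these changes, which the description asserts ("merged upstream") but the diff itself cannot show. Please confirm that upstream's t_cltsrv.sh carries the jail check that sets addopts="--float" and the --tls-exit --ping-exit 180 options, since the removed comment states the test otherwise runs forever inside a FreeBSD jail; if upstream differs, keep a reduced patch rather than dropping the file.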