Date: Fri, 8 Aug 2008 00:39:05 +0200 (CEST)
From: Matthias Andree <matthias.andree@gmx.de>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/126356: [MAINTAINER] security/openvpn-devel: security update to 2.1_rc9 (CVE-2008-3459)
Message-ID: <20080807223905.B4934C7E1@merlin.emma.line.org>
Resent-Message-ID: <200808072240.m77Me1aM049041@freefall.freebsd.org>
>Number: 126356 >Category: ports >Synopsis: [MAINTAINER] security/openvpn-devel: security update to 2.1_rc9 (CVE-2008-3459) >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Thu Aug 07 22:40:01 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Matthias Andree >Release: FreeBSD 6.3-STABLE i386 >Organization: >Environment: System: FreeBSD merlin.emma.line.org 6.3-STABLE FreeBSD 6.3-STABLE #36: Tue Jul 29 11:16:09 CEST 2008 >Description: Changes: - Security update to version 2.1_rc9 to fix CVE-2008-3459 (arbitrary code execution). - VulnDB update was submitted in a previous PR. - Add PKCS#11 option which explicitly disables PKCS11 at build time if not desired to avoid invisible pkcs11-helper dependency, else openvpn would silently pick up security/pkcs11-helper. Added file: - files/patch-update-t_cltsrv (to be forwarded to upstream maintainer, works around recent security tightening for scripts) Generated with FreeBSD Port Tools 0.77 >How-To-Repeat: >Fix: --- openvpn-devel-2.1.r9.patch begins here --- diff -ruN --exclude=CVS /usr/ports/security/openvpn-devel/Makefile /usr/home/emma/ports/security/openvpn-devel/Makefile --- /usr/ports/security/openvpn-devel/Makefile 2008-07-18 14:16:20.000000000 +0200 +++ /usr/home/emma/ports/security/openvpn-devel/Makefile 2008-08-08 00:18:20.000000000 +0200 @@ -6,10 +6,9 @@ # PORTNAME= openvpn -DISTVERSION= 2.1_rc8 -PORTREVISION= 1 +DISTVERSION= 2.1_rc9 CATEGORIES= security net -MASTER_SITES= https://secure.openvpn.net/beta/ +MASTER_SITES= http://openvpn.net/release/ PKGNAMESUFFIX= -devel MAINTAINER= matthias.andree@gmx.de 
@@ -26,7 +25,8 @@ MAN8= openvpn.8 -OPTIONS= PW_SAVE "Interactive passwords may be read from a file" off +OPTIONS= PW_SAVE "Interactive passwords may be read from a file" off \ + PKCS11 "Use security/pkcs11-helper" off USE_RC_SUBR= openvpn.sh USE_LDCONFIG= ${PREFIX}/lib @@ -52,6 +52,12 @@ CONFIGURE_ARGS+= --enable-password-save .endif +.if defined(WITH_PKCS11) +LIB_DEPENDS+= pkcs11-helper.1:${PORTSDIR}/security/pkcs11-helper +.else +CONFIGURE_ARGS+= --disable-pkcs11 +.endif + post-patch: @${FIND} ${WRKSRC} -name \*.orig -delete diff -ruN --exclude=CVS /usr/ports/security/openvpn-devel/distinfo /usr/home/emma/ports/security/openvpn-devel/distinfo --- /usr/ports/security/openvpn-devel/distinfo 2008-07-18 14:16:20.000000000 +0200 +++ /usr/home/emma/ports/security/openvpn-devel/distinfo 2008-08-07 22:57:14.000000000 +0200 @@ -1,3 +1,3 @@ -MD5 (openvpn-2.1_rc8.tar.gz) = 059dfb6e21b503687c6b4a8a1b0034ac -SHA256 (openvpn-2.1_rc8.tar.gz) = 0c80db02ff783b23f91f230bc769aaec96bab405106829283a3b9c4702822ed0 -SIZE (openvpn-2.1_rc8.tar.gz) = 809545 +MD5 (openvpn-2.1_rc9.tar.gz) = f435e4ad43cf4323e942da570bae4951 +SHA256 (openvpn-2.1_rc9.tar.gz) = f73ec227a5fb7f4c73190e7ae52a59a4db149e8d628f22e8a0a762a58fbb424d +SIZE (openvpn-2.1_rc9.tar.gz) = 818716 diff -ruN --exclude=CVS /usr/ports/security/openvpn-devel/files/patch-update-t_cltsrv /usr/home/emma/ports/security/openvpn-devel/files/patch-update-t_cltsrv --- /usr/ports/security/openvpn-devel/files/patch-update-t_cltsrv 1970-01-01 01:00:00.000000000 +0100 +++ /usr/home/emma/ports/security/openvpn-devel/files/patch-update-t_cltsrv 2008-08-07 23:55:36.000000000 +0200 
@@ -0,0 +1,23 @@ +--- ./t_cltsrv.sh.orig 2008-08-07 23:14:55.000000000 +0200 ++++ ./t_cltsrv.sh 2008-08-07 23:53:27.000000000 +0200 +@@ -38,11 +38,13 @@ + fi + ;; + esac ++downscript="${srcdir}/t_cltsrv-down.sh" ++test -x $downscript || chmod +x $downscript || { echo >&2 "$downscript is not executable, failing." ; exit 1 ; } + echo "the following test will take about two minutes..." >&2 + set +e + ( +-./openvpn --cd "${srcdir}" ${addopts} --down 'echo "srv:${signal}" >&3 ; : #' --tls-exit --ping-exit 180 --config sample-config-files/loopback-server & +-./openvpn --cd "${srcdir}" ${addopts} --down 'echo "clt:${signal}" >&3 ; : #' --tls-exit --ping-exit 180 --config sample-config-files/loopback-client ++./openvpn --script-security 2 --cd "${srcdir}" ${addopts} --setenv role srv --down "$downscript" --tls-exit --ping-exit 180 --config sample-config-files/loopback-server & ++./openvpn --script-security 2 --cd "${srcdir}" ${addopts} --setenv role clt --down "$downscript" --tls-exit --ping-exit 180 --config sample-config-files/loopback-client + ) 3>log.$$.signal >log.$$ 2>&1 + e1=$? + wait $! +--- ./t_cltsrv-down.sh.orig 2008-08-07 23:24:40.000000000 +0200 ++++ ./t_cltsrv-down.sh 2008-08-07 23:28:40.000000000 +0200 +@@ -0,0 +1,2 @@ ++#! /bin/sh ++echo "${role}:${signal}" >&3 --- openvpn-devel-2.1.r9.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
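Review bot: In the first Makefile hunk (@@ -6,10 +6,9 @@), MASTER_SITES moves from https://secure.openvpn.net/beta/ to plain http://openvpn.net/release/, so the tarball for a security update is fetched without transport protection and the distinfo entry becomes the only integrity check. If the release directory is also reachable over HTTPS, keep an https:// URL here; otherwise state in the commit message how the new SHA256 value in distinfo was checked against upstream. Dropping PORTREVISION together with the DISTVERSION bump is fine.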
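Review bot: In the Makefile hunk at @@ -52,6 +52,12 @@, the WITH_PKCS11 branch only adds LIB_DEPENDS and passes nothing to configure, so PKCS#11 support in that case still rests on configure auto-detecting the helper, while the .else branch is explicit with --disable-pkcs11. Pass the matching enable switch in the WITH_PKCS11 branch too, so both branches state the intended result. Because the new option defaults to off in OPTIONS, builds that previously picked up security/pkcs11-helper silently will lose PKCS#11 on upgrade; that behaviour change deserves a line in the commit message or UPDATING.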
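Review bot: In files/patch-update-t_cltsrv, the added line `test -x $downscript || chmod +x $downscript || { ... }` expands $downscript unquoted, although the assignment just above it quotes "${srcdir}/t_cltsrv-down.sh"; with a source directory containing whitespace or glob characters, test and chmod would operate on the wrong words. Quote "$downscript" in both commands. The chmod fallback also changes file modes under ${srcdir} during a test run, so a one-line comment saying that patch creates t_cltsrv-down.sh without the execute bit would tell the upstream maintainer why it is there.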