From: Matthias Andree
To: Renato Botelho
Cc: freebsd-ports@FreeBSD.org, ports-secteam@freebsd.org, openvpn-devel@lists.sourceforge.net
Subject: Re: security/openvpn23 tarball size mismatch
Date: Thu, 18 May 2017 09:27:04 +0200
Message-ID: <85cba9aa-2ddd-d11b-b06a-d575f667ca44@gmx.de>
References: <9a257a3b-e899-42a8-d67d-7a5b1a559535@FreeBSD.org>
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

On 16.05.2017 at 14:00, Renato Botelho wrote:
> On 16/05/17 08:54, Renato Botelho wrote:
>> Hello Mathias,
>>
>> I was trying to get openvpn23 installed from quarterly branch and got
>> the following error:
>>
>> root@buildbot1:/usr/local/poudriere/ports/pfSense_v2_3/security/openvpn23
>> # make checksum
>> ===> License GPLv2 accepted by the user
>> ===> openvpn23-2.3.15 depends on file: /usr/local/sbin/pkg - found
>> => openvpn-2.3.15.tar.xz doesn't seem to exist in
>> /usr/local/poudriere/ports/pfSense_v2_3/distfiles/.
>> => Attempting to fetch
>> http://swupdate.openvpn.net/community/releases/openvpn-2.3.15.tar.xz
>> fetch:
>> http://swupdate.openvpn.net/community/releases/openvpn-2.3.15.tar.xz:
>> size mismatch: expected 863384, actual 829240
>> => Attempting to fetch
>> http://build.openvpn.net/downloads/releases/openvpn-2.3.15.tar.xz
>> fetch:
>> http://build.openvpn.net/downloads/releases/openvpn-2.3.15.tar.xz: size
>> mismatch: expected 863384, actual 829240
>> => Attempting to fetch
>> http://distcache.FreeBSD.org/ports-distfiles/openvpn-2.3.15.tar.xz
>> fetch:
>> http://distcache.FreeBSD.org/ports-distfiles/openvpn-2.3.15.tar.xz: Not
>> Found
>> => Couldn't fetch it - please try to retrieve this
>> => port manually into /usr/local/poudriere/ports/pfSense_v2_3/distfiles/
>> and try again.
>> *** Error code 1
>>
>> Stop.
>> make: stopped in /usr/local/poudriere/ports/pfSense_v2_3/security/openvpn23
>>
>
> Just FYI, I've downloaded current tarball from OpenVPN website and
> checked it using GPG and it's OK. I'm not sure why they rerolled tarball
> though.
>

Hi Renato,

there is a size difference on the tarballs between swupdate and build.

Working together with Gert Döring via IRC, and diffing the tarballs from
the two download sites, we figured out that the smaller tarball on
build.openvpn.net carries a pre-release tarball that did NOT fix
CVE-2017-7478, only -7479, but should never have been made public.

The bigger tarball on swupdate.openvpn.net carries garbage files that do
not end up in our build, but also carries the fix for BOTH CVE-2017-7478
and -7479.

For details, see the commit log of r441129 at

So I've chosen to remove build.openvpn.net from the DISTSITES for now,
under ports-secteam@'s blanket approval.
Upstream maintainers will need to talk about this and may need to
release 2.3.16 to resolve any uncertainties.

I have uploaded the intact 2.3.15 tarball to my local public_distfiles,
so we can add LOCAL/mandree/ to the DISTSITES later on should that prove
necessary.

Renato, thanks for bringing this up!

Best regards,
Matthias
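
Added example, not part of the original message or of the ports tooling: one way to diff two same-named tarballs from different mirrors, as described above, by hashing every member in memory instead of extracting either archive. The helper names and the two sample archives (file names and contents) are constructed for illustration.

```python
import hashlib
import io
import tarfile


def member_digests(blob: bytes) -> dict:
    """Map each regular file in a tarball to its SHA-256, without extracting to disk."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def diff_tarballs(a: bytes, b: bytes) -> dict:
    """Report files present in only one tarball and files whose content differs."""
    da, db = member_digests(a), member_digests(b)
    return {
        "only_in_a": sorted(da.keys() - db.keys()),
        "only_in_b": sorted(db.keys() - da.keys()),
        "changed": sorted(n for n in da.keys() & db.keys() if da[n] != db[n]),
    }


def make_tarball(files: dict) -> bytes:
    """Build a constructed .tar.xz in memory from {name: bytes} (sample input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed stand-ins for the two mirrors' files; names and contents are invented.
MIRROR_A = make_tarball({
    "pkg-1.0/src/parse.c": b"check_length(buf);\nhandle(buf);\n",
    "pkg-1.0/README": b"readme\n",
    "pkg-1.0/src/parse.c.orig": b"leftover\n",
})
MIRROR_B = make_tarball({
    "pkg-1.0/src/parse.c": b"handle(buf);\n", "pkg-1.0/README": b"readme\n",
})

if __name__ == "__main__":
    print(diff_tarballs(MIRROR_A, MIRROR_B))
```

Files listed under `changed` are the ones to review by hand; `only_in_a` and `only_in_b` surface stray files such as leftovers from a reroll.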