field | value | date
---|---|---
author | Matthias Andree <mandree@FreeBSD.org> | 2016-05-14 13:33:13 +0000
committer | Matthias Andree <mandree@FreeBSD.org> | 2016-05-14 13:33:13 +0000
commit | 2263fd2b03a2b747b07a4fb8bcec854c1cc379b8 |
tree | 5a997e3fbc38546b8bb6b73733f804bfde400ab3 |
parent | 31934f7867b195ca875b49009c36090eedc96f89 |
download | ports-2263fd2b03a2b747b07a4fb8bcec854c1cc379b8.tar.gz, ports-2263fd2b03a2b747b07a4fb8bcec854c1cc379b8.zip |
MFH: r412540 r412541 r415093 r415116
Work around 10.3-RELEASE's service(8) shortcomings (r412540)
and to fix /usr/sbin/service -R (r412541).
PR: 208534
Reported by: allan@saddi.com
r415093 (2.3.11 upgrade) and r415116 (the polarssl fix-up) together:
Security upgrade to OpenVPN 2.3.11.
Quoting upstream maintainers' release notes:
"This release fixes two vulnerabilities: a port-share bug with DoS
potential and a buffer overflow by user supplied data when using pam
authentication. In addition a number of small fixes and improvements are
included."
Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
The upstream backported a change from the master branch that fixes the
PolarSSL-based builds to go with the PolarSSL 1.3.X built-in defaults.
Approved by: ports-secteam (junovich)
PR: 209498
Security: 0dc8be9e-19af-11e6-8de0-080027ef73ec
Notes:
svn path=/branches/2016Q2/; revision=415187
file | lines changed | insertions | deletions
---|---|---|---
security/openvpn/Makefile | 2 | 1 | 1
security/openvpn/distinfo | 4 | 2 | 2
security/openvpn/files/openvpn.in | 12 | 12 | 0
security/openvpn/files/patch-629baad8 (new file) | 37 | 37 | 0
4 files changed, 52 insertions, 3 deletions
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile index 2ff626823032..3fa4c0dd8ecb 100644 --- a/security/openvpn/Makefile +++ b/security/openvpn/Makefile @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= openvpn -DISTVERSION= 2.3.10 +DISTVERSION= 2.3.11 CATEGORIES= security net MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \ http://build.openvpn.net/downloads/releases/ diff --git a/security/openvpn/distinfo b/security/openvpn/distinfo index 5a1164583fad..9c89160bf730 100644 --- a/security/openvpn/distinfo +++ b/security/openvpn/distinfo @@ -1,2 +1,2 @@ -SHA256 (openvpn-2.3.10.tar.xz) = c54dbf91d47b9533fac3b94d2b5719bdbe0d081fe8245184f91ef8a871d22003 -SIZE (openvpn-2.3.10.tar.xz) = 818152 +SHA256 (openvpn-2.3.11.tar.xz) = 0f5f1ca1dc5743fa166d93dd4ec952f014b5f33bafd88f0ea34b455cae1434a7 +SIZE (openvpn-2.3.11.tar.xz) = 833496 diff --git a/security/openvpn/files/openvpn.in b/security/openvpn/files/openvpn.in index f4f1dbdbb7ad..ff21fad80898 100644 --- a/security/openvpn/files/openvpn.in +++ b/security/openvpn/files/openvpn.in @@ -64,17 +64,29 @@ . /etc/rc.subr +# service(8) does not create an authentic environment, try to guess, +# and as of 10.3-RELEASE-p0, it will not find the indented name= +# assignments below. So give it a default. +# Trailing semicolon also for service(8)'s benefit: +name="$file" ; + case "$0" in /etc/rc*) # during boot (shutdown) $0 is /etc/rc (/etc/rc.shutdown), # so get the name of the script from $_file name="$_file" ;; +*/service) + # do not use this as $0 + ;; *) name="$0" ;; esac +# default name to "openvpn" if guessing failed +# Trailing semicolon also for service(8)'s benefit: +name="${name:-openvpn}" ; name="${name##*/}" rcvar=${name}_enable diff --git a/security/openvpn/files/patch-629baad8 b/security/openvpn/files/patch-629baad8 new file mode 100644 index 000000000000..13b574b44cfe --- /dev/null +++ b/security/openvpn/files/patch-629baad8 
@@ -0,0 +1,37 @@ +commit 629baad8f89af261445a2ace03694601f8e476f9 +Author: Steffan Karger <steffan@karger.me> +Date: Fri May 13 08:54:52 2016 +0200 + + Fix polarssl / mbedtls builds + + Commit 8a399cd3 hardened the OpenSSL default cipher list, + but also introduced a change in shared code that causes + polarssl / mbedtls builds to break when no --tls-cipher is + specified. + + This fix is backported code from the master branch. + + Signed-off-by: Steffan Karger <steffan@karger.me> + Acked-by: Gert Doering <gert@greenie.muc.de> + Message-Id: <1463122492-701-1-git-send-email-steffan@karger.me> + URL: http://article.gmane.org/gmane.network.openvpn.devel/11647 + Signed-off-by: Gert Doering <gert@greenie.muc.de> + +diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c +index 1f58369..9263698 100644 +--- ./src/openvpn/ssl_polarssl.c ++++ ./src/openvpn/ssl_polarssl.c +@@ -176,7 +176,12 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) + { + char *tmp_ciphers, *tmp_ciphers_orig, *token; + int i, cipher_count; +- int ciphers_len = strlen (ciphers); ++ int ciphers_len; ++ ++ if (NULL == ciphers) ++ return; /* Nothing to do */ ++ ++ ciphers_len = strlen (ciphers); + + ASSERT (NULL != ctx); + ASSERT (0 != ciphers_len); |
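Review bot: in the Makefile hunk the DISTVERSION bump to 2.3.11 leaves both MASTER_SITES entries on plain http://, so the new SHA256 line in the distinfo hunk is the only integrity check on the fetched tarball. The distinfo update itself is consistent (file name follows the new version, SIZE grows from 818152 to 833496), but the commit message should record where the checksum was taken from (an https fetch or the upstream-signed tarball) rather than leaving a reader to assume it was regenerated with `make makesum` against these unauthenticated mirrors.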
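Review bot: the `*/service)` arm in the openvpn.in hunk intentionally leaves `name` at whatever `$file` held, and `name="${name:-openvpn}" ;` then falls back to "openvpn" silently whenever that was empty; since `rcvar=${name}_enable` is derived from it, an instance script reaching this path under a different name would be treated as the plain openvpn instance with no indication. Emit a warning when the default is taken, e.g. `[ -z "$name" ] && warn "cannot determine instance name from \$0=$0, assuming openvpn"` (`warn` comes from the `. /etc/rc.subr` line at the top of the hunk). The two column-zero `name=` assignments with trailing `;` are load-bearing for service(8), as the comments say; state explicitly that they must stay unindented and keep the semicolon, because the `# Trailing semicolon also for service(8)'s benefit:` comments only hint at it and a future cleanup could break `service -R` again.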
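Review bot: in the patch-629baad8 hunk the new `if (NULL == ciphers) return;` sits above `ASSERT (NULL != ctx);`, so a caller that passes a NULL ctx together with a NULL cipher list now returns quietly instead of tripping the assertion; move the NULL-ciphers early return below the ctx assert so the contract on `ctx` is still enforced on every path. Also worth a one-line comment: `ASSERT (0 != ciphers_len);` remains, so an empty but non-NULL `--tls-cipher` string still aborts while a NULL one is now a no-op, and the two cases are easy to confuse when reading this function later.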