aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authormandree <mandree@FreeBSD.org>2013-04-01 00:00:02 +0800
committermandree <mandree@FreeBSD.org>2013-04-01 00:00:02 +0800
commitcd43147c7574a27d6e993b413bc35ab9a765de42 (patch)
tree4b52f22d1163f4ef51e436e1d8ea9a2f7a49db9d /security
parent752612f3eed46e985a0bba5eca484122608265e5 (diff)
downloadfreebsd-ports-gnome-cd43147c7574a27d6e993b413bc35ab9a765de42.tar.gz
freebsd-ports-gnome-cd43147c7574a27d6e993b413bc35ab9a765de42.tar.zst
freebsd-ports-gnome-cd43147c7574a27d6e993b413bc35ab9a765de42.zip
security upgrade to OpenVPN 2.3.1; upstream release notes are
"This release adds supports for PolarSSL 1.2. It also adds a fix to prevent potential side-channel attacks by switching to a constant-time memcmp when comparing HMACs in the openvpn_decrypt function. In addition, it contains several bugfixes and documentation updates, as well as some minor enhancements." Full ChangeLog: <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23> The port upgrade also offers an option to use the GPLv2+-licensed PolarSSL instead of OpenSSL (which brings in a license mix). PR: ports/177517 Reviewed by: miwi Approved by: portmgr (miwi) Security: 92f30415-9935-11e2-ad4c-080027ef73ec
Diffstat (limited to 'security')
-rw-r--r--security/openvpn/Makefile21
-rw-r--r--security/openvpn/distinfo4
-rw-r--r--security/vuxml/vuln.xml27
3 files changed, 43 insertions, 9 deletions
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index a3cdd6640b2e..0b54dd2affc5 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -2,8 +2,7 @@
# $FreeBSD$
PORTNAME= openvpn
-DISTVERSION= 2.3.0
-PORTREVISION= 3
+DISTVERSION= 2.3.1
CATEGORIES= security net
MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \
http://build.openvpn.net/downloads/releases/
@@ -16,18 +15,19 @@ LICENSE= GPLv2
CONFLICTS_INSTALL= openvpn-2.[!3].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]*
GNU_CONFIGURE= yes
-USE_OPENSSL= yes
USE_XZ= yes
# let OpenVPN's configure script pick up the requisite libraries:
CPPFLAGS+= -I${LOCALBASE}/include
LDFLAGS+= -L${LOCALBASE}/lib
-# PolarSSL is not provided; OpenVPN does not currently compile with PolarSSL 1.2.0+
OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA
-OPTIONS_DEFAULT= EASYRSA
+OPTIONS_DEFAULT= EASYRSA OPENSSL
+OPTIONS_SINGLE= SSL
+OPTIONS_SINGLE_SSL= OPENSSL POLARSSL
PW_SAVE_DESC= Interactive passwords may be read from a file
PKCS11_DESC= Use security/pkcs11-helper
EASYRSA_DESC= Install security/easy-rsa RSA helper package
+POLARSSL_DESC= SSL/TLS support via PolarSSL
.include <bsd.port.options.mk>
@@ -40,7 +40,15 @@ INSTALL_TARGET= install DESTDIR=${_stagedir}
RUN_DEPENDS+= easy-rsa>=0:${PORTSDIR}/security/easy-rsa
.endif
-INSTALL_TARGET+= mandir=${MANPREFIX}/man
+.if ${PORT_OPTIONS:MPOLARSSL}
+LIB_DEPENDS+= polarssl:${PORTSDIR}/security/polarssl
+CONFIGURE_ARGS+= --with-crypto-library=polarssl
+.else
+USE_OPENSSL= yes
+CONFIGURE_ARGS+= --with-crypto-library=openssl
+.endif
+
+.INSTALL_TARGET+= mandir=${MANPREFIX}/man
MAN8= openvpn.8
USE_RC_SUBR= openvpn
@@ -98,7 +106,6 @@ post-install:
${INSTALL_DATA} ${_stagedir}${PREFIX}/include/* ${PREFIX}/include/
${INSTALL_MAN} ${_stagedir}${PREFIX}/man/man8/* ${MAN8PREFIX}/man/man8/
.if ${PORT_OPTIONS:MDOCS}
- -${RMDIR} ${_stagedir}${DOCSDIR}/sample
(cd ${_stagedir}${DOCSDIR} && ${COPYTREE_SHARE} \* ${DOCSDIR}/)
.for i in AUTHORS ChangeLog PORTS
${INSTALL_MAN} ${WRKSRC}/${i} ${DOCSDIR}/
diff --git a/security/openvpn/distinfo b/security/openvpn/distinfo
index 0a0ff0d9b6fe..b585f0193426 100644
--- a/security/openvpn/distinfo
+++ b/security/openvpn/distinfo
@@ -1,2 +1,2 @@
-SHA256 (openvpn-2.3.0.tar.xz) = a9fcf7bc1c1cd88cd8867ff567e8f8df5e695f0e983bd0aed3a3e1f6ae14d107
-SIZE (openvpn-2.3.0.tar.xz) = 762052
+SHA256 (openvpn-2.3.1.tar.xz) = 9d7723ea83cdc0c78b32005f4b9c1f7ca1cc9e53e90b77bd643a203e6189884b
+SIZE (openvpn-2.3.1.tar.xz) = 776076
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 3a0bd202d06d..cd630b35a7e0 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -51,6 +51,33 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="92f30415-9935-11e2-ad4c-080027ef73ec">
+ <topic>OpenVPN -- potential side-channel/timing attack when comparing HMACs</topic>
+ <affects>
+ <package>
+ <name>openvpn</name>
+ <range><lt>2.3.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The OpenVPN project reports:</p>
+ <blockquote cite="https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.1<">
+ <p>[OpenVPN 2.3.1 adds a fix to prevent potential side-channel
+ attacks by switching to a] constant time memcmp when comparing HMACs in [the] openvpn_decrypt [function].</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.1</url>
+ <url>http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=commit;h=11d21349a4e7e38a025849479b36ace7c2eec2ee</url>
+ </references>
+ <dates>
+ <discovery>2013-03-19</discovery>
+ <entry>2013-03-31</entry>
+ </dates>
+ </vuln>
+
<vuln vid="843a4641-9816-11e2-9c51-080027019be0">
<topic>libxml2 -- cpu consumption Dos</topic>
<affects>