| author | Gert Doering <gert@greenie.muc.de> | 2025-08-01 15:07:38 +0200 |
|---|---|---|
| committer | Matthias Andree <mandree@FreeBSD.org> | 2025-09-26 01:52:06 +0200 |
| commit | 0a38d940c92eb658857f225ceca9a8aa66f2918f (patch) | |
| tree | 3deab176f9d69f2291c442fce07aa65cabc304c3 | |
| parent | b882b11e7920485de2e42f6c948734c5a1fb0a7b (diff) | |
security/openvpn-devel: upgrade port to git commit 0fb5a00549 (2.7_beta2, 2025-09-25)
This is a MFH combined (squashed) from four commits from main to 2025Q3
to fix CVE-2025-10680.
Two patches were skipped because they are a change that got reverted in a
later commit. I'll leave Gert as the author of most patches;
my contribution was only the "fix mbedTLS3 bootstrapping" -- Matthias Andree, mandree@
----------------
security/openvpn-devel: upgrade port to git commit 7b1b283478 (2.7_alpha3, 2025-07-31)
This commit brings the port to "openvpn 2.7_alpha3".
For FreeBSD, the most significant change is that "floating clients with
DCO" are supported, if the kernel has support for it (-current).
Platform-independently, the "big new feature" is client-side support
for PUSH_UPDATE (send new configuration data while a client-server
connection is established).
(cherry picked from commit cd97894175202e9ca2358cb9be360f286f472bdd)
----------------
security/openvpn-devel: upgrade port to git commit 1e7b9a0fb0 (2.7_beta1, 2025-09-03)
This commit brings the port to "openvpn 2.7_beta1".
New features alpha3 -> beta1 are
- a large number of signed/unsigned related warnings have been fixed
- bugfixes in --dns-updown script for linux systems using resolvconf
- rewrite of the management interface "bytecount" infrastructure to better
interact with DCO
- PUSH_UPDATE server support (via management interface)
- introduction of route_redirect_gateway_ipv4 and _ipv6 env variables
- speeding up t_client tests by reducing per-test startup delay 3s -> 1s
The biggest noticeable difference in beta1 is the reformatting using
clang-format, leaving uncrustify as that wasn't stable across versions.
PR: 289315
(cherry picked from commit c31236c680ee48f640b86a94d41838c80153568a)
----------------
security/openvpn-devel: fix mbedTLS3 bootstrapping
and switch to depend on the net/mbedtls3 port,
as we no longer carry mbedtls2 in ports.
Also, mbedTLS 3 supports TLSv1.3, so drop our local MBEDTLS_DESC
and go with the official description instead.
Approved by: Gert Doering (maintainer, via IRC)
Related to:
PR: 289315
(cherry picked from commit 97ca816e6d79034bf936814d19e0a1d27d038bf5)
----------------
security/openvpn-devel: upgrade port to git commit 0fb5a00549 (2.7_beta2, 2025-09-25)
This commit brings the port to "openvpn 2.7_beta2".
Notable changes beta1 -> beta2 (relevant for FreeBSD) are:
- even more of signed/unsigned related warnings have been fixed
- #pragmas have been added to all to-be-fixed source files, so we can
now always enable -Wconversion to see if new code brings new warnings
(and the CI infra builds with -Werror)
- add proper input sanitation to DNS strings to prevent an attack
coming from a trusted-but-malicious OpenVPN server (CVE: 2025-10680,
affects unixoid systems with --dns-updown scripts and windows using
the built-in powershell call)
- Switch test_ssl certificate from RSA 2048 to secp384r1
(so "make check" runs with OpenSSL set to @SECLEVEL=3)
- clean up MI prefix handling
- replace all assert() calls with OpenVPN ASSERT()
PR: 289838
Security: e5cf9f44-9a64-11f0-8241-93c889bb8de1
Security: CVE-2025-10680
MFH: 2025Q3
(cherry picked from commit 5f2c6fc6b90582ad187be6c0387b059f2f0dfefb)
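The beta2 item about sanitising server-pushed DNS strings describes a classic boundary problem: configuration that arrives from a remote peer is handed to a hook script (a `--dns-updown` shell script, or the PowerShell call on Windows), so any string the peer controls must be validated before it can reach a command interpreter. The following is an added illustration of that class of check and is not OpenVPN's code, not the port's, and not the fix referenced by CVE-2025-10680; the environment variable names and the sample inputs are constructed for the example.

```python
"""Fail-closed validation of server-pushed DNS settings before they are
exported to a hook script.

Added illustration, not OpenVPN's own code.  A VPN server is trusted to
push DNS configuration, but a malicious or compromised server must not be
able to smuggle interpreter syntax through a resolver or search-domain
string.  Variable names (dns_server_N, dns_search_domain_N) are hypothetical.
"""
import ipaddress
import re

# One DNS label: 1-63 chars of letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
MAX_DOMAIN_LEN = 253


def valid_dns_server(value: str) -> bool:
    """Accept only a literal IPv4 or IPv6 address; everything else is rejected."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def valid_search_domain(value: str) -> bool:
    """Accept only RFC 1035-style names: dot-separated labels, at most 253 chars.

    A single trailing dot (fully qualified form) is tolerated; anything that is
    not a label character, including whitespace and shell metacharacters, fails.
    """
    if not value or len(value) > MAX_DOMAIN_LEN:
        return False
    name = value[:-1] if value.endswith(".") else value
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def build_script_env(servers, domains):
    """Return the environment a hook script would receive, or raise ValueError.

    Fail closed: one bad string rejects the whole pushed DNS block instead of
    passing the acceptable parts along with a mangled one.
    """
    env = {}
    for i, srv in enumerate(servers, start=1):
        if not valid_dns_server(srv):
            raise ValueError(f"rejected DNS server string: {srv!r}")
        env[f"dns_server_{i}"] = srv  # hypothetical variable name
    for i, dom in enumerate(domains, start=1):
        if not valid_search_domain(dom):
            raise ValueError(f"rejected search domain string: {dom!r}")
        env[f"dns_search_domain_{i}"] = dom  # hypothetical variable name
    return env


if __name__ == "__main__":
    # Constructed samples: a well-formed push, then one carrying shell syntax.
    print(build_script_env(["10.8.0.1", "2001:db8::53"], ["corp.example", "lab.example."]))
    try:
        build_script_env(["10.8.0.1"], ["corp.example; ls"])
    except ValueError as exc:
        print("blocked:", exc)
```

The design choice worth noting is allow-listing rather than escaping: the accepted grammar for each field is small and well defined, so the validator accepts exactly that grammar and the hook script never has to reason about quoting for whatever interpreter it runs under.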
| -rw-r--r-- | security/openvpn-devel/Makefile | 7 |
| -rw-r--r-- | security/openvpn-devel/distinfo | 6 |
2 files changed, 6 insertions, 7 deletions
diff --git a/security/openvpn-devel/Makefile b/security/openvpn-devel/Makefile index d41e0dba4a73..b97bf2df6c61 100644 --- a/security/openvpn-devel/Makefile +++ b/security/openvpn-devel/Makefile @@ -1,5 +1,5 @@ PORTNAME= openvpn -DISTVERSION= g20250629 +DISTVERSION= g20250925 PORTREVISION= 0 # leave in even if 0 to avoid accidental PORTEPOCH bumps PORTEPOCH= 1 CATEGORIES= security net net-vpn @@ -21,7 +21,7 @@ LIB_DEPENDS+= liblzo2.so:archivers/lzo2 USES= autoreconf cpe libtool pkgconfig python:build shebangfix tar:xz IGNORE_SSL= libressl libressl-devel USE_GITLAB= yes -GL_TAGNAME= df4863aa0e43544ea82ab9d98966a03a95c62334 +GL_TAGNAME= 0fb5a00549be6b065f9a4d61940ee06786d9fa61 USE_RC_SUBR= openvpn SHEBANG_FILES= sample/sample-scripts/auth-pam.pl \ @@ -63,7 +63,6 @@ OPTIONS_EXCLUDE_FreeBSD_13= DCO # FreeBSD 14 only DCO_DESC= Build with Data Channel Offload (ovpn(4)) support EASYRSA_DESC= Install security/easy-rsa RSA helper package -MBEDTLS_DESC= SSL/TLS via mbedTLS (lacks TLS v1.3) PKCS11_DESC= Use security/pkcs11-helper SMALL_DESC= Build a smaller executable with fewer features X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only) @@ -77,7 +76,7 @@ EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4 LZ4_CONFIGURE_OFF= --disable-lz4 -MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls2 +MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls3 MBEDTLS_CONFIGURE_ON= --with-crypto-library=mbedtls OPENSSL_USES= ssl diff --git a/security/openvpn-devel/distinfo b/security/openvpn-devel/distinfo index 415d52c355ea..496559990a5d 100644 --- a/security/openvpn-devel/distinfo +++ b/security/openvpn-devel/distinfo 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1751182633 -SHA256 (openvpn-openvpn-df4863aa0e43544ea82ab9d98966a03a95c62334_GL0.tar.gz) = a1f756efc7aba2fdb79231a9eede327ce4242a777c88e7eaad3cb11d9197157c -SIZE (openvpn-openvpn-df4863aa0e43544ea82ab9d98966a03a95c62334_GL0.tar.gz) = 1319214 +TIMESTAMP = 1758791563 +SHA256 (openvpn-openvpn-0fb5a00549be6b065f9a4d61940ee06786d9fa61_GL0.tar.gz) = c9502407a96db677c9ea2665821a1f16042ed9853ce46c51db3e5064800a9a47 +SIZE (openvpn-openvpn-0fb5a00549be6b065f9a4d61940ee06786d9fa61_GL0.tar.gz) = 1338386 |
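Review bot: the pinning in the second Makefile hunk checks out: the new GL_TAGNAME is a full 40-character commit hash, 0fb5a00549be6b065f9a4d61940ee06786d9fa61, whose prefix matches the "0fb5a00549" named in the commit title, so the fetch is tied to an immutable revision rather than a movable branch or tag. The same hash has to appear in the tarball name in distinfo for the SHA256 check to cover exactly this snapshot; it does, in the distinfo hunk.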
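Review bot: dropping the local `MBEDTLS_DESC= SSL/TLS via mbedTLS (lacks TLS v1.3)` in the third Makefile hunk is only correct once the option actually builds against mbedTLS 3, and that switch lives in the following hunk of the same file. The two hunks therefore have to land together; anyone cherry-picking this port change to another branch should take both, or the option description will promise TLS 1.3 while still linking mbedtls2.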
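Review bot: the commit message and the fourth Makefile hunk disagree on the dependency's category. The message says "switch to depend on the net/mbedtls3 port", while the hunk changes the line to `MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls3`. The Makefile is what the build resolves, so security/mbedtls3 is the real dependency and the message should be read (and, where it is still editable, corrected) accordingly.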
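Review bot: the distinfo hunk is internally consistent with the Makefile changes: the tarball name embeds the new GL_TAGNAME hash, and TIMESTAMP 1758791563 decodes to 2025-09-25 09:12:43 UTC, matching DISTVERSION g20250925 and the 2025-09-25 date in the title (the replaced 1751182633 is 2025-06-29, matching the old g20250629). The SHA256 line is the only control that stops a substituted tarball from being accepted at build time, so it should have been produced by `make makesum` against a fresh fetch of exactly this tag rather than copied from another tree.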
