pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2006Q1]: pkgsrc/net/openvpn Pullup ticket 1327 - requested by ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/133749d8b727
branches:  pkgsrc-2006Q1
changeset: 510184:133749d8b727
user:      salo <salo%pkgsrc.org@localhost>
date:      Wed Apr 05 14:09:36 2006 +0000

description:
Pullup ticket 1327 - requested by jlam
Security update for openvpn

Revisions pulled up:
- pkgsrc/net/openvpn/Makefile           1.16
- pkgsrc/net/openvpn/distinfo           1.7

   Module Name:         pkgsrc
   Committed By:        jlam
   Date:                Wed Apr  5 13:49:26 UTC 2006

   Modified Files:
        pkgsrc/net/openvpn: Makefile distinfo

   Log Message:
   Update net/openvpn to 2.0.6.  Changes from version 2.0.5 include:

   * [security] An OpenVPN client connecting to a malicious or compromised
     server could potentially receive "setenv" configuration directives
     from the server which could cause arbitrary code execution on the
     client via a LD_PRELOAD attack.  A successful attack appears to
     require that (a) the client has agreed to allow the server to push
     configuration directives to it by including "pull" or the macro
     "client" in its configuration file, (b) the client configuration
     file uses a scripting directive such as "up" or "down", (c) the
     client successfully authenticates the server, (d) the server is
     malicious or has been compromised and is under the control of the
     attacker, and (e) the attacker has at least some level of pre-existing
     control over files on the client (this might be accomplished by
     having the server respond to a client web request with a specially
     crafted file).  The fix is to disallow "setenv" to be pushed to
     clients from the server.  For those who need this capability, OpenVPN
     2.1 supports a new "setenv-safe" directive which is free of this
     vulnerability.

   * When deleting routes under Linux, use the route metric as a
     differentiator to ensure that the route teardown process only deletes
     the identical route which was originally added via the "route"
     directive (Roy Marples).

   * Fix the t_cltsrv.sh file in FreeBSD 4 jails (Matthias Andree, Dirk
     Meyer, Vasil Dimov).

   * Extended tun device configure code to support ethernet bridging on
     NetBSD (Emmanuel Kasper).

diffstat:

 net/openvpn/Makefile |  16 +++++++---------
 net/openvpn/distinfo |   8 ++++----
 2 files changed, 11 insertions(+), 13 deletions(-)

diffs (75 lines):

diff -r d862dfe4b647 -r 133749d8b727 net/openvpn/Makefile
--- a/net/openvpn/Makefile      Sun Apr 02 14:16:46 2006 +0000
+++ b/net/openvpn/Makefile      Wed Apr 05 14:09:36 2006 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.15 2006/03/04 21:30:22 jlam Exp $
+# $NetBSD: Makefile,v 1.15.2.1 2006/04/05 14:09:36 salo Exp $
 #
 
-DISTNAME=      openvpn-2.0.5
+DISTNAME=      openvpn-2.0.6
 CATEGORIES=    net
 MASTER_SITES=  http://openvpn.net/release/ \
                http://openvpn.net/release/old/
@@ -27,6 +27,10 @@
 CONFIGURE_ARGS+=       --enable-password-save
 CONFIGURE_ARGS+=       --disable-dependency-tracking
 
+INSTALLATION_DIRS=     ${DATADIR}/easy-rsa     ${EGDIR}/config         \
+                       ${DOCDIR}               ${EGDIR}/keys           \
+                                               ${EGDIR}/scripts
+
 # OpenVPN 2.x has a shared module "plugin" architecture that allows
 # inserting callbacks into the server for various tasks.
 #
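Review bot: The added INSTALLATION_DIRS block is a packaging cleanup unrelated to the 2.0.6 security fix, and on a stable-branch pullup described as "Security update for openvpn" it would be easier to audit as a separate change, or at least with its own line in the log message. The third continuation line is also indented differently from the two above it; starting ${EGDIR}/scripts in the first column would match them.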
@@ -37,6 +41,7 @@
 .include "../../security/openssl/buildlink3.mk"
 .include "../../mk/pthread.buildlink3.mk"
 
+# Fix up the paths to tools in the pkitool script.
 post-build:
        for file in ${WRKSRC}/easy-rsa/2.0/pkitool; do                  \
                ${SED}  -e "s|^\(GREP\)=.*|\1=\""${GREP}"\"|"           \
@@ -47,7 +52,6 @@
        done
 
 post-install:
-       ${INSTALL_DATA_DIR} ${DATADIR}/easy-rsa
        dir=${DATADIR:S/^${PREFIX}\///}/easy-rsa;                       \
        cd ${WRKSRC}/easy-rsa/2.0;                                      \
        ${GREP} "^$$dir/" ${PKGDIR}/PLIST | ${SED} "s|^$$dir/||" |      \
@@ -57,21 +61,15 @@
                *)              ${INSTALL_SCRIPT} $$file ${PREFIX}/$$dir ;; \
                esac;                                                   \
        done
-       ${INSTALL_DATA_DIR} ${DOCDIR}
        ${INSTALL_DATA} ${WRKSRC}/management/management-notes.txt ${DOCDIR}
-       ${INSTALL_DATA_DIR} ${EGDIR}
-       ${INSTALL_DATA_DIR} ${EGDIR}/config
        cd ${WRKSRC}/sample-config-files; for file in *; do             \
                ${INSTALL_DATA} $$file ${EGDIR}/config;                 \
        done
-       ${INSTALL_DATA_DIR} ${EGDIR}/scripts
        cd ${WRKSRC}/sample-scripts; for file in *; do                  \
                ${INSTALL_DATA} $$file ${EGDIR}/scripts;                \
        done
-       ${INSTALL_DATA_DIR} ${EGDIR}/keys
        cd ${WRKSRC}/sample-keys; for file in *; do                     \
                ${INSTALL_DATA} $$file ${EGDIR}/keys;                   \
        done
 
-
 .include "../../mk/bsd.pkg.mk"
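Review bot: The removed `${INSTALL_DATA_DIR} ${EGDIR}` in post-install has no direct counterpart in the new INSTALLATION_DIRS list, which names only ${EGDIR}/config, ${EGDIR}/keys and ${EGDIR}/scripts, so the install now depends on the parent directory being created implicitly. Worth confirming with an install into a clean prefix, or listing ${EGDIR} explicitly.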
diff -r d862dfe4b647 -r 133749d8b727 net/openvpn/distinfo
--- a/net/openvpn/distinfo      Sun Apr 02 14:16:46 2006 +0000
+++ b/net/openvpn/distinfo      Wed Apr 05 14:09:36 2006 +0000
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.6 2005/11/03 14:31:19 salo Exp $
+$NetBSD: distinfo,v 1.6.4.1 2006/04/05 14:09:36 salo Exp $
 
-SHA1 (openvpn-2.0.5.tar.gz) = ba65a29e528e8e5f0978e89ef766c43d1d2a25aa
-RMD160 (openvpn-2.0.5.tar.gz) = add5c84c56b8a95d18e70ffa072bf9c42166074d
-Size (openvpn-2.0.5.tar.gz) = 662647 bytes
+SHA1 (openvpn-2.0.6.tar.gz) = 046f3811831a06e4fbc9c64544faaecf04547ae5
+RMD160 (openvpn-2.0.6.tar.gz) = cf3cd807bb657baf317e896b57900958cf442a63
+Size (openvpn-2.0.6.tar.gz) = 664816 bytes
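Review bot: The new SHA1 and RMD160 lines are the only integrity check on openvpn-2.0.6.tar.gz, and the MASTER_SITES entries in the Makefile are plain http URLs, so for a security update the log message should say how these values were obtained, for example by comparing the fetched tarball against a checksum or signature published by upstream.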



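Of the five preconditions listed in the log message above, (a) and (b) are properties of the client configuration file and can be checked locally. The following is an added example, not part of the commit or of OpenVPN, that audits a client config for them and for a version older than 2.0.6; the sample config, host name, paths and function names are constructed for illustration.

```python
import re

# Directive names taken from the advisory text; extend for your own setup.
PULL_DIRECTIVES = {"pull", "client"}   # (a) client accepts pushed directives
SCRIPT_DIRECTIVES = {"up", "down"}     # (b) scripting directives ("such as")
FIXED_VERSION = (2, 0, 6)              # release that refuses pushed "setenv"

# Constructed sample client configuration (hypothetical host and paths).
SAMPLE_CONFIG = """\
# office VPN
client
dev tun
remote vpn.example.net 1194
; down /etc/openvpn/down.sh
up /etc/openvpn/up.sh
"""


def parse_directives(config_text):
    """Return the set of directive names on active (uncommented) lines."""
    names = set()
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # '#' and ';' start comments
            continue
        word = line.split()[0]
        # Tolerate the command-line "--name" spelling as well.
        names.add(word[2:] if word.startswith("--") else word)
    return names


def parse_version(text):
    """Turn '2.0.5' into (2, 0, 5) so versions compare numerically."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in match.groups())


def audit(config_text, openvpn_version):
    """Report preconditions (a) and (b) and whether the fix is present."""
    names = parse_directives(config_text)
    accepts_push = sorted(names & PULL_DIRECTIVES)
    runs_scripts = sorted(names & SCRIPT_DIRECTIVES)
    unpatched = parse_version(openvpn_version) < FIXED_VERSION
    return {"accepts_push": accepts_push, "runs_scripts": runs_scripts,
            "unpatched": unpatched,
            "exposed": bool(accepts_push and runs_scripts and unpatched)}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "2.0.5"))
```

Preconditions (c) to (e) depend on the server and the attacker, so an "exposed" result marks a client to upgrade first rather than proof of compromise.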