pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/net update openvpn to 2.3.15
details: https://anonhg.NetBSD.org/pkgsrc/rev/1d667db74042
branches: trunk
changeset: 362616:1d667db74042
user: spz <spz%pkgsrc.org@localhost>
date: Fri May 19 18:11:04 2017 +0000
description:
update openvpn to 2.3.15
fixes DoSses: CVE-2017-7478 CVE-2017-7479
fixes PR pkg/52044
relevant excerpt of ChangeLog:
OpenVPN Change Log
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales%openvpn.net@localhost>
2017.05.11 -- Version 2.3.15
David Sommerseth (5):
dev-tools: Added script for updating copyright years in files
Update copyrights
docs: Further improve --reneg-bytes and SWEET32 information
git: Merge .gitignore files into a single file
Make --cipher/--auth none more explicit on the risks
Gert Doering (1):
Document --proto udp6, tcp6, etc.
Julien Muchembled (1):
Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset
Steffan Karger (6):
Add missing includes in error.h
cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
Document that OpenVPN 2.3 does not check the CRL signature
Introduce and use secure_memzero() to erase secrets
Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
Don't assert out on receiving too-large control packets (CVE-2017-7478)
2016.12.06 -- Version 2.3.14
Christian Hesse (1):
update year in copyright message
David Sommerseth (1):
Document the --auth-token option
Gert Doering (2):
Repair topology subnet on FreeBSD 11
Repair topology subnet on OpenBSD
Lev Stipakov (1):
Drop recursively routed packets
Selva Nair (4):
Support --block-outside-dns on multiple tunnels
When parsing '--setenv opt xx ..' make sure a third parameter is present
Map restart signals from event loop to SIGTERM during exit-notification wait
Correctly state the default dhcp server address in man page
Steffan Karger (1):
Clean up format_hex_ex()
2016.11.02 -- Version 2.3.13
Arne Schwabe (2):
Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
David Sommerseth (4):
t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
t_client.sh: Add support for Kerberos/ksu
t_client.sh: Improve detection if the OpenVPN process did start during tests
t_client.sh: Add prepare/cleanup possibilities for each test case
Gert Doering (5):
Do not abort t_client run if OpenVPN instance does not start.
Fix t_client runs on OpenSolaris
make t_client robust against sudoers misconfiguration
add POSTINIT_CMD_suf to t_client.sh and sample config
Fix --multihome for IPv6 on 64bit BSD systems.
Ilya Shipitsin (1):
skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
Lev Stipakov (2):
Exclude peer-id from pulled options digest
Fix compilation in pedantic mode
Samuli Seppänen (1):
Automatically cache expected IPs for t_client.sh on the first run
Steffan Karger (6):
Fix unittests for out-of-source builds
Make gnu89 support explicit
cleanup: remove code duplication in msg_test()
Update cipher-related man page text
Limit --reneg-bytes to 64MB when using small block ciphers
Add a revoked cert to the sample keys
2016.08.23 -- Version 2.3.12
Arne Schwabe (2):
Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
Move ASSERT so external-key with OpenSSL works again
David Sommerseth (3):
Only build and run cmocka unit tests if its submodule is initialized
Another fix related to unit test framework
Remove NOP function and callers
Dorian Harmans (1):
Add CHACHA20-POLY1305 ciphersuite IANA name translations.
Ivo Manca (1):
Plug memory leak in mbedTLS backend
Jeffrey Cutter (1):
Update contrib/pull-resolv-conf/client.up for no DOMAIN
Jens Neuhalfen (2):
Add unit testing support via cmocka
Add a test for auth-pam searchandreplace
Josh Cepek (1):
Push an IPv6 CIDR mask used by the server, not the pool's size
Leon Klingele (1):
Add link to bug tracker
Samuli Seppänen (2):
Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
Clarify the fact that build instructions in README are for release tarballs
Selva Nair (4):
Make error non-fatal while deleting address using netsh
Make block-outside-dns work with persist-tun
Ignore SIGUSR1/SIGHUP during exit notification
Promptly close the netcmd_semaphore handle after use
Steffan Karger (4):
Fix polarssl / mbedtls builds
Don't limit max incoming message size based on c2->frame
Fix '--cipher none --cipher' crash
Discourage using 64-bit block ciphers
diffstat:
net/openvpn-acct-wtmpx/Makefile | 3 +-
net/openvpn-acct-wtmpx/distinfo | 10 +++---
net/openvpn-nagios/Makefile | 5 +-
net/openvpn-nagios/distinfo | 10 +++---
net/openvpn/Makefile | 3 +-
net/openvpn/Makefile.common | 4 +-
net/openvpn/distinfo | 12 +++---
net/openvpn/patches/patch-src_openvpn_socket.c | 40 +++++++------------------
8 files changed, 33 insertions(+), 54 deletions(-)
diffs (199 lines):
diff -r 2e33b01d5699 -r 1d667db74042 net/openvpn-acct-wtmpx/Makefile
--- a/net/openvpn-acct-wtmpx/Makefile Fri May 19 18:00:38 2017 +0000
+++ b/net/openvpn-acct-wtmpx/Makefile Fri May 19 18:11:04 2017 +0000
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.7 2016/07/08 08:50:25 jperkin Exp $
+# $NetBSD: Makefile,v 1.8 2017/05/19 18:11:04 spz Exp $
.include "../../net/openvpn/Makefile.common"
DISTNAME= openvpn-acct-wtmpx-20130210
DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${OPENVPN_DISTFILE}
-PKGREVISION= 3
CATEGORIES= net
MASTER_SITES= http://ftp.espci.fr/pub/openvpn-acct-wtmpx/
EXTRACT_SUFX= .tgz
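Review bot: Dropping `PKGREVISION= 3` makes this package's version go backwards, because `DISTNAME` stays `openvpn-acct-wtmpx-20130210` and only the bundled `${OPENVPN_DISTFILE}` changes. Unless PKGNAME is set outside the visible context, the result is 20130210nb3 becoming 20130210, so installed copies built against the old OpenVPN sources will not be seen as outdated. Suggest bumping to `PKGREVISION= 4` instead of removing the line.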
diff -r 2e33b01d5699 -r 1d667db74042 net/openvpn-acct-wtmpx/distinfo
--- a/net/openvpn-acct-wtmpx/distinfo Fri May 19 18:00:38 2017 +0000
+++ b/net/openvpn-acct-wtmpx/distinfo Fri May 19 18:11:04 2017 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.10 2016/07/08 08:50:25 jperkin Exp $
+$NetBSD: distinfo,v 1.11 2017/05/19 18:11:04 spz Exp $
-SHA1 (openvpn-2.3.11.tar.xz) = 48ba3ada2da84be4cf66ffbd35a66d4ce30e0e5b
-RMD160 (openvpn-2.3.11.tar.xz) = cfaf087bfb9d562b6028a225c43000fbe96041ce
-SHA512 (openvpn-2.3.11.tar.xz) = 1fd2798beca074f0a094efbd4a9260f8a62d488afacb023b3f867698e6177bfc02702209e8c7f300ba8c662d292c65dc05d3f2cf615ebb91b90d4798fd3b99cd
-Size (openvpn-2.3.11.tar.xz) = 833496 bytes
+SHA1 (openvpn-2.3.15.tar.xz) = 3f74ee6baab32306c131a6e63f0d77e92d12d4ec
+RMD160 (openvpn-2.3.15.tar.xz) = 5cf7f6ef9ffea3f7c804f37c851f5a693f5f869a
+SHA512 (openvpn-2.3.15.tar.xz) = 749f1ca86923287c7e28dcea182e98b3a78648c0df8cf831f5fe41d859a0d822ba4691eb8587c24ae5078325c87c8397921a3655b2207d5b1fecc177ad560dec
+Size (openvpn-2.3.15.tar.xz) = 863384 bytes
SHA1 (openvpn-acct-wtmpx-20130210.tgz) = cf7bc26b12a65493cdf5db93b03bbb938a2f0f33
RMD160 (openvpn-acct-wtmpx-20130210.tgz) = d9000789f04606bfa17db1597a45a4235b1119ea
SHA512 (openvpn-acct-wtmpx-20130210.tgz) = 7b8fd4929e65d8d84158f62e5a17ff3adb3b4a6cff63b29038acfb368750719f2f593786ed9b02402824c19d872b188d2a46740a5c5f853e8873a71481b13aaf
diff -r 2e33b01d5699 -r 1d667db74042 net/openvpn-nagios/Makefile
--- a/net/openvpn-nagios/Makefile Fri May 19 18:00:38 2017 +0000
+++ b/net/openvpn-nagios/Makefile Fri May 19 18:11:04 2017 +0000
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.6 2016/07/08 08:50:55 jperkin Exp $
+# $NetBSD: Makefile,v 1.7 2017/05/19 18:11:04 spz Exp $
.include "../../net/openvpn/Makefile.common"
DISTNAME= openvpn-nagios-20130210
DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${OPENVPN_DISTFILE}
-PKGREVISION= 4
CATEGORIES= net
MASTER_SITES= http://ftp.espci.fr/pub/openvpn-nagios/
EXTRACT_SUFX= .tgz
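Review bot: Removing `PKGREVISION= 4` lowers the package version here, since `DISTNAME= openvpn-nagios-20130210` is unchanged and only the OpenVPN distfile it builds against moves. Bump it to `PKGREVISION= 5` so that existing installs are upgraded to a rebuild against the new sources.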
@@ -25,7 +24,7 @@
PLIST_SUBST+= OPENVPN_PLUGINSDIR=${OPENVPN_PLUGINSDIR:Q}
MESSAGE_SUBST+= OPENVPN_PLUGINSDIR=${PREFIX:Q}/${OPENVPN_PLUGINSDIR:Q}
-DEPENDS+= openvpn>=2.3.0:../../net/openvpn
+DEPENDS+= openvpn>=2.3.0<2.4:../../net/openvpn
.include "../../security/openssl/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
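Review bot: The new `<2.4` upper bound on the `DEPENDS+=` line has no comment and is not mentioned in the commit message. Add a one-line comment above it saying why the plugin cannot be used with 2.4, so the bound can be revisited later. Note also that the lower bound is still `>=2.3.0`, so the dependency remains satisfied by installed openvpn versions that predate the two CVE fixes this commit brings in.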
diff -r 2e33b01d5699 -r 1d667db74042 net/openvpn-nagios/distinfo
--- a/net/openvpn-nagios/distinfo Fri May 19 18:00:38 2017 +0000
+++ b/net/openvpn-nagios/distinfo Fri May 19 18:11:04 2017 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.7 2016/07/08 08:50:55 jperkin Exp $
+$NetBSD: distinfo,v 1.8 2017/05/19 18:11:04 spz Exp $
-SHA1 (openvpn-2.3.11.tar.xz) = 48ba3ada2da84be4cf66ffbd35a66d4ce30e0e5b
-RMD160 (openvpn-2.3.11.tar.xz) = cfaf087bfb9d562b6028a225c43000fbe96041ce
-SHA512 (openvpn-2.3.11.tar.xz) = 1fd2798beca074f0a094efbd4a9260f8a62d488afacb023b3f867698e6177bfc02702209e8c7f300ba8c662d292c65dc05d3f2cf615ebb91b90d4798fd3b99cd
-Size (openvpn-2.3.11.tar.xz) = 833496 bytes
+SHA1 (openvpn-2.3.15.tar.xz) = 3f74ee6baab32306c131a6e63f0d77e92d12d4ec
+RMD160 (openvpn-2.3.15.tar.xz) = 5cf7f6ef9ffea3f7c804f37c851f5a693f5f869a
+SHA512 (openvpn-2.3.15.tar.xz) = 749f1ca86923287c7e28dcea182e98b3a78648c0df8cf831f5fe41d859a0d822ba4691eb8587c24ae5078325c87c8397921a3655b2207d5b1fecc177ad560dec
+Size (openvpn-2.3.15.tar.xz) = 863384 bytes
SHA1 (openvpn-nagios-20130210.tgz) = 8a0fd4e3eba27584aa53c5589c13d4b38af43ba2
RMD160 (openvpn-nagios-20130210.tgz) = 2a47893ec2db2c280adc7b9fbbea97794ec1a6f4
SHA512 (openvpn-nagios-20130210.tgz) = 80e565f32379c39eb6c7f3b4744af221ae882ff07dce9dae5bd7feb73b0edcfc7c7ac7f70d23fdcd4f492b66f095f09833deb122449840b36ea606ce91900358
diff -r 2e33b01d5699 -r 1d667db74042 net/openvpn/Makefile
--- a/net/openvpn/Makefile Fri May 19 18:00:38 2017 +0000
+++ b/net/openvpn/Makefile Fri May 19 18:11:04 2017 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.60 2016/09/19 13:04:25 wiz Exp $
+# $NetBSD: Makefile,v 1.61 2017/05/19 18:11:04 spz Exp $
DISTNAME= ${OPENVPN_DISTNAME}
-PKGREVISION= 1
CATEGORIES= net
MASTER_SITES= ${OPENVPN_MASTER_SITES}
EXTRACT_SUFX= .tar.xz
diff -r 2e33b01d5699 -r 1d667db74042 net/openvpn/Makefile.common
--- a/net/openvpn/Makefile.common Fri May 19 18:00:38 2017 +0000
+++ b/net/openvpn/Makefile.common Fri May 19 18:11:04 2017 +0000
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile.common,v 1.5 2016/07/08 08:49:41 jperkin Exp $
+# $NetBSD: Makefile.common,v 1.6 2017/05/19 18:11:04 spz Exp $
# used by net/openvpn/Makefile
# used by net/openvpn-acct-wtmpx/Makefile
# used by net/openvpn-nagios/Makefile
-OPENVPN_DISTNAME= openvpn-2.3.11
+OPENVPN_DISTNAME= openvpn-2.3.15
OPENVPN_DISTFILE= ${OPENVPN_DISTNAME}.tar.xz
OPENVPN_MASTER_SITES= http://swupdate.openvpn.net/community/releases/
SITES.${OPENVPN_DISTFILE}= ${OPENVPN_MASTER_SITES}
diff -r 2e33b01d5699 -r 1d667db74042 net/openvpn/distinfo
--- a/net/openvpn/distinfo Fri May 19 18:00:38 2017 +0000
+++ b/net/openvpn/distinfo Fri May 19 18:11:04 2017 +0000
@@ -1,13 +1,13 @@
-$NetBSD: distinfo,v 1.33 2016/07/08 08:49:41 jperkin Exp $
+$NetBSD: distinfo,v 1.34 2017/05/19 18:11:04 spz Exp $
-SHA1 (openvpn-2.3.11.tar.xz) = 48ba3ada2da84be4cf66ffbd35a66d4ce30e0e5b
-RMD160 (openvpn-2.3.11.tar.xz) = cfaf087bfb9d562b6028a225c43000fbe96041ce
-SHA512 (openvpn-2.3.11.tar.xz) = 1fd2798beca074f0a094efbd4a9260f8a62d488afacb023b3f867698e6177bfc02702209e8c7f300ba8c662d292c65dc05d3f2cf615ebb91b90d4798fd3b99cd
-Size (openvpn-2.3.11.tar.xz) = 833496 bytes
+SHA1 (openvpn-2.3.15.tar.xz) = 3f74ee6baab32306c131a6e63f0d77e92d12d4ec
+RMD160 (openvpn-2.3.15.tar.xz) = 5cf7f6ef9ffea3f7c804f37c851f5a693f5f869a
+SHA512 (openvpn-2.3.15.tar.xz) = 749f1ca86923287c7e28dcea182e98b3a78648c0df8cf831f5fe41d859a0d822ba4691eb8587c24ae5078325c87c8397921a3655b2207d5b1fecc177ad560dec
+Size (openvpn-2.3.15.tar.xz) = 863384 bytes
SHA1 (patch-ac) = 3071423ae978dd7d1d79cb140325bde96ba8d21b
SHA1 (patch-ad) = 1e2c34a37157ff9c091e0120817a8c8bae9aef4e
SHA1 (patch-ae) = fce5d2b7c8ef830cba3df4408af79301f347cafd
SHA1 (patch-af) = 8d728c36a6eccdebf6c7e5a02d457903b255f4fb
SHA1 (patch-src_compat_compat-basename.c) = 45a58ef2e05f6e0265f229da8540760e60e65143
-SHA1 (patch-src_openvpn_socket.c) = 74668d39f5e6fdab64825d38d4b287c8004f5af3
+SHA1 (patch-src_openvpn_socket.c) = d091fdf614c7673755b9f1fdbdd11ce33276cfda
SHA1 (patch-src_openvpn_socket.h) = b4b952af347e0f2d0aff307a5025b3d27a2e6ee5
diff -r 2e33b01d5699 -r 1d667db74042 net/openvpn/patches/patch-src_openvpn_socket.c
--- a/net/openvpn/patches/patch-src_openvpn_socket.c Fri May 19 18:00:38 2017 +0000
+++ b/net/openvpn/patches/patch-src_openvpn_socket.c Fri May 19 18:11:04 2017 +0000
@@ -1,10 +1,10 @@
-$NetBSD: patch-src_openvpn_socket.c,v 1.2 2014/07/20 17:43:29 adam Exp $
+$NetBSD: patch-src_openvpn_socket.c,v 1.3 2017/05/19 18:11:04 spz Exp $
Fix for systems without ipi_spec_dst in struct in_pktinfo.
---- src/openvpn/socket.c.orig 2014-05-01 11:12:22.000000000 +0000
+--- src/openvpn/socket.c.orig 2017-05-11 10:34:40.000000000 +0000
+++ src/openvpn/socket.c
-@@ -654,7 +654,7 @@ create_socket_udp (const unsigned int fl
+@@ -650,7 +650,7 @@ create_socket_udp (const unsigned int fl
else if (flags & SF_USE_IP_PKTINFO)
{
int pad = 1;
@@ -13,7 +13,7 @@
if (setsockopt (sd, SOL_IP, IP_PKTINFO,
(void*)&pad, sizeof(pad)) < 0)
msg(M_ERR, "UDP: failed setsockopt for IP_PKTINFO");
-@@ -2254,7 +2254,7 @@ print_link_socket_actual_ex (const struc
+@@ -2263,7 +2263,7 @@ print_link_socket_actual_ex (const struc
struct openvpn_sockaddr sa;
CLEAR (sa);
sa.addr.in4.sin_family = AF_INET;
@@ -22,39 +22,21 @@
sa.addr.in4.sin_addr = act->pi.in4.ipi_spec_dst;
if_indextoname(act->pi.in4.ipi_ifindex, ifname);
#elif defined(IP_RECVDSTADDR)
-@@ -2651,7 +2651,7 @@ link_socket_read_tcp (struct link_socket
- struct openvpn_in4_pktinfo
- {
- struct cmsghdr cmsghdr;
--#ifdef HAVE_IN_PKTINFO
-+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- struct in_pktinfo pi4;
- #elif defined(IP_RECVDSTADDR)
- struct in_addr pi4;
-@@ -2696,7 +2696,7 @@ link_socket_read_udp_posix_recvmsg (stru
- cmsg = CMSG_FIRSTHDR (&mesg);
- if (cmsg != NULL
- && CMSG_NXTHDR (&mesg, cmsg) == NULL
--#ifdef IP_PKTINFO
-+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- && cmsg->cmsg_level == SOL_IP
- && cmsg->cmsg_type == IP_PKTINFO
- #elif defined(IP_RECVDSTADDR)
-@@ -2707,7 +2707,7 @@ link_socket_read_udp_posix_recvmsg (stru
+@@ -2721,7 +2721,7 @@ link_socket_read_udp_posix_recvmsg (stru
+ #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
#endif
- && cmsg->cmsg_len >= sizeof (struct openvpn_in4_pktinfo))
{
-#ifdef IP_PKTINFO
-+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
++#if defined(IP_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
struct in_pktinfo *pkti = (struct in_pktinfo *) CMSG_DATA (cmsg);
from->pi.in4.ipi_ifindex = pkti->ipi_ifindex;
from->pi.in4.ipi_spec_dst = pkti->ipi_spec_dst;
-@@ -2802,7 +2802,7 @@ link_socket_write_udp_posix_sendmsg (str
+@@ -2814,7 +2814,7 @@ link_socket_write_udp_posix_sendmsg (str
mesg.msg_namelen = sizeof (struct sockaddr_in);
- mesg.msg_control = &opi;
+ mesg.msg_control = pktinfo_buf;
mesg.msg_flags = 0;
-#ifdef HAVE_IN_PKTINFO
+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- mesg.msg_controllen = sizeof (struct openvpn_in4_pktinfo);
+ mesg.msg_controllen = CMSG_SPACE(sizeof (struct in_pktinfo));
cmsg = CMSG_FIRSTHDR (&mesg);
- cmsg->cmsg_len = sizeof (struct openvpn_in4_pktinfo);
+ cmsg->cmsg_len = CMSG_LEN(sizeof (struct in_pktinfo));
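Review bot: In the `link_socket_read_udp_posix_recvmsg` section the replacement guard changed from `defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)` to `defined(IP_PKTINFO) && defined(HAVE_IPI_SPEC_DST)`, while the `link_socket_write_udp_posix_sendmsg` section still tests `HAVE_IN_PKTINFO`. If that difference is intentional, say so in the patch header; otherwise use one macro in both places. The sections that guarded `struct openvpn_in4_pktinfo` and the `cmsg_level`/`cmsg_type` check are also dropped without explanation. The header still describes the patch only as "Fix for systems without ipi_spec_dst in struct in_pktinfo", so a line noting that those guards are no longer needed with 2.3.15, and that the build was checked on such a system, would make the regeneration reviewable.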