Created attachment 232525
update to 2.5.6

2022.03.16 -- Version 2.5.6

Antonio Quartulli (4):
      GitHub Actions: update script to same version as master
      update copyright year to 2022
      keyingmaterialexporter.c: include strings.h
      remove unused sitnl.h file

David Sommerseth (2):
      sample-plugin: New plugin for testing multiple auth plugins
      plug-ins: Disallow multiple deferred authentication plug-ins

Frank Lichtenheld (2):
      doc/Makefile: rebuild rst docs if input files change
      doc/options: clean up documentation for --proto and related options

Gert Doering (4):
      fix Changes.rst errors in 2.5.3 and 2.5.5 announcement
      Repair --inactive with 'bytes' argument larger 2Gbytes.
      Fix --mtu-disc maybe|yes on Linux.
      Preparing release 2.5.6

Ilya Shipitsin (1):
      CI: github actions: keep "pdb" in artifacts

Lev Stipakov (7):
      auth_token.c: add NULL initialization
      vcpkg-ports/pkcs11-helper: bump to release 1.28
      vcpkg-ports/pkcs11-helper: indicate OpenSSL EC support
      msvc: cleanup
      vcpkg: link lzo statically
      vcpkg-ports/pkcs11-helper: adapt to new upstream URL
      vcpkg-ports: add openssl 1.1.1n

Tested on 12.3-p3.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2e150241fbafae40eaaae496c58c1e77306b73ae

commit 2e150241fbafae40eaaae496c58c1e77306b73ae
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2022-03-17 22:18:09 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2022-03-17 22:27:50 +0000

    security/openvpn: security update to 2.5.6

    Changelog: https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-256

    Somewhat related to and obsoletes:
    PR:             262626
    Security:       45a72180-a640-11ec-a08b-85298243e224
    Security:       CVE-2022-0547
    Security:       https://community.openvpn.net/openvpn/wiki/CVE-2022-0547
    MFH:            2022Q1

 security/openvpn/Makefile | 4 ++--
 security/openvpn/distinfo | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
I haven't taken this patch because
- it lacked the security entry
- it lacked the MFH tag
- it lacked a reference to the user-consumable release notes.
- it removes the PORTREVISION although we have a slave port.
A commit in branch 2022Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7faf0a749e1f5c3e2eb9019e01f2a4f86d56f1a8

commit 7faf0a749e1f5c3e2eb9019e01f2a4f86d56f1a8
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2022-03-17 22:18:09 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2022-03-17 22:31:45 +0000

    security/openvpn: security update to 2.5.6

    Changelog: https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-256

    Somewhat related to and obsoletes:
    PR:             262626
    Security:       45a72180-a640-11ec-a08b-85298243e224
    Security:       CVE-2022-0547
    Security:       https://community.openvpn.net/openvpn/wiki/CVE-2022-0547
    MFH:            2022Q1

    (cherry picked from commit 2e150241fbafae40eaaae496c58c1e77306b73ae)

 security/openvpn/Makefile | 2 +-
 security/openvpn/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Although I am saying thank you VVD for the contribution!
(In reply to Matthias Andree from comment #2)
> I haven't taken this patch because
> - it lacked the security entry
It's a different patch for a different port - security/vuxml.

> - it lacked the MFH tag
The MFH tag is an attribute of the issue, not the patch, isn't it?

> - it lacked a reference to the user-consumable release notes.
https://github.com/OpenVPN/openvpn/releases/tag/v2.5.6 ???

> - it removes the PORTREVISION although we have a slave port.
Didn't know this.
On the other hand, I heard several times that it is necessary to remove PORTREVISION=0 when I left it in patches for other ports.

But my main goal was to notify maintainer, "speed up" update the port and reduce work time of the maintainer.
I think this goal has been achieved! :-D

Thanks for commit!
So the story around PORTREVISION is that people do not want redundancy, but if you have a port B that .include-s port A's Makefile, and you want port B to have its own PORTREVISION, you set it with ?= in port A. I have seen several accidents over the years, either that people then re-add PORTREVISION forgetting they need to use ?=, or that accidentally PORTEPOCH gets bumped, or - worst case - from the earlier bug, some port goes backwards in version (entailing PORTEPOCH again). I tend to lean somewhat towards making maintainability robust and manageable and reduce content churn.

About the changelog, the OpenVPN project usually has the git shortlog (which is what you have included), and there is an edited user-centric log that I have referenced. I had seen Samuli Seppänen's announcement on the openvpn-devel list early yesterday but had to cover my paid working day first. :-) So thanks for lending your hand even if I did not take it.

End of this month we will ditch the -mbedtls port and option so the PORTREVISION thing will become less prominent. OpenVPN is not feature complete with mbedTLS, and I do not see a real advantage in FreeBSD's context where we have a suitable OpenSSL in the base system anyways. And for security/crypto stuff we should go for the best tested (most eyeballs watching) crypto platform with the most commitment (it is in base), and that stepping stone clearly is OpenSSL, not mbedTLS.
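The ?= rule from the last comment, turned into a lint check. This is an added example, not part of the original thread and not the ports tree's own tooling. The port names foo and foo-alt and the `MASTERDIR= ${.CURDIR}/../<name>` layout are assumptions, and the sample Makefiles are constructed.

```sh
#!/bin/sh
# Flag a master port whose PORTREVISION uses plain "=" while slave ports
# include its Makefile: the master's value would replace the slave's own.

# Report how Makefile $1 assigns PORTREVISION: overridable, fixed or absent.
portrevision_mode() {
    if grep -Eq '^PORTREVISION[[:space:]]*\?=' "$1"; then
        echo overridable
    elif grep -Eq '^PORTREVISION[[:space:]]*=' "$1"; then
        echo fixed
    else
        echo absent
    fi
}

# Count ports in category dir $1 whose MASTERDIR points at sibling port $2.
# Assumes the "MASTERDIR= ${.CURDIR}/../<name>" form (an assumption).
count_slaves() {
    grep -lE "^MASTERDIR[[:space:]]*=.*/\.\./$2[[:space:]]*\$" \
        "$1"/*/Makefile 2>/dev/null | wc -l | tr -d ' '
}

# Lint master port $2 in category dir $1; returns non-zero on a clobber.
lint_master() {
    mode=$(portrevision_mode "$1/$2/Makefile")
    slaves=$(count_slaves "$1" "$2")
    if [ "$mode" = fixed ] && [ "$slaves" -gt 0 ]; then
        echo "FAIL: PORTREVISION= in $2 overrides $slaves slave port(s); use ?="
        return 1
    fi
    echo "ok: PORTREVISION $mode in $2, $slaves slave port(s)"
}

# Build a constructed two-port tree; $1 is the master's operator (= or ?=).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/security/foo" "$d/security/foo-alt"
    printf '%s\n' 'PORTNAME=	foo' 'DISTVERSION=	1.2.3' "PORTREVISION$1	0" \
        > "$d/security/foo/Makefile"
    printf '%s\n' 'PORTREVISION=	2' 'PKGNAMESUFFIX=	-alt' \
        'MASTERDIR=	${.CURDIR}/../foo' '.include "${MASTERDIR}/Makefile"' \
        > "$d/security/foo-alt/Makefile"
    echo "$d/security"
}

for op in '=' '?='; do
    dir=$(make_sample_tree "$op")
    lint_master "$dir" foo || true
    rm -rf "${dir%/security}"
done
```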