Bug 177517 - [PATCH] security/openvpn: security maintainer upgrade to 2.3.1
[PATCH] security/openvpn: security maintainer upgrade to 2.3.1
Status: Closed FIXED
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Latest
Any Any
: Normal Affects Only Me
Assigned To: Matthias Andree
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-03-31 11:00 UTC by Matthias Andree
Modified: 2013-03-31 17:10 UTC (History)
1 user (show)

See Also:


Attachments
openvpn-2.3.1.patch (3.28 KB, patch)
2013-03-31 11:00 UTC, Matthias Andree
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Andree freebsd_committer 2013-03-31 11:00:00 UTC
Request ports freeze override authorization for security upgrade to
OpenVPN to 2.3.1; upstream release notes are

"OpenVPN 2.3.1 -- released on 2013.03.29 (Change Log)

This release adds supports for PolarSSL 1.2. It also adds a fix to
prevent potential side-channel attacks by switching to a constant-time
memcmp when comparing HMACs in the openvpn_decrypt function. In
addition, it contains several bugfixes and documentation updates, as
well as some minor enhancements."

Full ChangeLog:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>

The port upgrade also offers an option to use the GPLv2+-licensed PolarSSL
instead of OpenSSL (which brings in a license mix).

Generated with FreeBSD Port Tools 0.99_7 (mode: change, diff: ports)
Comment 1 Edwin Groothuis freebsd_committer 2013-03-31 11:00:09 UTC
Class Changed
From-To: change-request->maintainer-update

Fix category (submitter is maintainer) (via the GNATS Auto Assign Tool)
Comment 2 Edwin Groothuis freebsd_committer 2013-03-31 11:00:11 UTC
Responsible Changed
From-To: freebsd-ports-bugs->mandree

Submitter is maintainer and has GNATS access (via the GNATS Auto Assign 
Tool)
Comment 3 matthias.andree 2013-03-31 11:08:23 UTC
This is a multi-part message in MIME format.
Comment 4 Matthias Andree freebsd_committer 2013-03-31 11:08:38 UTC
State Changed
From-To: open->feedback

Over to portmgr for decision. 


Comment 5 Matthias Andree freebsd_committer 2013-03-31 11:08:38 UTC
Responsible Changed
From-To: mandree->portmgr

Over to portmgr for decision.
Comment 6 Matthias Andree freebsd_committer 2013-03-31 11:12:46 UTC
miwi suggested (on IRC) that I revise the wording, so how about:

OpenVPN 2.3.1 adds a fix to prevent potential side-channel attacks ...
Comment 7 Matthias Andree freebsd_committer 2013-03-31 17:00:16 UTC
State Changed
From-To: feedback->closed

Committed, with portmgr approval. 


Comment 8 Matthias Andree freebsd_committer 2013-03-31 17:00:16 UTC
Responsible Changed
From-To: portmgr->mandree

Committed, with portmgr approval.
Comment 9 dfilter freebsd_committer 2013-03-31 17:00:16 UTC
Author: mandree
Date: Sun Mar 31 16:00:02 2013
New Revision: 315640
URL: http://svnweb.freebsd.org/changeset/ports/315640

Log:
  security upgrade to OpenVPN 2.3.1; upstream release notes are
  
    "This release adds supports for PolarSSL 1.2. It also adds a fix to
    prevent potential side-channel attacks by switching to a constant-time
    memcmp when comparing HMACs in the openvpn_decrypt function. In
    addition, it contains several bugfixes and documentation updates, as
    well as some minor enhancements."
  
  Full ChangeLog:
  <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>
  
  The port upgrade also offers an option to use the GPLv2+-licensed
  PolarSSL instead of OpenSSL (which brings in a license mix).
  
  PR:		ports/177517
  Reviewed by:	miwi
  Approved by:	portmgr (miwi)
  Security:	92f30415-9935-11e2-ad4c-080027ef73ec

Modified:
  head/security/openvpn/Makefile
  head/security/openvpn/distinfo
  head/security/vuxml/vuln.xml

Modified: head/security/openvpn/Makefile
==============================================================================
--- head/security/openvpn/Makefile	Sun Mar 31 15:58:20 2013	(r315639)
+++ head/security/openvpn/Makefile	Sun Mar 31 16:00:02 2013	(r315640)
@@ -2,8 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	openvpn
-DISTVERSION=	2.3.0
-PORTREVISION=	3
+DISTVERSION=	2.3.1
 CATEGORIES=	security net
 MASTER_SITES=	http://swupdate.openvpn.net/community/releases/ \
 		http://build.openvpn.net/downloads/releases/
@@ -16,18 +15,19 @@ LICENSE=	GPLv2
 CONFLICTS_INSTALL=	openvpn-2.[!3].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]*
 
 GNU_CONFIGURE=	yes
-USE_OPENSSL=	yes
 USE_XZ=		yes
 # let OpenVPN's configure script pick up the requisite libraries:
 CPPFLAGS+=	-I${LOCALBASE}/include
 LDFLAGS+=	-L${LOCALBASE}/lib
 
-# PolarSSL is not provided; OpenVPN does not currently compile with PolarSSL 1.2.0+
 OPTIONS_DEFINE=		PW_SAVE PKCS11 EASYRSA
-OPTIONS_DEFAULT=	EASYRSA
+OPTIONS_DEFAULT=	EASYRSA OPENSSL
+OPTIONS_SINGLE=		SSL
+OPTIONS_SINGLE_SSL=	OPENSSL POLARSSL
 PW_SAVE_DESC=	Interactive passwords may be read from a file
 PKCS11_DESC=	Use security/pkcs11-helper
 EASYRSA_DESC=	Install security/easy-rsa RSA helper package
+POLARSSL_DESC=	SSL/TLS support via PolarSSL
 
 .include <bsd.port.options.mk>
 
@@ -40,7 +40,15 @@ INSTALL_TARGET=	install DESTDIR=${_stage
 RUN_DEPENDS+=	easy-rsa>=0:${PORTSDIR}/security/easy-rsa
 .endif
 
-INSTALL_TARGET+=	mandir=${MANPREFIX}/man
+.if ${PORT_OPTIONS:MPOLARSSL}
+LIB_DEPENDS+=	polarssl:${PORTSDIR}/security/polarssl
+CONFIGURE_ARGS+=	--with-crypto-library=polarssl
+.else
+USE_OPENSSL=	yes
+CONFIGURE_ARGS+=	--with-crypto-library=openssl
+.endif
+
+.INSTALL_TARGET+=	mandir=${MANPREFIX}/man
 MAN8=		openvpn.8
 
 USE_RC_SUBR=	openvpn
@@ -98,7 +106,6 @@ post-install:
 	${INSTALL_DATA} ${_stagedir}${PREFIX}/include/* ${PREFIX}/include/
 	${INSTALL_MAN} ${_stagedir}${PREFIX}/man/man8/* ${MAN8PREFIX}/man/man8/
 .if ${PORT_OPTIONS:MDOCS}
-	-${RMDIR} ${_stagedir}${DOCSDIR}/sample
 	(cd ${_stagedir}${DOCSDIR} && ${COPYTREE_SHARE} \* ${DOCSDIR}/)
 .for i in AUTHORS ChangeLog PORTS
 	${INSTALL_MAN} ${WRKSRC}/${i} ${DOCSDIR}/

Modified: head/security/openvpn/distinfo
==============================================================================
--- head/security/openvpn/distinfo	Sun Mar 31 15:58:20 2013	(r315639)
+++ head/security/openvpn/distinfo	Sun Mar 31 16:00:02 2013	(r315640)
@@ -1,2 +1,2 @@
-SHA256 (openvpn-2.3.0.tar.xz) = a9fcf7bc1c1cd88cd8867ff567e8f8df5e695f0e983bd0aed3a3e1f6ae14d107
-SIZE (openvpn-2.3.0.tar.xz) = 762052
+SHA256 (openvpn-2.3.1.tar.xz) = 9d7723ea83cdc0c78b32005f4b9c1f7ca1cc9e53e90b77bd643a203e6189884b
+SIZE (openvpn-2.3.1.tar.xz) = 776076

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sun Mar 31 15:58:20 2013	(r315639)
+++ head/security/vuxml/vuln.xml	Sun Mar 31 16:00:02 2013	(r315640)
@@ -51,6 +51,33 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="92f30415-9935-11e2-ad4c-080027ef73ec">
+    <topic>OpenVPN -- potential side-channel/timing attack when comparing HMACs</topic>
+    <affects>
+      <package>
+	<name>openvpn</name>
+	<range><lt>2.3.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The OpenVPN project reports:</p>
+	<blockquote cite="https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.1<">
+	  <p>[OpenVPN 2.3.1 adds a fix to prevent potential side-channel
+	    attacks by switching to a] constant time memcmp when comparing HMACs in [the] openvpn_decrypt [function].</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.1</url>
+      <url>http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=commit;h=11d21349a4e7e38a025849479b36ace7c2eec2ee</url>
+    </references>
+    <dates>
+      <discovery>2013-03-19</discovery>
+      <entry>2013-03-31</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="843a4641-9816-11e2-9c51-080027019be0">
     <topic>libxml2 -- cpu consumption Dos</topic>
     <affects>
_______________________________________________
svn-ports-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-ports-all
To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"