Bug 244286 - [patch] security/openvpn: Add option to build with --enable-async-push
Summary: [patch] security/openvpn: Add option to build with --enable-async-push
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Matthias Andree
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-21 17:43 UTC by Renato Botelho
Modified: 2020-04-17 19:17 UTC (History)
1 user (show)

See Also:
mandree: maintainer-feedback+


Attachments
patch (1.95 KB, patch)
2020-02-21 17:43 UTC, Renato Botelho
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Renato Botelho freebsd_committer 2020-02-21 17:43:59 UTC
Created attachment 211804 [details]
patch

Added a new option ASYNC_PUSH, disabled by default, to build it with --enable-async-push.

When this option is enabled it fails to build due to lack of -linotify, so I added it to patch-configure and submitted a bug upstream:

https://community.openvpn.net/openvpn/ticket/1256#ticket
Comment 1 Matthias Andree freebsd_committer 2020-02-21 19:27:03 UTC
Why don't we just add LIBS+=-Wl,--as-needed -linotify?
Comment 2 Renato Botelho freebsd_committer 2020-02-21 19:41:58 UTC
(In reply to Matthias Andree from comment #1)
OK.  Let me try that and update patch
Comment 3 Matthias Andree freebsd_committer 2020-02-21 19:52:04 UTC
No need, I have it
Comment 4 commit-hook freebsd_committer 2020-02-21 20:16:16 UTC
A commit references this bug:

Author: mandree
Date: Fri Feb 21 20:15:50 UTC 2020
New revision: 526692
URL: https://svnweb.freebsd.org/changeset/ports/526692

Log:
  openvpn: Add default-off ASYNC_PUSH option.

  When enabled, pulls in devel/libinotify, and
  adds --enable-async-push to configure.

  In contrast to garga@'s proposal, uses
  ASYNC_PUSH_LIBS instead of a patch file.

  PR:		244286
  Submitted by:	garga@

Changes:
  head/security/openvpn/Makefile
Comment 5 Lev Stipakov 2020-03-16 07:47:34 UTC
Hi,

Please be aware that a fix for this issue has been committed to openvpn master branch: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19566.html
Comment 6 Lev Stipakov 2020-03-16 08:12:35 UTC
Fixed also in release/2.4 https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19568.html
Comment 7 Matthias Andree freebsd_committer 2020-03-16 22:36:22 UTC
OK, thanks for driving this with the upstream maintainers - we can possibly drop the ASYNC_PUSH_LIBS line after the next release from the upstream (which might be called 2.4.9).
Comment 8 commit-hook freebsd_committer 2020-03-16 22:58:59 UTC
A commit references this bug:

Author: mandree
Date: Mon Mar 16 22:58:27 UTC 2020
New revision: 528550
URL: https://svnweb.freebsd.org/changeset/ports/528550

Log:
  security/openvpn: Add a FIXME marker to clean up a local workaround that was upstreamed for 2.4.9. [info: Lev Stipakov]
  PR: 244286

Changes:
  head/security/openvpn/Makefile
Comment 9 commit-hook freebsd_committer 2020-04-17 18:39:44 UTC
A commit references this bug:

Author: mandree
Date: Fri Apr 17 18:38:45 UTC 2020
New revision: 531957
URL: https://svnweb.freebsd.org/changeset/ports/531957

Log:
  security/openvpn: update to 2.4.9 (also for -mbedtls slave port)

  At the same time, remove ASYNC_PUSH_LIBS workaround from [1].

  Changelog (high-level):
  https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-249

  Git changelog, marking the three fixes that were already in 2.4.8_3
  as cherry-picks with a 1, 2, or 3 instead of "*" to correspond
  with the PORTREVISION, and those with "-" that are specific to other systems,
  say, Windows.

  * 9b0dafca 2020-04-16 | Preparing release v2.4.9 (ChangeLog, version.m4, Changes.rst) (tag: v2.4.9) [Gert Doering]
  3 f7b318f8 2020-04-15 | Fix illegal client float (CVE-2020-11810) [Lev Stipakov]
  * 9bb285e3 2020-03-13 | Fix broken async push with NCP is used [Lev Stipakov]
  - 5f8a9df1 2020-02-12 | Allow unicode search string in --cryptoapicert option [Selva Nair]
  - 4658b3b6 2020-02-12 | Skip expired certificates in Windows certificate store [Selva Nair]
  * df5ea7f1 2020-02-19 | Fix possible access of uninitialized pipe handles [Selva Nair]
  * 1d9e0be2 2020-02-19 | Fix possibly uninitialized return value in GetOpenvpnSettings() [Selva Nair]
  * 5ee76a8f 2020-03-28 | Fix OpenSSL 1.1.1 not using auto elliptic curve selection [Arne Schwabe]
  * ed925c0a 2020-04-07 | OpenSSL: Fix --crl-verify not loading multiple CRLs in one file [Maxim Plotnikov]
  * 2fe84732 2020-03-30 | When auth-user-pass file has no password query the management interface (if available). [Selva Nair]
  * 908eae5c 2020-04-03 | Move querying username/password from management interface to a function [Selva Nair]
  * 15bc476f 2020-04-02 | Fix OpenSSL error stack handling of tls_ctx_add_extra_certs [Arne Schwabe]
  * 22df79bb 2020-04-01 | Fetch OpenSSL versions via source/old links [Arne Schwabe]
  * 0efbd8e9 2020-03-31 | mbedTLS: Make sure TLS session survives move [Tom van Leeuwen]
  * 33395693 2020-03-25 | docs: Add reference to X509_LOOKUP_hash_dir(3) [WGH]
  * 7d19b2bb 2019-10-21 | Fix OpenSSL private key passphrase notices [Santtu Lakkala]
  2 8484f37a 2020-03-14 | Fix building with --enable-async-push in FreeBSD [Lev Stipakov]
  * 69bbfbdf 2020-02-18 | Swap the order of checks for validating interactive service user [Selva Nair]
  * 0ba4f916 2019-11-09 | socks: use the right function when printing struct openvpn_sockaddr [Antonio Quartulli]
  1 3bd91cd0 2019-10-30 | Fix broken fragmentation logic when using NCP [Lev Stipakov]

  PR:		244286 [1]
  MFH:		2020Q2 (patchlevel bugfix release)

Changes:
  head/security/openvpn/Makefile
  head/security/openvpn/distinfo
  head/security/openvpn/files/patch-CVE-2020-11810
  head/security/openvpn/files/patch-g3bd91cd-Fix-broken-fragmentation-logic-when-using-NCP
Comment 10 commit-hook freebsd_committer 2020-04-17 19:17:51 UTC
A commit references this bug:

Author: mandree
Date: Fri Apr 17 19:16:53 UTC 2020
New revision: 531963
URL: https://svnweb.freebsd.org/changeset/ports/531963

Log:
  MFH: r531957

  security/openvpn: update to 2.4.9 (also for -mbedtls slave port)

  At the same time, remove ASYNC_PUSH_LIBS workaround from [1].

  Changelog (high-level):
  https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-249

  Git changelog, marking the three fixes that were already in 2.4.8_3
  as cherry-picks with a 1, 2, or 3 instead of "*" to correspond
  with the PORTREVISION, and those with "-" that are specific to other systems,
  say, Windows.

  * 9b0dafca 2020-04-16 | Preparing release v2.4.9 (ChangeLog, version.m4, Changes.rst) (tag: v2.4.9) [Gert Doering]
  3 f7b318f8 2020-04-15 | Fix illegal client float (CVE-2020-11810) [Lev Stipakov]
  * 9bb285e3 2020-03-13 | Fix broken async push with NCP is used [Lev Stipakov]
  - 5f8a9df1 2020-02-12 | Allow unicode search string in --cryptoapicert option [Selva Nair]
  - 4658b3b6 2020-02-12 | Skip expired certificates in Windows certificate store [Selva Nair]
  * df5ea7f1 2020-02-19 | Fix possible access of uninitialized pipe handles [Selva Nair]
  * 1d9e0be2 2020-02-19 | Fix possibly uninitialized return value in GetOpenvpnSettings() [Selva Nair]
  * 5ee76a8f 2020-03-28 | Fix OpenSSL 1.1.1 not using auto elliptic curve selection [Arne Schwabe]
  * ed925c0a 2020-04-07 | OpenSSL: Fix --crl-verify not loading multiple CRLs in one file [Maxim Plotnikov]
  * 2fe84732 2020-03-30 | When auth-user-pass file has no password query the management interface (if available). [Selva Nair]
  * 908eae5c 2020-04-03 | Move querying username/password from management interface to a function [Selva Nair]
  * 15bc476f 2020-04-02 | Fix OpenSSL error stack handling of tls_ctx_add_extra_certs [Arne Schwabe]
  * 22df79bb 2020-04-01 | Fetch OpenSSL versions via source/old links [Arne Schwabe]
  * 0efbd8e9 2020-03-31 | mbedTLS: Make sure TLS session survives move [Tom van Leeuwen]
  * 33395693 2020-03-25 | docs: Add reference to X509_LOOKUP_hash_dir(3) [WGH]
  * 7d19b2bb 2019-10-21 | Fix OpenSSL private key passphrase notices [Santtu Lakkala]
  2 8484f37a 2020-03-14 | Fix building with --enable-async-push in FreeBSD [Lev Stipakov]
  * 69bbfbdf 2020-02-18 | Swap the order of checks for validating interactive service user [Selva Nair]
  * 0ba4f916 2019-11-09 | socks: use the right function when printing struct openvpn_sockaddr [Antonio Quartulli]
  1 3bd91cd0 2019-10-30 | Fix broken fragmentation logic when using NCP [Lev Stipakov]

  PR:		244286 [1]

  Approved by:	ports-secteam (joneum@)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/security/openvpn/Makefile
  branches/2020Q2/security/openvpn/distinfo
  branches/2020Q2/security/openvpn/files/patch-CVE-2020-11810
  branches/2020Q2/security/openvpn/files/patch-g3bd91cd-Fix-broken-fragmentation-logic-when-using-NCP