Date:      Sun, 14 Sep 2008 17:20:00 +0200 (CEST)
From:      Matthias Andree <matthias.andree@gmx.de>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/127378: [MAINTAINER] security/openvpn-devel: update to rc10 (from rc9)
Message-ID:  <20080914152000.AC58AC7F5@merlin.emma.line.org>
Resent-Message-ID: <200809141530.m8EFU1SC085104@freefall.freebsd.org>


>Number:         127378
>Category:       ports
>Synopsis:       [MAINTAINER] security/openvpn-devel: update to rc10 (from rc9)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Sep 14 15:30:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Matthias Andree
>Release:        FreeBSD 6.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD merlin.emma.line.org 6.3-STABLE FreeBSD 6.3-STABLE #36: Tue Jul 29 11:16:09 CEST 2008
>Description:
update to rc10 (from rc9), upstream ChangeLog:

| OpenVPN
| Copyright (C) 2002-2008 Telethra, Inc. <sales@openvpn.net>
| 
| $Id: ChangeLog 3323 2008-09-10 07:16:14Z james $
| 
| 2008.09.10 -- Version 2.1_rc10
| 
| * Added "--server-bridge" (without parameters) to enable
|   DHCP proxy mode:  Configure server mode for ethernet
|   bridging using a DHCP-proxy, where clients talk to the
|   OpenVPN server-side DHCP server to receive their IP address
|   allocation and DNS server addresses.
| 
| * Added "--route-gateway dhcp", to enable the extraction
|   of the gateway address from a DHCP negotiation with the
|   OpenVPN server-side LAN.
| 
| * Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns
|   on Windows.  If the bypass IP address is 0.0.0.0 or 255.255.255.255,
|   ignore it.
| 
| * Warn when ethernet bridging that the IP address of the bridge adapter
|   is probably not the same address that the LAN adapter was set to
|   previously.
| 
| * When running as a server, warn if the LAN network address is
|   the all-popular 192.168.[0|1].x, since this condition commonly
|   leads to subnet conflicts down the road.
| 
| * Primarily on the client, check for subnet conflicts between
|   the local LAN and the VPN subnet.
| 
| * Added a 'netmask' parameter to get_default_gateway, to return
|   the netmask of the adapter containing the default gateway.
|   Only implemented on Windows so far.  Other platforms will
|   return 255.255.255.0.  Currently the netmask information is
|   only used to warn about subnet conflicts.
| 
| * Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO
|   and USE_SSL flags are enabled (Alon Bar-Lev).
| 
| * Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new
|   --script-security rules.  Also adds retrying if the addresses are in
|   use (Matthias Andree).
| 
| * Fixed build issue with ./configure --disable-socks --disable-http.
| 
| * Fixed separate compile errors in options.c and ntlm.c that occur
|   on strict C compilers (such as old versions of gcc) that require
|   that C variable declarations occur at the start of a {} block,
|   not in the middle.
| 
| * Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which
|   the new implementation of extract_x509_field_ssl depends on.
| 
| * LZO compression buffer overflow errors will now invalidate
|   the packet rather than trigger a fatal assertion.
| 
| * Fixed minor compile issue in ntlm.c (mid-block declaration).
| 
| * Added --allow-pull-fqdn option which allows client to pull DNS names
|   from server (rather than only IP address) for --ifconfig, --route, and
|   --route-gateway.  OpenVPN versions 2.1_rc7 and earlier allowed DNS names
|   for these options to be pulled and translated to IP addresses by default.
|   Now --allow-pull-fqdn will be explicitly required on the client to enable
|   DNS-name-to-IP-address translation of pulled options.
| 
| * 2.1_rc8 and earlier did implicit shell expansion on script
|   arguments since all scripts were called by system().
|   The security hardening changes made to 2.1_rc9 no longer
|   use system(), but rather use the safer execve or CreateProcess
|   system calls.  The security hardening also introduced a
|   backward incompatibility with 2.1_rc8 and earlier in that
|   script parameters were no longer shell-expanded, so
|   for example:
| 
|     client-connect "docc CLIENT-CONNECT"
| 
|   would fail to work because execve would try to execute
|   a script called "docc CLIENT-CONNECT" instead of "docc"
|   with "CLIENT-CONNECT" as the first argument.
| 
|   This patch fixes the issue, bringing the script argument
|   semantics back to pre 2.1_rc9 behavior in order to preserve
|   backward compatibility while still using execve or CreateProcess
|   to execute the script/executable.
| 
| * Modified ip_or_dns_addr_safe, which validates pulled DNS names,
|   to more closely conform to RFC 3696:
| 
|   (1) DNS name length must not exceed 255 characters
| 
|   (2) DNS name characters must be limited to alphanumeric,
|       dash ('-'), and dot ('.')
| 
| * Fixed bug in intra-session TLS key rollover that was introduced with
|   deferred authentication features in 2.1_rc8.
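
The script-argument regression described in the ChangeLog above (arguments no longer split once system() was replaced by execve), as an added example that is not part of the ChangeLog or of OpenVPN's own code: a whitespace tokenizer that turns an option value such as `docc CLIENT-CONNECT` into an argv[] array and hands it to execv without involving a shell, so `$HOME`, `;` and similar characters reach the program literally. The function names, the 256-byte buffer limit and the use of /bin/echo in main are this example's own assumptions; OpenVPN's real implementation may differ in detail.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_SCRIPT_ARGS 32   /* example limit, not an OpenVPN constant */

/* Split an option value such as `client-connect "docc CLIENT-CONNECT"` on
 * spaces and tabs into an argv[] array without consulting a shell.
 * `buf` is modified in place (separators become NUL) and argv[] points into it.
 * Returns argc, or -1 if more than max-1 words were found. */
int split_script_args(char *buf, char *argv[], int max)
{
    int argc = 0;
    char *p = buf;

    while (*p != '\0') {
        while (*p == ' ' || *p == '\t')
            p++;                        /* skip leading separators */
        if (*p == '\0')
            break;
        if (argc >= max - 1)
            return -1;                  /* keep room for the NULL terminator */
        argv[argc++] = p;
        while (*p != '\0' && *p != ' ' && *p != '\t')
            p++;                        /* advance to the end of the word */
        if (*p != '\0')
            *p++ = '\0';                /* terminate the word, step past separator */
    }
    argv[argc] = NULL;
    return argc;
}

/* Check helpers working on a constant spec (copied first, because
 * split_script_args writes into its buffer). */
int count_script_args(const char *spec)
{
    char buf[256];
    char *argv[MAX_SCRIPT_ARGS];
    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    return split_script_args(buf, argv, MAX_SCRIPT_ARGS);
}

int script_arg_equals(const char *spec, int n, const char *expected)
{
    char buf[256];
    char *argv[MAX_SCRIPT_ARGS];
    if (strlen(spec) >= sizeof buf)
        return 0;
    strcpy(buf, spec);
    int argc = split_script_args(buf, argv, MAX_SCRIPT_ARGS);
    return n >= 0 && argc > n && strcmp(argv[n], expected) == 0;
}

/* Run the program named by `spec`, appending one extra argument the way
 * OpenVPN appends script parameters. fork+execv, never a shell: whatever is
 * in argv is passed to the program literally. Returns the child's exit
 * status, or -1 on failure. */
int run_script_noshell(const char *spec, const char *extra_arg)
{
    char buf[256];
    char *argv[MAX_SCRIPT_ARGS];
    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    int argc = split_script_args(buf, argv, MAX_SCRIPT_ARGS - 1);
    if (argc < 1)
        return -1;
    argv[argc++] = (char *)extra_arg;
    argv[argc] = NULL;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);           /* no PATH search, no shell */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* The ChangeLog case: with execve alone the kernel would look for a file
     * literally named "docc CLIENT-CONNECT"; after splitting, argv[0] is "docc". */
    printf("%d words in \"docc CLIENT-CONNECT\"\n",
           count_script_args("docc CLIENT-CONNECT"));
    /* /bin/echo prints the literal string "$HOME": nothing expanded it. */
    return run_script_noshell("/bin/echo no-expansion:", "$HOME") == 0 ? 0 : 1;
}
```

The design point is that splitting happens on the configuration string only, once, at parse time; the parameters OpenVPN appends later (the client-connect argument here) are added as separate argv entries and are never re-tokenized, which is what keeps values containing spaces or shell metacharacters from changing the command.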
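
A second added example, again not from the ChangeLog or from OpenVPN, for the ip_or_dns_addr_safe rules listed above: `pulled_dns_name_safe` applies exactly the two stated checks (at most 255 characters; only alphanumerics, '-' and '.'), and `pulled_dns_name_strict` goes beyond the ChangeLog by also enforcing the RFC 3696 label rules (1 to 63 characters per dot-separated label, no leading or trailing '-'). The function names, the rejection of the empty string and the acceptance of a single trailing '.' are this example's assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define DNS_NAME_MAX 255   /* rule (1) from the ChangeLog */

/* True if `name` may be accepted as a pulled DNS name under the two rules the
 * ChangeLog states: length <= 255 and only alphanumerics, '-' and '.'.
 * Rejecting the empty string is this example's assumption. */
bool pulled_dns_name_safe(const char *name)
{
    if (name == NULL)
        return false;
    size_t len = strlen(name);
    if (len == 0 || len > DNS_NAME_MAX)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return false;   /* space, '/', '$', ';', '_' ... all end up here */
    }
    return true;
}

/* Stricter variant (beyond the ChangeLog): also enforce RFC 3696 label rules.
 * Each label is 1..63 characters and does not start or end with '-'.
 * A single trailing '.' (absolute name) is accepted; "a..b" and "." are not. */
bool pulled_dns_name_strict(const char *name)
{
    if (!pulled_dns_name_safe(name))
        return false;
    const char *label = name;
    for (;;) {
        const char *dot = strchr(label, '.');
        size_t llen = dot ? (size_t)(dot - label) : strlen(label);
        if (llen == 0 || llen > 63)
            return false;               /* empty or over-long label */
        if (label[0] == '-' || label[llen - 1] == '-')
            return false;               /* hyphen at label edge */
        if (!dot || dot[1] == '\0')
            return true;                /* that was the last label */
        label = dot + 1;
    }
}

/* Build a name of n letters 'a' and run the chosen check on it; used to probe
 * the 255-character and 63-character limits without long string literals. */
bool repeated_a_name_ok(size_t n, bool strict)
{
    char buf[512];
    if (n >= sizeof buf)
        return false;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return strict ? pulled_dns_name_strict(buf) : pulled_dns_name_safe(buf);
}
```

The character whitelist is the part that matters for the --allow-pull-fqdn change above: a pulled name is later handed to --ifconfig, --route and --route-gateway processing, so refusing anything outside alphanumerics, '-' and '.' before resolution keeps whitespace and shell-significant characters out of that path entirely. Note that plain dotted IPv4 addresses also pass `pulled_dns_name_safe`, which is why a caller still needs its own address check first.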
 
Added file(s):
- files/patch-t_cltsrv-down.sh

Removed file(s):
- files/patch-update-t_cltsrv

Generated with FreeBSD Port Tools 0.77
>How-To-Repeat:
>Fix:

--- openvpn-devel-2.1.r10.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/security/openvpn-devel/Makefile /usr/home/emma/ports/security/openvpn-devel/Makefile
--- /usr/ports/security/openvpn-devel/Makefile	2008-08-21 08:18:19.000000000 +0200
+++ /usr/home/emma/ports/security/openvpn-devel/Makefile	2008-09-14 17:06:01.000000000 +0200
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	openvpn
-DISTVERSION=	2.1_rc9
+DISTVERSION=	2.1_rc10
 CATEGORIES=	security net
 MASTER_SITES=	http://openvpn.net/release/
 PKGNAMESUFFIX=	-devel
diff -ruN --exclude=CVS /usr/ports/security/openvpn-devel/distinfo /usr/home/emma/ports/security/openvpn-devel/distinfo
--- /usr/ports/security/openvpn-devel/distinfo	2008-08-10 23:48:26.000000000 +0200
+++ /usr/home/emma/ports/security/openvpn-devel/distinfo	2008-09-14 17:07:11.000000000 +0200
@@ -1,3 +1,3 @@
-MD5 (openvpn-2.1_rc9.tar.gz) = f435e4ad43cf4323e942da570bae4951
-SHA256 (openvpn-2.1_rc9.tar.gz) = f73ec227a5fb7f4c73190e7ae52a59a4db149e8d628f22e8a0a762a58fbb424d
-SIZE (openvpn-2.1_rc9.tar.gz) = 818716
+MD5 (openvpn-2.1_rc10.tar.gz) = b24904bd5f6e6fb4e863912743981b99
+SHA256 (openvpn-2.1_rc10.tar.gz) = f519db54cf7c7fe201eca7f8d405573acdde353e6f8c3aa39e34e2082edfb002
+SIZE (openvpn-2.1_rc10.tar.gz) = 824339
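Review bot: the new MD5/SHA256/SIZE lines cannot be verified from the diff alone; before committing, regenerate distinfo with `make makesum` against a freshly fetched openvpn-2.1_rc10.tar.gz from MASTER_SITES and confirm it matches this hunk, since the SHA256 here is the only integrity check the port applies to the upstream tarball.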
diff -ruN --exclude=CVS /usr/ports/security/openvpn-devel/files/patch-t_cltsrv-down.sh /usr/home/emma/ports/security/openvpn-devel/files/patch-t_cltsrv-down.sh
--- /usr/ports/security/openvpn-devel/files/patch-t_cltsrv-down.sh	1970-01-01 01:00:00.000000000 +0100
+++ /usr/home/emma/ports/security/openvpn-devel/files/patch-t_cltsrv-down.sh	2008-09-14 17:10:11.000000000 +0200
@@ -0,0 +1,5 @@
+--- ./t_cltsrv-down.sh.orig	2008-08-07 23:24:40.000000000 +0200
++++ ./t_cltsrv-down.sh	2008-08-07 23:28:40.000000000 +0200
+@@ -0,0 +1,2 @@
++#! /bin/sh
++echo "${role}:${signal}" >&3
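Review bot: a file created by a ports patch carries no executable bit, yet t_cltsrv-down.sh is handed to --down to be exec'd. The files/patch-update-t_cltsrv removed elsewhere in this diff supplied the `test -x $downscript || chmod +x $downscript` guard in t_cltsrv.sh; confirm that the t_cltsrv.sh shipped in rc10 still performs that chmod (or have the port do it after patching), otherwise `make check` will fail with a permission error when OpenVPN tries to run the down script.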
diff -ruN --exclude=CVS /usr/ports/security/openvpn-devel/files/patch-update-t_cltsrv /usr/home/emma/ports/security/openvpn-devel/files/patch-update-t_cltsrv
--- /usr/ports/security/openvpn-devel/files/patch-update-t_cltsrv	2008-08-10 23:52:04.000000000 +0200
+++ /usr/home/emma/ports/security/openvpn-devel/files/patch-update-t_cltsrv	1970-01-01 01:00:00.000000000 +0100
@@ -1,23 +0,0 @@
---- ./t_cltsrv.sh.orig	2008-08-07 23:14:55.000000000 +0200
-+++ ./t_cltsrv.sh	2008-08-07 23:53:27.000000000 +0200
-@@ -38,11 +38,13 @@
-     fi
-     ;;
- esac
-+downscript="${srcdir}/t_cltsrv-down.sh"
-+test -x $downscript || chmod +x $downscript || { echo >&2 "$downscript is not executable, failing." ; exit 1 ; }
- echo "the following test will take about two minutes..." >&2
- set +e
- (
--./openvpn --cd "${srcdir}" ${addopts} --down 'echo "srv:${signal}" >&3 ; : #' --tls-exit --ping-exit 180 --config sample-config-files/loopback-server &
--./openvpn --cd "${srcdir}" ${addopts} --down 'echo "clt:${signal}" >&3 ; : #' --tls-exit --ping-exit 180 --config sample-config-files/loopback-client
-+./openvpn --script-security 2 --cd "${srcdir}" ${addopts} --setenv role srv --down "$downscript" --tls-exit --ping-exit 180 --config sample-config-files/loopback-server &
-+./openvpn --script-security 2 --cd "${srcdir}" ${addopts} --setenv role clt --down "$downscript" --tls-exit --ping-exit 180 --config sample-config-files/loopback-client
- ) 3>log.$$.signal >log.$$ 2>&1
- e1=$?
- wait $!
---- ./t_cltsrv-down.sh.orig	2008-08-07 23:24:40.000000000 +0200
-+++ ./t_cltsrv-down.sh	2008-08-07 23:28:40.000000000 +0200
-@@ -0,0 +1,2 @@
-+#! /bin/sh
-+echo "${role}:${signal}" >&3
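Review bot: dropping this patch is consistent with the ChangeLog entry "Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new --script-security rules", but the down script that is re-added as files/patch-t_cltsrv-down.sh depends on the `--setenv role srv`/`--setenv role clt` and `--script-security 2` arguments these removed lines passed; check that the upstream rc10 t_cltsrv.sh still passes both, since without --setenv the script's `${role}` expands to nothing and the signal log loses its srv:/clt: prefix.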
--- openvpn-devel-2.1.r10.patch ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:


