git: e8b825e62c8e - 2025Q1 - security/easy-rsa: report weak build-ca crypto on CA private keys
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 31 Jan 2025 21:12:26 UTC
The branch 2025Q1 has been updated by mandree:
URL: https://cgit.FreeBSD.org/ports/commit/?id=e8b825e62c8ed415b2e9b37c78304f7ad044fb63
commit e8b825e62c8ed415b2e9b37c78304f7ad044fb63
Author: Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2025-01-31 21:10:58 +0000
Commit: Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2025-01-31 21:11:43 +0000
security/easy-rsa: report weak build-ca crypto on CA private keys
By adding to UPDATING and pkg-message, and bumping PORTREVISION so
as to trigger updates that show these messages so that
easyrsa users can re-encrypt their CA private keys with AES instead of
Triple-DES.
It is pointless to add vuln.xml, supported port branch versions,
main and 2025Q1, already carry a bugfixed Easy-RSA version.
Reported by: pkelsey@
Security: CVE-2024-13454
MFH: 2025Q1
(cherry picked from commit d8c76b98576f28d468d2aa9ecd6b7d8cad93046f)
(cherry picked from commit cccf1379f3cfc4148193c63927393bcf9eda1264)
---
UPDATING | 15 +++++++++++++++
security/easy-rsa/Makefile | 2 +-
security/easy-rsa/files/pkg-message.in | 18 ++++++++++++++++++
3 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/UPDATING b/UPDATING
index 7c86848c4d8d..6afd5780e242 100644
--- a/UPDATING
+++ b/UPDATING
@@ -5,6 +5,21 @@ they are unavoidable.
You should get into the habit of checking this file for changes each time
you update your ports collection, before attempting any port upgrades.
+20250131:
+ AFFECTS: users of security/easy-rsa
+ AUTHOR: mandree@FreeBSD.org
+
+ easy-rsa (easyrsa) versions between 3.0.5 and 3.1.7 inclusively
+ may have chosen the wrong, a weak, cipher (des-ede3-cbc) when
+ encrypting the CA private keys with the build-ca command, when
+ running on a system where openssl was OpenSSL 3.
+
+ Such CA private keys should be re-encrypted with a stronger cipher
+ in order to protect them better, after upgrading EasyRSA to 3.2.1.
+ To that end, the easyrsa set-pass ca command can be used.
+
+ Details: https://community.openvpn.net/openvpn/wiki/CVE-2024-13454
+
20250109:
AFFECTS: users of www/kiwix-tools and devel/libkiwix
AUTHOR: olce@FreeBSD.org
diff --git a/security/easy-rsa/Makefile b/security/easy-rsa/Makefile
index e9599b1438cd..9eda71b01c86 100644
--- a/security/easy-rsa/Makefile
+++ b/security/easy-rsa/Makefile
@@ -1,6 +1,6 @@
PORTNAME= easy-rsa
DISTVERSION= 3.2.1
-PORTREVISION= 1
+PORTREVISION= 3
PORTEPOCH= 1
CATEGORIES= security net-mgmt
MASTER_SITES= https://github.com/OpenVPN/easy-rsa/releases/download/v${DISTVERSION}/ \
diff --git a/security/easy-rsa/files/pkg-message.in b/security/easy-rsa/files/pkg-message.in
index 698bf9ad17fb..2efeed9ffba5 100644
--- a/security/easy-rsa/files/pkg-message.in
+++ b/security/easy-rsa/files/pkg-message.in
@@ -13,3 +13,21 @@ An on-line help is available, you can run:
easyrsa help # for help on commands
easyrsa help options # for help on options
+**** SECURITY WARNING FOR PAST security/easy-rsa versions ****
+**** easyrsa may have encrypted your CA private key with a weak cipher
+
+Per CVE-2024-13454, Easy-RSA 3.0.5 inclusively up to and including 3.1.7,
+when used with OpenSSL 3, may have accidentally encrypted the CA private
+key with a weak cipher, des-ede3-cbc, instead of the intended aes-256-cbc,
+when a CA was created with the easyrsa build-ca command.
+
+Such mistakes cannot be corrected by upgrading Easy-RSA alone.
+
+The standing recommendation for CA private keys is to
+re-encrypt the CA privat keys with the aes-256-cbc cipher,
+by using the easyrsa set-pass ca command.
+
+For details, see https://community.openvpn.net/openvpn/wiki/CVE-2024-13454.
+
+**** END SECURITY WARNING FOR PAST security/easy-rsa versions ****
+