From nobody Tue Nov 21 18:12:46 2023 X-Original-To: dev-commits-ports-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4SZXXv0tBfz523QR; Tue, 21 Nov 2023 18:12:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4SZXXv0G1gz4mg2; Tue, 21 Nov 2023 18:12:47 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1700590367; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=/JCciaBwhsi23allPeWxRwKUhTXpZBhvRKRc/qSrT/4=; b=OXfOWAS9HRj8U9xkRm7+4/T+7+rTVv5RGSOuxyWbgavJIB2yUz+5b6uhhLuVNyQ9c3ueca jJ8EFXsbEHWp6x9MnRlOKwP9WGH7YdW2eAHYkPm/vkr3BUtWP90W6QbncwX/HeUZo7rpwj cprpL/0L9cKaqq3f/zVRQeVdXOae9bCuKBXtC8xCVI9UvyatBy6L5c3ER/PtWG3rGuGQ1o uBTar1GLGgfUPOAtjf7q8HypPGNOy8pRwFjaQa2bUWya8IaoP61ywvrycRghCCtZbYkVeG fgFWc8veqXINn3KauXl+J1cNwPQyL0mr/n0YdvPlQgbkK+Dl/IFSuuAsuokH7g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1700590367; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=/JCciaBwhsi23allPeWxRwKUhTXpZBhvRKRc/qSrT/4=; b=Gt2aHPCwi5/iC9ax46SXRyspqW33gP85f0HNzXXNkWnxDDwO4UNSCvZbyboXcid9FJawT9 Xfo4GW2gcIU+xSv3gMrUkQ6mrGWUMa5LCI9fm1BZDdTNRH14iopgOLJ3qee0UxGBuYpfrx Ges9GEVspRXF360V3tAM6Q973WOkQ5Ys6S9n7t2yR93E85hY8OjLnf/zrHl0RB/KLElcoD 8jOpqsJ9PGn2FV8ii6XCkR9Wogskr0KN5gM4fvXQ/Us4gSyPcTUG6DvWmt+rMpR7qWhfJ8 +abzibBZ1s8ezNELOlidMJfVbIV/tDFTyaIA/fVdM6v19nWd7qEq2Hq/xQriqw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1700590367; a=rsa-sha256; cv=none; b=ffX7cLGZRPad4YBdBiOU7WeDOp55m5bXSW6QjNyZkA85n8IkLW9hJZGnWUivpNSmOCmljS 3yP/f14PLE4k8+OCDqJKO9L9ZEcHUss0SoWx8P3ogSRKrxB4jqAl03ETV97bRO4x7KlcCX IMQ2XEa1tJcoYF1mYK3hlKAkLaRIeAhLfG1Y9Xxf16N7ZZc/Z2HCfotXBXXddFqRyi+5yP AvQlDAePkyVI52g/G5s2GYG5XHZL8RMJQpWg3AB6WZBZiU4f5PBGU1wIJBc2D2RH7qDoSn Kq4G3hupAKmvA+S1njUNsQrfM9otUrFa9rErSNblY4nSJf+KmghxdORmhm2ybw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4SZXXt6RCWzln3; Tue, 21 Nov 2023 18:12:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 3ALICkt5012359; Tue, 21 Nov 2023 18:12:46 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 3ALICktD012356; Tue, 21 Nov 2023 18:12:46 GMT (envelope-from git) Date: Tue, 21 Nov 2023 18:12:46 GMT Message-Id: <202311211812.3ALICktD012356@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org From: Matthias Andree Subject: git: 7120e2cc618b - 2023Q4 - security/openvpn: update to 2.6.8 bug-fix release List-Id: Commits to the quarterly branches of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-branches@freebsd.org X-BeenThere: dev-commits-ports-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: mandree X-Git-Repository: ports X-Git-Refname: refs/heads/2023Q4 X-Git-Reftype: branch X-Git-Commit: 7120e2cc618b1572f3d7c680e318355395ac2959 Auto-Submitted: auto-generated The branch 2023Q4 has been updated by mandree: URL: https://cgit.FreeBSD.org/ports/commit/?id=7120e2cc618b1572f3d7c680e318355395ac2959 commit 7120e2cc618b1572f3d7c680e318355395ac2959 Author: Matthias Andree AuthorDate: 2023-11-21 17:03:09 +0000 Commit: Matthias Andree CommitDate: 2023-11-21 17:50:12 +0000 security/openvpn: update to 2.6.8 bug-fix release hopefully fixes... PR: 275206 Changelog: https://github.com/OpenVPN/openvpn/blob/v2.6.8/Changes.rst#overview-of-changes-in-268 MFH: 2023Q4 (cherry picked from commit f6ef06771b5a341e91ea38b0d758c4cf614f1b3c) --- security/openvpn/Makefile | 4 +- security/openvpn/distinfo | 6 +- ...ch-git-457f468a76f324a14b1236988cc5f5a95f14abf5 | 89 ---------------------- ...ch-git-a903ebe9361d451daee71c225e141f4e1b67107d | 48 ------------ 4 files changed, 5 insertions(+), 142 deletions(-) diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile index 18f50eac70b2..9a7597924532 100644 --- a/security/openvpn/Makefile +++ b/security/openvpn/Makefile @@ -1,6 +1,6 @@ PORTNAME= openvpn -DISTVERSION= 2.6.7 -PORTREVISION?= 1 +DISTVERSION= 2.6.8 +PORTREVISION?= 0 CATEGORIES= security net net-vpn MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \ https://build.openvpn.net/downloads/releases/ \ diff --git a/security/openvpn/distinfo b/security/openvpn/distinfo index ca10ef7b6996..8e92d4543863 100644 --- a/security/openvpn/distinfo +++ b/security/openvpn/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1699892936 -SHA256 (openvpn-2.6.7.tar.gz) = ee9877340b1d8de47eb5b52712c3366855fa6a4a1955bf950c68577bd2039913 -SIZE (openvpn-2.6.7.tar.gz) = 1895682 +TIMESTAMP = 1700585155 +SHA256 (openvpn-2.6.8.tar.gz) = 5ede1565c8a6d880100f7f235317a7ee9eea83d5052db5547f13a9e76af7805d +SIZE (openvpn-2.6.8.tar.gz) = 1896563 diff --git a/security/openvpn/files/patch-git-457f468a76f324a14b1236988cc5f5a95f14abf5 b/security/openvpn/files/patch-git-457f468a76f324a14b1236988cc5f5a95f14abf5 deleted file mode 100644 index 9939c46f3d36..000000000000 --- a/security/openvpn/files/patch-git-457f468a76f324a14b1236988cc5f5a95f14abf5 +++ /dev/null @@ -1,89 +0,0 @@ -From 457f468a76f324a14b1236988cc5f5a95f14abf5 Mon Sep 17 00:00:00 2001 -From: Aquila Macedo -Date: Thu, 19 Oct 2023 16:40:49 -0300 -Subject: [PATCH] doc: Correct typos in multiple documentation files - -Fixed typographical errors in various documentation files for improved clarity and readability. - -Signed-off-by: Aquila Macedo -Acked-by: Frank Lichtenheld -Message-Id: <4a3a9f1d691704f25f07653bb0de2583@riseup.net> -URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27320.html -Signed-off-by: Gert Doering -(cherry picked from commit 20c42b89f6d38a4426b5fe67f59acaadcb9ac314) ---- - doc/man-sections/client-options.rst | 4 ++-- - doc/man-sections/generic-options.rst | 2 +- - doc/man-sections/server-options.rst | 2 +- - doc/man-sections/vpn-network-options.rst | 2 +- - src/openvpn/options.c | 2 +- - 5 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst -index 3616ed7f3f8..54c4ec63073 100644 ---- ./doc/man-sections/client-options.rst -+++ b/doc/man-sections/client-options.rst -@@ -51,9 +51,9 @@ configuration. - react according to ``--auth-retry`` - - --auth-token-user base64username -- Companion option to ``--auth-token``. This options allows to override -+ Companion option to ``--auth-token``. This options allows one to override - the username used by the client when reauthenticating with the ``auth-token``. -- It also allows to use ``--auth-token`` in setups that normally do not use -+ It also allows one to use ``--auth-token`` in setups that normally do not use - username and password. - - The username has to be base64 encoded. -diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst -index 97e1b5aa610..95e4ca233bd 100644 ---- ./doc/man-sections/generic-options.rst -+++ b/doc/man-sections/generic-options.rst -@@ -483,7 +483,7 @@ which mode OpenVPN is configured as. - - * :code:`OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY` plug-in hooks returns - success/failure via :code:`auth_control_file` when using deferred auth -- method and pending authentification via :code:`pending_auth_file`. -+ method and pending authentication via :code:`pending_auth_file`. - - --use-prediction-resistance - Enable prediction resistance on mbed TLS's RNG. -diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst -index 6b9ad21b816..e7a7b2dba43 100644 ---- ./doc/man-sections/server-options.rst -+++ b/doc/man-sections/server-options.rst -@@ -739,7 +739,7 @@ fast hardware. SSL/TLS authentication must be used in this mode. - - --vlan-pvid v - Specifies which VLAN identifier a "port" is associated with. Only valid -- when ``--vlan-tagging`` is speficied. -+ when ``--vlan-tagging`` is specified. - - In the client context, the setting specifies which VLAN ID a client is - associated with. In the global context, the VLAN ID of the server TAP -diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst -index 3fa3ccf1073..41d367bfd0e 100644 ---- ./doc/man-sections/vpn-network-options.rst -+++ b/doc/man-sections/vpn-network-options.rst -@@ -548,7 +548,7 @@ routing. - It's best to use the ``--fragment`` and/or ``--mssfix`` options to deal - with MTU sizing issues. - -- Note: Depending on the platform, the operating system allows to receive -+ Note: Depending on the platform, the operating system allows one to receive - packets larger than ``tun-mtu`` (e.g. Linux and FreeBSD) but other platforms - (like macOS) limit received packets to the same size as the MTU. - -diff --git a/src/openvpn/options.c b/src/openvpn/options.c -index 631ac73db8f..895ce830f6a 100644 ---- ./src/openvpn/options.c -+++ b/src/openvpn/options.c -@@ -598,7 +598,7 @@ static const char usage_message[] = - " Windows Certificate System Store.\n" - #endif - "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n" -- "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n" -+ "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n" - " : Use --show-tls to see a list of supported TLS ciphers (suites).\n" - "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n" - " (default=legacy).\n" diff --git a/security/openvpn/files/patch-git-a903ebe9361d451daee71c225e141f4e1b67107d b/security/openvpn/files/patch-git-a903ebe9361d451daee71c225e141f4e1b67107d deleted file mode 100644 index 4c347593ac7a..000000000000 --- a/security/openvpn/files/patch-git-a903ebe9361d451daee71c225e141f4e1b67107d +++ /dev/null @@ -1,48 +0,0 @@ -From a903ebe9361d451daee71c225e141f4e1b67107d Mon Sep 17 00:00:00 2001 -From: Arne Schwabe -Date: Wed, 15 Nov 2023 11:33:31 +0100 -Subject: [PATCH] Do not check key_state buffers that are in S_UNDEF state - -When a key_state is in S_UNDEF the send_reliable is not initialised. So -checking it might access invalid memory or null pointers. - -Github: fixes OpenVPN/openvpn#449 - -Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac -[a@unstable.cc: add check for !send_reliable and message] -Signed-off-by: Arne Schwabe -Acked-by: Gert Doering -Message-Id: <20231115103331.18050-1-gert@greenie.muc.de> -URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27401.html -Signed-off-by: Gert Doering ---- - src/openvpn/ssl.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c -index cee4afe19f3..b4cd8f5a567 100644 ---- ./src/openvpn/ssl.c -+++ b/src/openvpn/ssl.c -@@ -3189,6 +3189,22 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session) - for (int i = 0; i < KS_SIZE; i++) - { - struct key_state *ks = &session->key[i]; -+ if (ks->state == S_UNDEF) -+ { -+ continue; -+ } -+ -+ /* we don't expect send_reliable to be NULL when state is -+ * not S_UNDEF, but people have reported crashes nonetheless, -+ * therefore we better catch this event, report and exit. -+ */ -+ if (!ks->send_reliable) -+ { -+ msg(M_FATAL, "ERROR: session->key[%d]->send_reliable is NULL " -+ "while key state is %s. Exiting.", -+ i, state_name(ks->state)); -+ } -+ - for (int j = 0; j < ks->send_reliable->size; j++) - { - if (ks->send_reliable->array[i].buf.data == dataptr)