git: d8c76b98576f - main - security/easy-rsa: report weak build-ca crypto on CA private keys
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 31 Jan 2025 21:04:10 UTC
The branch main has been updated by mandree:
URL: https://cgit.FreeBSD.org/ports/commit/?id=d8c76b98576f28d468d2aa9ecd6b7d8cad93046f
commit d8c76b98576f28d468d2aa9ecd6b7d8cad93046f
Author: Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2025-01-31 20:59:11 +0000
Commit: Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2025-01-31 21:03:50 +0000
security/easy-rsa: report weak build-ca crypto on CA private keys
By adding to UPDATING and pkg-message, and bumping PORTREVISION so
as to trigger updates that show these messages so that
easyrsa users can re-encrypt their CA private keys with AES instead of
Triple-DES.
It is pointless to add vuln.xml, supported port branch versions,
main and 2025Q1, already carry a bugfixed Easy-RSA version.
Reported by: pkelsey@
Security: CVE-2024-13454
MFH: 2025Q1
---
UPDATING | 15 +++++++++++++++
security/easy-rsa/Makefile | 2 +-
security/easy-rsa/pkg-message | 19 +++++++++++++++++++
3 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/UPDATING b/UPDATING
index db617a99b66b..9e94cd674a8e 100644
--- a/UPDATING
+++ b/UPDATING
@@ -5,6 +5,21 @@ they are unavoidable.
You should get into the habit of checking this file for changes each time
you update your ports collection, before attempting any port upgrades.
+20250131:
+ AFFECTS: users of security/easy-rsa
+ AUTHOR: mandree@FreeBSD.org
+
+ easy-rsa (easyrsa) versions between 3.0.5 and 3.1.7 inclusively
+ may have chosen the wrong, a weak, cipher (des-ede3-cbc) when
+ encrypting the CA private keys with the build-ca command, when
+ running on a system where openssl was OpenSSL 3.
+
+ Such CA private keys should be re-encrypted with a stronger cipher
+ in order to protect them better, after upgrading EasyRSA to 3.2.1.
+ To that end, the easyrsa set-pass ca command can be used.
+
+ Details: https://community.openvpn.net/openvpn/wiki/CVE-2024-13454
+
20250125:
AFFECTS: users of www/apache24
AUTHOR: brnrd@FreeBSD.org
diff --git a/security/easy-rsa/Makefile b/security/easy-rsa/Makefile
index e9599b1438cd..621d400b5700 100644
--- a/security/easy-rsa/Makefile
+++ b/security/easy-rsa/Makefile
@@ -1,6 +1,6 @@
PORTNAME= easy-rsa
DISTVERSION= 3.2.1
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 1
CATEGORIES= security net-mgmt
MASTER_SITES= https://github.com/OpenVPN/easy-rsa/releases/download/v${DISTVERSION}/ \
diff --git a/security/easy-rsa/pkg-message b/security/easy-rsa/pkg-message
new file mode 100644
index 000000000000..4878550b10ba
--- /dev/null
+++ b/security/easy-rsa/pkg-message
@@ -0,0 +1,19 @@
+
+**** SECURITY WARNING FOR PAST security/easy-rsa versions ****
+**** easyrsa may have encrypted your CA private key with a weak cipher
+
+Per CVE-2024-13454, Easy-RSA 3.0.5 inclusively up to and including 3.1.7,
+when used with OpenSSL 3, may have accidentally encrypted the CA private
+key with a weak cipher, des-ede3-cbc, instead of the intended aes-256-cbc,
+when a CA was created with the easyrsa build-ca command.
+
+Such mistakes cannot be corrected by upgrading Easy-RSA alone.
+
+The standing recommendation for CA private keys is to
+re-encrypt the CA privat keys with the aes-256-cbc cipher,
+by using the easyrsa set-pass ca command.
+
+For details, see https://community.openvpn.net/openvpn/wiki/CVE-2024-13454.
+
+**** END SECURITY WARNING FOR PAST security/easy-rsa versions ****
+