git: cccf1379f3cf - main - security/easy-rsa: report weak build-ca crypto on CA private keys
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 31 Jan 2025 21:07:51 UTC
The branch main has been updated by mandree:
URL: https://cgit.FreeBSD.org/ports/commit/?id=cccf1379f3cfc4148193c63927393bcf9eda1264
commit cccf1379f3cfc4148193c63927393bcf9eda1264
Author: Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2025-01-31 21:06:09 +0000
Commit: Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2025-01-31 21:07:29 +0000
security/easy-rsa: report weak build-ca crypto on CA private keys
This version folds the message into files/pkg-message.in (which
overwrote pkg-message in PORTREVISION 2 of this change.)
By adding to UPDATING and pkg-message, and bumping PORTREVISION so
as to trigger updates that show these messages so that
easyrsa users can re-encrypt their CA private keys with AES instead of
Triple-DES.
It is pointless to add vuln.xml, supported port branch versions,
main and 2025Q1, already carry a bugfixed Easy-RSA version.
Reported by: pkelsey@
Security: CVE-2024-13454
MFH: 2025Q1
---
security/easy-rsa/Makefile | 2 +-
security/easy-rsa/files/pkg-message.in | 18 ++++++++++++++++++
security/easy-rsa/pkg-message | 19 -------------------
3 files changed, 19 insertions(+), 20 deletions(-)
diff --git a/security/easy-rsa/Makefile b/security/easy-rsa/Makefile
index 621d400b5700..9eda71b01c86 100644
--- a/security/easy-rsa/Makefile
+++ b/security/easy-rsa/Makefile
@@ -1,6 +1,6 @@
PORTNAME= easy-rsa
DISTVERSION= 3.2.1
-PORTREVISION= 2
+PORTREVISION= 3
PORTEPOCH= 1
CATEGORIES= security net-mgmt
MASTER_SITES= https://github.com/OpenVPN/easy-rsa/releases/download/v${DISTVERSION}/ \
diff --git a/security/easy-rsa/files/pkg-message.in b/security/easy-rsa/files/pkg-message.in
index 698bf9ad17fb..2efeed9ffba5 100644
--- a/security/easy-rsa/files/pkg-message.in
+++ b/security/easy-rsa/files/pkg-message.in
@@ -13,3 +13,21 @@ An on-line help is available, you can run:
easyrsa help # for help on commands
easyrsa help options # for help on options
+**** SECURITY WARNING FOR PAST security/easy-rsa versions ****
+**** easyrsa may have encrypted your CA private key with a weak cipher
+
+Per CVE-2024-13454, Easy-RSA 3.0.5 inclusively up to and including 3.1.7,
+when used with OpenSSL 3, may have accidentally encrypted the CA private
+key with a weak cipher, des-ede3-cbc, instead of the intended aes-256-cbc,
+when a CA was created with the easyrsa build-ca command.
+
+Such mistakes cannot be corrected by upgrading Easy-RSA alone.
+
+The standing recommendation for CA private keys is to
+re-encrypt the CA privat keys with the aes-256-cbc cipher,
+by using the easyrsa set-pass ca command.
+
+For details, see https://community.openvpn.net/openvpn/wiki/CVE-2024-13454.
+
+**** END SECURITY WARNING FOR PAST security/easy-rsa versions ****
+
diff --git a/security/easy-rsa/pkg-message b/security/easy-rsa/pkg-message
deleted file mode 100644
index 4878550b10ba..000000000000
--- a/security/easy-rsa/pkg-message
+++ /dev/null
@@ -1,19 +0,0 @@
-
-**** SECURITY WARNING FOR PAST security/easy-rsa versions ****
-**** easyrsa may have encrypted your CA private key with a weak cipher
-
-Per CVE-2024-13454, Easy-RSA 3.0.5 inclusively up to and including 3.1.7,
-when used with OpenSSL 3, may have accidentally encrypted the CA private
-key with a weak cipher, des-ede3-cbc, instead of the intended aes-256-cbc,
-when a CA was created with the easyrsa build-ca command.
-
-Such mistakes cannot be corrected by upgrading Easy-RSA alone.
-
-The standing recommendation for CA private keys is to
-re-encrypt the CA privat keys with the aes-256-cbc cipher,
-by using the easyrsa set-pass ca command.
-
-For details, see https://community.openvpn.net/openvpn/wiki/CVE-2024-13454.
-
-**** END SECURITY WARNING FOR PAST security/easy-rsa versions ****
-