ports/177517: [PATCH] security/openvpn: security maintainer upgrade to 2.3.1
Matthias Andree
mandree at FreeBSD.org
Sun Mar 31 10:00:00 UTC 2013
>Number: 177517
>Category: ports
>Synopsis: [PATCH] security/openvpn: security maintainer upgrade to 2.3.1
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sun Mar 31 10:00:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Matthias Andree
>Release: FreeBSD 9.1-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD apollo.emma.line.org 9.1-RELEASE FreeBSD 9.1-RELEASE #2 r244869: Sun Dec 30 22:05:16 CET
>Description:
Request ports freeze override authorization for security upgrade of
OpenVPN to 2.3.1; upstream release notes are
"OpenVPN 2.3.1 -- released on 2013.03.29 (Change Log)
This release adds support for PolarSSL 1.2. It also adds a fix to
prevent potential side-channel attacks by switching to a constant-time
memcmp when comparing HMACs in the openvpn_decrypt function. In
addition, it contains several bugfixes and documentation updates, as
well as some minor enhancements."
Full ChangeLog:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>
The port upgrade also offers an option to use the GPLv2+-licensed PolarSSL
instead of OpenSSL (which brings in a license mix).
Generated with FreeBSD Port Tools 0.99_7 (mode: change, diff: ports)
>How-To-Repeat:
>Fix:
--- openvpn-2.3.1.patch begins here ---
diff -ruN /usr/ports/security/openvpn/Makefile ./Makefile
--- /usr/ports/security/openvpn/Makefile 2013-01-20 04:54:24.000000000 +0100
+++ ./Makefile 2013-03-30 13:20:12.000000000 +0100
@@ -1,9 +1,8 @@
# Created by: Matthias Andree <mandree at FreeBSD.org>
-# $FreeBSD: ports/security/openvpn/Makefile,v 1.66 2013/01/20 03:54:24 svnexp Exp $
+# $FreeBSD: head/security/openvpn/Makefile 310670 2013-01-20 02:55:48Z mandree $
PORTNAME= openvpn
-DISTVERSION= 2.3.0
-PORTREVISION= 3
+DISTVERSION= 2.3.1
CATEGORIES= security net
MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \
http://build.openvpn.net/downloads/releases/
@@ -16,18 +15,19 @@
CONFLICTS_INSTALL= openvpn-2.[!3].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]*
GNU_CONFIGURE= yes
-USE_OPENSSL= yes
USE_XZ= yes
# let OpenVPN's configure script pick up the requisite libraries:
CPPFLAGS+= -I${LOCALBASE}/include
LDFLAGS+= -L${LOCALBASE}/lib
-# PolarSSL is not provided; OpenVPN does not currently compile with PolarSSL 1.2.0+
OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA
-OPTIONS_DEFAULT= EASYRSA
+OPTIONS_DEFAULT= EASYRSA OPENSSL
+OPTIONS_SINGLE= SSL
+OPTIONS_SINGLE_SSL= OPENSSL POLARSSL
PW_SAVE_DESC= Interactive passwords may be read from a file
PKCS11_DESC= Use security/pkcs11-helper
EASYRSA_DESC= Install security/easy-rsa RSA helper package
+POLARSSL_DESC= SSL/TLS support via PolarSSL
.include <bsd.port.options.mk>
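Review bot: POLARSSL_DESC is added here, but neither the OPENSSL choice nor the new SSL single-choice group gets a description in this hunk. Unless the ports framework already supplies defaults for them, add OPENSSL_DESC and a description for the SSL group so the options dialog explains that exactly one crypto library must be picked. The removed comment about PolarSSL not compiling is also gone without replacement; a one-line comment stating which PolarSSL version this port now expects would help the next maintainer.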
@@ -40,7 +40,15 @@
RUN_DEPENDS+= easy-rsa>=0:${PORTSDIR}/security/easy-rsa
.endif
-INSTALL_TARGET+= mandir=${MANPREFIX}/man
+.if ${PORT_OPTIONS:MPOLARSSL}
+LIB_DEPENDS+= polarssl:${PORTSDIR}/security/polarssl
+CONFIGURE_ARGS+= --with-crypto-library=polarssl
+.else
+USE_OPENSSL= yes
+CONFIGURE_ARGS+= --with-crypto-library=openssl
+.endif
+
+.INSTALL_TARGET+= mandir=${MANPREFIX}/man
MAN8= openvpn.8
USE_RC_SUBR= openvpn
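Review bot: the last added line of this hunk reads ".INSTALL_TARGET+= mandir=${MANPREFIX}/man", with a leading dot that the removed line "INSTALL_TARGET+= mandir=${MANPREFIX}/man" did not have. This looks like a typo: depending on how make parses it, the line is either rejected as an unknown directive or assigns to a different name, and either way INSTALL_TARGET no longer receives the mandir override. Drop the leading dot so the line matches the original, and keep the blank "+" line only as a separator after the new .if/.else/.endif block.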
@@ -98,7 +106,6 @@
${INSTALL_DATA} ${_stagedir}${PREFIX}/include/* ${PREFIX}/include/
${INSTALL_MAN} ${_stagedir}${PREFIX}/man/man8/* ${MAN8PREFIX}/man/man8/
.if ${PORT_OPTIONS:MDOCS}
- -${RMDIR} ${_stagedir}${DOCSDIR}/sample
(cd ${_stagedir}${DOCSDIR} && ${COPYTREE_SHARE} \* ${DOCSDIR}/)
.for i in AUTHORS ChangeLog PORTS
${INSTALL_MAN} ${WRKSRC}/${i} ${DOCSDIR}/
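Review bot: the removal of "-${RMDIR} ${_stagedir}${DOCSDIR}/sample" is not explained in the Description, and the COPYTREE_SHARE line right after it will now copy whatever remains under that directory into ${DOCSDIR}. The patch touches only Makefile, distinfo and files/openvpn.in, so please confirm the installed file list still matches what the port registers, or state in the commit message why the sample directory no longer needs pruning.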
diff -ruN /usr/ports/security/openvpn/distinfo ./distinfo
--- /usr/ports/security/openvpn/distinfo 2013-01-12 00:43:25.000000000 +0100
+++ ./distinfo 2013-03-30 12:51:03.000000000 +0100
@@ -1,2 +1,2 @@
-SHA256 (openvpn-2.3.0.tar.xz) = a9fcf7bc1c1cd88cd8867ff567e8f8df5e695f0e983bd0aed3a3e1f6ae14d107
-SIZE (openvpn-2.3.0.tar.xz) = 762052
+SHA256 (openvpn-2.3.1.tar.xz) = 9d7723ea83cdc0c78b32005f4b9c1f7ca1cc9e53e90b77bd643a203e6189884b
+SIZE (openvpn-2.3.1.tar.xz) = 776076
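Review bot: the new SHA256 and SIZE lines are the only integrity check on a tarball that MASTER_SITES in the Makefile fetches over plain http, and the PR does not say how the checksum was obtained. Please state in the PR or commit message that the 2.3.1 tarball was verified against a signature or checksum published by upstream before distinfo was regenerated, since this is a security upgrade going in under a freeze override.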
diff -ruN /usr/ports/security/openvpn/files/openvpn.in ./files/openvpn.in
--- /usr/ports/security/openvpn/files/openvpn.in 2012-11-17 07:01:09.000000000 +0100
+++ ./files/openvpn.in 2012-10-08 23:21:26.000000000 +0200
@@ -8,7 +8,7 @@
# and Vasil Dimov
# softrestart feature suggested by Nick Hibma
#
-# $FreeBSD: ports/security/openvpn/files/openvpn.in,v 1.2 2012/11/17 06:01:09 svnexp Exp $
+# $FreeBSD: head/security/openvpn/files/openvpn.in 302141 2012-08-05 23:19:36Z dougb $
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
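Review bot: the only change in this hunk is the $FreeBSD$ ident line, and it moves backwards in time (2012/11/17 to 2012-08-05); the "+++" file timestamp is also older than the "---" one. That points to keyword-expansion noise from a stale working copy rather than an intended change, so the files/openvpn.in hunk should be dropped from the patch. The $FreeBSD$ line changed in the first Makefile hunk is the same kind of noise.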
--- openvpn-2.3.1.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: