Fri May 19 18:11:04 2017 UTC ()

update openvpn to 2.3.15
fixes DoSses: CVE-2017-7478 CVE-2017-7479
fixes PR pkg/52044

relevant excerpt of ChangeLog:
OpenVPN Change Log
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>

2017.05.11 -- Version 2.3.15
David Sommerseth (5):
      dev-tools: Added script for updating copyright years in files
      Update copyrights
      docs: Further improve --reneg-bytes and SWEET32 information
      git: Merge .gitignore files into a single file
      Make --cipher/--auth none more explicit on the risks

Gert Doering (1):
      Document --proto udp6, tcp6, etc.

Julien Muchembled (1):
      Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset

Steffan Karger (6):
      Add missing includes in error.h
      cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
      Document that OpenVPN 2.3 does not check the CRL signature
      Introduce and use secure_memzero() to erase secrets
      Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
      Don't assert out on receiving too-large control packets (CVE-2017-7478)

2016.12.06 -- Version 2.3.14
Christian Hesse (1):
      update year in copyright message

David Sommerseth (1):
      Document the --auth-token option

Gert Doering (2):
      Repair topology subnet on FreeBSD 11
      Repair topology subnet on OpenBSD

Lev Stipakov (1):
      Drop recursively routed packets

Selva Nair (4):
      Support --block-outside-dns on multiple tunnels
      When parsing '--setenv opt xx ..' make sure a third parameter is present
      Map restart signals from event loop to SIGTERM during exit-notification wait
      Correctly state the default dhcp server address in man page

Steffan Karger (1):
      Clean up format_hex_ex()

2016.11.02 -- Version 2.3.13
Arne Schwabe (2):
      Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
      Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer

David Sommerseth (4):
      t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
      t_client.sh: Add support for Kerberos/ksu
      t_client.sh: Improve detection if the OpenVPN process did start during tests
      t_client.sh: Add prepare/cleanup possibilties for each test case

Gert Doering (5):
      Do not abort t_client run if OpenVPN instance does not start.
      Fix t_client runs on OpenSolaris
      make t_client robust against sudoers misconfiguration
      add POSTINIT_CMD_suf to t_client.sh and sample config
      Fix --multihome for IPv6 on 64bit BSD systems.

Ilya Shipitsin (1):
      skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto

Lev Stipakov (2):
      Exclude peer-id from pulled options digest
      Fix compilation in pedantic mode

Samuli Sepp辰nen (1):
      Automatically cache expected IPs for t_client.sh on the first run

Steffan Karger (6):
      Fix unittests for out-of-source builds
      Make gnu89 support explicit
      cleanup: remove code duplication in msg_test()
      Update cipher-related man page text
      Limit --reneg-bytes to 64MB when using small block ciphers
      Add a revoked cert to the sample keys

2016.08.23 -- Version 2.3.12
Arne Schwabe (2):
      Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
      Move ASSERT so external-key with OpenSSL works again

David Sommerseth (3):
      Only build and run cmocka unit tests if its submodule is initialized
      Another fix related to unit test framework
      Remove NOP function and callers

Dorian Harmans (1):
      Add CHACHA20-POLY1305 ciphersuite IANA name translations.

Ivo Manca (1):
      Plug memory leak in mbedTLS backend

Jeffrey Cutter (1):
      Update contrib/pull-resolv-conf/client.up for no DOMAIN

Jens Neuhalfen (2):
      Add unit testing support via cmocka
      Add a test for auth-pam searchandreplace

Josh Cepek (1):
      Push an IPv6 CIDR mask used by the server, not the pool's size

Leon Klingele (1):
      Add link to bug tracker

Samuli Sepp辰nen (2):
      Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
      Clarify the fact that build instructions in README are for release tarballs

Selva Nair (4):
      Make error non-fatal while deleting address using netsh
      Make block-outside-dns work with persist-tun
      Ignore SIGUSR1/SIGHUP during exit notification
      Promptly close the netcmd_semaphore handle after use

Steffan Karger (4):
      Fix polarssl / mbedtls builds
      Don't limit max incoming message size based on c2->frame
      Fix '--cipher none --cipher' crash
      Discourage using 64-bit block ciphers


(spz)

diff -r1.60 -r1.61 pkgsrc/net/openvpn/Makefile
diff -r1.5 -r1.6 pkgsrc/net/openvpn/Makefile.common
diff -r1.33 -r1.34 pkgsrc/net/openvpn/distinfo
diff -r1.7 -r1.8 pkgsrc/net/openvpn-acct-wtmpx/Makefile
diff -r1.10 -r1.11 pkgsrc/net/openvpn-acct-wtmpx/distinfo
diff -r1.6 -r1.7 pkgsrc/net/openvpn-nagios/Makefile
diff -r1.7 -r1.8 pkgsrc/net/openvpn-nagios/distinfo
diff -r1.2 -r1.3 pkgsrc/net/openvpn/patches/patch-src_openvpn_socket.c

--- pkgsrc/net/openvpn/Makefile 2016/09/19 13:04:25 1.60
+++ pkgsrc/net/openvpn/Makefile 2017/05/19 18:11:04 1.61

 @@ -1,17 +1,16 @@
-# $NetBSD: Makefile,v 1.60 2016/09/19 13:04:25 wiz Exp $
+# $NetBSD: Makefile,v 1.61 2017/05/19 18:11:04 spz Exp $
 DISTNAME=	${OPENVPN_DISTNAME}
 PKGREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	${OPENVPN_MASTER_SITES}
 EXTRACT_SUFX=	.tar.xz
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://openvpn.net/
 COMMENT=	Easy-to-use SSL VPN daemon
 LICENSE=	gnu-gpl-v2
 PKG_DESTDIR_SUPPORT=	user-destdir
 USE_LIBTOOL=		yes
 USE_TOOLS+=		aclocal autoconf autom4te grep:run pkg-config

--- pkgsrc/net/openvpn/Makefile.common 2016/07/08 08:49:41 1.5
+++ pkgsrc/net/openvpn/Makefile.common 2017/05/19 18:11:04 1.6

 @@ -1,14 +1,14 @@
-# $NetBSD: Makefile.common,v 1.5 2016/07/08 08:49:41 jperkin Exp $
+# $NetBSD: Makefile.common,v 1.6 2017/05/19 18:11:04 spz Exp $
 # used by net/openvpn/Makefile
 # used by net/openvpn-acct-wtmpx/Makefile
 # used by net/openvpn-nagios/Makefile
-OPENVPN_DISTNAME=	openvpn-2.3.11
+OPENVPN_DISTNAME=	openvpn-2.3.15
 OPENVPN_DISTFILE=	${OPENVPN_DISTNAME}.tar.xz
 OPENVPN_MASTER_SITES=	http://swupdate.openvpn.net/community/releases/
 SITES.${OPENVPN_DISTFILE}=	${OPENVPN_MASTER_SITES}
 OPENVPN_USER?=		openvpn
 OPENVPN_GROUP?=		openvpn
 OPENVPN_PLUGINSDIR?=	lib/openvpn/plugins

--- pkgsrc/net/openvpn/distinfo 2016/07/08 08:49:41 1.33
+++ pkgsrc/net/openvpn/distinfo 2017/05/19 18:11:04 1.34

 @@ -1,13 +1,13 @@
-$NetBSD: distinfo,v 1.33 2016/07/08 08:49:41 jperkin Exp $
+$NetBSD: distinfo,v 1.34 2017/05/19 18:11:04 spz Exp $
-SHA1 (openvpn-2.3.11.tar.xz) = 48ba3ada2da84be4cf66ffbd35a66d4ce30e0e5b
+SHA1 (openvpn-2.3.15.tar.xz) = 3f74ee6baab32306c131a6e63f0d77e92d12d4ec
-RMD160 (openvpn-2.3.11.tar.xz) = cfaf087bfb9d562b6028a225c43000fbe96041ce
+RMD160 (openvpn-2.3.15.tar.xz) = 5cf7f6ef9ffea3f7c804f37c851f5a693f5f869a
-SHA512 (openvpn-2.3.11.tar.xz) = 1fd2798beca074f0a094efbd4a9260f8a62d488afacb023b3f867698e6177bfc02702209e8c7f300ba8c662d292c65dc05d3f2cf615ebb91b90d4798fd3b99cd
+SHA512 (openvpn-2.3.15.tar.xz) = 749f1ca86923287c7e28dcea182e98b3a78648c0df8cf831f5fe41d859a0d822ba4691eb8587c24ae5078325c87c8397921a3655b2207d5b1fecc177ad560dec
-Size (openvpn-2.3.11.tar.xz) = 833496 bytes
+Size (openvpn-2.3.15.tar.xz) = 863384 bytes
 SHA1 (patch-ac) = 3071423ae978dd7d1d79cb140325bde96ba8d21b
 SHA1 (patch-ad) = 1e2c34a37157ff9c091e0120817a8c8bae9aef4e
 SHA1 (patch-ae) = fce5d2b7c8ef830cba3df4408af79301f347cafd
 SHA1 (patch-af) = 8d728c36a6eccdebf6c7e5a02d457903b255f4fb
 SHA1 (patch-src_compat_compat-basename.c) = 45a58ef2e05f6e0265f229da8540760e60e65143
-SHA1 (patch-src_openvpn_socket.c) = 74668d39f5e6fdab64825d38d4b287c8004f5af3
+SHA1 (patch-src_openvpn_socket.c) = d091fdf614c7673755b9f1fdbdd11ce33276cfda
 SHA1 (patch-src_openvpn_socket.h) = b4b952af347e0f2d0aff307a5025b3d27a2e6ee5

--- pkgsrc/net/openvpn-acct-wtmpx/Makefile 2016/07/08 08:50:25 1.7
+++ pkgsrc/net/openvpn-acct-wtmpx/Makefile 2017/05/19 18:11:04 1.8

 @@ -1,20 +1,19 @@
-# $NetBSD: Makefile,v 1.7 2016/07/08 08:50:25 jperkin Exp $
+# $NetBSD: Makefile,v 1.8 2017/05/19 18:11:04 spz Exp $
 .include "../../net/openvpn/Makefile.common"
 DISTNAME=	openvpn-acct-wtmpx-20130210
 DISTFILES=	${DISTNAME}${EXTRACT_SUFX} ${OPENVPN_DISTFILE}
 PKGREVISION=	3
 CATEGORIES=	net
 MASTER_SITES=	http://ftp.espci.fr/pub/openvpn-acct-wtmpx/
 EXTRACT_SUFX=	.tgz
 MAINTAINER=	manu@NetBSD.org
 HOMEPAGE=	http://ftp.espci.fr/pub/openvpn-acct-wtmpx/
 COMMENT=	Log OpenVPN logins and logouts to wtmpx
 LICENSE=	2-clause-bsd
 PKG_DESTDIR_SUPPORT=	user-destdir
 USE_LIBTOOL=	yes
 USE_TOOLS+=	install

--- pkgsrc/net/openvpn-acct-wtmpx/distinfo 2016/07/08 08:50:25 1.10
+++ pkgsrc/net/openvpn-acct-wtmpx/distinfo 2017/05/19 18:11:04 1.11

 @@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.10 2016/07/08 08:50:25 jperkin Exp $
+$NetBSD: distinfo,v 1.11 2017/05/19 18:11:04 spz Exp $
-SHA1 (openvpn-2.3.11.tar.xz) = 48ba3ada2da84be4cf66ffbd35a66d4ce30e0e5b
+SHA1 (openvpn-2.3.15.tar.xz) = 3f74ee6baab32306c131a6e63f0d77e92d12d4ec
-RMD160 (openvpn-2.3.11.tar.xz) = cfaf087bfb9d562b6028a225c43000fbe96041ce
+RMD160 (openvpn-2.3.15.tar.xz) = 5cf7f6ef9ffea3f7c804f37c851f5a693f5f869a
-SHA512 (openvpn-2.3.11.tar.xz) = 1fd2798beca074f0a094efbd4a9260f8a62d488afacb023b3f867698e6177bfc02702209e8c7f300ba8c662d292c65dc05d3f2cf615ebb91b90d4798fd3b99cd
+SHA512 (openvpn-2.3.15.tar.xz) = 749f1ca86923287c7e28dcea182e98b3a78648c0df8cf831f5fe41d859a0d822ba4691eb8587c24ae5078325c87c8397921a3655b2207d5b1fecc177ad560dec
-Size (openvpn-2.3.11.tar.xz) = 833496 bytes
+Size (openvpn-2.3.15.tar.xz) = 863384 bytes
 SHA1 (openvpn-acct-wtmpx-20130210.tgz) = cf7bc26b12a65493cdf5db93b03bbb938a2f0f33
 RMD160 (openvpn-acct-wtmpx-20130210.tgz) = d9000789f04606bfa17db1597a45a4235b1119ea
 SHA512 (openvpn-acct-wtmpx-20130210.tgz) = 7b8fd4929e65d8d84158f62e5a17ff3adb3b4a6cff63b29038acfb368750719f2f593786ed9b02402824c19d872b188d2a46740a5c5f853e8873a71481b13aaf
 Size (openvpn-acct-wtmpx-20130210.tgz) = 2778 bytes
 SHA1 (patch-aa) = 95d9382b74d791306766433506eb0228a806dbdc

--- pkgsrc/net/openvpn-nagios/Makefile 2016/07/08 08:50:55 1.6
+++ pkgsrc/net/openvpn-nagios/Makefile 2017/05/19 18:11:04 1.7

 @@ -1,31 +1,30 @@
-# $NetBSD: Makefile,v 1.6 2016/07/08 08:50:55 jperkin Exp $
+# $NetBSD: Makefile,v 1.7 2017/05/19 18:11:04 spz Exp $
 .include "../../net/openvpn/Makefile.common"
 DISTNAME=	openvpn-nagios-20130210
 DISTFILES=	${DISTNAME}${EXTRACT_SUFX} ${OPENVPN_DISTFILE}
 PKGREVISION=	4
 CATEGORIES=	net
 MASTER_SITES=	http://ftp.espci.fr/pub/openvpn-nagios/
 EXTRACT_SUFX=	.tgz
 MAINTAINER=	manu@NetBSD.org
 HOMEPAGE=	http://ftp.espci.fr/pub/openvpn-nagios/
 COMMENT=	OpenVPN certificate checks for Nagios
 LICENSE=	2-clause-bsd
 PKG_DESTDIR_SUPPORT=	user-destdir
 USE_LIBTOOL=	yes
 USE_TOOLS+=	install
 MAKE_ENV+=	OPENVPN_PLUGINSDIR=${PREFIX:Q}/${OPENVPN_PLUGINSDIR:Q}
 MAKE_ENV+=	OPENVPN_DISTNAME=${OPENVPN_DISTNAME:Q}
 PLIST_SUBST+=	OPENVPN_PLUGINSDIR=${OPENVPN_PLUGINSDIR:Q}
 MESSAGE_SUBST+=	OPENVPN_PLUGINSDIR=${PREFIX:Q}/${OPENVPN_PLUGINSDIR:Q}
-DEPENDS+=	openvpn>=2.3.0:../../net/openvpn
+DEPENDS+=	openvpn>=2.3.0<2.4:../../net/openvpn
 .include "../../security/openssl/buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"

--- pkgsrc/net/openvpn-nagios/distinfo 2016/07/08 08:50:55 1.7
+++ pkgsrc/net/openvpn-nagios/distinfo 2017/05/19 18:11:04 1.8

 @@ -1,12 +1,12 @@
-$NetBSD: distinfo,v 1.7 2016/07/08 08:50:55 jperkin Exp $
+$NetBSD: distinfo,v 1.8 2017/05/19 18:11:04 spz Exp $
-SHA1 (openvpn-2.3.11.tar.xz) = 48ba3ada2da84be4cf66ffbd35a66d4ce30e0e5b
+SHA1 (openvpn-2.3.15.tar.xz) = 3f74ee6baab32306c131a6e63f0d77e92d12d4ec
-RMD160 (openvpn-2.3.11.tar.xz) = cfaf087bfb9d562b6028a225c43000fbe96041ce
+RMD160 (openvpn-2.3.15.tar.xz) = 5cf7f6ef9ffea3f7c804f37c851f5a693f5f869a
-SHA512 (openvpn-2.3.11.tar.xz) = 1fd2798beca074f0a094efbd4a9260f8a62d488afacb023b3f867698e6177bfc02702209e8c7f300ba8c662d292c65dc05d3f2cf615ebb91b90d4798fd3b99cd
+SHA512 (openvpn-2.3.15.tar.xz) = 749f1ca86923287c7e28dcea182e98b3a78648c0df8cf831f5fe41d859a0d822ba4691eb8587c24ae5078325c87c8397921a3655b2207d5b1fecc177ad560dec
-Size (openvpn-2.3.11.tar.xz) = 833496 bytes
+Size (openvpn-2.3.15.tar.xz) = 863384 bytes
 SHA1 (openvpn-nagios-20130210.tgz) = 8a0fd4e3eba27584aa53c5589c13d4b38af43ba2
 RMD160 (openvpn-nagios-20130210.tgz) = 2a47893ec2db2c280adc7b9fbbea97794ec1a6f4
 SHA512 (openvpn-nagios-20130210.tgz) = 80e565f32379c39eb6c7f3b4744af221ae882ff07dce9dae5bd7feb73b0edcfc7c7ac7f70d23fdcd4f492b66f095f09833deb122449840b36ea606ce91900358
 Size (openvpn-nagios-20130210.tgz) = 3034 bytes
 SHA1 (patch-aa) = fe38ed54931c34903a1b25f387d59dc1b5e042f6
 SHA1 (patch-openvpn-nagios.c) = e1700e4f648eaca87fdcedc9d9490c9badd6c33b

--- pkgsrc/net/openvpn/patches/Attic/patch-src_openvpn_socket.c 2014/07/20 17:43:29 1.2
+++ pkgsrc/net/openvpn/patches/Attic/patch-src_openvpn_socket.c 2017/05/19 18:11:04 1.3

 @@ -1,60 +1,42 @@
-$NetBSD: patch-src_openvpn_socket.c,v 1.2 2014/07/20 17:43:29 adam Exp $
+$NetBSD: patch-src_openvpn_socket.c,v 1.3 2017/05/19 18:11:04 spz Exp $
 Fix for systems without ipi_spec_dst in struct in_pktinfo.
---- src/openvpn/socket.c.orig	2014-05-01 11:12:22.000000000 +0000
+--- src/openvpn/socket.c.orig	2017-05-11 10:34:40.000000000 +0000
 +++ src/openvpn/socket.c
-@@ -654,7 +654,7 @@ create_socket_udp (const unsigned int fl
+@@ -650,7 +650,7 @@ create_socket_udp (const unsigned int fl
    else if (flags & SF_USE_IP_PKTINFO)
+     {
        int pad = 1;
 -#ifdef IP_PKTINFO
 +#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
        if (setsockopt (sd, SOL_IP, IP_PKTINFO,
  		      (void*)&pad, sizeof(pad)) < 0)
          msg(M_ERR, "UDP: failed setsockopt for IP_PKTINFO");
-@@ -2254,7 +2254,7 @@ print_link_socket_actual_ex (const struc
+@@ -2263,7 +2263,7 @@ print_link_socket_actual_ex (const struc
  		  struct openvpn_sockaddr sa;
  		  CLEAR (sa);
  		  sa.addr.in4.sin_family = AF_INET;
 -#ifdef IP_PKTINFO
 +#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
  		  sa.addr.in4.sin_addr = act->pi.in4.ipi_spec_dst;
  		  if_indextoname(act->pi.in4.ipi_ifindex, ifname);
  #elif defined(IP_RECVDSTADDR)
-@@ -2651,7 +2651,7 @@ link_socket_read_tcp (struct link_socket
+@@ -2721,7 +2721,7 @@ link_socket_read_udp_posix_recvmsg (stru
- struct openvpn_in4_pktinfo
+ #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
    struct cmsghdr cmsghdr;
 -#ifdef HAVE_IN_PKTINFO
 +#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
    struct in_pktinfo pi4;
  #elif defined(IP_RECVDSTADDR)
    struct in_addr pi4;
@@ -2696,7 +2696,7 @@ link_socket_read_udp_posix_recvmsg (stru
        cmsg = CMSG_FIRSTHDR (&mesg);
        if (cmsg != NULL
  	  && CMSG_NXTHDR (&mesg, cmsg) == NULL
 -#ifdef IP_PKTINFO
 +#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
  	  && cmsg->cmsg_level == SOL_IP
  	  && cmsg->cmsg_type == IP_PKTINFO
  #elif defined(IP_RECVDSTADDR)
@@ -2707,7 +2707,7 @@ link_socket_read_udp_posix_recvmsg (stru
  #endif
  	  && cmsg->cmsg_len >= sizeof (struct openvpn_in4_pktinfo))
+ 	{
 -#ifdef IP_PKTINFO
-+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
++#if defined(IP_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
  	  struct in_pktinfo *pkti = (struct in_pktinfo *) CMSG_DATA (cmsg);
  	  from->pi.in4.ipi_ifindex = pkti->ipi_ifindex;
  	  from->pi.in4.ipi_spec_dst = pkti->ipi_spec_dst;
-@@ -2802,7 +2802,7 @@ link_socket_write_udp_posix_sendmsg (str
+@@ -2814,7 +2814,7 @@ link_socket_write_udp_posix_sendmsg (str
          mesg.msg_namelen = sizeof (struct sockaddr_in);
-         mesg.msg_control = &opi;
+         mesg.msg_control = pktinfo_buf;
          mesg.msg_flags = 0;
 -#ifdef HAVE_IN_PKTINFO
 +#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
-         mesg.msg_controllen = sizeof (struct openvpn_in4_pktinfo);
+         mesg.msg_controllen = CMSG_SPACE(sizeof (struct in_pktinfo));
          cmsg = CMSG_FIRSTHDR (&mesg);
-         cmsg->cmsg_len = sizeof (struct openvpn_in4_pktinfo);
+         cmsg->cmsg_len = CMSG_LEN(sizeof (struct in_pktinfo));