Daniel Jakots <[email protected]> writes:

> Hey,
>
> OpenVPN got audited and they found some vulnerabilities [1].
> They released 2.4.2 to fix these issues.
>
> Here's a diff to update the port. I tested it as a client and as always
> more tests are wanted.
>
> [1]: https://ostif.org/the-openvpn-2-4-0-audit-by-ostif-and-quarkslab-results/

Thanks. Here's a diff for 6.1, can someone give it a try on -stable? Index: Makefile =================================================================== RCS file: /d/cvs/ports/net/openvpn/Makefile,v retrieving revision 1.73 diff -u -p -r1.73 Makefile --- Makefile 28 Mar 2017 22:16:37 -0000 1.73 +++ Makefile 14 May 2017 17:29:16 -0000 @@ -2,7 +2,7 @@ COMMENT= easy-to-use, robust, and highly configurable VPN -DISTNAME= openvpn-2.4.1 +DISTNAME= openvpn-2.4.2 CATEGORIES= net security HOMEPAGE= https://openvpn.net/index.php/open-source/ Index: distinfo =================================================================== RCS file: /d/cvs/ports/net/openvpn/distinfo,v retrieving revision 1.36 diff -u -p -r1.36 distinfo --- distinfo 28 Mar 2017 22:16:37 -0000 1.36 +++ distinfo 12 May 2017 13:42:40 -0000 @@ -1,2 +1,2 @@ -SHA256 (openvpn-2.4.1.tar.gz) = gxoaBSaP47FkbTZ+JVnP+U00fSE8qJlcxIpO7cRSCXo= -SIZE (openvpn-2.4.1.tar.gz) = 1385789 +SHA256 (openvpn-2.4.2.tar.gz) = skdAydRKgeryvvxIRtUURaUgEEMh4yqvDBNe0uCYpiQ= +SIZE (openvpn-2.4.2.tar.gz) = 1402516 Index: patches/patch-configure =================================================================== RCS file: /d/cvs/ports/net/openvpn/patches/patch-configure,v retrieving revision 1.15 diff -u -p -r1.15 patch-configure --- patches/patch-configure 28 Mar 2017 22:16:37 -0000 1.15 +++ patches/patch-configure 12 May 2017 13:42:40 -0000 
@@ -1,7 +1,8 @@ $OpenBSD: patch-configure,v 1.15 2017/03/28 22:16:37 jca Exp $ ---- configure.orig Wed Mar 22 16:34:35 2017 -+++ configure Mon Mar 27 06:03:11 2017 -@@ -17299,7 +17299,7 @@ else +Index: configure +--- configure.orig ++++ configure +@@ -17187,7 +17187,7 @@ else fi Index: patches/patch-src_openvpn_tun_c =================================================================== RCS file: /d/cvs/ports/net/openvpn/patches/patch-src_openvpn_tun_c,v retrieving revision 1.12 diff -u -p -r1.12 patch-src_openvpn_tun_c --- patches/patch-src_openvpn_tun_c 28 Mar 2017 22:16:37 -0000 1.12 +++ patches/patch-src_openvpn_tun_c 14 May 2017 17:29:51 -0000 @@ -2,8 +2,9 @@ $OpenBSD: patch-src_openvpn_tun_c,v 1.12 - no need for link0 any more, we have separate tap interfaces ---- src/openvpn/tun.c.orig Wed Mar 22 16:34:21 2017 -+++ src/openvpn/tun.c Mon Mar 27 06:01:57 2017 +Index: src/openvpn/tun.c +--- src/openvpn/tun.c.orig ++++ src/openvpn/tun.c @@ -1201,7 +1201,7 @@ do_ifconfig(struct tuntap *tt, if (tun) { @@ -37,3 +38,18 @@ $OpenBSD: patch-src_openvpn_tun_c,v 1.12 IFCONFIG_PATH, actual, ifconfig_local, +@@ -1654,11 +1659,11 @@ write_tun_header(struct tuntap *tt, uint8_t *buf, int + { + u_int32_t type; + struct iovec iv[2]; +- struct ip *iph; ++ struct ip iph; + +- iph = (struct ip *) buf; ++ memcpy(&iph, buf, sizeof(iph)); + +- if (iph->ip_v == 6) ++ if (iph.ip_v == 6) + { + type = htonl(AF_INET6); + } -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
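
Review bot: in the distinfo hunk, the new SHA256 and SIZE for openvpn-2.4.2.tar.gz are the only integrity anchor the port will have for this tarball, and nothing in the diff shows how they were obtained. Since this is a security update headed for -stable, confirm the downloaded distfile against upstream's release signature before committing, and have testers check that their fetched file matches both values.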
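
Review bot: in the write_tun_header hunk added to patch-src_openvpn_tun_c, memcpy(&iph, buf, sizeof(iph)) now reads a whole struct ip from buf where the old code only dereferenced ip_v, and no length check is visible in this context. Only iph.ip_v is used afterwards, so either check the buffer length before the copy or take the version from the first byte of buf instead of copying the full header. The comment at the top of the patch file still only mentions link0; a line saying why this hunk replaces the struct ip * cast with a copy would help whoever next regenerates the patch.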
