On Tue, Oct 09 2018, Rafael Sadowski <[email protected]> wrote:
> Hi All,
>
> simple security update. This release prevents the following CVEs:
>
> oracle attacks (CVE-2018-16737, CVE-2018-16738).
> MITM from forcing a NULL cipher for UDP (CVE-2018-16758).
>
> Our patch was also merged upstream. OK before ports look?

ok jca@ It would be good to backport this to -stable (6.3). > Best regards, > > Rafael > > Index: devel/quirks/Makefile > =================================================================== > RCS file: /cvs/ports/devel/quirks/Makefile,v > retrieving revision 1.621 > diff -u -p -r1.621 Makefile > --- devel/quirks/Makefile 8 Oct 2018 12:08:08 -0000 1.621 > +++ devel/quirks/Makefile 9 Oct 2018 05:06:26 -0000 > @@ -5,7 +5,7 @@ CATEGORIES = devel databases > DISTFILES = > > # API.rev > -PKGNAME = quirks-3.14 > +PKGNAME = quirks-3.15 > PKG_ARCH = * > MAINTAINER = Marc Espie <[email protected]> > > Index: devel/quirks/files/Quirks.pm > =================================================================== > RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v > retrieving revision 1.635 > diff -u -p -r1.635 Quirks.pm > --- devel/quirks/files/Quirks.pm 8 Oct 2018 12:08:08 -0000 1.635 > +++ devel/quirks/files/Quirks.pm 9 Oct 2018 05:06:26 -0000 > @@ -1194,6 +1194,7 @@ my $cve = { > 'www/p5-CGI-Application' => 'p5-CGI-Application-<4.50p0', > 'www/webkitgtk4' => 'webkitgtk4-<2.20.5', > 'x11/gnome/gdm' => 'gdm-<3.28.3', > + 'net/tinc' => 'tinc-<1.0.35v0', > }; > # please maintain sort order in above $cve list, future updates need to > # replace existing entries > Index: net/tinc/Makefile > =================================================================== > RCS file: /cvs/ports/net/tinc/Makefile,v > retrieving revision 1.10 > diff -u -p -r1.10 Makefile > --- net/tinc/Makefile 16 Jun 2018 11:20:29 -0000 1.10 > +++ net/tinc/Makefile 9 Oct 2018 05:06:26 -0000 
> @@ -1,7 +1,7 @@ > # $OpenBSD: Makefile,v 1.10 2018/06/16 11:20:29 rsadowski Exp $ > > COMMENT = Virtual Private Network (VPN) daemon > -DISTNAME = tinc-1.0.34 > +DISTNAME = tinc-1.0.35 > CATEGORIES = net security > EPOCH = 0 > > Index: net/tinc/distinfo > =================================================================== > RCS file: /cvs/ports/net/tinc/distinfo,v > retrieving revision 1.8 > diff -u -p -r1.8 distinfo > --- net/tinc/distinfo 16 Jun 2018 11:20:29 -0000 1.8 > +++ net/tinc/distinfo 9 Oct 2018 05:06:26 -0000 > @@ -1,2 +1,2 @@ > -SHA256 (tinc-1.0.34.tar.gz) = wDqbYd7dRSEW3ZqNsjFUW6CKfJa84BHgy9PP0sVtz9o= > -SIZE (tinc-1.0.34.tar.gz) = 484174 > +SHA256 (tinc-1.0.35.tar.gz) = GMg7FHzD4hM6esJUPusBTVIHDeAcdHQofTzOzJsWiV4= > +SIZE (tinc-1.0.35.tar.gz) = 499277 > Index: net/tinc/patches/patch-doc_tinc_texi > =================================================================== > RCS file: net/tinc/patches/patch-doc_tinc_texi > diff -N net/tinc/patches/patch-doc_tinc_texi > --- net/tinc/patches/patch-doc_tinc_texi 16 Jun 2018 11:20:29 -0000 > 1.8 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,22 +0,0 @@ > -$OpenBSD: patch-doc_tinc_texi,v 1.8 2018/06/16 11:20:29 rsadowski Exp $ > -Index: doc/tinc.texi > ---- doc/tinc.texi.orig > -+++ doc/tinc.texi > -@@ -2075,7 +2075,7 @@ In switch or hub modes ARP does work so the sender alr > - In those modes every interface should have a unique MAC address, so make > sure they are not the same. > - Because switch and hub modes rely on MAC addresses to function correctly, > - these modes cannot be used on the following operating systems which don't > have a `tap' style virtual network device: > --OpenBSD, NetBSD, Darwin and Solaris. > -+NetBSD, Darwin and Solaris. > - > - > - @c ================================================================== > -@@ -2503,8 +2503,6 @@ For IPv6 addresses: > - On some platforms, when running tinc in switch mode, the VPN interface must > be set to tap mode with an ifconfig command: > - > - @multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address > netmask netmask prefixlength interface} > --@item OpenBSD > --@tab @code{ifconfig} @var{interface} @code{link0} > - @end multitable > - > - On Linux, it is possible to create a persistent tun/tap interface which will > Index: net/tinc/pkg/PLIST > =================================================================== > RCS file: /cvs/ports/net/tinc/pkg/PLIST,v > retrieving revision 1.3 > diff -u -p -r1.3 PLIST > --- net/tinc/pkg/PLIST 18 Apr 2018 10:19:02 -0000 1.3 > +++ net/tinc/pkg/PLIST 9 Oct 2018 05:06:26 -0000 > @@ -1,15 +1,16 @@ > @comment $OpenBSD: PLIST,v 1.3 2018/04/18 10:19:02 kn Exp $ > @newgroup _tinc:759 > @newuser _tinc:759:_tinc:daemon:tinc user:/var/empty:/sbin/nologin > +@rcscript ${RCDIR}/tincd > @info info/tinc.info > @man man/man5/tinc.conf.5 > @man man/man8/tincd.8 > @bin sbin/tincd > share/examples/tinc/ > share/examples/tinc/hosts/ > +@mode 750 > @owner root > @group _tinc > -@mode 750 > @sample ${SYSCONFDIR}/tinc/ > @sample ${SYSCONFDIR}/tinc/example/ > @sample ${SYSCONFDIR}/tinc/example/hosts/ 
> @@ -20,8 +21,6 @@ share/examples/tinc/hosts/beta > @sample ${SYSCONFDIR}/tinc/example/hosts/beta > share/examples/tinc/rsa_key.priv > @sample ${SYSCONFDIR}/tinc/example/rsa_key.priv > -@owner root > -@group _tinc > @mode 750 > share/examples/tinc/tinc-down > @sample ${SYSCONFDIR}/tinc/example/tinc-down > @@ -29,7 +28,3 @@ share/examples/tinc/tinc-up > @sample ${SYSCONFDIR}/tinc/example/tinc-up > share/examples/tinc/tinc.conf > @sample ${SYSCONFDIR}/tinc/example/tinc.conf > -@owner > -@group > -@mode > -@rcscript ${RCDIR}/tincd > -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
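
Review bot: In devel/quirks/files/Quirks.pm (hunk at -1194,6), the new 'net/tinc' => 'tinc-<1.0.35v0' entry is appended after 'x11/gnome/gdm', but the comment directly below the list asks to maintain sort order in the $cve list. 'net/tinc' sorts before the 'www/...' and 'x11/...' keys shown in the context, so it should move up to its sorted position among the other net/ entries. The version pattern itself matches EPOCH = 0 in net/tinc/Makefile.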
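
Review bot: In net/tinc/pkg/PLIST (hunk at -1,15), moving @rcscript ${RCDIR}/tincd to the top and @mode 750 above @owner root is packing-list churn that the mail does not mention alongside the CVE fixes. If this comes from regenerating the PLIST, say so in the commit message so a -stable backport can decide whether to carry it. The effective settings for the ${SYSCONFDIR}/tinc/ samples stay root, _tinc, 750 either way, since all three directives still precede the first @sample line.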
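
Review bot: In net/tinc/pkg/PLIST (hunk at -20,8), dropping @owner root and @group _tinc after the rsa_key.priv sample leaves only @mode 750 for tinc-down, tinc-up and tinc.conf, so their ownership now depends on the directives set in the first hunk still being in effect at that point. The lines between the two hunks are not visible here; please confirm on the built package that these samples, and rsa_key.priv in particular, install with the same owner, group and mode as before the update.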
