tests wanted for openvpn 2.4.2

tests wanted for openvpn 2.4.2

Daniel Jakots-3
Hey,

OpenVPN got audited and they found some vulnerabilities [1].
They released 2.4.2 to fix these issues.

Here's a diff to update the port. I tested it as a client and as always
more tests are wanted.

[1]: https://ostif.org/the-openvpn-2-4-0-audit-by-ostif-and-quarkslab-results/

Cheers,
Daniel

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/openvpn/Makefile,v
retrieving revision 1.74
diff -u -p -r1.74 Makefile
--- Makefile 16 Apr 2017 20:14:17 -0000 1.74
+++ Makefile 12 May 2017 01:34:40 -0000
@@ -2,8 +2,7 @@
 
 COMMENT= easy-to-use, robust, and highly configurable VPN
 
-DISTNAME= openvpn-2.4.1
-REVISION= 0
+DISTNAME= openvpn-2.4.2
 CATEGORIES= net security
 
 HOMEPAGE= https://openvpn.net/index.php/open-source/
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/openvpn/distinfo,v
retrieving revision 1.36
diff -u -p -r1.36 distinfo
--- distinfo 28 Mar 2017 22:16:37 -0000 1.36
+++ distinfo 12 May 2017 01:34:40 -0000
@@ -1,2 +1,2 @@
-SHA256 (openvpn-2.4.1.tar.gz) = gxoaBSaP47FkbTZ+JVnP+U00fSE8qJlcxIpO7cRSCXo=
-SIZE (openvpn-2.4.1.tar.gz) = 1385789
+SHA256 (openvpn-2.4.2.tar.gz) = skdAydRKgeryvvxIRtUURaUgEEMh4yqvDBNe0uCYpiQ=
+SIZE (openvpn-2.4.2.tar.gz) = 1402516
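
Review bot: The new SHA256 and SIZE lines for openvpn-2.4.2.tar.gz are what pin the tarball the port will fetch and build, and nothing in the mail says how they were produced. For a security update it is worth confirming the tarball against the upstream release signature before the regenerated values go in, rather than trusting whatever the first fetch returned.
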
Index: patches/patch-configure
===================================================================
RCS file: /cvs/ports/net/openvpn/patches/patch-configure,v
retrieving revision 1.15
diff -u -p -r1.15 patch-configure
--- patches/patch-configure 28 Mar 2017 22:16:37 -0000 1.15
+++ patches/patch-configure 12 May 2017 01:34:40 -0000
@@ -1,7 +1,8 @@
 $OpenBSD: patch-configure,v 1.15 2017/03/28 22:16:37 jca Exp $
---- configure.orig Wed Mar 22 16:34:35 2017
-+++ configure Mon Mar 27 06:03:11 2017
-@@ -17299,7 +17299,7 @@ else
+Index: configure
+--- configure.orig
++++ configure
+@@ -17187,7 +17187,7 @@ else
  fi
 
 

Re: tests wanted for openvpn 2.4.2

Gonzalo L. Rodriguez-2
Working just fine here.

OK gonzalo@

On [12/05/17] [10:05P], Daniel Jakots wrote:
; Hey,
;
; OpenVPN got audited and they found some vulnerabilities [1].
; They released 2.4.2 to fix these issues.
;
; Here's a diff to update the port. I tested it as a client and as always
; more tests are wanted.
;
; [1]: https://ostif.org/the-openvpn-2-4-0-audit-by-ostif-and-quarkslab-results/
;
; Cheers,
; Daniel
;
; Index: Makefile
; ===================================================================
; RCS file: /cvs/ports/net/openvpn/Makefile,v
; retrieving revision 1.74
; diff -u -p -r1.74 Makefile
; --- Makefile 16 Apr 2017 20:14:17 -0000 1.74
; +++ Makefile 12 May 2017 01:34:40 -0000
; @@ -2,8 +2,7 @@
;  
;  COMMENT= easy-to-use, robust, and highly configurable VPN
;  
; -DISTNAME= openvpn-2.4.1
; -REVISION= 0
; +DISTNAME= openvpn-2.4.2
;  CATEGORIES= net security
;  
;  HOMEPAGE= https://openvpn.net/index.php/open-source/
; Index: distinfo
; ===================================================================
; RCS file: /cvs/ports/net/openvpn/distinfo,v
; retrieving revision 1.36
; diff -u -p -r1.36 distinfo
; --- distinfo 28 Mar 2017 22:16:37 -0000 1.36
; +++ distinfo 12 May 2017 01:34:40 -0000
; @@ -1,2 +1,2 @@
; -SHA256 (openvpn-2.4.1.tar.gz) = gxoaBSaP47FkbTZ+JVnP+U00fSE8qJlcxIpO7cRSCXo=
; -SIZE (openvpn-2.4.1.tar.gz) = 1385789
; +SHA256 (openvpn-2.4.2.tar.gz) = skdAydRKgeryvvxIRtUURaUgEEMh4yqvDBNe0uCYpiQ=
; +SIZE (openvpn-2.4.2.tar.gz) = 1402516
; Index: patches/patch-configure
; ===================================================================
; RCS file: /cvs/ports/net/openvpn/patches/patch-configure,v
; retrieving revision 1.15
; diff -u -p -r1.15 patch-configure
; --- patches/patch-configure 28 Mar 2017 22:16:37 -0000 1.15
; +++ patches/patch-configure 12 May 2017 01:34:40 -0000
; @@ -1,7 +1,8 @@
;  $OpenBSD: patch-configure,v 1.15 2017/03/28 22:16:37 jca Exp $
; ---- configure.orig Wed Mar 22 16:34:35 2017
; -+++ configure Mon Mar 27 06:03:11 2017
; -@@ -17299,7 +17299,7 @@ else
; +Index: configure
; +--- configure.orig
; ++++ configure
; +@@ -17187,7 +17187,7 @@ else
;   fi
;  
;  
;

--
Sending from my toaster.

openvpn-2.4.2 security update for -stable

Jérémie Courrèges-Anglas-4
In reply to this post by Daniel Jakots-3
Daniel Jakots <[hidden email]> writes:

> Hey,
>
> OpenVPN got audited and they found some vulnerabilities [1].
> They released 2.4.2 to fix these issues.
>
> Here's a diff to update the port. I tested it as a client and as always
> more tests are wanted.
>
> [1]: https://ostif.org/the-openvpn-2-4-0-audit-by-ostif-and-quarkslab-results/

Thanks.  Here's a diff for 6.1, can someone give it a try on -stable?


Index: Makefile
===================================================================
RCS file: /d/cvs/ports/net/openvpn/Makefile,v
retrieving revision 1.73
diff -u -p -r1.73 Makefile
--- Makefile 28 Mar 2017 22:16:37 -0000 1.73
+++ Makefile 14 May 2017 17:29:16 -0000
@@ -2,7 +2,7 @@
 
 COMMENT= easy-to-use, robust, and highly configurable VPN
 
-DISTNAME= openvpn-2.4.1
+DISTNAME= openvpn-2.4.2
 CATEGORIES= net security
 
 HOMEPAGE= https://openvpn.net/index.php/open-source/
Index: distinfo
===================================================================
RCS file: /d/cvs/ports/net/openvpn/distinfo,v
retrieving revision 1.36
diff -u -p -r1.36 distinfo
--- distinfo 28 Mar 2017 22:16:37 -0000 1.36
+++ distinfo 12 May 2017 13:42:40 -0000
@@ -1,2 +1,2 @@
-SHA256 (openvpn-2.4.1.tar.gz) = gxoaBSaP47FkbTZ+JVnP+U00fSE8qJlcxIpO7cRSCXo=
-SIZE (openvpn-2.4.1.tar.gz) = 1385789
+SHA256 (openvpn-2.4.2.tar.gz) = skdAydRKgeryvvxIRtUURaUgEEMh4yqvDBNe0uCYpiQ=
+SIZE (openvpn-2.4.2.tar.gz) = 1402516
Index: patches/patch-configure
===================================================================
RCS file: /d/cvs/ports/net/openvpn/patches/patch-configure,v
retrieving revision 1.15
diff -u -p -r1.15 patch-configure
--- patches/patch-configure 28 Mar 2017 22:16:37 -0000 1.15
+++ patches/patch-configure 12 May 2017 13:42:40 -0000
@@ -1,7 +1,8 @@
 $OpenBSD: patch-configure,v 1.15 2017/03/28 22:16:37 jca Exp $
---- configure.orig Wed Mar 22 16:34:35 2017
-+++ configure Mon Mar 27 06:03:11 2017
-@@ -17299,7 +17299,7 @@ else
+Index: configure
+--- configure.orig
++++ configure
+@@ -17187,7 +17187,7 @@ else
  fi
 
 
Index: patches/patch-src_openvpn_tun_c
===================================================================
RCS file: /d/cvs/ports/net/openvpn/patches/patch-src_openvpn_tun_c,v
retrieving revision 1.12
diff -u -p -r1.12 patch-src_openvpn_tun_c
--- patches/patch-src_openvpn_tun_c 28 Mar 2017 22:16:37 -0000 1.12
+++ patches/patch-src_openvpn_tun_c 14 May 2017 17:29:51 -0000
@@ -2,8 +2,9 @@ $OpenBSD: patch-src_openvpn_tun_c,v 1.12
 
 - no need for link0 any more, we have separate tap interfaces
 
---- src/openvpn/tun.c.orig Wed Mar 22 16:34:21 2017
-+++ src/openvpn/tun.c Mon Mar 27 06:01:57 2017
+Index: src/openvpn/tun.c
+--- src/openvpn/tun.c.orig
++++ src/openvpn/tun.c
 @@ -1201,7 +1201,7 @@ do_ifconfig(struct tuntap *tt,
          if (tun)
          {
@@ -37,3 +38,18 @@ $OpenBSD: patch-src_openvpn_tun_c,v 1.12
                          IFCONFIG_PATH,
                          actual,
                          ifconfig_local,
+@@ -1654,11 +1659,11 @@ write_tun_header(struct tuntap *tt, uint8_t *buf, int
+     {
+         u_int32_t type;
+         struct iovec iv[2];
+-        struct ip *iph;
++        struct ip iph;
+
+-        iph = (struct ip *) buf;
++        memcpy(&iph, buf, sizeof(iph));
+
+-        if (iph->ip_v == 6)
++        if (iph.ip_v == 6)
+         {
+             type = htonl(AF_INET6);
+         }
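
Review bot: In the added write_tun_header hunk, memcpy(&iph, buf, sizeof(iph)) copies a whole struct ip out of buf, while the code it replaces only read the ip_v field through the cast pointer, and no length check is visible before the copy. If a packet can be shorter than sizeof(struct ip), this reads past the data; either check the function's length argument first or copy only the leading byte that carries the version. The comment lines visible at the top of patch-src_openvpn_tun_c mention only the link0 change, so a line saying why the cast is replaced would help the next person updating the port.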


--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE

Re: openvpn-2.4.2 security update for -stable

Paul Irofti-4
I have the same diff in my tree that I tested this morning with success.

From: Jeremie Courreges-Anglas
Sent: Sunday, 14 May 2017 21:50
To: [hidden email]
Cc: Daniel Jakots
Subject: openvpn-2.4.2 security update for -stable

Daniel Jakots <[hidden email]> writes:

> Hey,
>
> OpenVPN got audited and they found some vulnerabilities [1].
> They released 2.4.2 to fix these issues.
>
> Here's a diff to update the port. I tested it as a client and as always
> more tests are wanted.
>
> [1]: https://ostif.org/the-openvpn-2-4-0-audit-by-ostif-and-quarkslab-results/

Thanks.  Here's a diff for 6.1, can someone give it a try on -stable?


Index: Makefile
===================================================================
RCS file: /d/cvs/ports/net/openvpn/Makefile,v
retrieving revision 1.73
diff -u -p -r1.73 Makefile
--- Makefile 28 Mar 2017 22:16:37 -0000 1.73
+++ Makefile 14 May 2017 17:29:16 -0000
@@ -2,7 +2,7 @@
 
 COMMENT= easy-to-use, robust, and highly configurable VPN
 
-DISTNAME= openvpn-2.4.1
+DISTNAME= openvpn-2.4.2
 CATEGORIES= net security
 
 HOMEPAGE= https://openvpn.net/index.php/open-source/
Index: distinfo
===================================================================
RCS file: /d/cvs/ports/net/openvpn/distinfo,v
retrieving revision 1.36
diff -u -p -r1.36 distinfo
--- distinfo 28 Mar 2017 22:16:37 -0000 1.36
+++ distinfo 12 May 2017 13:42:40 -0000
@@ -1,2 +1,2 @@
-SHA256 (openvpn-2.4.1.tar.gz) = gxoaBSaP47FkbTZ+JVnP+U00fSE8qJlcxIpO7cRSCXo=
-SIZE (openvpn-2.4.1.tar.gz) = 1385789
+SHA256 (openvpn-2.4.2.tar.gz) = skdAydRKgeryvvxIRtUURaUgEEMh4yqvDBNe0uCYpiQ=
+SIZE (openvpn-2.4.2.tar.gz) = 1402516
Index: patches/patch-configure
===================================================================
RCS file: /d/cvs/ports/net/openvpn/patches/patch-configure,v
retrieving revision 1.15
diff -u -p -r1.15 patch-configure
--- patches/patch-configure 28 Mar 2017 22:16:37 -0000 1.15
+++ patches/patch-configure 12 May 2017 13:42:40 -0000
@@ -1,7 +1,8 @@
 $OpenBSD: patch-configure,v 1.15 2017/03/28 22:16:37 jca Exp $
---- configure.orig Wed Mar 22 16:34:35 2017
-+++ configure Mon Mar 27 06:03:11 2017
-@@ -17299,7 +17299,7 @@ else
+Index: configure
+--- configure.orig
++++ configure
+@@ -17187,7 +17187,7 @@ else
  fi
 
 
Index: patches/patch-src_openvpn_tun_c
===================================================================
RCS file: /d/cvs/ports/net/openvpn/patches/patch-src_openvpn_tun_c,v
retrieving revision 1.12
diff -u -p -r1.12 patch-src_openvpn_tun_c
--- patches/patch-src_openvpn_tun_c 28 Mar 2017 22:16:37 -0000 1.12
+++ patches/patch-src_openvpn_tun_c 14 May 2017 17:29:51 -0000
@@ -2,8 +2,9 @@ $OpenBSD: patch-src_openvpn_tun_c,v 1.12
 
 - no need for link0 any more, we have separate tap interfaces
 
---- src/openvpn/tun.c.orig Wed Mar 22 16:34:21 2017
-+++ src/openvpn/tun.c Mon Mar 27 06:01:57 2017
+Index: src/openvpn/tun.c
+--- src/openvpn/tun.c.orig
++++ src/openvpn/tun.c
 @@ -1201,7 +1201,7 @@ do_ifconfig(struct tuntap *tt,
          if (tun)
          {
@@ -37,3 +38,18 @@ $OpenBSD: patch-src_openvpn_tun_c,v 1.12
                          IFCONFIG_PATH,
                          actual,
                          ifconfig_local,
+@@ -1654,11 +1659,11 @@ write_tun_header(struct tuntap *tt, uint8_t *buf, int
+     {
+         u_int32_t type;
+         struct iovec iv[2];
+-        struct ip *iph;
++        struct ip iph;
+
+-        iph = (struct ip *) buf;
++        memcpy(&iph, buf, sizeof(iph));
+
+-        if (iph->ip_v == 6)
++        if (iph.ip_v == 6)
+         {
+             type = htonl(AF_INET6);
+         }


--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE

Re: openvpn-2.4.2 security update for -stable

Jérémie Courrèges-Anglas-4
Paul Irofti <[hidden email]> writes:

> I have the same diff in my tree that I tested this morning with success.

Committed, thanks.  The final commit also added
patches/patch-include_openvpn-plugin_h_in to avoid breaking
net/openvpn-auth-ldap.

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
