openvpn 2.1.1 security =88

Secure IP/Ethernet tunnel daemon
Maintained by: mandree@FreeBSD.org
Port Added: 24 Jun 2002 17:19:12
Also Listed In: net

---

---

OpenVPN is a robust, scalable and highly configurable VPN (Virtual Private
Network) daemon which can be used to securely link two or more private networks
using an encrypted tunnel over the internet. It can operate over UDP or TCP,
can use SSL or a pre-shared secret to authenticate peers, and in SSL mode, one
server can handle many clients.

WWW: http://openvpn.net/index.php/open-source.html

- Matthias Andree
mandree@FreeBSD.org

CVSWeb : Sources : Main Web Site : Distfiles Availability : PortsMon

---

Required Libraries: archivers/lzo2

---

To install the port: cd /usr/ports/security/openvpn/ && make install clean
To add the package: pkg_add -r openvpn

---

Configuration Options

===> The following configuration options are available for openvpn-2.1.1:
     PW_SAVE=off (default) "Interactive passwords may be read from a file"
     PKCS11=off (default) "Use security/pkcs11-helper"
===> Use 'make config' to modify these settings

---

Master Sites:

http://openvpn.net/release/

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/

• 2010-01-07

  Affects: users of security/openvpn*

  Author: mandree@FreeBSD.org

  Reason: 
    security/openvpn has been moved to security/openvpn20 and upgraded to 2.0.9.
    security/openvpn has been upgraded to 2.1.1, and security/openvpn-devel has
    been removed.
  
    Regular upgrades of the security/openvpn port should succeed without
    manual intervention, but if you want to stick to openvpn 2.0 or if you
    had been using openvpn-devel, manual intervention is needed, as
    follows:
  
    If you'd been using the security/openvpn-devel port, please use one of
    these commands for upgrading:
  
      portmaster -m-DDISABLE_CONFLICTS -o security/openvpn security/openvpn-devel
  
      portupgrade -m-DDISABLE_CONFLICTS -o security/openvpn security/openvpn-devel
  
    If you want to stick to openvpn 2.0, please use one of these two
    upgrade commands:
  
      portmaster -m-DDISABLE_CONFLICTS -o security/openvpn20 security/openvpn
  
      portupgrade -m-DDISABLE_CONFLICTS -o security/openvpn20 security/openvpn
  
  

Move security/openvpn to security/openvpn20 (after previous repocopy).
Update security/openvpn20 to 2.0.9, revising pkg-message.

Move security/openvpn-devel to security/openvpn and
update security/openvpn to 2.1.1.

Remove security/openvpn-devel, adding a MOVED entry.

Update security/Makefile to remove openvpn-devel and add openvpn20 to
SUBDIRS.

Add a UPDATING entry for this shuffle.  Currently without upgrade
instructions since neither portupgrade nor portmaster are up to the
task (because of the CONFLICTS).

Approved by:  garga@ (mentor)

Fix a few "bad example" problems in the rc.d scripts that have been
propogated by copy and paste.

1. Primarily the "empty variable" default assignment, which is mostly
${name}_flags="", but fix a few others as well.
2. Where they are not already documented, add the existence of the _flags
(or other deleted empties) option to the comments, and in some cases add
comments from scratch.
3. Replace things that look like:
prefix=%%PREFIX%%
command=${prefix}/sbin/foo
to just use %%PREFIX%%. In many cases the $prefix variable is only used
once, and in some cases it is not used at all.
4. In a few cases remove ${name}_flags from command_args
5. Remove a long-stale comment about putting the port's rc.d script in
/etc/rc.d (which is no longer necessary).

No PORTREVISION bumps because all of these changes are noops.

- Add logging knob

PR:             ports/130893
Submitted by:   Michael Scheidell <scheidell@secnap.net>
Approved by:    Matthias Andree <matthias.andree@gmx.de> (maintainer)

Update CONFIGURE_ARGS for how we pass CONFIGURE_TARGET to configure script.
Specifically, newer autoconf (> 2.13) has different semantic of the
configure target. In short, one should use --build=CONFIGURE_TARGET
instead of CONFIGURE_TARGET directly. Otherwise, you will get a warning
and the old semantic may be removed in later autoconf releases.

To workaround this issue, many ports hack the CONFIGURE_TARGET variable
so that it contains the ``--build='' prefix.

To solve this issue, under the fact that some ports still have
configure script generated by the old autoconf, we use runtime detection
in the do-configure target so that the proper argument can be used.

Changes to Mk/*:
 - Add runtime detection magic in bsd.port.mk

- Force commit to correct the previous commit log:

Correct permissions/owner of DOCSDIR-installed files

PR:             125726 / 125727
Request by:     maintainer via im

- Respect NOPORTDOCS

PR:             125726
Submitted by:   Matthias Andree <matthias.andree@gmx.de> (maintainer)

- Run opensvn with --daemon ${name} in order to get distinguishable and
  useful syslog tags

PR:             ports/120862
Submitted by:   Matthias Andree <matthias.andree at gmx.de> (maintainer)

Remove spurious empty BEFORE: lines

Approved by:    maintainer

rcfile:
- fix for FreeBSD releases before rcorder integration
- update copyright notice
- replace shell backticks by $().

Port:
- bump revision
- reformat comment

PR:             ports/109856
Submitted by:   Matthias Andree <matthias.andree@gmx.de> (maintainer)
Approved by:    miwi (mentor)

Fix a bug I introduced with last commit which resulted in openvpn not
being started during boot. The reason for this is that at boot $0 is not
/usr/local/etc/rc.d/openvpn but /etc/rc. The fix is a bit hackish because
it retrieves the script name from $_file - variable used in run_rc_script().

Reported by:    bazzoola <bazzoola@gmail.com>

use $() instead of ``

Requested by:   Matthias Andree <matthias.andree@gmx.de> (maintainer)

* Add support for running multiple instances of openvpn to the startup script
  Inspired by [1]
* Bump PORTREVISION
* Update the comment which says not to send notices about 2.0.8 to 2.0.9 since
  2.0.9 also introduces only Windows changes. Remove maintainer's name from
  this comment since he did not explicitly state this.

PR:             ports/108371 [1]
Submitted by:   Denis Shaposhnikov <dsh@vlink.ru>, Gleb Kozyrev
<gkozyrev@gmail.com> [1]
Approved by:    matthias.andree@gmx.de (maintainer timeout, 28 days)

- Use newly added RC_SUBR_SUFFIX

Approved by:    Matthias Andree <matthias.andree at gmx.de> (maintainer)

- Fix build failures that arose from an accidentally omitted -fPIC.
- Portrevision bumped since the change affects all architectures,
  not just those that were failing.

PR:             ports/103863
Submitted by:   Matthias Andree <matthias.andree@gmx.de> (maintainer)
Reported by:    pointyhat

- Install additional auth-pam plugin

PR:             ports/103833
Submitted by:   Matthias Andree <matthias.andree at gmx.de> (maintainer)
Suggested by:   Michael Helmeste
Tested by:      Michael Helmeste

- Update comments for OpenVPN 2.0.8

PR:             ports/103243
Submitted by:   Matthias Andree <matthias.andree at gmx.de> (maintainer)

- conflicts with openvpn-devel-[0-9]*
- bump PORTREVISION

PR:             ports/102301
Submitted by:   Matthias Andree (maintainer)

1 - build and install lib/openvpn-down-root.so plugin (see --plugin option in
    the man page) and README.openvpn-down-root
2 - match rc.d filename as printed post install in pkg-message to actual file
    name on newer systems (which use openvpn rather than openvpn.sh)
Reported by:    Jean-Baptiste Quenot (Bcc'd)
The maintainer wishes to thank Jean-Baptiste for his report and patience.
3 - add a pkg-req script to prevent installation of 6.1 packages on older
    machines, which is a frequent source of "rc.d script doesn't work"
    complaints.

Added file(s):
- files/pkg-req.in

PR:             ports/100917
Submitted by:   Matthias Andree (maintainer)

Add a message explaining why it won't be upgraded to 2.0.7 version, to
prevent a lot of people asking maintainer about it:

# -----------------------------------------------------
# DO NOT BOTHER TO SEND NOTICES ABOUT 2.0.7 AS IT FIXES
# A WINDOWS-ONLY BUG THAT DOESN'T AFFECT *BSD AND THUS
# DOES NOT WARRANT A PORT UPGRADE! AND UPGRADE REQUESTS
# WILL BE DROPPED.       -- Matthias Andree, 2006-04-26
# -----------------------------------------------------

PR:             ports/96383
Submitted by:   maintainer

- Update to 2.0.6
  * security fix for client LD_PRELOAD code injection vulnerability
    through compromised upstream servers
    (FreeBSD VuXML Vuln VID be4ccb7b-c48b-11da-ae12-0002b3b60e4c,
     filed in separate PR)
    CVE id not known yet
  * 2 other changes only relevant for Linux and NetBSD, not detailed here.

PR:             ports/95345
Submitted by:   maintainer
Security:       VuXML be4ccb7b-c48b-11da-ae12-0002b3b60e4c

Fix FreeBSD 4 jail build

PR:             ports/93833
Patch by:       dinoex
Submitted by:   Matthias Andree <matthias.andree@gmx.de> (maintainer)
Approved by:    portmgr (marcus)

Remove the FreeBSD KEYWORD from all rc.d scripts where it appears.
We have not checked for this KEYWORD for a long time now, so this
is a complete noop, and thus no PORTREVISION bump. Removing it at
this point is mostly for pedantic reasons, and partly to avoid
perpetuating this anachronism by copy and paste to future scripts.

- CATEGORY CHANGE: add "net" secondary category
- fix jail build on FreeBSD 4 (no security.jail.jailed oid in sysctl)
- catch jail IP misconfiguration and print clear error message
- add SHA256 checksum
- revise pkg-message and pkg-descr

PR:             ports/88785
Submitted by:   maintainer

Enables self-tests with WITH_JAIL
Bump PORTREVISION

PR:             88488
Submitted by:   Matthias Andree <matthias.andree@gmx.de> (maintainer)

- Update to 2.0.5

PR:             ports/88437
Submitted by:   maintainer

Update to 2.0.4

PR:             88379
Submitted by:   Matthias Andree <matthias.andree@gmx.de> (maintainer)
Security:       CVE-2005-3393, CVE-2005-3409

- fix build in jail

maintainer emailed 2005-10-04
Approved by:    (maintainer timeout)

FreeBSD 6 no longer adds debug.if_* sysctl variables in its default kernel
(according to the release notes), so our heuristic assumes the module is
missing and tries to load it, which fails as the module already exists.

PR:             ports/86286
Submitted by:   maintainer

- Update to 2.0.2 that brings these upstream changes:

  - fix bug that would exhaust file descriptors as the routing table was
modified
    (this had already been part of the port previously)
  - fix bug that would block the management socket until the peer connected
  - fix pkitool sh incompatibilities (from NetBSD)

PR:             ports/85299
Submitted by:   maintainer

Fix a typo in the new rc file, where documentation didn't match the
actual variables.

PR:             ports/85156
Submitted by:   maintainer
Reported by:    Benjamin Lutz <benlutz@datacomm.ch>
Approved by:    portmgr (krion)

- Security update to version 2.0.1, fixing four denial of service bugs,
  CAN-2005-2531, CAN-2005-2532, CAN-2005-2533, CAN-2005-2534
- Drop old init script and add a modern rcNG script in its place,
  requested by Matthias Grimm and Dirk Gouders (although the script below is
  one I, Matthias Andree, wrote). It can automatically load tun/tap drivers.
- move pkg-message to files/pkg-message.in, revise it, list it in SUB_FILES
  to expand ${PREFIX}.
- print pkg-message after installation from port
- switch to official "make check" as smoke-test, rather than wiring our own.
- prefer LZO2 in most situations, as OpenVPN will pick up LZO2 rather than
  LZO1 if both are installed.

PR:             ports/85109
Submitted by:   maintainer
Approved by:    portmgr (krion)

Add PW_PASS option to compile with --enable-pass-save

PR:             82494
Submitted by:   Landon Fuller <landonf@threerings.net>
Reviewed by:    Matthias Andree <matthias.andree@gmx.de> (maintainer)
Approved by:    mantainer, flz (mentor)

- Backout latest commit, it needs a repocopy due to API change.

Noticed by:     Matthias Andree <matthias.andree@gmx.de>

- Bump lzo lib version.
- Bump PORTREVISION.

Plug socket (file descriptor) leak.

PR:             ports/81267
Submitted by:   Jaroslav Klaus via maintainer

Revise pkg-message to mark more prominently that the default
port is now 1194 rather than 5000, and refer users to the
online release notes if looking for information WRT older versions.

PR:             80300
Submitted by:   maintainer

Update to 2.0

PR:             ports/80082
Submitted by:   Matthias Andree <matthias.andree@gmx.de> (maintainer)
Approved by:    adamw (mentor, implicit)

Add CONFLICTS with openvpn-devel

PR:             ports/71337
Submitted by:   maintainer

Update to latest stable version.

PR:             ports/66473
Submitted by:   Matthias Andree (maintainer)

Add size data.

Approved by:    maintainers

- Support for TCP as the tunnel transport was added
- Change maintainer email

PR:             59543
Submitted by:   maintainer

updates the OpenVPN port from 1.4.0 to 1.4.2.

PR:             54597
Submitted by:   Matthias Andree <matthias.andree@gmx.de>

upgrade to 1.4.0

PR:             51956
Submitted by:   maintainer

De-pkg-comment.

* Upgrade to 1.3.2.
* Add init script.

PR:             44436
Submitted by:   maintainer

upgrade to 1.3.0

PR:             40424
Submitted by:   maintainer

Add new port openvpn: Secure IP/Ethernet tunnel daemon

PR:             ports/39750
Submitted by:   Matthias Andree <matthias.andree@web.de>

5 vulnerabilities affecting 16 ports have been reported in the past 14 days

^* - modified, not new

All vulnerabilities