Changelog:
This release fixes a serious (though not security-related) bug in the
SSL/TLS negotiation over UDP that can cause SSL/TLS handshake failures.
PR: 127392
Submitted by: Matthias Andree <matthias.andree@gmx.de> (maintainer)
Approved by: portmgr (pav)

(arbitrary code execution).
- VulnDB update was submitted in a previous PR.
- Add PKCS#11 option which explicitly disables PKCS11 at
build time if not desired to avoid invisible pkcs11-helper
dependency, else openvpn would silently pick up security/pkcs11-helper.
PR: 126356
Submitted by: Matthias Andree <matthias.andree@gmx.de> (maintainer)

- Port rc script changes from security/openvpn 2.0.6_7 to support multiple
instances
PR: ports/109909
Submitted by: Matthias Andree <matthias.andree at gmx.de> (maintainer)

OpenVPN is a robust, scalable and highly configurable VPN (Virtual Private
Network) daemon which can be used to securely link two or more private networks
using an encrypted tunnel over the internet. It can operate over UDP or TCP,
can use SSL or a pre-shared secret to authenticate peers, and in SSL mode, one
server can handle many clients.
PR: ports/101802
Submitted by: Matthias Andree <matthias.andree@gmx.de> (openvpn maintainer)

* security fix for client LD_PRELOAD code injection vulnerability
through compromised upstream servers
(FreeBSD VuXML Vuln VID be4ccb7b-c48b-11da-ae12-0002b3b60e4c,
filed in separate PR)
CVE id not known yet
* 2 other changes only relevant for Linux and NetBSD, not detailed here.
PR: ports/95345
Submitted by: maintainer
Security: VuXML be4ccb7b-c48b-11da-ae12-0002b3b60e4c

- fix bug that would exhaust file descriptors as the routing table was modified
(this had already been part of the port previously)
- fix bug that would block the management socket until the peer connected
- fix pkitool sh incompatibilities (from NetBSD)
PR: ports/85299
Submitted by: maintainer

CAN-2005-2531, CAN-2005-2532, CAN-2005-2533, CAN-2005-2534
- Drop old init script and add a modern rcNG script in its place,
requested by Matthias Grimm and Dirk Gouders (although the script below is
one I, Matthias Andree, wrote). It can automatically load tun/tap drivers.
- move pkg-message to files/pkg-message.in, revise it, list it in SUB_FILES
to expand ${PREFIX}.
- print pkg-message after installation from port
- switch to official "make check" as smoke-test, rather than wiring our own.
- prefer LZO2 in most situations, as OpenVPN will pick up LZO2 rather than
LZO1 if both are installed.
PR: ports/85109
Submitted by: maintainer
Approved by: portmgr (krion)