git: 0a38d940c92e - 2025Q3 - security/openvpn-devel: upgrade port to git commit 0fb5a00549 (2.7_beta2, 2025-09-25)

From: Matthias Andree <mandree_at_FreeBSD.org>
Date: Thu, 25 Sep 2025 23:53:08 UTC
The branch 2025Q3 has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0a38d940c92eb658857f225ceca9a8aa66f2918f

commit 0a38d940c92eb658857f225ceca9a8aa66f2918f
Author:     Gert Doering <gert@greenie.muc.de>
AuthorDate: 2025-08-01 13:07:38 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2025-09-25 23:52:06 +0000

    security/openvpn-devel: upgrade port to git commit 0fb5a00549 (2.7_beta2, 2025-09-25)
    
    This is a MFH combined (squashed) from four commits from main to 2025Q3
    to fix CVE-2025-10680.
    
    Two patches were skipped because they are a change that got reverted in a
    later commit. I'll leave Gert as the author of most patches;
    my contribution was only the "fix mbedTLS3 bootstrapping" -- Matthias Andree, mandree@
    
    ----------------
    security/openvpn-devel: upgrade port to git commit 7b1b283478 (2.7_alpha3, 2025-07-31)
    
    This commit brings the port to "openvpn 2.7_alpha3".
    
    For FreeBSD, the most significant change is that "floating clients with
    DCO" are supported, if the kernel has support for it (-current).
    
    Platform-independent the "big new feature" is client side support
    for PUSH_UPDATE (send new configuration data while a client-server
    connection is established).
    
    (cherry picked from commit cd97894175202e9ca2358cb9be360f286f472bdd)
    ----------------
    security/openvpn-devel: upgrade port to git commit 1e7b9a0fb0 (2.7_beta1, 2025-09-03)
    
    This commit brings the port to "openvpn 2.7_beta1".
    
    New features alpha3 -> beta1 are
      - a large number of signed/unsigned related warnings have been fixed
      - bugfixes in --dns-updown script for linux systems using resolvconf
      - rewrite of the management interface "bytecount" infrastructure to better
        interact with DCO
      - PUSH_UPDATE server support (via management interface)
      - introduction of route_redirect_gateway_ipv4 and _ipv6 env variables
      - speeding up t_client tests by reducing per-test startup delay 3s -> 1s
    
    The biggest noticeable difference in beta1 is the reformatting using
    clang-format, leaving uncrustify as that wasn't stable across versions.
    
    PR:             289315
    (cherry picked from commit c31236c680ee48f640b86a94d41838c80153568a)
    ----------------
    security/openvpn-devel: fix mbedTLS3 bootstrapping
    
    and switch to depend on the net/mbedtls3 port,
    as we no longer carry mbedtls2 in ports.
    
    Also, mbedTLS 3 supports TLSv1.3, so drop our local MBEDTLS_DESC
    and go with the official description instead.
    
    Approved by:    Gert Doering (maintainer, via IRC)
    Related to:
    PR:             289315
    
    (cherry picked from commit 97ca816e6d79034bf936814d19e0a1d27d038bf5)
    ----------------
    security/openvpn-devel: upgrade port to git commit 0fb5a00549 (2.7_beta2, 2025-09-25)
    
    This commit brings the port to "openvpn 2.7_beta2".
    
    Notable changes beta1 -> beta2 (relevant for FreeBSD) are:
       - even more signed/unsigned related warnings have been fixed
       - #pragmas have been added to all to-be-fixed source files, so we can
         now always enable -Wconversion to see if new code brings new warnings
         (and the CI infra builds with -Werror)
       - add proper input sanitation to DNS strings to prevent an attack
         coming from a trusted-but-malicious OpenVPN server (CVE: 2025-10680,
         affects unixoid systems with --dns-updown scripts and windows using
         the built-in powershell call)
       - Switch test_ssl certificate from RSA 2048 to secp384r1
         (so "make check" runs with OpenSSL set to @SECLEVEL=3)
       - clean up MI prefix handling
       - replace all assert() calls with OpenVPN ASSERT()
    
    PR:             289838
    Security:       e5cf9f44-9a64-11f0-8241-93c889bb8de1
    Security:       CVE-2025-10680
    MFH:            2025Q3
    (cherry picked from commit 5f2c6fc6b90582ad187be6c0387b059f2f0dfefb)
---
 security/openvpn-devel/Makefile | 7 +++----
 security/openvpn-devel/distinfo | 6 +++---
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/security/openvpn-devel/Makefile b/security/openvpn-devel/Makefile
index d41e0dba4a73..b97bf2df6c61 100644
--- a/security/openvpn-devel/Makefile
+++ b/security/openvpn-devel/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	openvpn
-DISTVERSION=	g20250629
+DISTVERSION=	g20250925
 PORTREVISION=	0  # leave in even if 0 to avoid accidental PORTEPOCH bumps
 PORTEPOCH=	1
 CATEGORIES=	security net net-vpn
@@ -21,7 +21,7 @@ LIB_DEPENDS+=	liblzo2.so:archivers/lzo2
 USES=		autoreconf cpe libtool pkgconfig python:build shebangfix tar:xz
 IGNORE_SSL=	libressl libressl-devel
 USE_GITLAB=	yes
-GL_TAGNAME=	df4863aa0e43544ea82ab9d98966a03a95c62334
+GL_TAGNAME=	0fb5a00549be6b065f9a4d61940ee06786d9fa61
 USE_RC_SUBR=	openvpn
 
 SHEBANG_FILES=	sample/sample-scripts/auth-pam.pl \
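Review bot: GL_TAGNAME is a bare 40-character commit hash, and nothing in the Makefile says which upstream version it corresponds to; only the commit subject ties 0fb5a00549 to 2.7_beta2. A trailing comment on the GL_TAGNAME line (for example `# 2.7_beta2`), in the same style as the existing PORTREVISION comment, would let the next update be checked against DISTVERSION at a glance.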
@@ -63,7 +63,6 @@ OPTIONS_EXCLUDE_FreeBSD_13=	DCO # FreeBSD 14 only
 
 DCO_DESC=		Build with Data Channel Offload (ovpn(4)) support
 EASYRSA_DESC=		Install security/easy-rsa RSA helper package
-MBEDTLS_DESC=		SSL/TLS via mbedTLS (lacks TLS v1.3)
 PKCS11_DESC=		Use security/pkcs11-helper
 SMALL_DESC=		Build a smaller executable with fewer features
 X509ALTUSERNAME_DESC=	Enable --x509-username-field (OpenSSL only)
@@ -77,7 +76,7 @@ EASYRSA_RUN_DEPENDS=	easy-rsa>=0:security/easy-rsa
 LZ4_LIB_DEPENDS+=	liblz4.so:archivers/liblz4
 LZ4_CONFIGURE_OFF=	--disable-lz4
 
-MBEDTLS_LIB_DEPENDS=	libmbedtls.so:security/mbedtls2
+MBEDTLS_LIB_DEPENDS=	libmbedtls.so:security/mbedtls3
 MBEDTLS_CONFIGURE_ON=	--with-crypto-library=mbedtls
 
 OPENSSL_USES=		ssl
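Review bot: The new MBEDTLS_LIB_DEPENDS origin is `security/mbedtls3`, but the commit message says the port switches to "the net/mbedtls3 port"; one of the two categories is wrong, and if it is the Makefile, the dependency will not resolve when the MBEDTLS option is enabled. Please confirm the origin and correct whichever side is off. The library half of the dependency is also still the unversioned `libmbedtls.so`, the same name the mbedtls2 line used, so an already-installed mbedtls2 would satisfy it; a versioned library name would pin the build to mbedTLS 3.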
diff --git a/security/openvpn-devel/distinfo b/security/openvpn-devel/distinfo
index 415d52c355ea..496559990a5d 100644
--- a/security/openvpn-devel/distinfo
+++ b/security/openvpn-devel/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1751182633
-SHA256 (openvpn-openvpn-df4863aa0e43544ea82ab9d98966a03a95c62334_GL0.tar.gz) = a1f756efc7aba2fdb79231a9eede327ce4242a777c88e7eaad3cb11d9197157c
-SIZE (openvpn-openvpn-df4863aa0e43544ea82ab9d98966a03a95c62334_GL0.tar.gz) = 1319214
+TIMESTAMP = 1758791563
+SHA256 (openvpn-openvpn-0fb5a00549be6b065f9a4d61940ee06786d9fa61_GL0.tar.gz) = c9502407a96db677c9ea2665821a1f16042ed9853ce46c51db3e5064800a9a47
+SIZE (openvpn-openvpn-0fb5a00549be6b065f9a4d61940ee06786d9fa61_GL0.tar.gz) = 1338386