Commit 0a38d940 authored by Gert Doering's avatar Gert Doering Committed by Matthias Andree

security/openvpn-devel: upgrade port to git commit 0fb5a00549 (2.7_beta2, 2025-09-25)

This is a MFH combined (squashed) from four commits from main to 2025Q3
to fix CVE-2025-10680.

Two patches were skipped because they are a change that got reverted in a
later commit. I'll leave Gert as the author of most patches;
my contribution was only the "fix mbedTLS3 bootstrapping" -- Matthias Andree, mandree@

----------------
security/openvpn-devel: upgrade port to git commit 7b1b283478 (2.7_alpha3, 2025-07-31)

This commit brings the port to "openvpn 2.7_alpha3".

For FreeBSD, the most significant change is that "floating clients with
DCO" are supported, if the kernel has support for it (-current).

Platform-independently, the "big new feature" is client side support
for PUSH_UPDATE (send new configuration data while a client-server
connection is established).

(cherry picked from commit cd978941)
----------------
security/openvpn-devel: upgrade port to git commit 1e7b9a0fb0 (2.7_beta1, 2025-09-03)

This commit brings the port to "openvpn 2.7_beta1".

New features alpha3 -> beta1 are
  - a large number of signed/unsigned related warnings have been fixed
  - bugfixes in --dns-updown script for linux systems using resolvconf
  - rewrite of the management interface "bytecount" infrastructure to better
    interact with DCO
  - PUSH_UPDATE server support (via management interface)
  - introduction of route_redirect_gateway_ipv4 and _ipv6 env variables
  - speeding up t_client tests by reducing per-test startup delay 3s -> 1s

The biggest noticeable difference in beta1 is the reformatting using
clang-format, leaving uncrustify as that wasn't stable across versions.

PR:		289315
(cherry picked from commit c31236c6)
----------------
security/openvpn-devel: fix mbedTLS3 bootstrapping

and switch to depend on the net/mbedtls3 port,
as we no longer carry mbedtls2 in ports.

Also, mbedTLS 3 supports TLSv1.3, so drop our local MBEDTLS_DESC
and go with the official description instead.

Approved by:	Gert Doering (maintainer, via IRC)
Related to:
PR:		289315

(cherry picked from commit 97ca816e)
----------------
security/openvpn-devel: upgrade port to git commit 0fb5a00549 (2.7_beta2, 2025-09-25)

This commit brings the port to "openvpn 2.7_beta2".

Notable changes beta1 -> beta2 (relevant for FreeBSD) are:
   - even more of signed/unsigned related warnings have been fixed
   - #pragmas have been added to all to-be-fixed source files, so we can
     now always enable -Wconversion to see if new code brings new warnings
     (and the CI infra builds with -Werror)
   - add proper input sanitation to DNS strings to prevent an attack
     coming from a trusted-but-malicious OpenVPN server (CVE-2025-10680,
     affects unixoid systems with --dns-updown scripts and windows using
     the built-in powershell call)
   - Switch test_ssl certificate from RSA 2048 to secp384r1
     (so "make check" runs with OpenSSL set to @SECLEVEL=3)
   - clean up MI prefix handling
   - replace all assert() calls with OpenVPN ASSERT()

PR:		289838
Security:       e5cf9f44-9a64-11f0-8241-93c889bb8de1
Security:       CVE-2025-10680
MFH:		2025Q3
(cherry picked from commit 5f2c6fc6)
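The "input sanitation to DNS strings" item above is the security-relevant change in this squash: values pushed by the server end up in the environment of an --dns-updown script or a PowerShell call, so they must not carry shell or line-structure characters. The allowlist check below is an added illustration written for this page, not OpenVPN's own code; the function name, the permitted character set and the length limit are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>

/* Assumed upper bound for a single pushed DNS option value. */
#define DNS_VALUE_MAX 255

/* Characters that may appear in a hostname label or an IPv4/IPv6 literal. */
static bool dns_char_ok(unsigned char c)
{
    return isalnum(c) || c == '.' || c == '-' || c == ':';
}

/* Allowlist check for a DNS server address or search domain received from
 * the server.  Anything outside the allowlist (whitespace, quotes, newlines,
 * shell metacharacters, control bytes) is rejected outright instead of being
 * escaped, so an accepted value can be exported to a script's environment
 * without any further quoting. */
bool dns_string_is_safe(const char *s)
{
    size_t len = 0;

    if (s == NULL)
        return false;
    /* Bounded scan so an unterminated or oversized value cannot run away. */
    while (len <= DNS_VALUE_MAX && s[len] != '\0')
        len++;
    if (len == 0 || len > DNS_VALUE_MAX)
        return false;
    /* A leading '-' could be read as an option by tools the script invokes. */
    if (s[0] == '-')
        return false;
    for (size_t i = 0; i < len; i++) {
        if (!dns_char_ok((unsigned char)s[i]))
            return false;
    }
    return true;
}
```

Rejecting rather than escaping keeps the policy identical for the shell and PowerShell consumers mentioned in the commit message.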
parent b882b11e