
non port: security/openvpn/files/patch-CVE-2020-11810

Number of commits found: 2

Friday, 17 Apr 2020
18:38 mandree
security/openvpn: update to 2.4.9 (also for -mbedtls slave port)

At the same time, remove ASYNC_PUSH_LIBS workaround from [1].

Changelog (high-level):
https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-249

Git changelog, marking the three fixes that were already in 2.4.8_3
as cherry-picks with a 1, 2, or 3 instead of "*" to correspond
with the PORTREVISION, and those with "-" that are specific to other systems,
say, Windows.

* 9b0dafca 2020-04-16 | Preparing release v2.4.9 (ChangeLog, version.m4, Changes.rst) (tag: v2.4.9) [Gert Doering]
3 f7b318f8 2020-04-15 | Fix illegal client float (CVE-2020-11810) [Lev Stipakov]
* 9bb285e3 2020-03-13 | Fix broken async push with NCP is used [Lev Stipakov]
- 5f8a9df1 2020-02-12 | Allow unicode search string in --cryptoapicert option [Selva Nair]
- 4658b3b6 2020-02-12 | Skip expired certificates in Windows certificate store [Selva Nair]
* df5ea7f1 2020-02-19 | Fix possible access of uninitialized pipe handles [Selva Nair]
* 1d9e0be2 2020-02-19 | Fix possibly uninitialized return value in GetOpenvpnSettings() [Selva Nair]
* 5ee76a8f 2020-03-28 | Fix OpenSSL 1.1.1 not using auto elliptic curve selection [Arne Schwabe]
* ed925c0a 2020-04-07 | OpenSSL: Fix --crl-verify not loading multiple CRLs in one file [Maxim Plotnikov]
* 2fe84732 2020-03-30 | When auth-user-pass file has no password query the management interface (if available). [Selva Nair]
* 908eae5c 2020-04-03 | Move querying username/password from management interface to a function [Selva Nair]
* 15bc476f 2020-04-02 | Fix OpenSSL error stack handling of tls_ctx_add_extra_certs [Arne Schwabe]
* 22df79bb 2020-04-01 | Fetch OpenSSL versions via source/old links [Arne Schwabe]
* 0efbd8e9 2020-03-31 | mbedTLS: Make sure TLS session survives move [Tom van Leeuwen]
* 33395693 2020-03-25 | docs: Add reference to X509_LOOKUP_hash_dir(3) [WGH]
* 7d19b2bb 2019-10-21 | Fix OpenSSL private key passphrase notices [Santtu Lakkala]
2 8484f37a 2020-03-14 | Fix building with --enable-async-push in FreeBSD [Lev Stipakov]
* 69bbfbdf 2020-02-18 | Swap the order of checks for validating interactive service user [Selva Nair]
* 0ba4f916 2019-11-09 | socks: use the right function when printing struct openvpn_sockaddr [Antonio Quartulli]
1 3bd91cd0 2019-10-30 | Fix broken fragmentation logic when using NCP [Lev Stipakov]

PR:		244286 [1]
MFH:		2020Q2 (patchlevel bugfix release)
Original commit: Revision 531957
Thursday, 16 Apr 2020
09:46 mandree
security/openvpn: Fix illegal client float (CVE-2020-11810)

There is a time frame between allocating peer-id and initializing data
channel key (which is performed on receiving push request or on async
push-reply) in which the existing peer-id float checks do not work right.

If a "rogue" data channel packet arrives during that time frame from another
address and with the same peer-id, this would cause the client to float to that new
address.

The net effect of this behaviour is that the VPN session for the "victim
client" is broken. Since the "attacker client" does not have suitable keys,
it cannot inject or steal VPN traffic from the other session. The time
window is small and it cannot be used to attack a specific client's session,
unless some other way is found to make it disconnect and reconnect first.

This fix is inherited by the openvpn-mbedtls slave port.

Obtained from:	Lev Stipakov (OpenVPN)
MFH:		2020Q2 (blanket security patch)
Security:	CVE-2020-11810
Security:	8604121c-7fc2-11ea-bcac-7781e90b0c8f
Original commit: Revision 531837
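The window described in the commit message, reduced to a toy model. This is added illustration, not OpenVPN's code: the server, session fields, addresses and the `check_key_before_float` switch are all constructed here, and the real fix additionally relies on the packet authenticating under the installed data channel key, which the model collapses into a `key_ready` flag.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """One client session as the server tracks it (simplified model)."""
    peer_id: int
    addr: str               # remote address the session is currently bound to
    key_ready: bool = False  # data channel key installed (after push-reply)


class Server:
    """Minimal peer-id/float bookkeeping; not the OpenVPN implementation."""

    def __init__(self, check_key_before_float: bool):
        # True models the fixed behaviour, False the pre-fix window.
        self.check_key_before_float = check_key_before_float
        self.sessions: dict[int, Session] = {}
        self.next_peer_id = 0

    def connect(self, addr: str) -> Session:
        """Allocate a peer-id at connect time, before any data key exists."""
        s = Session(self.next_peer_id, addr)
        self.next_peer_id += 1
        self.sessions[s.peer_id] = s
        return s

    def push_reply(self, peer_id: int) -> None:
        """Models the push-reply that installs the data channel key."""
        self.sessions[peer_id].key_ready = True

    def data_packet(self, peer_id: int, src_addr: str) -> str:
        """Handle a data channel packet carrying peer_id from src_addr."""
        s = self.sessions.get(peer_id)
        if s is None:
            return "dropped: unknown peer-id"
        if src_addr == s.addr:
            return "ok"
        # A different source address means a float request. Before the key
        # is installed there is nothing to authenticate it with, so the fixed
        # server refuses; the vulnerable one rebinds the session blindly.
        if self.check_key_before_float and not s.key_ready:
            return "dropped: float refused, data channel key not initialised"
        s.addr = src_addr
        return "floated"


if __name__ == "__main__":
    # Constructed RFC 5737 addresses, not real hosts.
    srv = Server(check_key_before_float=True)
    victim = srv.connect("198.51.100.10:1194")
    print(srv.data_packet(victim.peer_id, "203.0.113.7:40000"))
```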
