security/openvpn: update to 2.6.8 bug-fix release

hopefully fixes... PR: 275206 Changelog: https://github.com/OpenVPN/openvpn/blob/v2.6.8/Changes.rst#overview-of-changes-in-268 MFH: 2023Q4
2025-07-18 17:59:20 -04:00 · 2023-11-21 18:03:09 +01:00 · 2023-11-21 18:03:09 +01:00 · f6ef06771b
commit f6ef06771b
parent a0a9f3e619
4 changed files with 5 additions and 142 deletions
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@ -1,6 +1,6 @@
 PORTNAME=		openvpn
-DISTVERSION=		2.6.7
-PORTREVISION?=		1
+DISTVERSION=		2.6.8
+PORTREVISION?=		0
 CATEGORIES=		security net net-vpn
 MASTER_SITES=		https://swupdate.openvpn.org/community/releases/ \
 			https://build.openvpn.net/downloads/releases/ \
--- a/security/openvpn/distinfo
+++ b/security/openvpn/distinfo
@ -1,3 +1,3 @@
-TIMESTAMP = 1699892936
-SHA256 (openvpn-2.6.7.tar.gz) = ee9877340b1d8de47eb5b52712c3366855fa6a4a1955bf950c68577bd2039913
-SIZE (openvpn-2.6.7.tar.gz) = 1895682
+TIMESTAMP = 1700585155
+SHA256 (openvpn-2.6.8.tar.gz) = 5ede1565c8a6d880100f7f235317a7ee9eea83d5052db5547f13a9e76af7805d
+SIZE (openvpn-2.6.8.tar.gz) = 1896563
--- a/security/openvpn/files/patch-git-457f468a76f324a14b1236988cc5f5a95f14abf5
+++ b/security/openvpn/files/patch-git-457f468a76f324a14b1236988cc5f5a95f14abf5
@ -1,89 +0,0 @@
-From 457f468a76f324a14b1236988cc5f5a95f14abf5 Mon Sep 17 00:00:00 2001
-From: Aquila Macedo <aquilamacedo@riseup.net>
-Date: Thu, 19 Oct 2023 16:40:49 -0300
-Subject: [PATCH] doc: Correct typos in multiple documentation files
-
-Fixed typographical errors in various documentation files for improved clarity and readability.
-
-Signed-off-by: Aquila Macedo <aquilamacedo@riseup.net>
-Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
-Message-Id: <4a3a9f1d691704f25f07653bb0de2583@riseup.net>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27320.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
-(cherry picked from commit 20c42b89f6d38a4426b5fe67f59acaadcb9ac314)
---
- doc/man-sections/client-options.rst      | 4 ++--
- doc/man-sections/generic-options.rst     | 2 +-
- doc/man-sections/server-options.rst      | 2 +-
- doc/man-sections/vpn-network-options.rst | 2 +-
- src/openvpn/options.c                    | 2 +-
- 5 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst
-index 3616ed7f3f8..54c4ec63073 100644
--- ./doc/man-sections/client-options.rst
-+++ b/doc/man-sections/client-options.rst
-@@ -51,9 +51,9 @@ configuration.
-   react according to ``--auth-retry``
- 
- --auth-token-user base64username
-  Companion option to ``--auth-token``. This options allows to override
-+  Companion option to ``--auth-token``. This options allows one to override
-   the username used by the client when reauthenticating with the ``auth-token``.
-  It also allows to use ``--auth-token`` in setups that normally do not use
-+  It also allows one to use ``--auth-token`` in setups that normally do not use
-   username and password.
- 
-   The username has to be base64 encoded.
-diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst
-index 97e1b5aa610..95e4ca233bd 100644
--- ./doc/man-sections/generic-options.rst
-+++ b/doc/man-sections/generic-options.rst
-@@ -483,7 +483,7 @@ which mode OpenVPN is configured as.
- 
-   * :code:`OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY` plug-in hooks returns
-     success/failure via :code:`auth_control_file` when using deferred auth
-    method and pending authentification via :code:`pending_auth_file`.
-+    method and pending authentication via :code:`pending_auth_file`.
- 
- --use-prediction-resistance
-   Enable prediction resistance on mbed TLS's RNG.
-diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
-index 6b9ad21b816..e7a7b2dba43 100644
--- ./doc/man-sections/server-options.rst
-+++ b/doc/man-sections/server-options.rst
-@@ -739,7 +739,7 @@ fast hardware. SSL/TLS authentication must be used in this mode.
- 
- --vlan-pvid v
-   Specifies which VLAN identifier a "port" is associated with. Only valid
-  when ``--vlan-tagging`` is speficied.
-+  when ``--vlan-tagging`` is specified.
- 
-   In the client context, the setting specifies which VLAN ID a client is
-   associated with. In the global context, the VLAN ID of the server TAP
-diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst
-index 3fa3ccf1073..41d367bfd0e 100644
--- ./doc/man-sections/vpn-network-options.rst
-+++ b/doc/man-sections/vpn-network-options.rst
-@@ -548,7 +548,7 @@ routing.
-   It's best to use the ``--fragment`` and/or ``--mssfix`` options to deal
-   with MTU sizing issues.
- 
-  Note: Depending on the platform, the operating system allows to receive
-+  Note: Depending on the platform, the operating system allows one to receive
-   packets larger than ``tun-mtu`` (e.g. Linux and FreeBSD) but other platforms
-   (like macOS) limit received packets to the same size as the MTU.
- 
-diff --git a/src/openvpn/options.c b/src/openvpn/options.c
-index 631ac73db8f..895ce830f6a 100644
--- ./src/openvpn/options.c
-+++ b/src/openvpn/options.c
-@@ -598,7 +598,7 @@ static const char usage_message[] =
-     "                  Windows Certificate System Store.\n"
- #endif
-     "--tls-cipher l  : A list l of allowable TLS ciphers separated by : (optional).\n"
-    "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n"
-+    "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n"
-     "                : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
-     "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
-     "                  (default=legacy).\n"
--- a/security/openvpn/files/patch-git-a903ebe9361d451daee71c225e141f4e1b67107d
+++ b/security/openvpn/files/patch-git-a903ebe9361d451daee71c225e141f4e1b67107d
@ -1,48 +0,0 @@
-From a903ebe9361d451daee71c225e141f4e1b67107d Mon Sep 17 00:00:00 2001
-From: Arne Schwabe <arne@rfc2549.org>
-Date: Wed, 15 Nov 2023 11:33:31 +0100
-Subject: [PATCH] Do not check key_state buffers that are in S_UNDEF state
-
-When a key_state is in S_UNDEF the send_reliable is not initialised. So
-checking it might access invalid memory or null pointers.
-
-Github: fixes OpenVPN/openvpn#449
-
-Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac
-[a@unstable.cc: add check for !send_reliable and message]
-Signed-off-by: Arne Schwabe <arne@rfc2549.org>
-Acked-by: Gert Doering <gert@greenie.muc.de>
-Message-Id: <20231115103331.18050-1-gert@greenie.muc.de>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27401.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
- src/openvpn/ssl.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
-index cee4afe19f3..b4cd8f5a567 100644
--- ./src/openvpn/ssl.c
-+++ b/src/openvpn/ssl.c
-@@ -3189,6 +3189,22 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
-     for (int i = 0; i < KS_SIZE; i++)
-     {
-         struct key_state *ks = &session->key[i];
-+        if (ks->state == S_UNDEF)
-+        {
-+            continue;
-+        }
-+
-+        /* we don't expect send_reliable to be NULL when state is
-+         * not S_UNDEF, but people have reported crashes nonetheless,
-+         * therefore we better catch this event, report and exit.
-+         */
-+        if (!ks->send_reliable)
-+        {
-+            msg(M_FATAL, "ERROR: session->key[%d]->send_reliable is NULL "
-+                "while key state is %s. Exiting.",
-+                i, state_name(ks->state));
-+        }
-+
-         for (int j = 0; j < ks->send_reliable->size; j++)
-         {
-             if (ks->send_reliable->array[i].buf.data == dataptr)