Hi All, simple security update. This release fixes the following CVEs:
oracle attacks (CVE-2018-16737, CVE-2018-16738), and a MITM being able to force a NULL cipher for UDP (CVE-2018-16758). Our patch was also merged upstream. OK before ports lock? Best regards, Rafael Index: devel/quirks/Makefile =================================================================== RCS file: /cvs/ports/devel/quirks/Makefile,v retrieving revision 1.621 diff -u -p -r1.621 Makefile --- devel/quirks/Makefile 8 Oct 2018 12:08:08 -0000 1.621 +++ devel/quirks/Makefile 9 Oct 2018 05:06:26 -0000 @@ -5,7 +5,7 @@ CATEGORIES = devel databases DISTFILES = # API.rev -PKGNAME = quirks-3.14 +PKGNAME = quirks-3.15 PKG_ARCH = * MAINTAINER = Marc Espie <es...@openbsd.org> Index: devel/quirks/files/Quirks.pm =================================================================== RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v retrieving revision 1.635 diff -u -p -r1.635 Quirks.pm --- devel/quirks/files/Quirks.pm 8 Oct 2018 12:08:08 -0000 1.635 +++ devel/quirks/files/Quirks.pm 9 Oct 2018 05:06:26 -0000 @@ -1194,6 +1194,7 @@ my $cve = { 'www/p5-CGI-Application' => 'p5-CGI-Application-<4.50p0', 'www/webkitgtk4' => 'webkitgtk4-<2.20.5', 'x11/gnome/gdm' => 'gdm-<3.28.3', + 'net/tinc' => 'tinc-<1.0.35v0', }; # please maintain sort order in above $cve list, future updates need to # replace existing entries Index: net/tinc/Makefile =================================================================== RCS file: /cvs/ports/net/tinc/Makefile,v retrieving revision 1.10 diff -u -p -r1.10 Makefile --- net/tinc/Makefile 16 Jun 2018 11:20:29 -0000 1.10 +++ net/tinc/Makefile 9 Oct 2018 05:06:26 -0000 
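Review bot: In the Quirks.pm hunk the new `'net/tinc' => 'tinc-<1.0.35v0',` line is appended after `'x11/gnome/gdm'`, which breaks the ordering that the comment directly below the hash asks for ("please maintain sort order in above $cve list"). The order matters because, as that comment says, future updates need to replace the existing entry. An out-of-place key is easy to overlook, and a later duplicate key in a Perl hash literal silently overrides the earlier one. The line should move up to its sorted position, presumably among other `net/` keys that lie outside this hunk. The `v0` suffix in the spec is consistent with the `EPOCH = 0` visible in net/tinc/Makefile.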
@@ -1,7 +1,7 @@ # $OpenBSD: Makefile,v 1.10 2018/06/16 11:20:29 rsadowski Exp $ COMMENT = Virtual Private Network (VPN) daemon -DISTNAME = tinc-1.0.34 +DISTNAME = tinc-1.0.35 CATEGORIES = net security EPOCH = 0 Index: net/tinc/distinfo =================================================================== RCS file: /cvs/ports/net/tinc/distinfo,v retrieving revision 1.8 diff -u -p -r1.8 distinfo --- net/tinc/distinfo 16 Jun 2018 11:20:29 -0000 1.8 +++ net/tinc/distinfo 9 Oct 2018 05:06:26 -0000 @@ -1,2 +1,2 @@ -SHA256 (tinc-1.0.34.tar.gz) = wDqbYd7dRSEW3ZqNsjFUW6CKfJa84BHgy9PP0sVtz9o= -SIZE (tinc-1.0.34.tar.gz) = 484174 +SHA256 (tinc-1.0.35.tar.gz) = GMg7FHzD4hM6esJUPusBTVIHDeAcdHQofTzOzJsWiV4= +SIZE (tinc-1.0.35.tar.gz) = 499277 Index: net/tinc/patches/patch-doc_tinc_texi =================================================================== RCS file: net/tinc/patches/patch-doc_tinc_texi diff -N net/tinc/patches/patch-doc_tinc_texi --- net/tinc/patches/patch-doc_tinc_texi 16 Jun 2018 11:20:29 -0000 1.8 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,22 +0,0 @@ -$OpenBSD: patch-doc_tinc_texi,v 1.8 2018/06/16 11:20:29 rsadowski Exp $ -Index: doc/tinc.texi ---- doc/tinc.texi.orig -+++ doc/tinc.texi -@@ -2075,7 +2075,7 @@ In switch or hub modes ARP does work so the sender alr - In those modes every interface should have a unique MAC address, so make sure they are not the same. - Because switch and hub modes rely on MAC addresses to function correctly, - these modes cannot be used on the following operating systems which don't have a `tap' style virtual network device: --OpenBSD, NetBSD, Darwin and Solaris. -+NetBSD, Darwin and Solaris. - - - @c ================================================================== -@@ -2503,8 +2503,6 @@ For IPv6 addresses: - On some platforms, when running tinc in switch mode, the VPN interface must be set to tap mode with an ifconfig command: - - @multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} --@item OpenBSD --@tab @code{ifconfig} @var{interface} @code{link0} - @end multitable - - On Linux, it is possible to create a persistent tun/tap interface which will Index: net/tinc/pkg/PLIST =================================================================== RCS file: /cvs/ports/net/tinc/pkg/PLIST,v retrieving revision 1.3 diff -u -p -r1.3 PLIST --- net/tinc/pkg/PLIST 18 Apr 2018 10:19:02 -0000 1.3 +++ net/tinc/pkg/PLIST 9 Oct 2018 05:06:26 -0000 @@ -1,15 +1,16 @@ @comment $OpenBSD: PLIST,v 1.3 2018/04/18 10:19:02 kn Exp $ @newgroup _tinc:759 @newuser _tinc:759:_tinc:daemon:tinc user:/var/empty:/sbin/nologin +@rcscript ${RCDIR}/tincd @info info/tinc.info @man man/man5/tinc.conf.5 @man man/man8/tincd.8 @bin sbin/tincd share/examples/tinc/ share/examples/tinc/hosts/ +@mode 750 @owner root @group _tinc -@mode 750 @sample ${SYSCONFDIR}/tinc/ @sample ${SYSCONFDIR}/tinc/example/ @sample ${SYSCONFDIR}/tinc/example/hosts/ 
@@ -20,8 +21,6 @@ share/examples/tinc/hosts/beta @sample ${SYSCONFDIR}/tinc/example/hosts/beta share/examples/tinc/rsa_key.priv @sample ${SYSCONFDIR}/tinc/example/rsa_key.priv -@owner root -@group _tinc @mode 750 share/examples/tinc/tinc-down @sample ${SYSCONFDIR}/tinc/example/tinc-down @@ -29,7 +28,3 @@ share/examples/tinc/tinc-up @sample ${SYSCONFDIR}/tinc/example/tinc-up share/examples/tinc/tinc.conf @sample ${SYSCONFDIR}/tinc/example/tinc.conf -@owner -@group -@mode -@rcscript ${RCDIR}/tincd