On Tue, Oct 09 2018, Jeremie Courreges-Anglas <[email protected]> wrote:
> On Tue, Oct 09 2018, Rafael Sadowski <[email protected]> wrote:
>> Hi All,
>>
>> simple security update. This release prevents the following CVEs:
>>
>> oracle attacks (CVE-2018-16737, CVE-2018-16738).
>> MITM from forcing a NULL cipher for UDP (CVE-2018-16758).
>>
>> Our patches were also merged upstream. OK before ports look?
>
> ok jca@
>
> It would be good to backport this to -stable (6.3).

Here's a diff for 6.3, tested by danj@ (thanks!). ok? Index: Makefile =================================================================== RCS file: /cvs/ports/net/tinc/Makefile,v retrieving revision 1.6 diff -u -p -r1.6 Makefile --- Makefile 11 Jan 2018 19:27:08 -0000 1.6 +++ Makefile 9 Oct 2018 20:54:16 -0000 @@ -1,9 +1,8 @@ # $OpenBSD: Makefile,v 1.6 2018/01/11 19:27:08 rpe Exp $ COMMENT = Virtual Private Network (VPN) daemon -DISTNAME = tinc-1.0.33 +DISTNAME = tinc-1.0.35 CATEGORIES = net security -REVISION = 0 HOMEPAGE = https://www.tinc-vpn.org/ Index: distinfo =================================================================== RCS file: /cvs/ports/net/tinc/distinfo,v retrieving revision 1.5 diff -u -p -r1.5 distinfo --- distinfo 26 Dec 2017 22:03:07 -0000 1.5 +++ distinfo 9 Oct 2018 20:54:37 -0000 @@ -1,2 +1,2 @@ -SHA256 (tinc-1.0.33.tar.gz) = f29dxkRLxlGsY1yB9HRbzOWBu9HUXtYMvcTuEb67EPQ= -SIZE (tinc-1.0.33.tar.gz) = 486374 +SHA256 (tinc-1.0.35.tar.gz) = GMg7FHzD4hM6esJUPusBTVIHDeAcdHQofTzOzJsWiV4= +SIZE (tinc-1.0.35.tar.gz) = 499277 Index: patches/patch-doc_tinc_texi =================================================================== RCS file: patches/patch-doc_tinc_texi diff -N patches/patch-doc_tinc_texi --- patches/patch-doc_tinc_texi 26 Dec 2017 22:03:07 -0000 1.5 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,22 +0,0 @@ -$OpenBSD: patch-doc_tinc_texi,v 1.5 2017/12/26 22:03:07 rsadowski Exp $ -Index: doc/tinc.texi ---- doc/tinc.texi.orig -+++ doc/tinc.texi -@@ -2075,7 +2075,7 @@ In switch or hub modes ARP does work so the sender alr - In those modes every interface should have a unique MAC address, so make sure they are not the same. - Because switch and hub modes rely on MAC addresses to function correctly, - these modes cannot be used on the following operating systems which don't have a `tap' style virtual network device: --OpenBSD, NetBSD, Darwin and Solaris. -+NetBSD, Darwin and Solaris. - - - @c ================================================================== -@@ -2502,8 +2502,6 @@ For IPv6 addresses: - On some platforms, when running tinc in switch mode, the VPN interface must be set to tap mode with an ifconfig command: - - @multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} --@item OpenBSD --@tab @code{ifconfig} @var{interface} @code{link0} - @end multitable - - On Linux, it is possible to create a persistent tun/tap interface which will -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
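
Review bot: in the Makefile hunk, DISTNAME goes from tinc-1.0.33 straight to tinc-1.0.35, so this -stable backport carries two upstream releases and not only the CVE fixes. It is worth skimming upstream's changes for 1.0.34 and 1.0.35 for anything that alters behaviour or configuration before this goes into 6.3. Dropping "REVISION = 0" together with the version bump looks right.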
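
Review bot: in the distinfo hunk, the new SHA256 and SIZE lines for tinc-1.0.35.tar.gz are the only integrity check the port makes on the tarball. For a security update, confirm both values against upstream's published release rather than only against whatever copy was fetched when the checksum was regenerated.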
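
Review bot: deleting patches/patch-doc_tinc_texi is only correct if doc/tinc.texi in 1.0.35 already contains both of its changes: the list of systems without a `tap' style device reading "NetBSD, Darwin and Solaris." and the multitable without the OpenBSD "link0" row. Please confirm that against the unpacked 1.0.35 source, otherwise the installed documentation would again say switch and hub modes cannot be used on OpenBSD.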
