Diffusion FreeBSD ports repository 0a38d940c92e

security/openvpn-devel: upgrade port to git commit 0fb5a00549 (2.7_beta2, 2025…
0a38d940c92e
Actions

Description

security/openvpn-devel: upgrade port to git commit 0fb5a00549 (2.7_beta2, 2025-09-25)

This is a MFH combined (squashed) from four commits from main to 2025Q3
to fix CVE-2025-10680.

Two patches were skipped because they are a change that got reverted in a
later commit. I'll leave Gert as the author of most patches;
my contribution was only the "fix mbedTLS3 bootstrapping" -- Matthias Andree, mandree@

security/openvpn-devel: upgrade port to git commit 7b1b283478 (2.7_alpha3, 2025-07-31)

This commit brings the port to "openvpn 2.7_alpha3".

For FreeBSD, the most significant change is that "floating clients with
DCO" are supported, if the kernel has support for it (-current).

Platform-independent the "big new feature" is client side support
for PUSH_UPDATE (send new configuration data while a client-server
connection is established).

(cherry picked from commit cd97894175202e9ca2358cb9be360f286f472bdd)

security/openvpn-devel: upgrade port to git commit 1e7b9a0fb0 (2.7_beta1, 2025-09-03)

This commit brings the port to "openvpn 2.7_beta1".

New features alpha3 -> beta1 are

a large number of signed/unsigned related warnings have been fixed
bugfixes in --dns-updown script for linux systems using resolvconf
rewrite of the management interface "bytecount" infastructure to better interact with DCO
PUSH_UPDATE server support (via management interface)
introduction of route_redirect_gateway_ipv4 and _ipv6 env variables
speeding up t_client tests by reducing per-test startup delay 3s -> 1s

The biggest noticeable difference in beta1 is the reformatting using
clang-format, leaving uncrustify as that wasn't stable across versions.

PR: 289315

(cherry picked from commit c31236c680ee48f640b86a94d41838c80153568a)

security/openvpn-devel: fix mbedTLS3 bootstrapping

and switch to depend on the net/mbedtls3 port,
as we no longer carry mbedtls2 in ports.

Also, mbedTLS 3 supports TLSv1.3, so drop our local MBEDTLS_DESC
and go with the official description instead.

Approved by: Gert Doering (maintainer, via IRC)
Related to:
PR: 289315

(cherry picked from commit 97ca816e6d79034bf936814d19e0a1d27d038bf5)

security/openvpn-devel: upgrade port to git commit 0fb5a00549 (2.7_beta2, 2025-09-25)

This commit brings the port to "openvpn 2.7_beta2".

Notable changes beta1 -> beta2 (relevant for FreeBSD) are:

even more of signed/unsigned related warnings have been fixed
#pragmas have been added to all to-be-fixed source files, so we can now always enable -Wconversion to see if new code brings new warnings (and the CI infra builds with -Werror)
add proper input sanitation to DNS strings to prevent an attack coming from a trusted-but-malicous OpenVPN server (CVE: 2025-10680, affects unixoid systems with --dns-updown scripts and windows using the built-in powershell call)
Switch test_ssl certificate from RSA 2048 to secp384r1 (so "make check" runs with OpenSSL set to @SECLEVEL=3)
clean up MI prefix handling
replace all assert() calls with OpenVPN ASSERT()

PR: 289838
Security: e5cf9f44-9a64-11f0-8241-93c889bb8de1
Security: CVE-2025-10680
MFH: 2025Q3
(cherry picked from commit 5f2c6fc6b90582ad187be6c0387b059f2f0dfefb)