security/easy-rsa: sync with upstream
Taken from: FreeBSD
parent
f781b6b44b
commit
a9635c5a26
2 changed files with 19 additions and 1 deletions
|
|
@ -1,6 +1,6 @@
|
|||
PORTNAME= easy-rsa
|
||||
DISTVERSION= 3.2.1
|
||||
PORTREVISION= 1
|
||||
PORTREVISION= 3
|
||||
PORTEPOCH= 1
|
||||
CATEGORIES= security net-mgmt
|
||||
MASTER_SITES= https://github.com/OpenVPN/easy-rsa/releases/download/v${DISTVERSION}/ \
|
||||
|
|
|
|||
|
|
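Review bot: PORTREVISION jumps from 1 to 3 here while DISTVERSION stays at 3.2.1, and the commit message only says "sync with upstream". Please note in the commit message that the skipped revision is intentional and matches the FreeBSD port, and that the bump exists to surface the new CVE-2024-13454 notice to existing installs rather than to ship new code.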
@ -13,3 +13,21 @@ An on-line help is available, you can run:
|
|||
easyrsa help # for help on commands
|
||||
easyrsa help options # for help on options
|
||||
|
||||
**** SECURITY WARNING FOR PAST security/easy-rsa versions ****
|
||||
**** easyrsa may have encrypted your CA private key with a weak cipher
|
||||
|
||||
Per CVE-2024-13454, Easy-RSA 3.0.5 inclusively up to and including 3.1.7,
|
||||
when used with OpenSSL 3, may have accidentally encrypted the CA private
|
||||
key with a weak cipher, des-ede3-cbc, instead of the intended aes-256-cbc,
|
||||
when a CA was created with the easyrsa build-ca command.
|
||||
|
||||
Such mistakes cannot be corrected by upgrading Easy-RSA alone.
|
||||
|
||||
The standing recommendation for CA private keys is to
|
||||
re-encrypt the CA private keys with the aes-256-cbc cipher,
|
||||
by using the easyrsa set-pass ca command.
|
||||
|
||||
For details, see https://community.openvpn.net/openvpn/wiki/CVE-2024-13454.
|
||||
|
||||
**** END SECURITY WARNING FOR PAST security/easy-rsa versions ****
|
||||
|
||||
|
|
|
|||
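Review bot: the warning tells users to run "easyrsa set-pass ca" but gives no way to tell whether an existing CA key was actually encrypted with des-ede3-cbc, so every reader of this message, including someone on a fresh 3.2.1 install, has to guess whether it applies. Consider adding one line that either explains how to inspect the key's cipher or states plainly that re-running set-pass is the expected action for any CA created with build-ca under the affected versions. The range wording "3.0.5 inclusively up to and including 3.1.7" is also redundant; "3.0.5 through 3.1.7 inclusive" reads more clearly. Finally, the text switches between "the CA private key" and "CA private keys"; pick one.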