security/easy-rsa: report weak build-ca crypto on CA private keys

This version folds the message into files/pkg-message.in (which
overwrote pkg-message in PORTREVISION 2 of this change.)

By adding to UPDATING and pkg-message, and bumping PORTREVISION so
as to trigger updates that show these messages so that
easyrsa users can re-encrypt their CA private keys with AES instead of
Triple-DES.

It is pointless to add vuln.xml, supported port branch versions,
main and 2025Q1, already carry a bugfixed Easy-RSA version.

Reported by:    pkelsey@
Security:       CVE-2024-13454
MFH:            2025Q1

security/easy-rsa/Makefile

@@ -1,6 +1,6 @@
 PORTNAME=	easy-rsa
 DISTVERSION=	3.2.1
-PORTREVISION=	2
+PORTREVISION=	3
 PORTEPOCH=	1
 CATEGORIES=	security net-mgmt
 MASTER_SITES=	https://github.com/OpenVPN/easy-rsa/releases/download/v${DISTVERSION}/ \

security/easy-rsa/files/pkg-message.in

@@ -13,3 +13,21 @@ An on-line help is available, you can run:
   easyrsa help          # for help on commands
   easyrsa help options  # for help on options
 
+**** SECURITY WARNING FOR PAST security/easy-rsa versions ****
+**** easyrsa may have encrypted your CA private key with a weak cipher
+
+Per CVE-2024-13454, Easy-RSA 3.0.5 inclusively up to and including 3.1.7,
+when used with OpenSSL 3, may have accidentally encrypted the CA private
+key with a weak cipher, des-ede3-cbc, instead of the intended aes-256-cbc,
+when a CA was created with the   easyrsa build-ca   command.
+
+Such mistakes cannot be corrected by upgrading Easy-RSA alone.
+
+The standing recommendation for CA private keys is to 
+re-encrypt the CA privat keys with the aes-256-cbc cipher,
+by using the   easyrsa set-pass ca   command.
+
+For details, see https://community.openvpn.net/openvpn/wiki/CVE-2024-13454.
+
+**** END SECURITY WARNING FOR PAST security/easy-rsa versions ****
+