* Fix CVE-2025-46806 (bsc#1243120) for "Misaligned Memory Accesses
in `is_openvpn_protocol()`"
* Fix CVE-2025-46807 (bsc#1243122) for "File Descriptor Exhaustion
in sslh-select and sslh-ev"
* Fix potential parsing of undefined data in syslog probe (no CVE assigned)
OBS-URL: https://build.opensuse.org/package/show/security/sslh?expand=0&rev=40
* Reverse older commit: version.h cannot be included without breaking
the build (everything recompiles every time) and the release archive
creation (which relies on git tags).
- Update to 2.2.2:
* Fix potential vulnerability similar to CVE-2020-28935
OBS-URL: https://build.opensuse.org/package/show/security/sslh?expand=0&rev=38
- Update to 2.2.1:
* Fix compilation when libproxyprotocol is not present
- Update to 2.2.0:
* Add a boolean setting "is_unix" for listen and
protocol entries. This will use the 'host' setting
as a path name to a socket file, and connections
(listening or connecting) will be performed on Unix
sockets instead of Internet sockets.
* Support HAProxy's proxyprotocol on the backend
server side.
* Lots of documentation about a new, simpler way to
perform transparent proxying.
* New "verbose" option that overrides all other
verbose settings.
OBS-URL: https://build.opensuse.org/request/show/1267690
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sslh?expand=0&rev=14
OBS-URL: https://build.opensuse.org/package/show/security/sslh?expand=0&rev=36
* Support for the Landlock LSM. After initial setup,
sslh gives up all local file access rights.
* Reintroduced --ssl as an alias to --tls.
* Introduce autoconf to adapt to landlock presence.
* Close connexion without error message if remote
client forcefully closes connexion, for Windows.
OBS-URL: https://build.opensuse.org/package/show/security/sslh?expand=0&rev=26
- Update to 2.0.1:
* New semver-compatible version number
* New sslh-ev: this is functionally equivalent to sslh-select
(mono-process, only forks for specified protocols), but based
on libev, which should make it scalable to large numbers
of connections.
* New log system: instead of --verbose with arbitrary levels,
there are now several message classes. Each message class
can be set to go to stderr, syslog, or both. Classes are
documented in example.cfg.
* UDP connections are now managed in a hash to avoid linear
searches. The downside is that the number of UDP connections
is a hard limit, configurable with the 'udp_max_connections'
setting, which defaults to 1024. Timeouts are managed with lists.
* inetd merges stderr output to what is sent to the client,
which is a security issue as it might give information to an
attacker. When inetd is activated, stderr is forcibly closed.
* New protocol-level option resolve_on_forward requests that
target names are resolved at each connection instead of at
startup. Useful for dynamic DNS situations.
OBS-URL: https://build.opensuse.org/request/show/1138229
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sslh?expand=0&rev=9
OBS-URL: https://build.opensuse.org/package/show/security/sslh?expand=0&rev=24
- Update to 1.22b:
* do not timeout TCP connections (fix#300)
* remove obsolete usage string and added lost version option
* be more defensive when allocating and extending gap
- Update to 1.22:
* sslh-select now supports UDP protocols.
Probes specified in the `protocols`
configuration entry are tried on incoming packets,
TCP or UDP, and forwarded based on the input
protocol (an incoming TCP connection will be
forwarded as TCP, and same with UDP).
This has been tested with DNS as shown in udp.cfg:
incoming packets that contain my domain name are
assumed to be a DNS request and forwarded
accordingly. Note this could cause problems if
combined with incoming TLS with SNI. UDP clients
and servers need to agree on the IPv4/IPv6 they use:
use the same protocol on all sides! Often, this
means explicitly using 'ip4-localhost'.
UDP sender-receiver pairs (connections, so to speak)
are kept for 60s, which can be changed with
`udp_timeout` in the configuration.
* Added probes for UDP protocols QUIC and Teamspeak.
* Added probes for syslog protocol.
* sslh-select refactored to change linear searches
through connections to linear searches through
fd_set.
* Fixed a libconfig call to support libconfig 1.7.3.
* Added symbol to support libconfig 1.4.9, still in
OBS-URL: https://build.opensuse.org/request/show/914168
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sslh?expand=0&rev=6
OBS-URL: https://build.opensuse.org/package/show/security/sslh?expand=0&rev=20
- Update to 1.21b:
* Moved configuration and command-line management to
use conf2struct. Changes are:
- command line option <-F|--config> no longer defaults to
/etc/sslh.cfg, so you have to specify it explicitly.
- command line option <-v|--verbose> takes a mandatory
integer parameter
* Changed exit code for illegal command line parameter
from 1 to 6 (for testing purposes)
OBS-URL: https://build.opensuse.org/request/show/821821
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sslh?expand=0&rev=3
OBS-URL: https://build.opensuse.org/package/show/security/sslh?expand=0&rev=14
- Update to 1.21:
* Added TCP_FASTOPEN support for client sockets (if
tfo_ok is specified in their configuration) and for
listening socket, if all client protocols support it.
* Added 'minlength' option to skip a probe if less
than that many bytes have been received (mostly for
regex)
* Moved configuration and command-line management to
use conf2struct. Hopefully this should be transparent
to users.
* Update Let's Encrypt entry in example.cfg for tls-alpn-01
challenges; tls-sni-* challenges are now deprecated.
* Log to syslog even if in foreground (for people who
use fail2ban)
* Use syslog_facility: "none" to disable syslog
output.
OBS-URL: https://build.opensuse.org/request/show/820632
OBS-URL: https://build.opensuse.org/package/show/security/sslh?expand=0&rev=12
- Update to 1.18
* Added USELIBPCRE to make use of regex engine optional.
* Added support for RFC4366 SNI and RFC7301 ALPN
(Travis Burtrum)
* Changed connection log to include the name of the probe that
triggered.
* Changed configuration file format: 'probe' field is
no longer required, 'name' field can now contain
'tls' or 'regex', with corresponding options (see
example.cfg)
* Added 'log_level' option to each protocol, which
allows to turn off generation of log at each
connection.
* Added 'keepalive' option.
Version 1.17
* Support RFC5952-style IPv6 addresses, e.g. [::]:443.
* Transparent proxy support for FreeBSD (Ruben van Staveren)
* Using -F with no argument will try
/etc/sslh/sslh.cfg and then /etc/sslh.cfg as configuration files.
(argument to -F can no longer be separated from the option by a space,
e.g. must be -Ffoo.cfg)
* Call setgroups() before setgid() (fixes potential
privilege escalation) (Lars Vogdt)
* Use portable way of getting modified time for OSX support (Aaron
Madlon-Kay)
* Example configuration for fail2ban (Every Mouw)
- Dropped missing-call-to-setgroups-before-setuid.patch, included
upstream
OBS-URL: https://build.opensuse.org/request/show/412101
OBS-URL: https://build.opensuse.org/package/show/security/sslh?expand=0&rev=7
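The 1.17 entry above fixes the order in which sslh drops privileges. As an added illustration (not sslh's own code), here is a minimal privilege-drop routine in C that clears supplementary groups before changing gid and uid, together with a check that the drop is complete and irreversible; the target id 65534 is a constructed value.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Drop root in the only safe order: supplementary groups first (setgroups()
 * itself needs root, so it is impossible once the uid has changed), then the
 * primary gid, then the uid. Returns 0 on success or the failing call's errno. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Skipping this step, the bug fixed in sslh 1.17, leaves the process in
     * root's supplementary groups (e.g. group 0) after the uid change. */
    if (setgroups(0, NULL) != 0)
        return errno;
    /* gid before uid: an unprivileged uid can no longer call setgid(). */
    if (setgid(gid) != 0)
        return errno;
    /* Irreversible for a non-root uid: real, effective and saved ids change. */
    if (setuid(uid) != 0)
        return errno;
    return 0;
}

/* Verify the drop is complete and cannot be undone: ids match the target, no
 * supplementary groups remain, and regaining root is refused. 1 = ok, 0 = bad. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (getgroups(0, NULL) != 0) return 0;  /* supplementary list must be empty */
    if (setuid(0) == 0) return 0;           /* must fail with EPERM now */
    return 1;
}

int main(void)
{
    /* 65534 is the conventional "nobody" id; a constructed target for the demo. */
    int rc = drop_privileges(65534, 65534);
    if (rc != 0) {
        fprintf(stderr, "drop_privileges: %s (run as root)\n", strerror(rc));
        return 1;
    }
    printf("privileges dropped: %s\n", privileges_dropped(65534, 65534) ? "ok" : "FAILED");
    return 0;
}
```

Run as root to see the full drop; as an unprivileged user the first step is refused with EPERM, which is exactly why the groups must be cleared before the uid changes.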
+ Probes made more resilient, to incoming data
containing NULLs. Also made them behave properly
when receiving too short packets to probe on the
first incoming packet.
(Ondrej Kuzník)
+ Libcap support: Keep only CAP_NET_ADMIN if started
as root with transparent proxying and dropping
privileges (enable USELIBCAP in Makefile). This
avoids having to mess with filesystem capabilities.
(Sebastian Schmidt/yath)
+ Fixed bugs related to getpeername that would cause
sslh to quit erroneously (getpeername can return
actual errors if connections are dropped before
getting to getpeername).
+ Set IP_FREEBIND if available to bind to addresses
that don't yet exist.
- compile with libcap support
- added missing-call-to-setgroups-before-setuid.patch
- removed patches fixed upstream:
+ sslh-asprintf.patch
+ sslh-chroot.patch
OBS-URL: https://build.opensuse.org/package/show/security/sslh?expand=0&rev=4