ab11b3a269
- Update to 2.2.4:
  * Fix CVE-2025-46806 (bsc#1243120) for "Misaligned Memory Accesses in is_openvpn_protocol()"
  * Fix CVE-2025-46807 (bsc#1243122) for "File Descriptor Exhaustion in sslh-select and sslh-ev"
  * Fix potential parsing of undefined data in syslog probe (no CVE assigned)
Michael Vetter 2025-06-02 05:29:39 +00:00
dd6d351855
- Update to 2.2.3:
  * Reverse older commit: version.h cannot be included without breaking the build (everything recompiles every time) and the release archive creation (which relies on git tags).
Michael Vetter 2025-05-08 07:01:08 +00:00
8f7966a118
Accepting request 1267690 from security
Ana Guerrero 2025-04-07 16:41:43 +00:00
3e9eb2fd5e
- Update to 2.2.1:
  * Fix compilation when libproxyprotocol is not present
Michael Vetter 2025-04-07 13:52:34 +00:00
84376cc705
Accepting request 1231378 from security
Ana Guerrero 2024-12-16 18:17:53 +00:00
e5b7d6ea88
Accepting request 1157812 from security
Ana Guerrero 2024-03-14 16:45:00 +00:00
b58740e545
- Update to 2.1.0:
  * Support for the Landlock LSM. After initial setup, sslh gives up all local file access rights.
  * Reintroduced --ssl as an alias to --tls.
  * Introduce autoconf to adapt to landlock presence.
  * Close connexion without error message if remote client forcefully closes connexion, for Windows.
Michael Vetter 2024-03-14 06:14:20 +00:00
09cf95d6b8
Accepting request 1138229 from security
Ana Guerrero 2024-01-12 22:45:43 +00:00
f9a55d42d2
- Update to 2.0.1:
  * New semver-compatible version number
  * New sslh-ev: this is functionally equivalent to sslh-select (mono-process, only forks for specified protocols), but based on libev, which should make it scalable to large numbers of connections.
  * New log system: instead of --verbose with arbitrary levels, there are now several message classes. Each message class can be set to go to stderr, syslog, or both. Classes are documented in example.cfg.
  * UDP connections are now managed in a hash to avoid linear searches. The downside is that the number of UDP connections is a hard limit, configurable with the ‘udp_max_connections’, which defaults to 1024. Timeouts are managed with lists.
  * inetd merges stderr output to what is sent to the client, which is a security issue as it might give information to an attacker. When inetd is activated, stderr is forcibly closed.
  * New protocol-level option resolve_on_forward, requests that target names are resolved at each connection instead of at startup. Useful for dynamic DNS situations.
Michael Vetter 2024-01-12 08:01:32 +00:00
9e03a01904
- Update to 1.22b:
  * do not timeout TCP connections (fix #300)
  * remove obsolete usage string and added lost version option
  * be more defensive when allocating and extending gap
Michael Vetter 2021-08-25 07:05:54 +00:00
1bd294dfe6
- Update to 1.21b:
  * Moved configuration and command-line management to use conf2struct. Changes are:
    - command line option <-F|--config> no longer defaults to /etc/sslh.cfg, so you have to specify it explicitly.
    - command line option <-v|--verbose> takes a mandatory integer parameter
  * Changed exit code for illegal command line parameter from 1 to 6 (for testing purposes)
Michael Vetter 2020-07-20 07:53:01 +00:00
adbadd0673
Accepting request 764577 from home:namtrac:branches:security
Michael Vetter 2020-01-15 10:32:06 +00:00
0d8ce9fe03
Accepting request 651391 from home:jubalh:branches:security
Lars Vogdt
2018-11-26 10:49:10 +00:00
58f3aff345
Accepting request 539373 from home:computersalat:devel:security
Lars Vogdt
2017-11-07 17:12:38 +00:00
4a4cddccdd
Accepting request 412101 from home:jsegitz:branches:security
Lars Vogdt
2016-07-22 18:52:02 +00:00
4d1e5a16b2
Accepting request 265696 from home:jsegitz:branches:security
Marcus Meissner 2014-12-18 14:01:10 +00:00
397048cffa
build with libconfig-devel on SLE11
Lars Vogdt
2014-03-25 19:29:43 +00:00
dbb04d04f8
- update to 1.16:
  + Probes made more resilient to incoming data containing NULLs. Also made them behave properly when receiving too short packets to probe on the first incoming packet. (Ondrej Kuzník)
  + Libcap support: Keep only CAP_NET_ADMIN if started as root with transparent proxying and dropping privileges (enable USELIBCAP in Makefile). This avoids having to mess with filesystem capabilities. (Sebastian Schmidt/yath)
  + Fixed bugs related to getpeername that would cause sslh to quit erroneously (getpeername can return actual errors if connections are dropped before getting to getpeername).
  + Set IP_FREEDBIND if available to bind to addresses that don't yet exist.
- compile with libcap support
- added missing-call-to-setgroups-before-setuid.patch
- removed patches fixed upstream:
  + sslh-asprintf.patch
  + sslh-chroot.patch
Lars Vogdt
2014-03-25 19:16:58 +00:00
688f8078d4
Accepting request 212032 from home:robverduijn:branches:security
Dr. Werner Fink 2013-12-23 12:05:38 +00:00
6a4870cab6
Accepting request 210740 from home:robverduijn:branches:security
Marcus Meissner 2013-12-16 16:46:13 +00:00