Accepting request 730771 from home:vitezslav_cizek:branches:security:Stunnel

- Install the correct file as README.openSUSE (bsc#1150730)
  * stunnel.keyring was accidentally installed instead

- update to version 5.55
  New features
    New "ticketKeySecret" and "ticketMacSecret" options to control confidentiality
      and integrity protection of the issued session tickets. These options allow for
      session resumption on other nodes in a cluster.
    Logging of the assigned bind address instead of the requested bind address.
    Check whether "output" is not a relative file name.
    Added sslVersion, sslVersionMin and sslVersionMax for OpenSSL 1.1.0 and later.
    Hexadecimal PSK keys are automatically converted to binary.
    Session ticket support (requires OpenSSL 1.1.1 or later). "connect" address
      persistence is currently unsupported with session tickets.
    SMTP HELO before authentication (thx to Jacopo Giudici).
    New "curves" option to control the list of elliptic curves in OpenSSL 1.1.0 and later.
    New "ciphersuites" option to control the list of permitted TLS 1.3 ciphersuites.
    Include file name and line number in OpenSSL errors.
    Compatibility with the current OpenSSL 3.0.0-dev branch.
    Better performance with SSL_set_read_ahead()/SSL_pending().
  Bugfixes
    A number of testing framework fixes and improvements.
    Service threads are terminated before OpenSSL cleanup to prevent occasional stunnel crashes at shutdown.
    Fixed data transfer stalls introduced in stunnel 5.51.
    Fixed a transfer() loop bug introduced in stunnel 5.51.
    Fixed PSKsecrets as a global option (thx to Teodor Robas).
    Fixed a memory allocation bug (thx to matanfih).
    Fixed PSK session resumption with TLS 1.3.
    Fixed a memory leak in the WIN32 logging subsystem.
    Allow for zero value (ignored) TLS options.

OBS-URL: https://build.opensuse.org/request/show/730771
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=107

stunnel-5.49.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3d6641213a82175c19f23fde1c3d1c841738385289eb7ca1554f4a58b96d955e
-size 713560

stunnel-5.49.tar.gz.asc

@@ -1,18 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAluNmNhfFIAAAAAALgAo
-aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
-QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
-4BT3Qw//fqje0iXQjWzKBwqLxeCYByCbECWEqeD8fePGTYOOXP1GE17lpQG/+g6t
-GAU+hMDt5jXLLg4NbgGq8ty0AouC0shp62QNPRJpJFvwwvErA0rrGvpwwi1SRvx+
-KVLXa3YfHxiMK14nSHS/WEoSXEYrLt0zjCRwEn9h3tXVq0Z6eydb81QueGWm6ENJ
-jP+FEEFVbdf/8Z/LoZR67AEVlPMLu91bGjyBHlIOUOBek61F6zAdLxOHv+kdaul/
-HiJkZLgVY+dfmqAnUc9sZNL0o4o3ro64GroNS36PUrA2kOmljD8+6gBtulQ87sbu
-I6KSZ91yBa0F9andhanqtKIkeCgTuuFHDYPM/bqKijW4qytMJJ9FKwXpuZdEdRN2
-DBjIsgidePuJFCovjIsl6+SdcwFFy5KasjQLc63IB2Ak9ujOYuyt3OjkD3JrFYX9
-ZP5reXUcxgksa4wnPHCnhgfs3BSWbLpMGrO9uoua8x8Z4kmXX4h+dgNQYx9ezpn3
-vlsdXHW4MeNDNMe0dYnjQcAb0YEuVI1zoIinQWypUtejJ6eezdde87cTNsVhkLIu
-N+S55gWohxQJUSDA4sYAAhh4LJI7cKUyugOicwA1DGIjGDnKdnhm9nrtx3nCroXT
-ViyF8ae0QBBaFPa/qnBpOZg44cfspX0c3Ra1Mcu3l/awsmfkR44=
-=UzwM
------END PGP SIGNATURE-----

stunnel-5.55.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:90de69f41c58342549e74c82503555a6426961b29af3ed92f878192727074c62
+size 986873

stunnel-5.55.tar.gz.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAlz+fV9fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
+QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
+4BSyJw/+K36cOr4QVkILr8xoKCgvsbyh8jC1coCKN9nVpN8jD0nez9jUOxJLlLxw
+EPRGlrrsXvM/6kaX+3leBMc+XTYz8e87tTuhZubkYNtyDBHlHjXny/DrRCjC0RQ8
+3HTnVZYPsHevASJ3L+l1aP8kwuAW79m0l4gR7a0V1P6CaIhja+iKfAq8q1HVyvnS
+4+p61iQwKGaMYJNdzyab7x8XHzwGtJhWRmADBk+6jUEE978FDsRxmHpqJ23nP0se
+ke8xWQRs40KkMCkYO77kGxOeKCI8egGL1AChAx4yPPLbNBeFLBLW1jJL3vpUUTb4
+zJbO47jh9AWh1Wq/7JNtqSAyJVVweBAY3o0WdAT2tTlpsDG6zPP6ZlF9bGFffGXd
+WmAeiy+Xd3lQHsDWJJzGApNTQZ/l0zWBhiFSS/owIX1cflhz58ZlRRfZb5cFdmNE
+mRNg0W//MyHUnbOTEy00dFpVnvNE7vkWEY7OVoyS9pemIShXged4HC0D9SwTLohj
+xirl4gzIj7B5cLB/DQXiWY2729bmw9i8lt1Fp38U4ByO898aSRmvGmsBXBQDfu9V
+vhyV2yhdsT7Fb+4Y5L433W/+ioOQ9TY8ZGZrmV4uFW7+QzzhdwV+zbjjGWb6MAu+
+LvSvGM9CyOm6ltduHyDIqtBmtktS8G5XdicAvqgxUzaipG4cBD0=
+=QAPH
+-----END PGP SIGNATURE-----

stunnel-listenqueue-option.patch

@@ -1,61 +0,0 @@
-diff -Naur a/src/options.c b/src/options.c
---- a/src/options.c	2018-08-19 09:10:47.000000000 +0200
-+++ b/src/options.c	2018-11-11 10:47:33.343794306 +0100
-@@ -3373,8 +3373,6 @@
-     case CMD_BEGIN:
-         section->ref=1;
-         break;
--    case CMD_EXEC:
--        return option_not_found;
-     case CMD_END:
-         if(new_service_options.next) { /* daemon mode checks */
-             if(endpoints!=2)
-@@ -3411,6 +3409,25 @@
-         break;
-     }
- 
-+
-+    /* listenqueue option */
-+    switch(cmd) {
-+    case CMD_BEGIN:
-+        section->listenqueue=SOMAXCONN;
-+        break;
-+    case CMD_EXEC:
-+        if(strcasecmp(opt, "listenqueue"))
-+            break;
-+        section->listenqueue=atoi(arg);
-+        return (section->listenqueue?NULL:"Bad verify level");
-+    case CMD_DEFAULT:
-+        s_log(LOG_NOTICE, "%-15s = %d", "listenqueue", SOMAXCONN);
-+        break;
-+    case CMD_HELP:
-+        s_log(LOG_NOTICE, "%-15s = defines the maximum length the queue of pending connections may grow to (max SOMAXCONN)", "listenqueue");
-+        break;
-+    }
-+
-     return NULL; /* OK */
- }
- 
-diff -Naur a/src/prototypes.h b/src/prototypes.h
---- a/src/prototypes.h	2018-08-19 09:10:47.000000000 +0200
-+++ b/src/prototypes.h	2018-11-11 10:47:33.347794278 +0100
-@@ -257,6 +257,7 @@
-     int timeout_close;                          /* maximum close_notify time */
-     int timeout_connect;                           /* maximum connect() time */
-     int timeout_idle;                        /* maximum idle connection time */
-+    int listenqueue;                                       /* Listen backlog */
-     enum {FAILOVER_RR, FAILOVER_PRIO} failover;         /* failover strategy */
-     unsigned rr;   /* per-service sequential number for round-robin failover */
-     char *username;
-diff -Naur a/src/stunnel.c b/src/stunnel.c
---- a/src/stunnel.c	2018-08-25 09:15:03.000000000 +0200
-+++ b/src/stunnel.c	2018-11-11 10:47:33.347794278 +0100
-@@ -572,7 +572,7 @@
-             closesocket(fd);
-             return INVALID_SOCKET;
-         }
--        if(listen(fd, SOMAXCONN)) {
-+        if(listen(fd, opt->listenqueue)) {
-             sockerror("listen");
-             str_free(local_address);
-             closesocket(fd);

stunnel.changes

@@ -1,3 +1,47 @@
+-------------------------------------------------------------------
+Fri Sep 13 14:49:32 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
+
+- Install the correct file as README.openSUSE (bsc#1150730)
+  * stunnel.keyring was accidentally installed instead
+
+-------------------------------------------------------------------
+Fri Sep 13 13:02:46 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
+
+- update to version 5.55
+  New features
+    New "ticketKeySecret" and "ticketMacSecret" options to control confidentiality
+      and integrity protection of the issued session tickets. These options allow for
+      session resumption on other nodes in a cluster.
+    Logging of the assigned bind address instead of the requested bind address.
+    Check whether "output" is not a relative file name.
+    Added sslVersion, sslVersionMin and sslVersionMax for OpenSSL 1.1.0 and later.
+    Hexadecimal PSK keys are automatically converted to binary.
+    Session ticket support (requires OpenSSL 1.1.1 or later). "connect" address
+      persistence is currently unsupported with session tickets.
+    SMTP HELO before authentication (thx to Jacopo Giudici).
+    New "curves" option to control the list of elliptic curves in OpenSSL 1.1.0 and later.
+    New "ciphersuites" option to control the list of permitted TLS 1.3 ciphersuites.
+    Include file name and line number in OpenSSL errors.
+    Compatibility with the current OpenSSL 3.0.0-dev branch.
+    Better performance with SSL_set_read_ahead()/SSL_pending().
+  Bugfixes
+    A number of testing framework fixes and improvements.
+    Service threads are terminated before OpenSSL cleanup to prevent occasional stunnel crashes at shutdown.
+    Fixed data transfer stalls introduced in stunnel 5.51.
+    Fixed a transfer() loop bug introduced in stunnel 5.51.
+    Fixed PSKsecrets as a global option (thx to Teodor Robas).
+    Fixed a memory allocation bug (thx to matanfih).
+    Fixed PSK session resumption with TLS 1.3.
+    Fixed a memory leak in the WIN32 logging subsystem.
+    Allow for zero value (ignored) TLS options.
+    Partially refactored configuration file parsing and logging subsystems for clearer code and minor bugfixes.
+  Caveats
+    We removed FIPS support from our standard builds. FIPS will still be available with custom builds.
+- drop stunnel-listenqueue-option.patch
+  Its original purpose (from bsc#674554) was to allow setting a higher
+  backlog value for listen(). As that value was raised to SOMAXCONN
+  years ago (in 4.36), we don't need it anymore
+
 -------------------------------------------------------------------
 Fri Feb 22 07:49:21 UTC 2019 - Franck Bui <fbui@suse.com>
 

stunnel.spec

@@ -38,7 +38,7 @@ Requires(pre):  /usr/sbin/useradd
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           stunnel
-Version:        5.49
+Version:        5.55
 Release:        0
 Summary:        Universal SSL Tunnel
 License:        GPL-2.0-or-later
@@ -52,7 +52,6 @@ Source4:        stunnel.rc
 Source5:        stunnel.service
 Source6:        stunnel.conf
 Source7:        stunnel.README
-Patch0:         stunnel-listenqueue-option.patch
 BuildRequires:  libopenssl-devel
 BuildRequires:  tcpd-devel
 BuildRequires:  zlib-devel
@@ -86,7 +85,6 @@ This package contains additional documentation for the stunnel program.
 
 %prep
 %setup -q -n stunnel-%{version}
-%patch0 -p1
 chmod -x %{_builddir}/stunnel-%{version}/tools/ca.*
 chmod -x %{_builddir}/stunnel-%{version}/tools/importCA.*
 
@@ -112,7 +110,7 @@ make %{?_smp_mflags} LDADD="-pie -Wl,-z,defs,-z,relro"
 %endif
 
 cp -p %{SOURCE1} tools/stunnel.conf-sample.%{VENDORAFFIX}
-cp -p %{SOURCE2} README.%{VENDORAFFIX}
+cp -p %{SOURCE7} README.%{VENDORAFFIX}
 mkdir -p %{buildroot}%{_fillupdir}
 cp -p %{SOURCE3} %{buildroot}%{_fillupdir}/
 %if 0%{?has_systemd}