From 51621515824ddec266780d216a4dee2ba60e0960d7ad53e10567f1f75e9be415 Mon Sep 17 00:00:00 2001
From: Andreas Vetter
Date: Fri, 16 Jan 2015 10:49:39 +0000
Subject: [PATCH] Accepting request 281295 from home:stroeder:branches:security:Stunnel Update to 5.09
OBS-URL: https://build.opensuse.org/request/show/281295
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=68
---
 stunnel-5.03.tar.gz | 3 -
 stunnel-5.03.tar.gz.sha256 | 1 -
 stunnel-5.09.tar.gz | 3 +
 stunnel-5.09.tar.gz.sha256 | 1 +
 stunnel-listenqueue-option.patch | 39 +++++-----
 stunnel.changes | 128 ++++++++++++++++++++++++++++++-
 stunnel.spec | 2 +-
 7 files changed, 153 insertions(+), 24 deletions(-)
 delete mode 100644 stunnel-5.03.tar.gz
 delete mode 100644 stunnel-5.03.tar.gz.sha256
 create mode 100644 stunnel-5.09.tar.gz
 create mode 100644 stunnel-5.09.tar.gz.sha256
diff --git a/stunnel-5.03.tar.gz b/stunnel-5.03.tar.gz
deleted file mode 100644
index 4e6a45a..0000000
--- a/stunnel-5.03.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9a1e369466fa756e6f48b11480a3338c1fa4717e6472871bf4a3a96c483edd03
-size 590778
diff --git a/stunnel-5.03.tar.gz.sha256 b/stunnel-5.03.tar.gz.sha256
deleted file mode 100644
index 1ad5594..0000000
--- a/stunnel-5.03.tar.gz.sha256
+++ /dev/null
@@ -1 +0,0 @@
-9a1e369466fa756e6f48b11480a3338c1fa4717e6472871bf4a3a96c483edd03 stunnel-5.03.tar.gz
diff --git a/stunnel-5.09.tar.gz b/stunnel-5.09.tar.gz
new file mode 100644
index 0000000..81c7e6a
--- /dev/null
+++ b/stunnel-5.09.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:87b34a74061861d1edd2ab238c73eb989b3d0a17e44574b7b6ead1a16aae38c8
+size 588436
diff --git a/stunnel-5.09.tar.gz.sha256 b/stunnel-5.09.tar.gz.sha256
new file mode 100644
index 0000000..2adb29e
--- /dev/null
+++ b/stunnel-5.09.tar.gz.sha256
@@ -0,0 +1 @@
+87b34a74061861d1edd2ab238c73eb989b3d0a17e44574b7b6ead1a16aae38c8 stunnel-5.09.tar.gz
diff --git a/stunnel-listenqueue-option.patch b/stunnel-listenqueue-option.patch
index 63dd010..4fe805f 100644
--- a/stunnel-listenqueue-option.patch
+++ b/stunnel-listenqueue-option.patch
@@ -1,6 +1,7 @@ ---- src/options.c -+++ src/options.c -@@ -1218,6 +1218,24 @@ +diff -u src.orig/options.c src/options.c +--- src.orig/options.c 2015-01-02 15:29:55.000000000 +0100 ++++ src/options.c 2015-01-14 13:01:04.118253473 +0100 +@@ -1635,6 +1635,24 @@ break; }
@@ -22,12 +23,13 @@ + break; + } + - #ifdef HAVE_OSSL_OCSP_H + #ifndef OPENSSL_NO_OCSP /* OCSP */ ---- src/prototypes.h -+++ src/prototypes.h -@@ -207,6 +207,7 @@ +diff -u src.orig/prototypes.h src/prototypes.h +--- src.orig/prototypes.h 2015-01-02 16:00:49.000000000 +0100 ++++ src/prototypes.h 2015-01-14 13:01:50.242676838 +0100 +@@ -223,6 +223,7 @@ int timeout_close; /* maximum close_notify time */ int timeout_connect; /* maximum connect() time */ int timeout_idle; /* maximum idle connection time */
@@ -35,14 +37,15 @@ enum {FAILOVER_RR, FAILOVER_PRIO} failover; /* failover strategy */ char *username; ---- src/stunnel.c -+++ src/stunnel.c -@@ -414,7 +414,7 @@ - str_free(local_address); - return 1; - } -- if(listen(opt->fd, SOMAXCONN)) { -+ if(listen(opt->fd, opt->listenqueue)) { - sockerror("listen"); - closesocket(opt->fd); - opt->fd=-1; +diff -u src.orig/stunnel.c src/stunnel.c +--- src.orig/stunnel.c 2015-01-02 15:29:55.000000000 +0100 ++++ src/stunnel.c 2015-01-14 13:02:19.440311818 +0100 +@@ -449,7 +449,7 @@ + str_free(local_address); + return 1; + } +- if(listen(opt->fd, SOMAXCONN)) { ++ if(listen(opt->fd, opt->listenqueue)) { + sockerror("listen"); + closesocket(opt->fd); + opt->fd=-1;
diff --git a/stunnel.changes b/stunnel.changes
index aefd818..58e0d43 100644
--- a/stunnel.changes
+++ b/stunnel.changes
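Review bot: The rebased stunnel.c hunk hands `opt->listenqueue` straight to listen(), while the options.c hunk that parses and presumably defaults the new option is elided from this outer diff (only its first and last lines, `break;` and `}`, survive as context), so it is not visible here whether a service section that omits `listenqueue` still ends up with the SOMAXCONN default and whether 0 or negative values are rejected; a zero or negative backlog is left to the platform. Either confirm the defaults and range check in the hidden options.c lines or guard the call, e.g. `if(opt->listenqueue<=0) opt->listenqueue=SOMAXCONN;` immediately before `if(listen(opt->fd, opt->listenqueue)) {`. The inner patch's file headers now read `src.orig/x` / `src/x` with absolute timestamps, so the strip level used by the %patch line in stunnel.spec (not part of this diff) must still resolve them; with -p1 both names collapse to a bare filename, so -p0 is presumably what is used. The stunnel.c function containing the listen() call starts and ends outside the hunk.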
@@ -1,3 +1,129 @@
+-------------------------------------------------------------------
+Wed Jan 14 11:29:38 UTC 2015 - michael@stroeder.com
+
+- Update to version 5.09
+
+Version 5.09, 2015.01.02, urgency: LOW:
+* New features
+ - Added PSK authentication with two new service-level
+ configuration file options "PSKsecrets" and "PSKidentity".
+ - Added additional security checks to the OpenSSL memory
+ management functions.
+ - Added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE
+ OpenSSL configuration flags.
+ - Added compatibility with the current OpenSSL 1.1.0-dev tree.
+* Bugfixes
+ - Removed defective s_poll_error() code occasionally causing
+ connections to be prematurely closed (truncated).
+ This bug was introduced in stunnel 4.34.
+ - Fixed ./configure systemd detection (thx to Kip Walraven).
+ - Fixed ./configure sysroot detection (thx to Kip Walraven).
+ - Fixed compilation against old versions of OpenSSL.
+ - Removed outdated French manual page.
+
+Version 5.08, 2014.12.09, urgency: MEDIUM:
+* New features
+ - Added SOCKS4/SOCKS4a protocol support.
+ - Added SOCKS5 protocol support.
+ - Added SOCKS RESOLVE [F0] TOR extension support.
+ - Updated automake to version 1.14.1.
+ - OpenSSL directory searching is now relative to the sysroot.
+* Bugfixes
+ - Fixed improper hangup condition handling.
+ - Fixed missing -pic linker option. This is required for
+ Android 5.0 and improves security.
+
+Version 5.07, 2014.11.01, urgency: MEDIUM:
+* New features
+ - Several SMTP server protocol negotiation improvements.
+ - Added UTF-8 byte order marks to stunnel.conf templates.
+ - DH parameters are no longer generated by "make cert".
+ The hardcoded DH parameters are sufficiently secure,
+ and modern TLS implementations will use ECDH anyway.
+ - Updated manual for the "options" configuration file option.
+ - Added support for systemd 209 or later.
+ - New --disable-systemd ./configure option.
+ - setuid/setgid commented out in stunnel.conf-sample.
+* Bugfixes
+ - Added support for UTF-8 byte order mark in stunnel.conf.
+ - Compilation fix for OpenSSL with disabled SSLv2 or SSLv3.
+ - Non-blocking mode set on inetd and systemd descriptors.
+ - shfolder.h replaced with shlobj.h for compatibility
+ with modern Microsoft compilers.
+
+Version 5.06, 2014.10.15, urgency: HIGH:
+* Security bugfixes
+ - OpenSSL DLLs updated to version 1.0.1j.
+ https://www.openssl.org/news/secadv_20141015.txt
+ - The insecure SSLv2 protocol is now disabled by default.
+ It can be enabled with "options = -NO_SSLv2".
+ - The insecure SSLv3 protocol is now disabled by default.
+ It can be enabled with "options = -NO_SSLv3".
+ - Default sslVersion changed to "all" (also in FIPS mode)
+ to autonegotiate the highest supported TLS version.
+* New features
+ - Added missing SSL options to match OpenSSL 1.0.1j.
+ - New "-options" commandline option to display the list
+ of supported SSL options.
+* Bugfixes
+ - Fixed FORK threading build regression bug.
+ - Fixed missing periodic Win32 GUI log updates.
+
+Version 5.05, 2014.10.10, urgency: MEDIUM:
+* New features
+ - Asynchronous communication with the GUI thread for faster
+ logging on Win32.
+ - systemd socket activation (thx to Mark Theunissen).
+ - The parameter of "options" can now be prefixed with "-"
+ to clear an SSL option, for example:
+ "options = -LEGACY_SERVER_CONNECT".
+ - Improved "transparent = destination" manual page (thx to
+ Vadim Penzin).
+* Bugfixes
+ - Fixed POLLIN|POLLHUP condition handling error resulting
+ in prematurely closed (truncated) connection.
+ - Fixed a null pointer dereference regression bug in the
+ "transparent = destination" functionality (thx to
+ Vadim Penzin). This bug was introduced in stunnel 5.00.
+ - Fixed startup thread synchronization with Win32 GUI.
+ - Fixed erroneously closed stdin/stdout/stderr if specified
+ as the -fd commandline option parameter.
+ - A number of minor Win32 GUI bugfixes and improvements.
+ - Merged most of the Windows CE patches (thx to Pierre Delaage).
+ - Fixed incorrect CreateService() error message on Win32.
+ - Implemented a workaround for defective Cygwin file
+ descriptor passing breaking the libwrap support:
+ http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors
+
+Version 5.04, 2014.09.21, urgency: LOW:
+* New features
+ - Support for local mode ("exec" option) on Win32.
+ - Support for UTF-8 config file and log file.
+ - Win32 UTF-16 build (thx to Pierre Delaage for support).
+ - Support for Unicode file names on Win32.
+ - A more explicit service description provided for the
+ Windows SCM (thx to Pierre Delaage).
+ - TCP/IP dependency added for NT service in order to prevent
+ initialization failure at boot time.
+ - FIPS canister updated to version 2.0.8 in the Win32 binary
+ build.
+* Bugfixes
+ - load_icon_default() modified to return copies of default icons
+ instead of the original resources to prevent the resources
+ from being destroyed.
+ - Partially merged Windows CE patches (thx to Pierre Delaage).
+ - Fixed typos in stunnel.init.in and vc.mak.
+ - Fixed incorrect memory allocation statistics update in
+ str_realloc().
+ - Missing REMOTE_PORT environmental variable is provided to
+ processes spawned with "exec" on Unix platforms.
+ - Taskbar icon is no longer disabled for NT service.
+ - Fixed taskbar icon initialization when commandline options are
+ specified.
+ - Reportedly more compatible values used for the dwDesiredAccess
+ parameter of the CreateFile() function (thx to Pierre Delaage).
+ - A number of minor Win32 GUI bugfixes and improvements.
+ ------------------------------------------------------------------- Thu Sep 18 08:06:36 UTC 2014 - asvetter@cip.physik.uni-wuerzburg.de
@@ -8,7 +134,7 @@ Thu Sep 18 08:06:36 UTC 2014 - asvetter@cip.physik.uni-wuerzburg.de ------------------------------------------------------------------- Thu Aug 21 08:31:46 UTC 2014 - asvetter@cip.physik.uni-wuerzburg.de -- - Update to version 5.03 +- Update to version 5.03 Version 5.03, 2014.08.07, urgency: HIGH: * Security bugfixes
diff --git a/stunnel.spec b/stunnel.spec
index 59c904b..292956c 100644
--- a/stunnel.spec
+++ b/stunnel.spec
@@ -16,7 +16,7 @@ # Name: stunnel -Version: 5.03 +Version: 5.09 Release: 0 Summary: Universal SSL Tunnel License: GPL-2.0+