Accepting request 314344 from home:sdrahn:branches:security:Stunnel

- update to version 5.19
  Bugfixes:
  - Improved socket error handling. 
  - Fixed handling of dynamic connect targets. 
  - Fixed handling of trailing whitespaces in the Content-Length header of the
    NTLM authentication. 
  - Fixed memory leaks in certificate verification.
  New features:
  - The "redirect" option was improved to not only redirect sessions established
    with an untrusted certificate, but also sessions established without a
    client certificate. 
  - Randomize the initial value of the round-robin counter. 
  - Added "include" configuration file option to include all configuration file
    parts located in a specified directory. 
  - Temporary DH parameters are refreshed every 24 hours, unless static DH
    parameters were provided in the certificate file. 
  - Warnings are logged on potentially insecure authentication. 
- stunnel-listenqueue-option.patch: Refresh.
- stunnel3-binpath.patch: Obsolete, dropped.
- stunnel.service: Modified to start after network.target, not syslog.target.

OBS-URL: https://build.opensuse.org/request/show/314344
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=69

stunnel-5.09.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:87b34a74061861d1edd2ab238c73eb989b3d0a17e44574b7b6ead1a16aae38c8
-size 588436

stunnel-5.09.tar.gz.sha256

@@ -1 +0,0 @@
-87b34a74061861d1edd2ab238c73eb989b3d0a17e44574b7b6ead1a16aae38c8  stunnel-5.09.tar.gz

stunnel-5.19.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0b543242cf26649acfdd9f00de564c3e8de7ac2237d53935ffdc7eb24f4d556d
+size 620810

stunnel-5.19.tar.gz.sha256

@@ -0,0 +1 @@
+0b543242cf26649acfdd9f00de564c3e8de7ac2237d53935ffdc7eb24f4d556d  stunnel-5.19.tar.gz

stunnel-listenqueue-option.patch

@@ -1,7 +1,6 @@
-diff -u src.orig/options.c src/options.c
+--- src/options.c
---- src.orig/options.c	2015-01-02 15:29:55.000000000 +0100
++++ src/options.c
-+++ src/options.c	2015-01-14 13:01:04.118253473 +0100
+@@ -1872,6 +1872,24 @@
-@@ -1635,6 +1635,24 @@
          break;
      }
  
@@ -26,10 +25,9 @@ diff -u src.orig/options.c src/options.c
  #ifndef OPENSSL_NO_OCSP
  
      /* OCSP */
-diff -u src.orig/prototypes.h src/prototypes.h
+--- src/prototypes.h
---- src.orig/prototypes.h	2015-01-02 16:00:49.000000000 +0100
++++ src/prototypes.h
-+++ src/prototypes.h	2015-01-14 13:01:50.242676838 +0100
+@@ -248,6 +248,7 @@
-@@ -223,6 +223,7 @@
      int timeout_close;                          /* maximum close_notify time */
      int timeout_connect;                           /* maximum connect() time */
      int timeout_idle;                        /* maximum idle connection time */
@@ -37,10 +35,9 @@ diff -u src.orig/prototypes.h src/prototypes.h
      enum {FAILOVER_RR, FAILOVER_PRIO} failover;         /* failover strategy */
      char *username;
  
-diff -u src.orig/stunnel.c src/stunnel.c
+--- src/stunnel.c
---- src.orig/stunnel.c	2015-01-02 15:29:55.000000000 +0100
++++ src/stunnel.c
-+++ src/stunnel.c	2015-01-14 13:02:19.440311818 +0100
+@@ -451,7 +451,7 @@
-@@ -449,7 +449,7 @@
                      str_free(local_address);
                      return 1;
                  }
@@ -48,4 +45,4 @@ diff -u src.orig/stunnel.c src/stunnel.c
 +                if(listen(opt->fd, opt->listenqueue)) {
                      sockerror("listen");
                      closesocket(opt->fd);
-                     opt->fd=-1;
+                     opt->fd=INVALID_SOCKET;

stunnel.changes

@@ -1,3 +1,30 @@
+-------------------------------------------------------------------
+Mon Jun 29 09:51:58 UTC 2015 - drahn@suse.com
+
+- update to version 5.19
+
+  Bugfixes:
+  - Improved socket error handling. 
+  - Fixed handling of dynamic connect targets. 
+  - Fixed handling of trailing whitespaces in the Content-Length header of the
+    NTLM authentication. 
+  - Fixed memory leaks in certificate verification.
+
+  New features:
+  - The "redirect" option was improved to not only redirect sessions established
+    with an untrusted certificate, but also sessions established without a
+    client certificate. 
+  - Randomize the initial value of the round-robin counter. 
+  - Added "include" configuration file option to include all configuration file
+    parts located in a specified directory. 
+  - Temporary DH parameters are refreshed every 24 hours, unless static DH
+    parameters were provided in the certificate file. 
+  - Warnings are logged on potentially insecure authentication. 
+
+- stunnel-listenqueue-option.patch: Refresh.
+- stunnel3-binpath.patch: Obsolete, dropped.
+- stunnel.service: Modified to start after network.target, not syslog.target.
+
 -------------------------------------------------------------------
 Wed Jan 14 11:29:38 UTC 2015 - michael@stroeder.com
 

stunnel.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=SSL tunnel for network daemons
-After=syslog.target
+After=network.target
 
 [Service]
 ExecStart=/usr/sbin/stunnel

stunnel.spec

@@ -16,7 +16,7 @@
 #
 
 Name:           stunnel
-Version:        5.09
+Version:        5.19
 Release:        0
 Summary:        Universal SSL Tunnel
 License:        GPL-2.0+
@@ -30,7 +30,6 @@ Source3:        sysconfig.syslog-stunnel
 Source4:        stunnel.rc
 Source5:        stunnel.service
 Patch0:         stunnel-listenqueue-option.patch
-Patch1:         stunnel3-binpath.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define VENDOR openSUSE
 BuildRequires:  tcpd-devel zlib-devel
@@ -63,7 +62,6 @@ stunnel.
 %prep
 %setup -q -n stunnel-%{version}
 %patch0 -p0 
-%patch1 -p0
 
 %build
 sed -i 's/-m 1770 -g nogroup//g' tools/Makefile.in
@@ -180,211 +178,3 @@ fi
 %doc doc/en/*
 %doc doc/pl
 
-%changelog
-* Wed Feb 18 2009 - vetter@physik.uni-wuerzburg.de
-- updated to 4.26
-- adjust ownership of /var/lib/stunnel/var/run (pid file creation)
-* Thu May 10 2007 - ro@suse.de
-- added openssl to buildrequires
-* Mon Apr 02 2007 - rguenther@suse.de
-- add zlib-devel BuildRequires
-* Tue Oct 17 2006 - poeml@suse.de
-- there is no SuSEconfig.syslog script anymore, thus remove the
-  YaST hint from the sysconfig template
-* Wed Sep 27 2006 - poeml@suse.de
-- upstream 4.16
-  * New features sponsored by Hewlett-Packard
-    - A new global option to control engine: engineCtrl = <command>[:<parameter>]
-    - A new service-level option to select engine to read private key: engineNum = <engine number>
-    - OCSP support: ocsp = <URL>
-  * New features
-    - A new option to select version of SSL protocol: sslVersion = all|SSLv2|SSLv3|TLSv1
-    - Visual Studio vc.mak by David Gillingham <dgillingham@gmail.com>.
-    - OS2 support by Paul Smedley (http://smedley.info)
-  * Bugfixes
-    - An ordinary user can install stunnel again.
-    - Compilation problem with --enable-dh fixed.
-    - Some minor compilation warnings fixed.
-    - Service-level CRL cert store implemented.
-    - GPF on protocol negotiations fixed.
-    - Problem detecting addrinfo() on Tru64 fixed.
-    - Default group is now detected by configure script.
-    - Check for maximum number of defined services added.
-    - OpenSSL_add_all_algorithms() added to SSL initialization.
-    - configure script sections reordered to detect pthread library funcions.
-    - RFC 2487 autdetection improved (thx to Hans Werner Strube).  High
-  resolution s_poll_wait() not currently supported by UCONTEXT threading.
-    - More precise description of cert directory file names (thx to Muhammad
-  Muquit).
-  * Other changes
-    - Maximum number of services increased from 64 to 256 when poll() is used.
-- add BuildRequires: tcp_wrappers gcc-c++ for building on Fedora
-- remove doc files installed by make install, which are picked up
-  by %%doc
-* Fri Jun 23 2006 - poeml@suse.de
-- build as non-root
-- build with fPIE/pie on SUSE 10.0 or newer, or on any other
-  platform
-- fix BuildRequires for Fedora Core, and wrap suse_version macros
-- upstream 4.15
-  * Release notes
-    - There are a lot of new features in this version.  I recommend
-  to test it well before upgrading your mission-critical systems.
-  [note by packager: out since 3 months, without major problems]
-  * Bugfixes
-    - Default threading model changed to pthread for better portability.
-    - DH parameters are not included in the certificate by default.
-  * New features sponsored by Software House http://www.swhouse.com/
-    - Most SSL-related options (including client, cert, key) are now
-  available on service level, so it is possible to have an SSL
-  client and an SSL server in a single stunnel process.
-  * New features
-    - Client mode CONNECT protocol support (RFC 2817 section 5.2).
-  http://www.ietf.org/rfc/rfc2817.txt
-    - Retrying exec+connect services added.
-- make install now tries to create /var/lib/stunnel chmoded 1770
-  and group nogroup, which we don't do.
-* Wed Jan 25 2006 - mls@suse.de
-- converted neededforbuild to BuildRequires
-* Sun Nov 27 2005 - lmuelle@suse.de
-- update to 4.14
-* Thu Oct 06 2005 - poeml@suse.de
-- fix hang/segfault upon connect. Use pthreads by removing
-  configure check for ucontext.h [#119650]
-* Tue Aug 30 2005 - poeml@suse.de
-- fix parsing of ldd output when setting up the chroot jail [#114090]
-* Tue Jun 21 2005 - poeml@suse.de
-- update to 4.10
-  - Some bugfixes and code cleanup were done.
-  - A new user-level non-preemptive thread model was added for even
-  greater scalability.
-  - The stunnel3 script was improved to be more compatible with
-  getopt.
-- add post-4.10 stunnel-4.10-inetd.patch
-- compile with tcp wrappers
-- compile as PIE and link with -z relro
-* Tue Jan 04 2005 - poeml@suse.de
-- update to 4.07
-  * Bugfixes
-    - Problem with infinite poll() timeout negative, but not equal
-  to -1 fixed.
-    - Problem with a file descriptor ready to be read just after a
-  non-blocking connect call fixed.
-    - Compile error with EAI_NODATA not defined or equal to
-  EAI_NONAME fixed.
-    - IP address and TCP port textual representation length (IPLEN)
-  increased to 128 bytes.
-    - OpenSSL engine support is only used if engine.h header file
-  exists.
-    - Broken NT Service mode on WIN32 platform fixed.
-    - Support for IPv4-only WIN32 machines restored.
-* Tue Dec 28 2004 - poeml@suse.de
-- update to 4.06
-  In this version, IPv6 support, compression support, hardware
-  engine selection and many other features were added. A new
-  stunnel3 Perl script to emulate version 3.x command line options
-  was added.  poll() is used instead of select() where available,
-  so FD_SETSIZE no longer limits the number of concurrent
-  connections.
-- add stunnel-4.06-nfds.dif
-  stunnel-4.06-poll_timeout.patch
-  stunnel-4.06-race_condition.patch
-* Thu Nov 11 2004 - poeml@suse.de
-- fix filelist for /usr/lib
-* Fri Mar 05 2004 - poeml@suse.de
-- update to 4.05. new features (excerpt):
-  * New feature sponsored by SURFnet http://www.surfnet.nl/
-    - Support for CIFS aka SMB protocol SSL negotiation.
-  * New features
-    - CRL support with new CApath and CAfile global options.
-    - New -fd command line parameter to read configuration
-  from a specified file descriptor instead of a file.
-    - accept is reported as error with [section] defined (in
-  stunnel 4.04 it was silently ignored causing problems
-  for lusers that did not read the fine manual).
-    - Use fcntl() instead of ioctlsocket() to set socket
-  nonblocking when it is supported.
-    - Basic support for hardware engines with OpenSSL >= 0.9.7.
-    - French manual by Bernard Choppy <choppy@imaginet.fr>.
-    - Thread stack size reduced to 64KB for maximum scalability.
-    - Added optional code to debug thread stack usage.
-    - Support for nsr-tandem-nsk (thx to Tom Bates <tom.bates@hp.com>).
-  * Bugfixes
-    - TCP wrappers code moved to CRIT_NTOA critical section
-  since it uses static inet_ntoa() result buffer.
-    - SSL_ERROR_SYSCALL handling problems fixed.
-    - added code to retry nonblocking SSL_shutdown() calls.
-    - Use FD_SETSIZE instead of 16 file descriptors in inetd
-  mode.
-    - fdscanf groks lowercase protocol negotiation commands.
-    - Libwrap detection bug in ./configure script fixed.
-    - Some other minor updates.
-- show readme only at first installation
-* Tue Aug 26 2003 - poeml@suse.de
-- add Config: syslog-ng to sysconfig.syslog-stunnel
-* Thu Aug 14 2003 - poeml@suse.de
-- add activation metadata to sysconfig template [#28954]
-- rename README.SuSE to README.{SuSE,UnitedLinux}
-- don't show blurb in %%post if a certificate exists
-* Tue Aug 12 2003 - poeml@suse.de
-- implement 'try-restart' in rcstunnel correctly [#28636]
-* Wed Jul 30 2003 - poeml@suse.de
-- add an example configuration for tunneling MySQL
-- make stunnel3_wrapper compatible to more shells, and merge it
-  with stunnel3_convert (which becomes a symlink)
-- new macros for stop/restart of services on rpm update/removal
-* Tue May 13 2003 - poeml@suse.de
-- delete (from the build root) files not to be packaged
-- package the libtool library file
-- add a commented option to the sample configuration
-* Thu Mar 13 2003 - poeml@suse.de
-- rc.stunnel: do not write the startup log to a world writable
-  directory [cf. #25239]
-* Mon Feb 17 2003 - poeml@suse.de
-- Version 4.04, 2003.01.12, urgency: MEDIUM:
-  * New features [excerpt]
-    - New 'options' configuration option to setup
-  OpenSSL library hacks with SSL_CTX_set_options().
-    - 'service' option also changes the name for
-  TCP Wrappers access control in inetd mode.
-    - SSL is negotiated before connecting remote host
-  or spawning local process whenever possible.
-    - REMOTE_HOST variable is always placed in the
-  enrivonment of a process spawned with 'exec'.
-    - Whole SSL error stack is dumped on errors.
-    - 'make cert' rule is back (was missing since 4.00).
-    - Manual page updated (special thanks to Brian Hatch).
-  * Bugfixes
-    - Major code cleanup (thx to Steve Grubb <linux_4ever@yahoo.com>).
-    - Unsafe functions are removed from SIGCHLD handler.
-    - Several bugs in auth_user() fixed.
-    - Incorrect port when using 'local' option fixed.
-    - OpenSSL tools '-rand' option is no longer directly
-  used with a device (like '/dev/urandom').
-  Temporary random file is created with 'dd' instead.
-- fix typo in conf file example
-* Wed Feb 12 2003 - mmj@suse.de
-- Add sysconfig metadata [#22699]
-* Thu Oct 31 2002 - poeml@suse.de
-- update to 4.03
-- add stunnel3_wrapper that translates the cmdline arguments into a
-  configuration file
-- fix default path of pidfile
-- more examples
-* Fri Oct 25 2002 - poeml@suse.de
-- write the pid file before dropping the privileges
-* Fri Oct 25 2002 - poeml@suse.de
-- major version upgrade to 4.02
-- better permissions for /etc/stunnel and keys [#18557]
-- run as "stunnel" user in chroot jail
-- add sysconfig.syslog-stunnel template and /var/lib/stunnel/dev
-  for an additional syslog socket
-- added init script and example configuration
-* Sat Jul 27 2002 - adrian@suse.de
-- use %%run_ldconfig
-* Thu Mar 08 2001 - bk@suse.de
-- update to 3.14 and fix localstatedir (/var/run/stunnel)
-* Mon Feb 05 2001 - bk@suse.de
-- fixed neededforbuild
-* Sun Feb 04 2001 - bk@suse.de
-- new package

stunnel3-binpath.patch

@@ -1,11 +0,0 @@
---- src/stunnel3.in
-+++ src/stunnel3.in
-@@ -22,7 +22,7 @@
- use Getopt::Std;
- 
- # Configuration - path to stunnel (version >=4.05)
--$stunnel_bin='@prefix@/bin/stunnel';
-+$stunnel_bin='@prefix@/sbin/stunnel';
- 
- # stunnel3 script body begins here
- ($read_fd, $write_fd)=POSIX::pipe();