- update to version 5.22
New features
- "OCSPaia = yes" added to the configuration file templates.
- Improved double free detection.
Bugfixes
- Fixed a number of OCSP bugs. The most severe of those bugs caused stunnel to
treat OCSP responses that failed OCSP_basic_verify() checks as if they were
successful.
- Fixed the passive IPv6 resolver (broken in stunnel 5.21).
- Remove executable bit from sample scripts
- stunnel-5.22-code11-openssl-compat.diff: Compatibility for openssl on CODE11
OBS-URL: https://build.opensuse.org/request/show/319695
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=72
- update to version 5.21
New features
- Signal names are displayed instead of numbers.
- First resolve IPv4 addresses on passive resolver requests.
- More elaborate descriptions were added to the warning about using
"verify = 2" without "checkHost" or "checkIP".
- Performance optimization was performed on the debug code.
Bugfixes
- Fixed the FORK and UCONTEXT threading support.
- Fixed "failover=prio" (broken since stunnel 5.15).
- Added a retry when sleep(3) was interrupted by a signal in the cron
thread scheduler.
OBS-URL: https://build.opensuse.org/request/show/319059
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=71
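The 5.21 entry above mentions the warning stunnel prints when a service uses "verify = 2" without "checkHost" or "checkIP": the peer certificate chain is validated, but nothing ties the certificate to the host actually being connected to. The following added example (not stunnel's own code, and not part of this changelog) is a small configuration linter that reproduces that check offline. It assumes the documented stunnel.conf layout: an INI-like file with "[service]" headers, "key = value" lines, comments starting with ";" or "#", case-insensitive option names, and service-level options placed before the first section header acting as defaults for every service. The sample configuration embedded below is constructed for the demonstration.

```python
"""Lint a stunnel.conf for service sections that set "verify = 2" without
"checkHost" or "checkIP" (the situation stunnel 5.21 warns about).

Added example, not stunnel's own code.  Assumptions: stunnel.conf is
INI-like ([section] headers, "key = value" lines, comments starting with
';' or '#'), option names are case-insensitive, and service-level options
given before the first section header are defaults for all services.
"""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
OPTION_RE = re.compile(r"^(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*?)\s*$")


def parse_stunnel_conf(text):
    """Return (global_opts, services).

    global_opts is a list of (key, value) pairs found before the first
    section header; services maps section name -> list of (key, value).
    Keys are lower-cased because stunnel option names are case-insensitive.
    """
    global_opts = []
    services = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = services.setdefault(m.group("name"), [])
            continue
        m = OPTION_RE.match(line)
        if m:
            current.append((m.group("key").lower(), m.group("value")))
    return global_opts, services


def find_unchecked_peers(text):
    """Names of services with verify = 2 but neither checkHost nor checkIP.

    Global defaults are applied first and then overridden by the options
    of each service section, so a global "verify = 2" is inherited unless
    the service sets its own verify level.
    """
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():
        effective = dict(global_opts)
        effective.update(opts)  # service-level values override global ones
        if effective.get("verify") == "2" and not (
            "checkhost" in effective or "checkip" in effective
        ):
            findings.append(name)
    return findings


# Constructed sample configuration (hypothetical hosts and paths).
SAMPLE_CONF = """\
; constructed sample, not a real deployment
cert = /etc/stunnel/stunnel.pem
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt

[smtps-client]
client = yes
accept = 127.0.0.1:2525
connect = mail.example.com:465
checkHost = mail.example.com

[imaps-client]
client = yes
accept = 127.0.0.1:1143
connect = imap.example.com:993

[https-server]
client = no
accept = 443
connect = 127.0.0.1:8080
verify = 0
"""


if __name__ == "__main__":
    for service in find_unchecked_peers(SAMPLE_CONF):
        print(f"[{service}]: verify = 2 without checkHost or checkIP")
```

Run against the sample, only "imaps-client" is reported: "smtps-client" pins the expected hostname with checkHost, and "https-server" overrides the inherited "verify = 2" with its own level. The linter only inspects the options it is given; it does not validate certificates or open any connection.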
- update to version 5.20
New features
- The SSL library detection algorithm was made a bit smarter.
- Warnings about insecure authentication were modified to include the name of
the affected service section.
- Documentation updates (closes Debian bug #781669).
Bugfixes
- Signal pipe reinitialization added to prevent turning the main accepting
thread into a busy wait loop when an external condition breaks the signal pipe.
This bug was found to surface on Win32, but other platforms may also be
affected.
- Generated temporary DH parameters are used for configuration reload instead
of the static defaults.
- Fixed the manual page headers (thx to Gleydson Soares).
OBS-URL: https://build.opensuse.org/request/show/316545
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=70
- update to version 5.19
Bugfixes:
- Improved socket error handling.
- Fixed handling of dynamic connect targets.
- Fixed handling of trailing whitespaces in the Content-Length header of the
NTLM authentication.
- Fixed memory leaks in certificate verification.
New features:
- The "redirect" option was improved to not only redirect sessions established
with an untrusted certificate, but also sessions established without a
client certificate.
- Randomize the initial value of the round-robin counter.
- Added "include" configuration file option to include all configuration file
parts located in a specified directory.
- Temporary DH parameters are refreshed every 24 hours, unless static DH
parameters were provided in the certificate file.
- Warnings are logged on potentially insecure authentication.
- stunnel-listenqueue-option.patch: Refresh.
- stunnel3-binpath.patch: Obsolete, dropped.
- stunnel.service: Modified to start after network.target, not syslog.target.
OBS-URL: https://build.opensuse.org/request/show/314344
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=69
- Default "pid" is now "", i.e. not to create a pid file at startup.
- Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2" due to
AlFBPPS attack and bad performance of DH ciphersuites.
- New service-level option "redirect" to redirect SSL client connections on
authentication failures instead of rejecting them.
- New global "engineDefault" configuration file option to control which
OpenSSL tasks are delegated to the current engine.
- New service-level configuration file option "engineId" to select the engine
by identifier, e.g. "engineId = capi".
- Improved readability of error messages printed when stunnel refuses to start
due to a critical error.
- Patches:
- stunnel-CVE-2013-1762.patch obsoleted. Dropped.
- stunnel-default-fips-off.patch obsoleted. Dropped.
- stunnel-listenqueue-option.patch refreshed.
- update to version 4.56
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=62
- Usage of uninitialized variables fixed in exec+connect services.
- Fixed handling of a rare inetd mode use case, where either stdin
or stdout is a socket, but not both of them at the same time.
- Fixed crash on termination with FORK threading model.
- Fixed missing file descriptors passed to local mode processes.
- refreshed stunnel-listenqueue-option.patch to apply cleanly again
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=57
- update to version 4.49
- A bug was fixed causing crashes on MacOS X and some other
platforms.
- additional changes from 4.48
- FIPS support on Win32 platform added. OpenSSL 0.9.8r DLLs
based on FIPS 1.2.3 canister are included with this version of
stunnel. FIPS mode can be disabled with "fips = no"
configuration file option.
- Fixed canary initialization problem on Win32 platform.
OBS-URL: https://build.opensuse.org/request/show/94360
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=56
* New features
- New verify level 0 to request and ignore peer certificate.
- Manual page has been updated.
* Bugfixes
- Fixed a heap corruption vulnerability in versions 4.40 and 4.41.
It may possibly be leveraged to perform DoS or remote code
execution attacks (CVE-2011-2940).
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=51
* New features:
- Hardcoded 2048-bit DH parameters are used as a fallback if DH
parameters are not provided in stunnel.pem.
- Default "ciphers" value updated to prefer ECDH:
"ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH".
- Default ECDH curve updated to "prime256v1".
- Removed support for temporary RSA keys (used in obsolete
export ciphers).
- refresh stunnel-listenqueue-option.patch
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=49
* New features:
- Server-side SNI implemented (RFC 3546 section 3.1) with a new
service-level option "sni".
- "socket" option also accepts "yes" and "no" for flags.
- Nagle's algorithm is now disabled by default for improved
interactivity.
* Bugfixes:
- A compilation fix was added for OpenSSL version < 1.0.0.
- Signal pipe set to non-blocking mode. This bug caused hangs
of stunnel features based on signals, e.g. local mode, FORK
threading, or configuration file reload on Unix.
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=46
- update package to 4.36
- obsoletes SOMAXCONN and libwrap disable patches (bnc#674554)
- forward port listenqueue patch (bnc#674554)
- explicitly enable libwrap in configure call
* New features
- Dynamic memory management for strings manipulation: no more static
STRLEN limit, lower stack footprint.
- Strict public key comparison added for "verify = 3" certificate checking
mode (thx to Philipp Hartwig).
- Backlog parameter of listen(2) changed from 5 to SOMAXCONN: improved
behavior on heavy load.
Old behavior can be restored with "listenqueue = 5" in stunnel.conf
* Bugfixes
- Missing pthread_attr_destroy() added to fix memory leak (thx to Paul
Allex and Peter Pentchev).
- Fixed the incorrect way of setting FD_CLOEXEC flag.
- Fixed --enable-libwrap option of ./configure script.
- Retry implemented on EAI_AGAIN error returned by resolver calls.
OBS-URL: https://build.opensuse.org/request/show/73837
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=40