* New features
- New verify level 0 to request and ignore peer certificate.
- Manual page has been updated.
* Bugfixes
- Fixed a heap corruption vulnerability in versions 4.40 and 4.41.
It may possibly be leveraged to perform DoS or remote code
execution attacks (CVE-2011-2940).
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=51
* New features:
- Hardcoded 2048-bit DH parameters are used as a fallback if DH
parameters are not provided in stunnel.pem.
- Default "ciphers" value updated to prefer ECDH:
"ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH".
- Default ECDH curve updated to "prime256v1".
- Removed support for temporary RSA keys (used in obsolete
export ciphers).
- refresh stunnel-listenqueue-option.patch
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=49
* New features:
- Server-side SNI implemented (RFC 3546 section 3.1) with a new
service-level option "nsi".
- "socket" option also accepts "yes" and "no" for flags.
- Nagle's algorithm is now disabled by default for improved
interactivity.
* Bugfixes:
- A compilation fix was added for OpenSSL version < 1.0.0.
- Signal pipe set to non-blocking mode. This bug caused hangs
of stunnel features based on signals, e.g. local mode, FORK
threading, or configuration file reload on Unix.
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=46
- update package to 4.36
- obsoletes SOMAXCONN and libwrap disable patches (bnc#674554)
- forward port listenqueue patch (bnc#674554)
- explicitly enable libwrap in configure call
* New features
- Dynamic memory management for strings manipulation: no more static
STRLEN limit, lower stack footprint.
- Strict public key comparison added for "verify = 3" certificate checking
mode (thx to Philipp Hartwig).
- Backlog parameter of listen(2) changed from 5 to SOMAXCONN: improved
behavior on heavy load.
Old behavior can be restored with "listenqueue = 5" in stunnel.conf
* Bugfixes
- Missing pthread_attr_destroy() added to fix memory leak (thx to Paul
Allex and Peter Pentchev).
- Fixed the incorrect way of setting FD_CLOEXEC flag.
- Fixed --enable-libwrap option of ./configure script.
- Retry implemented on EAI_AGAIN error returned by resolver calls.
OBS-URL: https://build.opensuse.org/request/show/73837
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=40
