Update to 5.76 jsc#PED-14814

2026-02-02 11:21:39 +01:00
7 changed files with 100 additions and 41 deletions
--- a/stunnel-5.69-system-ciphers.patch
+++ b/stunnel-5.69-system-ciphers.patch
@@ -16,22 +16,20 @@ From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
 src/options.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-diff --git a/src/options.c b/src/options.c
-index 6e4a18b..4d31815 100644
--- a/src/options.c
-+++ b/src/options.c
-@@ -321,9 +321,9 @@ static const char *option_not_found=
+Index: stunnel-5.76/src/options.c
+===================================================================
+--- stunnel-5.76.orig/src/options.c
+++ stunnel-5.76/src/options.c
+@@ -332,10 +332,10 @@ static const char *option_not_found=
     "Specified option name is not valid here";
 
 static const char *stunnel_cipher_list=
 -    "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
 +    "PROFILE=SYSTEM";
+ #ifdef USE_FIPS
 static const char *fips_cipher_list=
 -    "FIPS:!DH:!kDHEPSK";
 +    "PROFILE=SYSTEM";
+ #endif /* USE_FIPS */
 
 #ifndef OPENSSL_NO_TLS1_3
- static const char *stunnel_ciphersuites=
-- 
-2.39.2
-
--- a/stunnel-5.74.tar.gz
+++ b/stunnel-5.74.tar.gz
--- a/stunnel-5.74.tar.gz.asc
+++ b/stunnel-5.74.tar.gz.asc
@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmdcZ6EACgkQLvx/8NQW
-4BRl/RAAjWHEueTMN6fvs79hKTSIWLiDNs5rTOPLylt69nlr5oYsUS9yfk0ox70j
-IcaWBrLGZn5rEXf/J/D0wQW2Jqvl+R5TWPDiwq9N0VPI8LqH0cd0Yz5wW4vEsAIo
-wlYeFJeaMjS9McYDfiuhRmhWvETV3bu2KPSiENLo/lTHYKh4apRN2opMWKjKh+/N
-/wWUZByVogkjSNzM7lqqqOk6RVGaTcjWvfux3e+HN+/4AV0uSleF8k3N6nKrkJUs
-OhZ8aIXheEIp/LoXnG5PxnOBzMg4pT47FphI8//5193CERgHiHjlsHuZwRqyYInp
-B7fbPpDGtwCAOC42OZOzSpekDWbnvNgCT4e5NFkpaa6+UJ40rR1O+oCMcx+kSc+t
-rZvapGT/zh+rYJnZ4wveaMY3NY/poUO7huFO4kVz/mgL550wfp2Xgx0y1GmvFas8
-OMXFPtRCXUnkcmxPESHwtwHYCcJIxMjPKLHHzQ/m1DBnZTdfQWvhSWWhez+0SltS
-Hh1ImQiWlFWzVhXtZIUi7FtGieybDMQgr/FEMsYX4e2NaSefKvHxur4S7QufKukX
-rWjAlk7wUqHYTaRztiX81fXOwv7SGABEOfrMVRQ4Lxk0lLNAFdrPmRFSy14k4ObD
-BTvq2QlPaOTiQLhNNVNCX6l57ODrF2QIsXUaOQU9JnL8f8uC1AY=
-=Qhan
-----END PGP SIGNATURE-----
--- a/stunnel-5.76.tar.gz
+++ b/stunnel-5.76.tar.gz
--- a/stunnel-5.76.tar.gz.asc
+++ b/stunnel-5.76.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmjzuUAACgkQLvx/8NQW
+4BSjTg//VO2xPv2p6h3hE3Xzoc3L+rssmjgQC5K5QsCuUTEjQAJCQzjOvIR0DMjH
+MDvpFSzmhan8XpqNSpwy51L8CY7h+Fw1I3PJmwDyM/iFzBu7LoJHKdt+GyM4XTUS
+LqGizxUrHoRsnMW75Lo1D0GNpteBcutAsDrnWXe6Ge32ypIQsEW2H7nMifdGLrTq
+hDpVo4XXKe9o14gQt5jOcAEhBZFNBLllleaZKDxrM5HvHvwZbU4qjO6sy8G1UdzI
+eixdKwKEpDql3HBjPoA4NUhIZ83DNYBG26lH9wD+rlnSDgyGRu46lcIOVcFeQluL
+JehgwwSBF9WpYx1qH0hF00C+Rtzp+jnKBVLg6b3ONLrQDE5z+OWMP5mrNPp6ZGqs
+oK2OjWNVjXzKfQ65vlicNf6dT/vhVwqqoo4w/GLYQcARTME1DzKB2jabR/5TOYe
+DXAi7NpoqmQVJqwdGGFIKC1fXJB/llnxM6SXTFFs7+m78hGQxwBzzBWp7Ia8/4nS
+kFmtwFEpNPVj94+4VcwUCcUpuuAOzkDtzZT6Z3AZnJ4pACKrGLfHlhFQwQvc98+o
+IHI6iEzWnWh3py18M7+LBhpvqecw0XTW77EIA/c/rXVEJrAGrhyLwxaMoz2tu+dz
+OcINBdyK/OW1SksVQoG6DmCFinLPcXM48Z8XTUO8D38msVL+jBw=
+=3wQb
+-----END PGP SIGNATURE-----
--- a/stunnel.changes
+++ b/stunnel.changes
@@ -1,3 +1,47 @@
+-------------------------------------------------------------------
+Fri Jan 23 13:34:31 UTC 2026 - Pedro Monreal <pmonreal@suse.com>
+
+- Adapt the .spec file for Immutable Mode [jsc#PED-14814]
+
+-------------------------------------------------------------------
+Thu Nov  6 14:11:20 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 5.76:
+  * Security bugfixes:
+    - Service-level multivalued options now override (rather than
+      append to) global defaults, preventing unintended configurations.
+  * Bugfixes:
+    - Fixed enabling/disabling of the default fips=yes property.
+    - Missing OCSP stapling is no longer logged as an error.
+    - Fixed a crash when a PIN was required due to the PKCS#11
+      CKA_ALWAYS_AUTHENTICATE attribute.
+  * Features:
+    - Quantum-resistant hybrid key agreement X25519+ML-KEM-768
+      (X25519MLKEM768) used by default with OpenSSL 3.5+ and TLS 1.3.
+    - Multiple cert sources are supported, allowing a certificate to
+      be fetched from a provider while loading the chain from a file.
+    - Android build switched to a 16 KB page size.
+  * Rebase stunnel-5.69-system-ciphers.patch
+
+-------------------------------------------------------------------
+Tue Jun  3 11:37:37 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to version 5.75:
+  * Security bugfixes
+    - OpenSSL FIPS Provider updated to version 3.1.2.
+  * Bugfixes
+    - Fixed infinite loop triggered by OCSP URL parsing errors
+    - Fixed OPENSSL_NO_OCSP build issues
+    - Fixed default curve selection in FIPS mode with OpenSSL 3.4+.
+    - Fixed tests with modern Python versions.
+    - Fixed tests with multiple OpenSSL versions installed.
+  * Features
+    - Added provider URI support for "cert" and "key" options.
+    - Added new "CAstore" service-level option (OpenSSL 3.0+).
+    - Added "provider" (OpenSSL 3.0+), "providerParameter"
+      (OpenSSL 3.5+), and "setEnv" global options.
+    - Key file/URI path added to passphrase prompt on Unix.
+
 -------------------------------------------------------------------
 Tue Jan  7 09:32:26 UTC 2025 - Pedro Monreal <pmonreal@suse.com>

--- a/stunnel.spec
+++ b/stunnel.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package stunnel
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           stunnel
-Version:        5.74
+Version:        5.76
 Release:        0
 Summary:        Universal TLS Tunnel
 License:        GPL-2.0-or-later
@@ -33,7 +33,7 @@ Source1:        https://www.stunnel.org/downloads/%{name}-%{version}.tar.gz.asc
 Source2:        https://www.stunnel.org/pgp.asc#/%{name}.keyring
 Source3:        sysconfig.syslog-stunnel
 Source4:        stunnel.rc
-Source7:        stunnel.README
+Source5:        stunnel.README
 # PATCH-FIX-UPSTREAM Fix service file, so it ensure we are starting after network is really up!
 Patch1:         stunnel-5.59_service_always_after_network.patch
 Patch2:         harden_stunnel.service.patch
@@ -106,6 +106,7 @@ sed -i 's/-m 1770//g' tools/Makefile.in
 mkdir -p %{buildroot}%{_docdir}
 mv %{buildroot}%{_datadir}/doc/stunnel %{buildroot}%{_docdir}/
 mkdir -p %{buildroot}%{_docdir}/stunnel/tools
+cp tools/openssl.cnf %{buildroot}%{_docdir}/stunnel/tools
 mkdir -p %{buildroot}%{_fillupdir}
 cp -p %{SOURCE3} %{buildroot}%{_fillupdir}/
 install -D -m 0644 %{buildroot}%{_docdir}/stunnel/examples/stunnel.service %{buildroot}/%{_unitdir}/stunnel.service
@@ -125,7 +126,19 @@ rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL.W32.md
 rm -rf %{buildroot}%{_docdir}/stunnel/ca-certs.pem
 rm -rf %{buildroot}%{_docdir}/stunnel/plugins/

-mkdir -p %{buildroot}%{_localstatedir}/lib/stunnel/{bin,etc,dev,%{_lib},sbin,var/run}
+# Install tmpfiles.d and define the configuration for immutable mode [jsc#PED-14814]
+install -d %{buildroot}%{_tmpfilesdir}
+cat > %{buildroot}%{_tmpfilesdir}/stunnel.conf <<EOF
+#Type Path         Mode UID  GID  Age Argument
+d /var/lib/stunnel 0755 root root - -
+d /var/lib/stunnel/bin 0755 root root - -
+d /var/lib/stunnel/etc 0755 root root - -
+d /var/lib/stunnel/dev 0755 root root - -
+d /var/lib/stunnel/lib64 0755 root root - -
+d /var/lib/stunnel/sbin 0755 root root - -
+d /var/lib/stunnel/var/run 0755 stunnel root - -
+EOF
+
 install -d %{buildroot}%{_sysconfdir}/%{name}/conf.d

 %check
@@ -144,6 +157,7 @@ fi
 %service_add_pre %{name}.service

 %post
+%tmpfiles_create %{_tmpfilesdir}/stunnel.conf
 %service_add_post %{name}.service
 %{fillup_only -ans syslog stunnel}

@@ -161,21 +175,24 @@ fi
 %{_libdir}/%{name}/
 %{_mandir}/man8/stunnel*8%{?ext_man}
 %dir %attr(700,root,root) %{_sysconfdir}/%{name}/
-%dir %attr(700,root,root) %{_sysconfdir}/%{name}//conf.d
+%dir %attr(700,root,root) %{_sysconfdir}/%{name}/conf.d
 %config(noreplace) %{_sysconfdir}/%{name}/stunnel.conf
-%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel
-%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/bin
-%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel%{_sysconfdir}
-%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/dev
-%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/%{_lib}
-%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/sbin
-%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel%{_localstatedir}
-%dir %attr(755,stunnel,root) %{_localstatedir}/lib/stunnel%{_localstatedir}/run
 %{_fillupdir}/sysconfig.syslog-stunnel
 %{_unitdir}/stunnel.service
 %{_datadir}/bash-completion/completions/%{name}.bash
+# Immutable mode (jsc#PED-14814)
+%{_tmpfilesdir}/stunnel.conf
+%ghost %dir %attr(755,root,root) %{_localstatedir}/lib/stunnel
+%ghost %dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/bin
+%ghost %dir %attr(755,root,root) %{_localstatedir}/lib/stunnel%{_sysconfdir}
+%ghost %dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/dev
+%ghost %dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/%{_lib}
+%ghost %dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/sbin
+%ghost %dir %attr(755,root,root) %{_localstatedir}/lib/stunnel%{_localstatedir}
+%ghost %dir %attr(755,stunnel,root) %{_localstatedir}/lib/stunnel%{_localstatedir}/run

 %files doc
 %doc %{_docdir}/%{name}
+%doc %{_docdir}/%{name}/tools

 %changelog