Accepting request 281295 from home:stroeder:branches:security:Stunnel

Update to 5.09

OBS-URL: https://build.opensuse.org/request/show/281295
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=68

stunnel-5.03.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9a1e369466fa756e6f48b11480a3338c1fa4717e6472871bf4a3a96c483edd03
-size 590778

stunnel-5.03.tar.gz.sha256

@@ -1 +0,0 @@
-9a1e369466fa756e6f48b11480a3338c1fa4717e6472871bf4a3a96c483edd03  stunnel-5.03.tar.gz

stunnel-5.09.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:87b34a74061861d1edd2ab238c73eb989b3d0a17e44574b7b6ead1a16aae38c8
+size 588436

stunnel-5.09.tar.gz.sha256

@@ -0,0 +1 @@
+87b34a74061861d1edd2ab238c73eb989b3d0a17e44574b7b6ead1a16aae38c8  stunnel-5.09.tar.gz

stunnel-listenqueue-option.patch

@@ -1,6 +1,7 @@
---- src/options.c
-+++ src/options.c
-@@ -1218,6 +1218,24 @@
+diff -u src.orig/options.c src/options.c
+--- src.orig/options.c	2015-01-02 15:29:55.000000000 +0100
++++ src/options.c	2015-01-14 13:01:04.118253473 +0100
+@@ -1635,6 +1635,24 @@
          break;
      }
  
@@ -22,12 +23,13 @@
 +        break;
 +    }
 +
- #ifdef HAVE_OSSL_OCSP_H
+ #ifndef OPENSSL_NO_OCSP
  
      /* OCSP */
---- src/prototypes.h
-+++ src/prototypes.h
-@@ -207,6 +207,7 @@
+diff -u src.orig/prototypes.h src/prototypes.h
+--- src.orig/prototypes.h	2015-01-02 16:00:49.000000000 +0100
++++ src/prototypes.h	2015-01-14 13:01:50.242676838 +0100
+@@ -223,6 +223,7 @@
      int timeout_close;                          /* maximum close_notify time */
      int timeout_connect;                           /* maximum connect() time */
      int timeout_idle;                        /* maximum idle connection time */
@@ -35,14 +37,15 @@
      enum {FAILOVER_RR, FAILOVER_PRIO} failover;         /* failover strategy */
      char *username;
  
---- src/stunnel.c
-+++ src/stunnel.c
-@@ -414,7 +414,7 @@
-                 str_free(local_address);
-                 return 1;
-             }
--            if(listen(opt->fd, SOMAXCONN)) {
-+            if(listen(opt->fd, opt->listenqueue)) {
-                 sockerror("listen");
-                 closesocket(opt->fd);
-                 opt->fd=-1;
+diff -u src.orig/stunnel.c src/stunnel.c
+--- src.orig/stunnel.c	2015-01-02 15:29:55.000000000 +0100
++++ src/stunnel.c	2015-01-14 13:02:19.440311818 +0100
+@@ -449,7 +449,7 @@
+                     str_free(local_address);
+                     return 1;
+                 }
+-                if(listen(opt->fd, SOMAXCONN)) {
++                if(listen(opt->fd, opt->listenqueue)) {
+                     sockerror("listen");
+                     closesocket(opt->fd);
+                     opt->fd=-1;

stunnel.changes

@@ -1,3 +1,129 @@
+-------------------------------------------------------------------
+Wed Jan 14 11:29:38 UTC 2015 - michael@stroeder.com
+
+- Update to version 5.09
+
+Version 5.09, 2015.01.02, urgency: LOW:
+* New features
+  - Added PSK authentication with two new service-level
+    configuration file options "PSKsecrets" and "PSKidentity".
+  - Added additional security checks to the OpenSSL memory
+    management functions.
+  - Added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE
+    OpenSSL configuration flags.
+  - Added compatibility with the current OpenSSL 1.1.0-dev tree.
+* Bugfixes
+  - Removed defective s_poll_error() code occasionally causing
+    connections to be prematurely closed (truncated).
+    This bug was introduced in stunnel 4.34.
+  - Fixed ./configure systemd detection (thx to Kip Walraven).
+  - Fixed ./configure sysroot detection (thx to Kip Walraven).
+  - Fixed compilation against old versions of OpenSSL.
+  - Removed outdated French manual page.
+
+Version 5.08, 2014.12.09, urgency: MEDIUM:
+* New features
+  - Added SOCKS4/SOCKS4a protocol support.
+  - Added SOCKS5 protocol support.
+  - Added SOCKS RESOLVE [F0] TOR extension support.
+  - Updated automake to version 1.14.1.
+  - OpenSSL directory searching is now relative to the sysroot.
+* Bugfixes
+  - Fixed improper hangup condition handling.
+  - Fixed missing -pic linker option.  This is required for
+    Android 5.0 and improves security.
+
+Version 5.07, 2014.11.01, urgency: MEDIUM:
+* New features
+  - Several SMTP server protocol negotiation improvements.
+  - Added UTF-8 byte order marks to stunnel.conf templates.
+  - DH parameters are no longer generated by "make cert".
+    The hardcoded DH parameters are sufficiently secure,
+    and modern TLS implementations will use ECDH anyway.
+  - Updated manual for the "options" configuration file option.
+  - Added support for systemd 209 or later.
+  - New --disable-systemd ./configure option.
+  - setuid/setgid commented out in stunnel.conf-sample.
+* Bugfixes
+  - Added support for UTF-8 byte order mark in stunnel.conf.
+  - Compilation fix for OpenSSL with disabled SSLv2 or SSLv3.
+  - Non-blocking mode set on inetd and systemd descriptors.
+  - shfolder.h replaced with shlobj.h for compatibility
+    with modern Microsoft compilers.
+
+Version 5.06, 2014.10.15, urgency: HIGH:
+* Security bugfixes
+  - OpenSSL DLLs updated to version 1.0.1j.
+    https://www.openssl.org/news/secadv_20141015.txt
+  - The insecure SSLv2 protocol is now disabled by default.
+    It can be enabled with "options = -NO_SSLv2".
+  - The insecure SSLv3 protocol is now disabled by default.
+    It can be enabled with "options = -NO_SSLv3".
+  - Default sslVersion changed to "all" (also in FIPS mode)
+    to autonegotiate the highest supported TLS version.
+* New features
+  - Added missing SSL options to match OpenSSL 1.0.1j.
+  - New "-options" commandline option to display the list
+    of supported SSL options.
+* Bugfixes
+  - Fixed FORK threading build regression bug.
+  - Fixed missing periodic Win32 GUI log updates.
+
+Version 5.05, 2014.10.10, urgency: MEDIUM:
+* New features
+  - Asynchronous communication with the GUI thread for faster
+    logging on Win32.
+  - systemd socket activation (thx to Mark Theunissen).
+  - The parameter of "options" can now be prefixed with "-"
+    to clear an SSL option, for example:
+    "options = -LEGACY_SERVER_CONNECT".
+  - Improved "transparent = destination" manual page (thx to
+    Vadim Penzin).
+* Bugfixes
+  - Fixed POLLIN|POLLHUP condition handling error resulting
+    in prematurely closed (truncated) connection.
+  - Fixed a null pointer dereference regression bug in the
+    "transparent = destination" functionality (thx to
+    Vadim Penzin). This bug was introduced in stunnel 5.00.
+  - Fixed startup thread synchronization with Win32 GUI.
+  - Fixed erroneously closed stdin/stdout/stderr if specified
+    as the -fd commandline option parameter.
+  - A number of minor Win32 GUI bugfixes and improvements.
+  - Merged most of the Windows CE patches (thx to Pierre Delaage).
+  - Fixed incorrect CreateService() error message on Win32.
+  - Implemented a workaround for defective Cygwin file
+    descriptor passing breaking the libwrap support:
+    http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors
+
+Version 5.04, 2014.09.21, urgency: LOW:
+* New features
+  - Support for local mode ("exec" option) on Win32.
+  - Support for UTF-8 config file and log file.
+  - Win32 UTF-16 build (thx to Pierre Delaage for support).
+  - Support for Unicode file names on Win32.
+  - A more explicit service description provided for the
+    Windows SCM (thx to Pierre Delaage).
+  - TCP/IP dependency added for NT service in order to prevent
+    initialization failure at boot time.
+  - FIPS canister updated to version 2.0.8 in the Win32 binary
+    build.
+* Bugfixes
+  - load_icon_default() modified to return copies of default icons
+    instead of the original resources to prevent the resources
+    from being destroyed.
+  - Partially merged Windows CE patches (thx to Pierre Delaage).
+  - Fixed typos in stunnel.init.in and vc.mak.
+  - Fixed incorrect memory allocation statistics update in
+    str_realloc().
+  - Missing REMOTE_PORT environmental variable is provided to
+    processes spawned with "exec" on Unix platforms.
+  - Taskbar icon is no longer disabled for NT service.
+  - Fixed taskbar icon initialization when commandline options are
+    specified.
+  - Reportedly more compatible values used for the dwDesiredAccess
+    parameter of the CreateFile() function (thx to Pierre Delaage).
+  - A number of minor Win32 GUI bugfixes and improvements.
+
 -------------------------------------------------------------------
 Thu Sep 18 08:06:36 UTC 2014 - asvetter@cip.physik.uni-wuerzburg.de
 
@@ -8,7 +134,7 @@ Thu Sep 18 08:06:36 UTC 2014 - asvetter@cip.physik.uni-wuerzburg.de
 -------------------------------------------------------------------
 Thu Aug 21 08:31:46 UTC 2014 - asvetter@cip.physik.uni-wuerzburg.de
 
-- - Update to version 5.03
+- Update to version 5.03
 
 Version 5.03, 2014.08.07, urgency: HIGH:
 * Security bugfixes

stunnel.spec

@@ -16,7 +16,7 @@
 #
 
 Name:           stunnel
-Version:        5.03
+Version:        5.09
 Release:        0
 Summary:        Universal SSL Tunnel
 License:        GPL-2.0+