From f25c4c5cca95b170209235f3ed505c84aaca01d78b100537168601c2b1e7cdd1 Mon Sep 17 00:00:00 2001
From: Andreas Vetter
Date: Fri, 25 Nov 2011 09:53:07 +0000
Subject: [PATCH] Accepting request 93518 from home:darix:branches:security:Stunnel

- update to version 4.47
- refreshed stunnel-listenqueue-option.patch to apply cleanly again
- pass the path to the config file to the binary in the init script: without this the init script does not work for me.

OBS-URL: https://build.opensuse.org/request/show/93518
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=55
---
 stunnel-4.43.tar.bz2 | 3 --
 stunnel-4.47.tar.bz2 | 3 ++
 stunnel-listenqueue-option.patch | 20 +++++---
 stunnel.changes | 82 ++++++++++++++++++++++++++++++++
 stunnel.rc | 2 +-
 stunnel.spec | 4 +-
 6 files changed, 101 insertions(+), 13 deletions(-)
 delete mode 100644 stunnel-4.43.tar.bz2
 create mode 100644 stunnel-4.47.tar.bz2

diff --git a/stunnel-4.43.tar.bz2 b/stunnel-4.43.tar.bz2
deleted file mode 100644
index 0c11b30..0000000
--- a/stunnel-4.43.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:994366c6ce1c378114f6a4e37debb906ddd4cb86b240ff329be6d7f16dab0f0d
-size 469229
diff --git a/stunnel-4.47.tar.bz2 b/stunnel-4.47.tar.bz2
new file mode 100644
index 0000000..38b3777
--- /dev/null
+++ b/stunnel-4.47.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:40cbfd580bad00602d184e00276f52e50da57711916e124b525353f88147ebaa
+size 414668
diff --git a/stunnel-listenqueue-option.patch b/stunnel-listenqueue-option.patch
index 66c5570..a738c2f 100644
--- a/stunnel-listenqueue-option.patch
+++ b/stunnel-listenqueue-option.patch
@@ -1,6 +1,8 @@
---- src/options.c
+Index: src/options.c
+===================================================================
+--- src/options.c.orig
 +++ src/options.c
-@@ -1484,6 +1484,25 @@
+@@ -1535,6 +1535,25 @@ static char *parse_service_option(CMD cm
             break;
         }
@@ -26,9 +28,11 @@
         if(cmd==CMD_EXEC)
             return option_not_found;
         return NULL; /* OK */
---- src/prototypes.h
+Index: src/prototypes.h
+===================================================================
+--- src/prototypes.h.orig
 +++ src/prototypes.h
-@@ -165,6 +165,7 @@
+@@ -170,6 +170,7 @@ typedef struct service_options_struct {
     int timeout_close; /* maximum close_notify time */
     int timeout_connect; /* maximum connect() time */
     int timeout_idle; /* maximum idle connection time */
@@ -36,12 +40,14 @@
     enum {FAILOVER_RR, FAILOVER_PRIO} failover; /* failover strategy */
     /* service-specific data for protocol.c */
---- src/stunnel.c
+Index: src/stunnel.c
+===================================================================
+--- src/stunnel.c.orig
 +++ src/stunnel.c
-@@ -248,7 +248,7 @@
- }
+@@ -330,7 +330,7 @@ int bind_ports(void) {
     s_log(LOG_DEBUG, "Service %s bound to %s", opt->servname, local_address);
+ str_free(local_address);
- if(listen(opt->fd, SOMAXCONN)) {
+ if(listen(opt->fd, opt->listenqueue)) {
     sockerror("listen");
diff --git a/stunnel.changes b/stunnel.changes
index 54888a9..b315be1 100644
--- a/stunnel.changes
+++ b/stunnel.changes
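Review bot: The refreshed stunnel.c hunk now hands opt->listenqueue to listen(), but none of the visible hunks of the refreshed patch show where that field gets its default or whether the parsed value is range-checked, and this refresh is rebased onto 4.46's data-structure refactoring, which the changelog in this same commit says may carry regressions. If the per-section default did not survive the rebase, a section without an explicit listenqueue setting would call `listen(opt->fd, 0)`: the daemon starts normally but with an effectively empty accept backlog, a self-inflicted availability problem under load rather than a visible failure. I cannot confirm either way from these lines; I would verify that the options.c part of the refreshed patch still initialises listenqueue to SOMAXCONN in its init pass and rejects non-positive values in its CMD_EXEC branch, something like `if(listenqueue_value < 1) return "listenqueue must be a positive integer";` on whatever the section pointer is called there. bind_ports() begins and ends outside this hunk.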
@@ -1,3 +1,85 @@
+-------------------------------------------------------------------
+Thu Nov 24 16:39:23 UTC 2011 - darix@nordisch.org
+
+- refreshed stunnel-listenqueue-option.patch to apply cleanly again
+- pass the path to the config file to the binary in the init
+  script: without this the init script does not work for me.
+
+-------------------------------------------------------------------
+Thu Nov 24 16:19:39 UTC 2011 - darix@nordisch.org
+
+- update to version 4.47
+  * Internal improvements
+    - CVE-2010-3864 workaround improved to check runtime version of
+      OpenSSL rather than compiled version, and to allow OpenSSL
+      0.x.x >= 0.9.8p.
+    - Encoding of man page sources changed to UTF-8.
+  * Bugfixes
+    - Handling of socket/SSL close in transfer() function was
+      fixed.
+    - Logging was modified to save and restore system error codes.
+    - Option "service" was restricted to Unix, as since stunnel
+      4.42 it wasn't doing anything useful on Windows platform.
+- additional changes from version 4.46
+  * New features
+    - Added Unix socket support (e.g. "connect =
+      /var/run/stunnel/socket").
+    - Added "verify = 4" mode to ignore CA chain and only verify
+      peer certificate.
+    - Removed the limit of 16 IP addresses for a single 'connect'
+      option.
+    - Removed the limit of 256 stunnel.conf sections in PTHREAD
+      threading model. It is still not possible have more than 63
+      sections on WIN32 platform.
+      http://msdn.microsoft.com/en-us/library/windows/desktop/ms740141(v=vs.85).aspx
+  * Optimizations
+    - Reduced per-connection memory usage.
+    - Performed a major refactoring of internal data structures. Extensive
+      internal testing was performed, but some regression bugs are expected.
+  * Bugfixes
+    - Fixed WIN32 compilation with Mingw32.
+    - Fixed non-blocking API emulation layer in UCONTEXT threading model.
+    - Fixed signal handling in UCONTEXT threading model.
+- additional changes from version 4.45
+  * New features
+    - "protocol = proxy" support to send original client IP address to haproxy:
+      http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
+      This requires accept-proxy bind option of haproxy 1.5-dev3 or later.
+    - Added Win32 configuration reload without a valid configuration loaded.
+    - Added compatibility with LTS OpenSSL versions 0.9.6 and 0.9.7.
+      Some features are only available in OpenSSL 1.0.0 and later.
+  * Performance optimizations
+    - Use SSL_MODE_RELEASE_BUFFERS if supported by the OpenSSL library.
+    - Libwrap helper processes are no longer started if libwrap is disabled
+      in all sections of the configuration file.
+  * Internal improvements
+    - Protocol negotiation framework was rewritten to support
+      additional code to be executed after
+      SSL_accept()/SSL_connect().
+    - Handling of memory allocation errors was rewritten to
+      gracefully
+      terminate the process (thx to regenrecht for the idea).
+  * Bugfixes
+    - Fixed -l option handling in stunnel3 script
+      (thx to Kai Gülzau).
+    - Script to build default stunnel.pem was fixed
+      (thx to Sebastian Kayser).
+    - MinGW compilation script (mingw.mak) was fixed
+      (thx to Jose Alf).
+    - MSVC compilation script (vc.mak) was fixed.
+    - A number of problems in WINSOCK error handling were fixed.
+- additional changes from version 4.44
+  * New features
+    - Major automake/autoconf cleanup.
+    - Heap buffer overflow protection with canaries.
+    - Stack buffer overflow protection with -fstack-protector.
+  * Bugfixes
+    - Fixed garbled error messages on errors with setuid/setgid
+      options.
+    - SNI fixes (thx to Alexey Drozdov).
+    - Use after free in fdprintf() (thx to Alexey Drozdov). This
+      issue might cause GPF with "protocol" or "ident" options.
+
 -------------------------------------------------------------------
 Fri Sep 9 13:45:49 UTC 2011 - drahn@suse.com
diff --git a/stunnel.rc b/stunnel.rc
index cbc2617..f1cf76f 100644
--- a/stunnel.rc
+++ b/stunnel.rc
@@ -129,7 +129,7 @@ case "$1" in
         test "$2" = "-v" && echo -en \
         "\nrunnning '$DAEMON_BIN '"
-        startproc -l $STARTPROC_LOGFILE $DAEMON_BIN || error=1
+        startproc -l $STARTPROC_LOGFILE $DAEMON_BIN ${STUNNEL_CONF} || error=1
         if [ $error -eq 1 ]; then
         echo -e -n " please see $STARTPROC_LOGFILE for details ";
diff --git a/stunnel.spec b/stunnel.spec
index 0452872..1b1b3b6 100644
--- a/stunnel.spec
+++ b/stunnel.spec
@@ -19,8 +19,8 @@ BuildRequires: gcc-c++ tcp_wrappers
 %endif
 Summary: Universal SSL Tunnel
 License: GNU Library General Public License v. 2.0 and 2.1 (LGPL)
-Version: 4.43
-Release: 0.
+Version: 4.47
+Release: 0
 Group: Productivity/Networking/Security
 URL: http://www.stunnel.org/
 Autoreqprov: on
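Review bot: `${STUNNEL_CONF}` on the new startproc line is unquoted and never checked: if the variable is empty or unset the word disappears and stunnel presumably starts against its compiled-in default config path without any error, and a path containing whitespace is split into several arguments. Where STUNNEL_CONF is assigned is outside this hunk, so I cannot tell whether it is guaranteed non-empty; I would quote it, `startproc -l $STARTPROC_LOGFILE $DAEMON_BIN "$STUNNEL_CONF" || error=1`, and fail before the call with `test -r "$STUNNEL_CONF" || error=1` so a misconfigured path is reported instead of running the daemon against the wrong configuration. The `-v` echo two lines earlier still prints only `'$DAEMON_BIN '`, so verbose output no longer shows the command line actually run; consider adding the config path there too. The enclosing case arm starts and ends outside the hunk.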