Accepting request 93518 from home:darix:branches:security:Stunnel

- update to version 4.47 - refreshed stunnel-listenqueue-option.patch to apply cleanly again - pass the path to the config file to the binary in the init script: without this the init script does not work for me. OBS-URL: https://build.opensuse.org/request/show/93518 OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=55
2011-11-25 09:53:07 +00:00 · 2011-11-25 09:53:07 +00:00 · f25c4c5cca
commit f25c4c5cca
parent 413f3db17c
6 changed files with 101 additions and 13 deletions
--- a/stunnel-4.43.tar.bz2
+++ b/stunnel-4.43.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:994366c6ce1c378114f6a4e37debb906ddd4cb86b240ff329be6d7f16dab0f0d
-size 469229
--- a/stunnel-4.47.tar.bz2
+++ b/stunnel-4.47.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:40cbfd580bad00602d184e00276f52e50da57711916e124b525353f88147ebaa
+size 414668
--- a/stunnel-listenqueue-option.patch
+++ b/stunnel-listenqueue-option.patch
@ -1,6 +1,8 @@
--- src/options.c
+Index: src/options.c
+===================================================================
+--- src/options.c.orig
 +++ src/options.c
-@@ -1484,6 +1484,25 @@
+@@ -1535,6 +1535,25 @@ static char *parse_service_option(CMD cm
         break;
     }
 
@ -26,9 +28,11 @@
     if(cmd==CMD_EXEC)
         return option_not_found;
     return NULL; /* OK */
--- src/prototypes.h
+Index: src/prototypes.h
+===================================================================
+--- src/prototypes.h.orig
 +++ src/prototypes.h
-@@ -165,6 +165,7 @@
+@@ -170,6 +170,7 @@ typedef struct service_options_struct {
     int timeout_close;                          /* maximum close_notify time */
     int timeout_connect;                           /* maximum connect() time */
     int timeout_idle;                        /* maximum idle connection time */
@ -36,12 +40,14 @@
     enum {FAILOVER_RR, FAILOVER_PRIO} failover;         /* failover strategy */
 
         /* service-specific data for protocol.c */
--- src/stunnel.c
+Index: src/stunnel.c
+===================================================================
+--- src/stunnel.c.orig
 +++ src/stunnel.c
-@@ -248,7 +248,7 @@
-             }
+@@ -330,7 +330,7 @@ int bind_ports(void) {
             s_log(LOG_DEBUG, "Service %s bound to %s",
                 opt->servname, local_address);
+             str_free(local_address);
 -            if(listen(opt->fd, SOMAXCONN)) {
 +            if(listen(opt->fd, opt->listenqueue)) {
                 sockerror("listen");
--- a/stunnel.changes
+++ b/stunnel.changes
@ -1,3 +1,85 @@
+-------------------------------------------------------------------
+Thu Nov 24 16:39:23 UTC 2011 - darix@nordisch.org
+
+- refreshed stunnel-listenqueue-option.patch to apply cleanly again
+- pass the path to the config file to the binary in the init
+  script: without this the init script does not work for me.
+
+-------------------------------------------------------------------
+Thu Nov 24 16:19:39 UTC 2011 - darix@nordisch.org
+
+- update to version 4.47
+  * Internal improvements
+    - CVE-2010-3864 workaround improved to check runtime version of
+      OpenSSL rather than compiled version, and to allow OpenSSL
+      0.x.x >= 0.9.8p.
+    - Encoding of man page sources changed to UTF-8.
+  * Bugfixes
+    - Handling of socket/SSL close in transfer() function was
+      fixed.
+    - Logging was modified to save and restore system error codes.
+    - Option "service" was restricted to Unix, as since stunnel
+      4.42 it wasn't doing anything useful on Windows platform.
+- additional changes from version 4.46
+  * New features
+    - Added Unix socket support (e.g. "connect =
+      /var/run/stunnel/socket").
+    - Added "verify = 4" mode to ignore CA chain and only verify
+      peer certificate.
+    - Removed the limit of 16 IP addresses for a single 'connect'
+      option.
+    - Removed the limit of 256 stunnel.conf sections in PTHREAD
+      threading model. It is still not possible have more than 63
+      sections on WIN32 platform.
+      http://msdn.microsoft.com/en-us/library/windows/desktop/ms740141(v=vs.85).aspx
+  * Optimizations
+    - Reduced per-connection memory usage.
+    - Performed a major refactoring of internal data structures.  Extensive
+      internal testing was performed, but some regression bugs are expected.
+  * Bugfixes
+    - Fixed WIN32 compilation with Mingw32.
+    - Fixed non-blocking API emulation layer in UCONTEXT threading model.
+    - Fixed signal handling in UCONTEXT threading model.
+- additional changes from version 4.45
+  * New features
+    - "protocol = proxy" support to send original client IP address to haproxy:
+      http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
+      This requires accept-proxy bind option of haproxy 1.5-dev3 or later.
+    - Added Win32 configuration reload without a valid configuration loaded.
+    - Added compatibility with LTS OpenSSL versions 0.9.6 and 0.9.7.
+      Some features are only available in OpenSSL 1.0.0 and later.
+  * Performance optimizations
+    - Use SSL_MODE_RELEASE_BUFFERS if supported by the OpenSSL library.
+    - Libwrap helper processes are no longer started if libwrap is disabled
+      in all sections of the configuration file.
+  * Internal improvements
+    - Protocol negotiation framework was rewritten to support
+      additional code to be executed after
+      SSL_accept()/SSL_connect().
+    - Handling of memory allocation errors was rewritten to
+      gracefully
+      terminate the process (thx to regenrecht for the idea).
+  * Bugfixes
+    - Fixed -l option handling in stunnel3 script
+      (thx to Kai Gülzau).
+    - Script to build default stunnel.pem was fixed
+      (thx to Sebastian Kayser).
+    - MinGW compilation script (mingw.mak) was fixed
+      (thx to Jose Alf).
+    - MSVC compilation script (vc.mak) was fixed.
+    - A number of problems in WINSOCK error handling were fixed.
+- additional changes from version 4.44
+  * New features
+    - Major automake/autoconf cleanup.
+    - Heap buffer overflow protection with canaries.
+    - Stack buffer overflow protection with -fstack-protector.
+  * Bugfixes
+    - Fixed garbled error messages on errors with setuid/setgid
+      options.
+    - SNI fixes (thx to Alexey Drozdov).
+    - Use after free in fdprintf() (thx to Alexey Drozdov).  This
+      issue might cause GPF with "protocol" or "ident" options.
+
 -------------------------------------------------------------------
 Fri Sep  9 13:45:49 UTC 2011 - drahn@suse.com

--- a/stunnel.rc
+++ b/stunnel.rc
@ -129,7 +129,7 @@ case "$1" in

 	test "$2" = "-v" && echo -en \
 		"\nrunnning '$DAEMON_BIN '"
-	startproc -l $STARTPROC_LOGFILE $DAEMON_BIN 			|| error=1 
+	startproc -l $STARTPROC_LOGFILE $DAEMON_BIN ${STUNNEL_CONF}			|| error=1 
 	
 	if [ $error -eq 1 ]; then 
 		echo -e -n "  please see $STARTPROC_LOGFILE for details ";
--- a/stunnel.spec
+++ b/stunnel.spec
@ -19,8 +19,8 @@ BuildRequires:  gcc-c++ tcp_wrappers
 %endif
 Summary:        Universal SSL Tunnel
 License:        GNU Library General Public License v. 2.0 and 2.1 (LGPL)
-Version:        4.43
-Release:        0.<RELEASE6> 
+Version:        4.47
+Release:        0
 Group:          Productivity/Networking/Security
 URL:            http://www.stunnel.org/
 Autoreqprov:    on