Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
stunnel
stunnel.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File stunnel.changes of Package stunnel
------------------------------------------------------------------- Mon Aug 15 11:47:17 UTC 2016 - mkoutny@suse.com - Delay stunnel start after network-online.target (bnc#990797) ------------------------------------------------------------------- Wed May 27 06:08:00 UTC 2015 - drahn@suse.com - stunnel-CVE-2015-3644.patch: Fix authentication bypass when using "redirect" option (CVE-2015-3644, bsc#931517, backport from v5.17) ------------------------------------------------------------------- Thu Mar 6 16:21:11 UTC 2014 - drahn@suse.com - update to final v5.00 code (FATE#315694) - security fix: Added PRNG state update in fork threading (CVE-2014-0016). - Patches: - stunnel-listenqueue-option.patch refreshed. ------------------------------------------------------------------- Wed Feb 5 11:59:29 UTC 2014 - drahn@suse.com - re-add stunnel.cnf openssl cert default config file (bnc#862294) ------------------------------------------------------------------- Fri Jan 31 11:47:46 UTC 2014 - drahn@suse.com - update license information to correct SPDX format - reintroduce stunnel3-binpath.patch - set correct PATH within stunnel3 wrapper ------------------------------------------------------------------- Tue Jan 21 12:22:01 UTC 2014 - drahn@suse.com - Update to version 5.0b1 (FATE#315694) - Default "pid" is now "", i.e. not to create a pid file at startup. - Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2" due to AlFBPPS attack and bad performance of DH ciphersuites. - New service-level option "redirect" to redirect SSL client connections on authentication failures instead of rejecting them. - New global "engineDefault" configuration file option to control which OpenSSL tasks are delegated to the current engine. - New service-level configuration file option "engineId" to select the engine by identifier, e.g. "engineId = capi". - Improved readability of error messages printed when stunnel refuses to start due to a critical error. - Patches: - stunnel-CVE-2013-1762.patch obsoleted. Drpped. - stunnel-default-fips-off.patch obsoleted. Dropped. - stunnel-listenqueue-option.patch refreshed. ------------------------------------------------------------------- Tue Mar 5 08:55:57 UTC 2013 - drahn@suse.com - stunnel-CVE-2013-1762.patch: Fix buffer overflow in NTLM authentication (CVE-2013-1762, bnc#807440) ------------------------------------------------------------------- Thu Jan 3 09:17:18 UTC 2013 - drahn@suse.com - update package to new version 4.54 (FATE#314256) - New features: * "session" option renamed to more readable "sessionCacheTimeout". The old name remains accepted for backward compatibility. * New service-level "sessionCacheSize" option to control session cache size. * New service-level option "reset" to control whether TCP RST flag is used to indicate errors. The default value is "reset = yes". * New service-level option "renegotiation" to disable SSL renegotiation. * Added client-mode "sni" option to directly control the value of TLS Server Name Indication (RFC 3546) extension. * Glibc-specific dynamic allocation tuning was applied to help unused memory deallocation. * Non-blocking OCSP implementation. * New "compression = deflate" global option to enable RFC 2246 compresion. - stunnel-init-openssl-fix.patch obsoleted. Dropped. - stunnel-cipher-handling.patch obsoleted. Dropped. - stunnel-listenqueue-option.patch rebased to new version. - stunnel-default-fips-off.patch rebased to new version. ------------------------------------------------------------------- Wed Aug 22 07:54:52 UTC 2012 - drahn@suse.com - stunnel-cipher-handling.patch: Fix stunnel cipher initialization. Backport from upstream version 4.53 (bnc#776756) ------------------------------------------------------------------- Mon Aug 20 18:44:59 UTC 2012 - drahn@suse.com - stunnel-init-openssl-fix.patch: Fix openSSL library initialization. Backport from upstream version 4.53. (bnc#775262) - stunnel-default-fips-off.patch: Default FIPS mode to off when built against updated openSSL library. (bnc#775262) - correct configure option to enable libwrap support ------------------------------------------------------------------- Thu May 12 08:41:31 CEST 2011 - drahn@suse.de - update package to 4.36 (FATE#311400) - obsoletes SOMAXCONN and libwrap disable patches (bnc#674554) - forward port listenqueue patch (bnc#674554) ------------------------------------------------------------------- Mon Sep 21 05:53:26 UTC 2009 - daniel.rahn@novell.com - checkin package for SLES11 SP1 (FATE#307180) - package source as bz2 - strip off debug package - update to 4.27: Version 4.27, 2009.04.16, urgency: MEDIUM: * New features - Win32 DLLs for OpenSSL 0.9.8k. - FIPS support was updated for openssl-fips 1.2. - New priority failover strategy for multiple "connect" targets, controlled with "failover=rr" (default) or "failover=prio". - pgsql protocol negotiation by Marko Kreen <markokr@gmail.com>. - Building instructions were updated in INSTALL.W32 file. * Bugfixes - Libwrap helper processes fixed to close standard input/output/error file descriptors. - OS2 compilation fixes. - WCE fixes by Pierre Delaage <delaage.pierre@free.fr>. ------------------------------------------------------------------- Wed Feb 18 20:15:22 CEST 2009 - vetter@physik.uni-wuerzburg.de - set ownership of /var/lib/stunnel/var/run to stunnel for pid file - update to 4.26: Version 4.26, 2008.09.20, urgency: MEDIUM: * New features - Win32 DLLs for OpenSSL 0.9.8i. - /etc/hosts.allow and /etc/hosts.deny no longer need to be copied to the chrooted directory, as the libwrap processes are no longer chrooted. - A more informative error messages for invalid port number specified in stunnel.conf file. - Support for Microsoft Visual C++ 9.0 Express Edition. * Bugfixes - Killing all libwrap processes at stunnel shutdown fixed. - A minor bug in stunnel.init sample SysV startup file fixed. ------------------------------------------------------------------- Tue Sep 16 00:10:22 CEST 2008 - poeml@suse.de - update to 4.25. Changelog excerpt, only platform relevant changes shown here: * SECURITY FIX: - OCSP code was fixed to properly reject revocated certificates. * New features - Makefile was updated to use standard autoconf variables: sysconfdir, localstatedir and pkglibdir. - A new global option to control logging to syslog: syslog = yes|no Simultaneous logging to a file and the syslog is now possible. - A new service level option to control stack size: stack = <number of bytes> * Bugfixes - Spawning libwrap processes delayed until privileges are dropped. - Compilation fix for systems without struct msghdr.msg_control. - Restored chroot() to be executed after decoding numerical userid and groupid values in drop_privileges(). - A few bugs fixed the in the new libwrap support code. - TLSv1 method used by default in FIPS mode instead of SSLv3 client and SSLv23 server methods. - OpenSSL GPL license exception update based on http://www.gnu.org/licenses/gpl-faq.html#GPLIncompatibleLibs - dropped stunnel-4.21-write_pid_as_root.diff, and instead fix the init script to add chroot prefix when dealing with the pid file ------------------------------------------------------------------- Mon Sep 15 11:44:47 CEST 2008 - poeml@suse.de - fix init script's LSB headers ------------------------------------------------------------------- Tue Feb 5 15:42:28 CET 2008 - poeml@suse.de - create $chroot_dir/var/run for the new pidfile location ------------------------------------------------------------------- Mon Jan 28 11:56:41 CET 2008 - poeml@suse.de - make the filelist own /usr/lib*/stunnel ------------------------------------------------------------------- Fri Jan 25 11:23:01 CET 2008 - poeml@suse.de - fix build (re-diff stunnel-4.21-write_pid_as_root.diff) - fix filelist (make sure that the binaries stay in /usr/sbin) ------------------------------------------------------------------- Mon Oct 29 17:54:21 CET 2007 - poeml@suse.de - update to 4.21: Changes: Initial FIPS 140-2 support was added. Non-MT-safe libwrap (TCP Wrappers) library support was rewritten. It's currently based on pre-forked processes and should be much faster. Some bugfixes were also added. ------------------------------------------------------------------- Thu Aug 16 09:21:23 CEST 2007 - poeml@suse.de - update to 4.20. Changes (edited): Version 4.20, 2006.11.30, urgency: MEDIUM: * Release notes - There are a lot of new features in this version. * New features - New service-level option to specify OCSP server flag: OCSPflag = <flag> - "protocolCredentials" option changed to "protocolUsername" and "protocolPassword" - NTLM support to be enabled with the new service-level option: protocolAuthentication = NTLM - imap protocol negotiation support added. - Passphrase cache was added so the user does not need to reenter the same passphrase for each defined service any more. - New service-level option to retry connect+exec section: retry = yes|no - Local IP and port is logged for each established connection. * Bugfixes - Serious problem with SSL_WANT_* retries fixed. The new code requires extensive testing! - Problem with detecting getaddrinfo() in ./configure fixed. - Compilation problem due to misplaced #endif in ssl.c fixed. - Duplicate 220 in smtp_server() function in protocol.c fixed. - Minor update of safestring()/safename() macros. ------------------------------------------------------------------- Thu May 10 23:52:22 CEST 2007 - ro@suse.de - added openssl to buildrequires ------------------------------------------------------------------- Mon Apr 2 16:18:41 CEST 2007 - rguenther@suse.de - add zlib-devel BuildRequires ------------------------------------------------------------------- Tue Oct 17 20:31:20 CEST 2006 - poeml@suse.de - there is no SuSEconfig.syslog script anymore, thus remove the YaST hint from the sysconfig template ------------------------------------------------------------------- Wed Sep 27 15:09:23 CEST 2006 - poeml@suse.de - upstream 4.16 * New features sponsored by Hewlett-Packard - A new global option to control engine: engineCtrl = <command>[:<parameter>] - A new service-level option to select engine to read private key: engineNum = <engine number> - OCSP support: ocsp = <URL> * New features - A new option to select version of SSL protocol: sslVersion = all|SSLv2|SSLv3|TLSv1 - Visual Studio vc.mak by David Gillingham <dgillingham@gmail.com>. - OS2 support by Paul Smedley (http://smedley.info) * Bugfixes - An ordinary user can install stunnel again. - Compilation problem with --enable-dh fixed. - Some minor compilation warnings fixed. - Service-level CRL cert store implemented. - GPF on protocol negotiations fixed. - Problem detecting addrinfo() on Tru64 fixed. - Default group is now detected by configure script. - Check for maximum number of defined services added. - OpenSSL_add_all_algorithms() added to SSL initialization. - configure script sections reordered to detect pthread library funcions. - RFC 2487 autdetection improved (thx to Hans Werner Strube). High resolution s_poll_wait() not currently supported by UCONTEXT threading. - More precise description of cert directory file names (thx to Muhammad Muquit). * Other changes - Maximum number of services increased from 64 to 256 when poll() is used. - add BuildRequires: tcp_wrappers gcc-c++ for building on Fedora - remove doc files installed by make install, which are picked up by %doc ------------------------------------------------------------------- Fri Jun 23 15:11:22 CEST 2006 - poeml@suse.de - build as non-root - build with fPIE/pie on SUSE 10.0 or newer, or on any other platform - fix BuildRequires for Fedora Core, and wrap suse_version macros - upstream 4.15 * Release notes - There are a lot of new features in this version. I recommend to test it well before upgrading your mission-critical systems. [note by packager: out since 3 months, without major problems] * Bugfixes - Default threading model changed to pthread for better portability. - DH parameters are not included in the certificate by default. * New features sponsored by Software House http://www.swhouse.com/ - Most SSL-related options (including client, cert, key) are now available on service level, so it is possible to have an SSL client and an SSL server in a single stunnel process. * New features - Client mode CONNECT protocol support (RFC 2817 section 5.2). http://www.ietf.org/rfc/rfc2817.txt - Retrying exec+connect services added. - make install now tries to create /var/lib/stunnel chmoded 1770 and group nogroup, which we don't do. ------------------------------------------------------------------- Wed Jan 25 21:41:50 CET 2006 - mls@suse.de - converted neededforbuild to BuildRequires ------------------------------------------------------------------- Sun Nov 27 18:05:05 CET 2005 - lmuelle@suse.de - update to 4.14 ------------------------------------------------------------------- Thu Oct 6 14:16:25 CEST 2005 - poeml@suse.de - fix hang/segfault upon connect. Use pthreads by removing configure check for ucontext.h [#119650] ------------------------------------------------------------------- Tue Aug 30 15:54:37 CEST 2005 - poeml@suse.de - fix parsing of ldd output when setting up the chroot jail [#114090] ------------------------------------------------------------------- Tue Jun 21 14:39:34 CEST 2005 - poeml@suse.de - update to 4.10 - Some bugfixes and code cleanup were done. - A new user-level non-preemptive thread model was added for even greater scalability. - The stunnel3 script was improved to be more compatible with getopt. - add post-4.10 stunnel-4.10-inetd.patch - compile with tcp wrappers - compile as PIE and link with -z relro ------------------------------------------------------------------- Tue Jan 4 10:46:20 CET 2005 - poeml@suse.de - update to 4.07 * Bugfixes - Problem with infinite poll() timeout negative, but not equal to -1 fixed. - Problem with a file descriptor ready to be read just after a non-blocking connect call fixed. - Compile error with EAI_NODATA not defined or equal to EAI_NONAME fixed. - IP address and TCP port textual representation length (IPLEN) increased to 128 bytes. - OpenSSL engine support is only used if engine.h header file exists. - Broken NT Service mode on WIN32 platform fixed. - Support for IPv4-only WIN32 machines restored. ------------------------------------------------------------------- Tue Dec 28 15:28:18 CET 2004 - poeml@suse.de - update to 4.06 In this version, IPv6 support, compression support, hardware engine selection and many other features were added. A new stunnel3 Perl script to emulate version 3.x command line options was added. poll() is used instead of select() where available, so FD_SETSIZE no longer limits the number of concurrent connections. - add stunnel-4.06-nfds.dif stunnel-4.06-poll_timeout.patch stunnel-4.06-race_condition.patch ------------------------------------------------------------------- Thu Nov 11 12:57:47 CET 2004 - poeml@suse.de - fix filelist for /usr/lib ------------------------------------------------------------------- Fri Mar 5 17:20:21 CET 2004 - poeml@suse.de - update to 4.05. new features (excerpt): * New feature sponsored by SURFnet http://www.surfnet.nl/ - Support for CIFS aka SMB protocol SSL negotiation. * New features - CRL support with new CApath and CAfile global options. - New -fd command line parameter to read configuration from a specified file descriptor instead of a file. - accept is reported as error with [section] defined (in stunnel 4.04 it was silently ignored causing problems for lusers that did not read the fine manual). - Use fcntl() instead of ioctlsocket() to set socket nonblocking when it is supported. - Basic support for hardware engines with OpenSSL >= 0.9.7. - French manual by Bernard Choppy <choppy@imaginet.fr>. - Thread stack size reduced to 64KB for maximum scalability. - Added optional code to debug thread stack usage. - Support for nsr-tandem-nsk (thx to Tom Bates <tom.bates@hp.com>). * Bugfixes - TCP wrappers code moved to CRIT_NTOA critical section since it uses static inet_ntoa() result buffer. - SSL_ERROR_SYSCALL handling problems fixed. - added code to retry nonblocking SSL_shutdown() calls. - Use FD_SETSIZE instead of 16 file descriptors in inetd mode. - fdscanf groks lowercase protocol negotiation commands. - Libwrap detection bug in ./configure script fixed. - Some other minor updates. - show readme only at first installation ------------------------------------------------------------------- Tue Aug 26 18:15:22 CEST 2003 - poeml@suse.de - add Config: syslog-ng to sysconfig.syslog-stunnel ------------------------------------------------------------------- Thu Aug 14 21:10:14 CEST 2003 - poeml@suse.de - add activation metadata to sysconfig template [#28954] - rename README.SuSE to README.{SuSE,UnitedLinux} - don't show blurb in %post if a certificate exists ------------------------------------------------------------------- Tue Aug 12 15:50:51 CEST 2003 - poeml@suse.de - implement 'try-restart' in rcstunnel correctly [#28636] ------------------------------------------------------------------- Wed Jul 30 18:06:49 CEST 2003 - poeml@suse.de - add an example configuration for tunneling MySQL - make stunnel3_wrapper compatible to more shells, and merge it with stunnel3_convert (which becomes a symlink) - new macros for stop/restart of services on rpm update/removal ------------------------------------------------------------------- Tue May 13 12:00:38 CEST 2003 - poeml@suse.de - delete (from the build root) files not to be packaged - package the libtool library file - add a commented option to the sample configuration ------------------------------------------------------------------- Thu Mar 13 14:10:53 CET 2003 - poeml@suse.de - rc.stunnel: do not write the startup log to a world writable directory [cf. #25239] ------------------------------------------------------------------- Mon Feb 17 18:22:36 CET 2003 - poeml@suse.de - Version 4.04, 2003.01.12, urgency: MEDIUM: * New features [excerpt] - New 'options' configuration option to setup OpenSSL library hacks with SSL_CTX_set_options(). - 'service' option also changes the name for TCP Wrappers access control in inetd mode. - SSL is negotiated before connecting remote host or spawning local process whenever possible. - REMOTE_HOST variable is always placed in the enrivonment of a process spawned with 'exec'. - Whole SSL error stack is dumped on errors. - 'make cert' rule is back (was missing since 4.00). - Manual page updated (special thanks to Brian Hatch). * Bugfixes - Major code cleanup (thx to Steve Grubb <linux_4ever@yahoo.com>). - Unsafe functions are removed from SIGCHLD handler. - Several bugs in auth_user() fixed. - Incorrect port when using 'local' option fixed. - OpenSSL tools '-rand' option is no longer directly used with a device (like '/dev/urandom'). Temporary random file is created with 'dd' instead. - fix typo in conf file example ------------------------------------------------------------------- Wed Feb 12 15:33:39 CET 2003 - mmj@suse.de - Add sysconfig metadata [#22699] ------------------------------------------------------------------- Thu Oct 31 21:38:10 CET 2002 - poeml@suse.de - update to 4.03 - add stunnel3_wrapper that translates the cmdline arguments into a configuration file - fix default path of pidfile - more examples ------------------------------------------------------------------- Fri Oct 25 22:27:10 CEST 2002 - poeml@suse.de - write the pid file before dropping the privileges ------------------------------------------------------------------- Fri Oct 25 20:22:23 CEST 2002 - poeml@suse.de - major version upgrade to 4.02 - better permissions for /etc/stunnel and keys [#18557] - run as "stunnel" user in chroot jail - add sysconfig.syslog-stunnel template and /var/lib/stunnel/dev for an additional syslog socket - added init script and example configuration ------------------------------------------------------------------- Sat Jul 27 14:20:01 CEST 2002 - adrian@suse.de - use %run_ldconfig ------------------------------------------------------------------- Thu Mar 8 11:50:46 CET 2001 - bk@suse.de - update to 3.14 and fix localstatedir (/var/run/stunnel) ------------------------------------------------------------------- Mon Feb 5 16:11:33 CET 2001 - bk@suse.de - fixed neededforbuild ------------------------------------------------------------------- Sun Feb 4 23:55:48 CET 2001 - bk@suse.de - new package
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor