Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

stunnel-5.57-3.11.1 RPM for ppc64le

From OpenSuSE Leap 15.3 for ppc64le

Name: stunnel Distribution: SUSE Linux Enterprise 15
Version: 5.57 Vendor: SUSE LLC <https://www.suse.com/>
Release: 3.11.1 Build date: Thu Mar 11 16:35:40 2021
Group: Productivity/Networking/Security Build host: cabernet
Size: 377257 Source RPM: stunnel-5.57-3.11.1.src.rpm
Packager: https://www.suse.com/
Url: http://www.stunnel.org/
Summary: Universal TLS Tunnel
Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without
any changes in the programs' code. Its architecture is optimized for security, portability, and
scalability (including load-balancing), making it suitable for large deployments.

Provides

Requires

License

GPL-2.0-or-later

Changelog

* Tue Mar 09 2021 pmonreal@suse.com
  - Security fix: [bsc#1177580, bsc#1182529, CVE-2021-20230]
    * "redirect" option does not properly handle "verifyChain = yes"
  - Add stunnel-CVE-2021-20230.patch
* Tue Jan 26 2021 opensuse@dstoecker.de
  - Do not replace the active config file: boo#1182376
* Mon Nov 30 2020 vetter@physik.uni-wuerzburg.de
  - Remove pidfile from service file fixes start bug: boo#1178533
* Sun Oct 11 2020 michael@stroeder.com
  - update to 5.57:
    * Security bugfixes
    - The "redirect" option was fixed to properly
      handle "verifyChain = yes" boo#1177580
    * New features
    - New securityLevel configuration file option.
    - Support for modern PostgreSQL clients
    - TLS 1.3 configuration updated for better compatibility.
    * Bugfixes
    - Fixed a transfer() loop bug.
    - Fixed memory leaks on configuration reloading errors.
    - DH/ECDH initialization restored for client sections.
    - Delay startup with systemd until network is online.
    - A number of testing framework fixes and improvements.
* Mon Aug 24 2020 dmueller@suse.com
  - update to 5.56:
    - Various text files converted to Markdown format.
    - Support for realpath(3) implementations incompatible
      with POSIX.1-2008, such as 4.4BSD or Solaris.
    - Support for engines without PRNG seeding methods (thx to
      Petr Mikhalitsyn).
    - Retry unsuccessful port binding on configuration
      file reload.
    - Thread safety fixes in SSL_SESSION object handling.
    - Terminate clients on exit in the FORK threading model.
* Tue Mar 10 2020 vetter@physik.uni-wuerzburg.de
  - Fixup stunnel.conf handling:
    * Remove old static openSUSE provided stunnel.conf.
    * Use upstream stunnel.conf and tailor it for openSUSE using sed.
    * Don't show README.openSUSE when installing.
* Thu Feb 27 2020 vetter@physik.uni-wuerzburg.de
  - enable /etc/stunnel/conf.d
  - re-enable openssl.cnf
* Mon Feb 03 2020 dimstar@opensuse.org
  - BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
    shortcut through the -mini flavors.
* Fri Sep 13 2019 vcizek@suse.com
  - Install the correct file as README.openSUSE (bsc#1150730)
    * stunnel.keyring was accidentally installed instead
* Fri Sep 13 2019 vcizek@suse.com
  - update to version 5.55
    New features
      New "ticketKeySecret" and "ticketMacSecret" options to control confidentiality
      and integrity protection of the issued session tickets. These options allow for
      session resumption on other nodes in a cluster.
      Logging of the assigned bind address instead of the requested bind address.
      Check whether "output" is not a relative file name.
      Added sslVersion, sslVersionMin and sslVersionMax for OpenSSL 1.1.0 and later.
      Hexadecimal PSK keys are automatically converted to binary.
      Session ticket support (requires OpenSSL 1.1.1 or later). "connect" address
      persistence is currently unsupported with session tickets.
      SMTP HELO before authentication (thx to Jacopo Giudici).
      New "curves" option to control the list of elliptic curves in OpenSSL 1.1.0 and later.
      New "ciphersuites" option to control the list of permitted TLS 1.3 ciphersuites.
      Include file name and line number in OpenSSL errors.
      Compatibility with the current OpenSSL 3.0.0-dev branch.
      Better performance with SSL_set_read_ahead()/SSL_pending().
    Bugfixes
      A number of testing framework fixes and improvements.
      Service threads are terminated before OpenSSL cleanup to prevent occasional stunnel crashes at shutdown.
      Fixed data transfer stalls introduced in stunnel 5.51.
      Fixed a transfer() loop bug introduced in stunnel 5.51.
      Fixed PSKsecrets as a global option (thx to Teodor Robas).
      Fixed a memory allocation bug (thx to matanfih).
      Fixed PSK session resumption with TLS 1.3.
      Fixed a memory leak in the WIN32 logging subsystem.
      Allow for zero value (ignored) TLS options.
      Partially refactored configuration file parsing and logging subsystems for clearer code and minor bugfixes.
    Caveats
      We removed FIPS support from our standard builds. FIPS will still be available with custom builds.
  - drop stunnel-listenqueue-option.patch
    Its original purpose (from bsc#674554) was to allow setting a higher
    backlog value for listen(). As that value was raised to SOMAXCONN
    years ago (in 4.36), we don't need it anymore
* Fri Feb 22 2019 fbui@suse.com
  - Drop use of $FIRST_ARG in .spec
    The use of $FIRST_ARG was probably required because of the
    %service_* rpm macros were playing tricks with the shell positional
    parameters. This is bad practice and error prones so let's assume
    that no macros should do that anymore and hence it's safe to assume
    that positional parameters remains unchanged after any rpm macro
    call.
* Sun Nov 11 2018 obs@botter.cc
  - disabled checks; checks depend on ncat and network accessibility
* Sun Nov 11 2018 obs@botter.cc
  - update to version 5.49
    * Logging of negotiated or resumed TLS session IDs (thx to ANSSI - National Cybersecurity Agency of France).
    * Merged Debian 10-enabled.patch and 11-killproc.patch (thx to Peter Pentchev).
    * OpenSSL DLLs updated to version 1.0.2p.
    * PKCS#11 engine DLL updated to version 0.4.9.
    * Fixed a crash in the session persistence implementation.
    * Fixed syslog identifier after configuration file reload.
    * Fixed non-interactive "make check" invocations.
    * Fixed reloading syslog configuration.
    * stunnel.pem created with SHA-256 instead of SHA-1.
    * SHA-256 "make check" certificates.
  - includes new version 5.48
    * Fixed requesting client certificate when specified as a global option.
    * Certificate subject checks modified to accept certificates if at least one of the specified checks matches.
  - includes new version 5.47
    * Fast add_lock_callback for OpenSSL < 1.1.0. This largely improves performance on heavy load.
    * Automatic detection of Homebrew OpenSSL.
    * Clarified port binding error logs.
    * Various "make test" improvements.
    * Fixed a crash on switching to SNI slave sections.
  - includes new version 5.46
    * The default cipher list was updated to a safer value: "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK".
    * Default accept address restored to INADDR_ANY.
  - includes new version 5.45
    * Implemented delayed deallocation of service sections after configuration file reload.
    * OpenSSL DLLs updated to version 1.0.2o.
    * Deprecated the sslVersion option.
    * The "socket" option is now also available in service sections.
    * Implemented try-restart in the SysV init script (thx to Peter Pentchev).
    * TLS 1.3 compliant session handling for OpenSSL 1.1.1.
    * Default "failover" value changed from "rr" to "prio".
    * New "make check" tests.
    * A service no longer refuses to start if binding fails for some (but not all) addresses:ports.
    * Fixed compression handling with OpenSSL 1.1.0 and later.
    * _beginthread() replaced with safer _beginthreadex().
    * Fixed exception handling in libwrap.
    * Fixed exec+connect services.
    * Fixed automatic resolver delaying.
    * Fixed a Gentoo cross-compilation bug (thx to Joe Harvell).
    * A number of "make check" framework fixes.
    * Fixed false postive memory leak logs.
    * Build fixes for OpenSSL versions down to 0.9.7.
    * Fixed (again) round-robin failover in the FORK threading model.
* Tue Feb 06 2018 vetter@physik.uni-wuerzburg.de
  - Revamp SLE11 builds
* Thu Feb 01 2018 jengelh@inai.de
  - Do not ignore errors from useradd. Ensure nogroup exists
    beforehand.
  - Replace old $RPM_ variables. Combine two nested ifs.
* Wed Jan 24 2018 avindra@opensuse.org
  - update to version 5.44
    * Default accept address restored to INADDR_ANY
    * Fix race condition in "make check"
    * Fix removing the pid file after configuration reload
  - includes 5.43
    * Allow for multiple "accept" ports per section
    * Self-test framework (make check)
    * Added config load before OpenSSL init
    * OpenSSL 1.1.1-dev compilation fixes
    * Fixed round-robin failover in the FORK threading model
    * Fixed handling SSL_ERROR_ZERO_RETURN in SSL_shutdown()
    * Minor fixes of the logging subsystem
    * OpenSSL DLLs updated to version 1.0.2m
  - add new checking to build
  - rebase stunnel-listenqueue-option.patch
  - Cleanup with spec-cleaner
* Thu Nov 23 2017 rbrown@suse.com
  - Replace references to /var/adm/fillup-templates with new
    %_fillupdir macro (boo#1069468)
* Thu Aug 17 2017 vetter@physik.uni-wuerzburg.de
  - add more verbose change log:
    Version 5.42, 2017.07.16, urgency: HIGH
  - New features
    * "redirect" also supports "exec" and not only "connect".
    * PKCS#11 engine DLL updated to version 0.4.7.
  - Bugfixes
    * Fixed premature cron thread initialization causing hangs.
    * Fixed "verifyPeer = yes" on OpenSSL <= 1.0.1.
    * Fixed pthreads support on OpenSolaris.
* Wed Jul 19 2017 michael@stroeder.com
  - update to version 5.42
* Thu Apr 06 2017 werner@suse.de
  - Require package config for libsystemd to help the configure script
    to detect and enable systemd socket activation (boo#1032557)
  - Refresh patch stunnel-listenqueue-option.patch
* Sat Apr 01 2017 michael@stroeder.com
  - update to version 5.41
* Fri Feb 10 2017 kukuk@suse.de
  - Don't require insserv if we don't use it
* Sat Jan 28 2017 michael@stroeder.com
  - update to version 5.40
* Mon Jan 02 2017 michael@stroeder.com
  - update to version 5.39
* Thu Dec 08 2016 michael@stroeder.com
  - update to version 5.38
* Sun Oct 16 2016 jengelh@inai.de
  - Update rpm group and description and make -doc noarch
  - Do not suppress errors from useradd
  - Remove redundant %clean section
* Fri Oct 14 2016 drahn@suse.com
  - update to version 5.36
  - Removed direct zlib dependency.
* Wed Sep 21 2016 drahn@suse.com
  - update to version 5.35
  - repackage source as bz2
  - adjust systemd unit file to start after network-online.target
  - bugixes:
    * Fixed incorrectly enforced client certificate requests.
    * Fixed thread safety of the configuration file reopening.
    * Fixed malfunctioning "verify = 4".
    * Only reset the watchdog if some data was actually transferred.
    * Fixed logging an incorrect value of the round-robin starting point (thx to
    Jose Alf.).
  - new features:
    * Added three new service-level options: requireCert, verifyChain, and
    verifyPeer for fine-grained certificate verification control.
    * SNI support also enabled on OpenSSL 0.9.8f and later (thx to Guillermo
    Rodriguez Garcia).
    * Added support for PKCS #12 (.p12/.pfx) certificates (thx to Dmitry
    Bakshaev).
    * New "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6.
    * Added logging the list of client CAs requested by the server.
* Wed Feb 03 2016 michael@stroeder.com
  - update to 5.30
    New features
      Improved compatibility with the current OpenSSL 1.1.0-dev tree.
      Added OpenSSL autodetection for the recent versions of Xcode.
    Bugfixes
      Fixed references to /etc removed from stunnel.init.in.
      Stopped even trying -fstack-protector on unsupported platforms
      (thx to Rob Lockhart).
* Wed Jan 20 2016 opensuse@dstoecker.de
  - update to 5.29
  - system script restarts stunnel after a crash
  - readd rcstunnel macro for systemd systems
  - drop stunnel-ocsp-host.patch (included upstream)
* Thu Aug 06 2015 drahn@suse.com
  - stunnel-ocsp-host.patch: Fix compatibility issues with older OpenSSL
    versions. Replaces stunnel-5.22-code11-openssl-compat.diff.
* Fri Jul 31 2015 drahn@suse.com
  - update to version 5.22
    New features
    - "OCSPaia = yes" added to the configuration file templates.
    - Improved double free detection.
    Bugfixes
    - Fixed a number of OCSP bugs. The most severe of those bugs caused stunnel to
    treat OCSP responses that failed OCSP_basic_verify() checks as if they were
    successful.
    - Fixed the passive IPv6 resolver (broken in stunnel 5.21).
  - Remove executable bit from sample scripts
  - stunnel-5.22-code11-openssl-compat.diff: Compatibility for openssl on CODE11
* Tue Jul 28 2015 drahn@suse.com
  - update to version 5.21
    New features
    - Signal names are displayed instead of numbers.
    - First resolve IPv4 addresses on passive resolver requests.
    - More elaborate descriptions were added to the warning about using
    "verify = 2" without "checkHost" or "checkIP".
    - Performance optimization was performed on the debug code.
    Bugfixes
    - Fixed the FORK and UCONTEXT threading support.
    - Fixed "failover=prio" (broken since stunnel 5.15).
    - Added a retry when sleep(3) was interrupted by a signal in the cron
    thread scheduler.
* Tue Jul 14 2015 drahn@suse.com
  - update to version 5.20
    New features
    - The SSL library detection algorithm was made a bit smarter.
    - Warnings about insecure authentication were modified to include the name of
      the affected service section.
    - Documentation updates (closes Debian bug #781669).
    Bugfixes
    - Signal pipe reinitialization added to prevent turning the main accepting
      thread into a busy wait loop when an external condition breaks the signal pipe.
      This bug was found to surface on Win32, but other platforms may also be
      affected.
    - Generated temporary DH parameters are used for configuration reload instead
      of the static defaults.
    - Fixed the manual page headers (thx to Gleydson Soares).
* Mon Jun 29 2015 drahn@suse.com
  - update to version 5.19
    Bugfixes:
    - Improved socket error handling.
    - Fixed handling of dynamic connect targets.
    - Fixed handling of trailing whitespaces in the Content-Length header of the
      NTLM authentication.
    - Fixed memory leaks in certificate verification.
    New features:
    - The "redirect" option was improved to not only redirect sessions established
      with an untrusted certificate, but also sessions established without a
      client certificate.
    - Randomize the initial value of the round-robin counter.
    - Added "include" configuration file option to include all configuration file
      parts located in a specified directory.
    - Temporary DH parameters are refreshed every 24 hours, unless static DH
      parameters were provided in the certificate file.
    - Warnings are logged on potentially insecure authentication.
  - stunnel-listenqueue-option.patch: Refresh.
  - stunnel3-binpath.patch: Obsolete, dropped.
  - stunnel.service: Modified to start after network.target, not syslog.target.
* Wed Jan 14 2015 michael@stroeder.com
  - Update to version 5.09
    Version 5.09, 2015.01.02, urgency: LOW:
    * New features
    - Added PSK authentication with two new service-level
      configuration file options "PSKsecrets" and "PSKidentity".
    - Added additional security checks to the OpenSSL memory
      management functions.
    - Added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE
      OpenSSL configuration flags.
    - Added compatibility with the current OpenSSL 1.1.0-dev tree.
    * Bugfixes
    - Removed defective s_poll_error() code occasionally causing
      connections to be prematurely closed (truncated).
      This bug was introduced in stunnel 4.34.
    - Fixed ./configure systemd detection (thx to Kip Walraven).
    - Fixed ./configure sysroot detection (thx to Kip Walraven).
    - Fixed compilation against old versions of OpenSSL.
    - Removed outdated French manual page.
    Version 5.08, 2014.12.09, urgency: MEDIUM:
    * New features
    - Added SOCKS4/SOCKS4a protocol support.
    - Added SOCKS5 protocol support.
    - Added SOCKS RESOLVE [F0] TOR extension support.
    - Updated automake to version 1.14.1.
    - OpenSSL directory searching is now relative to the sysroot.
    * Bugfixes
    - Fixed improper hangup condition handling.
    - Fixed missing -pic linker option.  This is required for
      Android 5.0 and improves security.
    Version 5.07, 2014.11.01, urgency: MEDIUM:
    * New features
    - Several SMTP server protocol negotiation improvements.
    - Added UTF-8 byte order marks to stunnel.conf templates.
    - DH parameters are no longer generated by "make cert".
      The hardcoded DH parameters are sufficiently secure,
      and modern TLS implementations will use ECDH anyway.
    - Updated manual for the "options" configuration file option.
    - Added support for systemd 209 or later.
    - New --disable-systemd ./configure option.
    - setuid/setgid commented out in stunnel.conf-sample.
    * Bugfixes
    - Added support for UTF-8 byte order mark in stunnel.conf.
    - Compilation fix for OpenSSL with disabled SSLv2 or SSLv3.
    - Non-blocking mode set on inetd and systemd descriptors.
    - shfolder.h replaced with shlobj.h for compatibility
      with modern Microsoft compilers.
    Version 5.06, 2014.10.15, urgency: HIGH:
    * Security bugfixes
    - OpenSSL DLLs updated to version 1.0.1j.
      https://www.openssl.org/news/secadv_20141015.txt
    - The insecure SSLv2 protocol is now disabled by default.
      It can be enabled with "options = -NO_SSLv2".
    - The insecure SSLv3 protocol is now disabled by default.
      It can be enabled with "options = -NO_SSLv3".
    - Default sslVersion changed to "all" (also in FIPS mode)
      to autonegotiate the highest supported TLS version.
    * New features
    - Added missing SSL options to match OpenSSL 1.0.1j.
    - New "-options" commandline option to display the list
      of supported SSL options.
    * Bugfixes
    - Fixed FORK threading build regression bug.
    - Fixed missing periodic Win32 GUI log updates.
    Version 5.05, 2014.10.10, urgency: MEDIUM:
    * New features
    - Asynchronous communication with the GUI thread for faster
      logging on Win32.
    - systemd socket activation (thx to Mark Theunissen).
    - The parameter of "options" can now be prefixed with "-"
      to clear an SSL option, for example:
      "options = -LEGACY_SERVER_CONNECT".
    - Improved "transparent = destination" manual page (thx to
      Vadim Penzin).
    * Bugfixes
    - Fixed POLLIN|POLLHUP condition handling error resulting
      in prematurely closed (truncated) connection.
    - Fixed a null pointer dereference regression bug in the
      "transparent = destination" functionality (thx to
      Vadim Penzin). This bug was introduced in stunnel 5.00.
    - Fixed startup thread synchronization with Win32 GUI.
    - Fixed erroneously closed stdin/stdout/stderr if specified
      as the -fd commandline option parameter.
    - A number of minor Win32 GUI bugfixes and improvements.
    - Merged most of the Windows CE patches (thx to Pierre Delaage).
    - Fixed incorrect CreateService() error message on Win32.
    - Implemented a workaround for defective Cygwin file
      descriptor passing breaking the libwrap support:
      http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors
    Version 5.04, 2014.09.21, urgency: LOW:
    * New features
    - Support for local mode ("exec" option) on Win32.
    - Support for UTF-8 config file and log file.
    - Win32 UTF-16 build (thx to Pierre Delaage for support).
    - Support for Unicode file names on Win32.
    - A more explicit service description provided for the
      Windows SCM (thx to Pierre Delaage).
    - TCP/IP dependency added for NT service in order to prevent
      initialization failure at boot time.
    - FIPS canister updated to version 2.0.8 in the Win32 binary
      build.
    * Bugfixes
    - load_icon_default() modified to return copies of default icons
      instead of the original resources to prevent the resources
      from being destroyed.
    - Partially merged Windows CE patches (thx to Pierre Delaage).
    - Fixed typos in stunnel.init.in and vc.mak.
    - Fixed incorrect memory allocation statistics update in
      str_realloc().
    - Missing REMOTE_PORT environmental variable is provided to
      processes spawned with "exec" on Unix platforms.
    - Taskbar icon is no longer disabled for NT service.
    - Fixed taskbar icon initialization when commandline options are
      specified.
    - Reportedly more compatible values used for the dwDesiredAccess
      parameter of the CreateFile() function (thx to Pierre Delaage).
    - A number of minor Win32 GUI bugfixes and improvements.

Files

/etc/stunnel
/etc/stunnel/conf.d
/etc/stunnel/stunnel.conf
/usr/lib/systemd/system/stunnel.service
/usr/lib64/stunnel
/usr/lib64/stunnel/libstunnel.so
/usr/sbin/rcstunnel
/usr/sbin/stunnel
/usr/sbin/stunnel3
/usr/share/fillup-templates/sysconfig.syslog-stunnel
/usr/share/man/man8/stunnel.8.gz
/usr/share/man/man8/stunnel.pl.8.gz
/var/lib/stunnel
/var/lib/stunnel/bin
/var/lib/stunnel/dev
/var/lib/stunnel/etc
/var/lib/stunnel/lib64
/var/lib/stunnel/sbin
/var/lib/stunnel/var
/var/lib/stunnel/var/run


Generated by rpm2html 1.8.1

Fabrice Bellet, Sat Mar 9 14:38:19 2024