File _patchinfo of Package patchinfo.23239

<patchinfo incident="23239">
  <issue tracker="jsc" id="SLE-20679"/>
  <issue tracker="bnc" id="1182529">VUL-0: stunnel: Security problem in redirect option for unauthenticated requests</issue>
  <issue tracker="bnc" id="1181400">AUDIT-TASK: Evaluate systemd hardenings and get more services to use them</issue>
  <packager>pmonrealgonzalez</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for stunnel</summary>
  <description>This update for stunnel fixes the following issues:

Update to 5.62 including new features and bugfixes:

  * Security bugfixes
    - The "redirect" option was fixed to properly handle unauthenticated requests (bsc#1182529).
    - Fixed a double free with OpenSSL older than 1.1.0.
    - Added hardening to systemd service (bsc#1181400).
  * New features
    - Added new "protocol = capwin" and "protocol = capwinctrl" configuration file options.
    - Added support for the new SSL_set_options() values.
    - Added a bash completion script.
    - New 'sessionResume' service-level option to allow or disallow session resumption.
    - Download fresh ca-certs.pem for each new release.
    - New 'protocolHeader' service-level option to insert custom 'connect' protocol negotiation headers.
      This feature can be used to impersonate other software (e.g. web browsers).
    - 'protocolHost' can also be used to control the client SMTP protocol negotiation HELO/EHLO value.
    - Initial FIPS 3.0 support.
    - Client-side "protocol = ldap" support.
  * Bugfixes
    - Fixed a transfer() loop bug.
    - Fixed reloading configuration with "systemctl reload stunnel.service".
    - Fixed incorrect messages logged for OpenSSL errors.
    - Fixed 'redirect' with 'protocol'.  This combination is not supported by 'smtp', 'pop3' and 'imap' protocols.
    - X.509v3 extensions required by modern versions of OpenSSL are added to generated self-signed test certificates.
    - Fixed a tiny memory leak in configuration file reload error handling.
    - Fixed engine initialization.
    - FIPS TLS feature is reported when a provider or container is available, and not when FIPS control API is available.
    - Fixed configuration reload when compression is used.
    - Fixed the test suite so that it does not require external connectivity.
</description>
</patchinfo>