File stunnel.changes of Package stunnel
-------------------------------------------------------------------
Thu Oct 13 11:14:38 UTC 2022 - Michal Kubecek <mkubecek@suse.cz>
- rpmlintrc: more general filters for bogus check errors
-------------------------------------------------------------------
Thu Feb 11 09:17:57 UTC 2021 - Michal Kubecek <mkubecek@suse.cz>
- update stunnel.keyring with new developer key
- upgrade to upstream version 5.57
* new "ticketKeySecret" and "ticketMacSecret" options
* add logging the list of active connections on SIGUSR2
* logging of the assigned bind address instead of the requested
bind address
* terminate service threads before OpenSSL cleanup to prevent
occasional stunnel crashes at shutdown
* support for engines without PRNG seeding methods
* retry unsuccessful port binding on configuration file reload
* terminate clients on exit in the FORK threading model
* fix "redirect" option to properly handle "verifyChain = yes"
* new securityLevel configuration file option
* support for modern PostgreSQL clients
* TLS 1.3 configuration updated for better compatibility
* various fixes
-------------------------------------------------------------------
Thu Feb 11 09:03:34 UTC 2021 - Michal Kubecek <mkubecek@suse.cz>
- add rpmlintrc to suppress bogus build errors in Factory
-------------------------------------------------------------------
Fri Apr 26 06:41:59 UTC 2019 - Michal Kubecek <mkubecek@suse.cz>
- upgrade to upstream version 5.53
* update default cipher list to a safer value
* restore default accept address to INADDR_ANY
* fix requesting client certificate when specified by global
option
* certificate subject checks modified to accept certificates if
at least one of the specified checks matches
* log negotiated or resumed TLS session IDs
* check whether "output" is not a relative file name
* add sslVersion, sslVersionMin and sslVersionMax for OpenSSL
1.1.0 and later
* automatically convert hex PSK keys to binary
* SMTP HELO before authentication
* new "curves" option to control the list of elliptic curves in
openssl >= 1.1.0
* new "ciphersuites" option to control the list of permitted TLS
1.3 ciphersuites
* include file name and line number in OpenSSL errors
* compatibility with the current OpenSSL 3.0.0-dev branch
* various performance improvements
* error message improvements
-------------------------------------------------------------------
Sun May 27 18:36:27 UTC 2018 - mkubecek@suse.cz
- upgrade to upstream version 5.45
* delayed deallocation of service sections after configuration file reload
* deprecated the sslVersion option
* the "socket" option is now also available in service sections
* implemented try-restart in the SysV init script
* TLS 1.3 compliant session handling for OpenSSL 1.1.1
* default "failover" value changed from "rr" to "prio"
* new "make check" tests
-------------------------------------------------------------------
Wed Jan 31 10:58:45 UTC 2018 - mkubecek@suse.cz
- Factory build now requires us to use %{_fillupdir} macro but
it's only defined in Factory... so let's jump through some more
hoops to make people with "Factory only" thinking happy
-------------------------------------------------------------------
Wed Jan 31 09:50:17 UTC 2018 - mkubecek@suse.cz
- upgrade to upstream version 5.44
* "sni=" can be used to prevent sending the SNI extension
* the AI_ADDRCONFIG resolver flag is used when available
* fixed a memory allocation bug causing crashes with OpenSSL
1.1.0
* fixed error handling for mixed IPv4/IPv6 destinations
* per-destination TLS session cache added for the client mode
* new "logId" parameter "process" added to log PID values
* added support for the new SSL_set_options() values
* fixed "logId" parameter to also work in inetd mode
* "delay = yes" properly enforces "failover = prio"
* fixed resolving addresses with unconfigured network interfaces
* DH ciphersuites are now disabled by default
* daily server DH parameter regeneration is only performed if DH
ciphersuites are enabled in the configuration file
* "checkHost" and "checkEmail" were modified to require either
"verifyChain" or "verifyPeer"
* fixed setting default ciphers
* default engine UI set with ENGINE_CTRL_SET_USER_INTERFACE
* key file name added into the passphrase console prompt
* performance optimization in memory leak detection
* fixed crashes with the OpenSSL 1.1.0 branch
* fixed certificate verification with "verifyPeer = yes" and
"verifyChain = no" (the default), while the peer only returns a
single certificate
* "redirect" also supports "exec" and not only "connect"
* fixed premature cron thread initialization causing hangs
* fixed "verifyPeer = yes" on OpenSSL <= 1.0.1
* allow for multiple "accept" ports per section
* self-test framework (make check)
* added config load before OpenSSL init
* OpenSSL 1.1.1-dev compilation fixes
* fixed round-robin failover in the FORK threading model
* fixed handling SSL_ERROR_ZERO_RETURN in SSL_shutdown()
* minor fixes of the logging subsystem
* default accept address restored to INADDR_ANY
* fixed removing the pid file after configuration reload
* updated documentation
- adjust to new Factory checks
-------------------------------------------------------------------
Fri Nov 25 18:09:36 UTC 2016 - mkubecek@suse.cz
- upgrade to upstream version 5.38
* the default SNI target (not handled by any slave service) is
handled by the master service rather than rejected
* removed thread synchronization in the FORK threading model
-------------------------------------------------------------------
Mon Sep 26 06:37:16 UTC 2016 - mkubecek@suse.cz
- upgrade to upstream version 5.36
* only reset the watchdog if some data was actually transferred
* fixed logging an incorrect value of the round-robin starting
point
* fixed a TLS session caching memory leak; before stunnel 5.27
this leak only emerged with sessiond enabled
* fixed a FORK threading build regression bug
* OPENSSL_NO_DH compilation fix
* fixed malfunctioning "verify = 4"
* fixed incorrectly enforced client certificate requests
* fixed thread safety of the configuration file reopening
* improved compatibility with the current OpenSSL 1.1.0-dev tree
* added logging the list of client CAs requested by the server
* new "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6
* memory leak detection
* SNI support also enabled on OpenSSL 0.9.8f and later
* added support for PKCS #12 (.p12/.pfx) certificates
* added three new service-level options: requireCert,
verifyChain, and verifyPeer for fine-grained certificate
verification control
* removed direct zlib dependency
- use original gzipped tarball again
- add tarball signature and public key
- specfile cleanup
-------------------------------------------------------------------
Tue Jan 12 09:46:40 UTC 2016 - mkubecek@suse.cz
- upgrade to upstream version 5.29
* fix the "s_poll_wait returned 1, but no descriptor is ready"
internal error
* fix "exec" hangs due to incorrect thread-local storage handling
* fix PRNG initialization
* fix incomplete initialization
* fix exit codes for information requests (as in "stunnel
-version" or "stunnel -help")
* fix configuration file reload for relative stunnel.conf path on
Unix
* fix ignoring CRLfile unless CAfile was also specified
* setting socket options no longer performed on PTYs
* SMTP client protocol negotiation support for
"protocolUsername", "protocolPassword", and
"protocolAuthentication"
* new service-level option "config" to specify configuration
commands introduced in OpenSSL 1.0.2
* improved compatibility with the current OpenSSL 1.1.0-dev tree
* added reading server certificates from hardware engines
* performance improvement: rwlocks used for locking with pthreads
-------------------------------------------------------------------
Thu Oct 22 05:02:46 UTC 2015 - mkubecek@suse.cz
- upgrade to upstream version 5.24
* fixed the FORK and UCONTEXT threading support
* fixed "failover=prio" (broken since stunnel 5.15)
* added a retry when sleep(3) was interrupted by a signal in the
cron thread scheduler
* signal names are displayed instead of numbers
* first resolve IPv4 addresses on passive resolver requests
* fixed a number of OCSP bugs. The most severe of those bugs
caused stunnel to treat OCSP responses that failed
OCSP_basic_verify() checks as if they were successful
* "OCSPaia = yes" added to the configuration file templates
* improved double free detection
* client-side support for the SOCKS protocol
* reject SOCKS requests to connect loopback addresses
* new service-level option "OCSPnonce"
* the ca-certs.pem file is now updated on stunnel upgrade
* added IPv6 support to the transparent proxy code
* fixed the RESOLVE [F0] TOR extension support in SOCKS5
* fixed the error code reported on the failed bind() requests
* fixed the sequential log id with the FORK threading
* custom CRL verification was replaced with the internal OpenSSL
functionality
* added a new "protocolDomain" option for the NTLM authentication
* improved compatibility of the NTLM phase 1 message
* "setuid" and "setgid" options are now also available in service
sections. They can be used to set owner and group of the Unix
socket specified with "accept"
* added support for the new OpenSSL 1.0.2 SSL options
* added OPENSSL_NO_EGD support
-------------------------------------------------------------------
Mon Jul 27 07:14:19 UTC 2015 - mkubecek@suse.cz
- upgrade to upstream version 5.20
* The SSL library detection algorithm was made a bit smarter
* warnings about insecure authentication were modified to include
the name of the affected service section
* a warning was added to stunnel.init if no pid file was
specified in the configuration file
* signal pipe reinitialization added to prevent turning the main
accepting thread into a busy wait loop when an external
condition breaks the signal pipe
* generated temporary DH parameters are used for configuration
reload instead of the static defaults
* LSB compatibility fixes added to the stunnel.init script
-------------------------------------------------------------------
Mon Jun 29 12:30:37 UTC 2015 - mkubecek@suse.cz
- upgrade to upstream version 5.19
* add SOCKS 4/5 protocol support
* fixed improper hangup condition handling
* fixed missing -pic linker option
* added PSK authentication with two new service-level
configuration file options "PSKsecrets" and "PSKidentity"
* added additional security checks to the OpenSSL memory
management functions
* added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE
OpenSSL configuration flags
* added compatibility with the current OpenSSL 1.1.0-dev tree
* removed defective s_poll_error() code occasionally causing
connections to be prematurely closed (truncated)
* fix OpenSSL compatibility
* OCSP AIA (Authority Information Access) support
* additional security features of the linker are enabled:
"-z relro", "-z now", "-z noexecstack"
* removed dereferences of internal OpenSSL data structures
* PSK key lookup algorithm performance improved from O(N)
(linear) to O(log N) (logarithmic)
* new service-level option "logId" to specify the connection
identifier type
* new service-level option "debug" to individually control
logging verbosity of defined services
* the "service" option was modified to also control the syslog
service name
* the "redirect" option now also redirects clients on SSL session
reuse
* fixed a memory allocation error during Unix daemon shutdown
* fixed handling multiple connect/redirect destinations
* added new service-level options "checkHost", "checkEmail" and
"checkIP" for additional checks of the peer certificate subject
* added session persistence based on negotiated TLS sessions
* MEDIUM ciphers (currently SEED and RC4) are removed from the
default cipher list
* the "redirect" option was improved to not only redirect
sessions established with an untrusted certificate, but also
sessions established without a client certificate
* OpenSSL version checking modified to distinguish FIPS and
non-FIPS builds
* randomize the initial value of the round-robin counter
* new stunnel.conf templates are provided
* fixed memory leaks in certificate verification
* fixed a NULL pointer dereference causing the service to crash
* added "include" configuration file option to include all
configuration file parts located in a specified directory
* log file is reopened every 24 hours. With "log = overwrite"
this feature can be used to prevent filling up disk space
* temporary DH parameters are refreshed every 24 hours, unless
static DH parameters were provided in the certificate file
* unique initial DH parameters are distributed with each release
* warnings are logged on potentially insecure authentication
* added a runtime check whether COMP_zlib() method is implemented
in order to improve compatibility with the Debian OpenSSL build
* improved socket error handling
* fixed some typos in docs and scripts
* fixed a log level check condition
- fix build on SLE11
-------------------------------------------------------------------
Tue Nov 4 13:22:10 UTC 2014 - mkubecek@suse.cz
- add missing tarball
-------------------------------------------------------------------
Tue Nov 4 12:44:34 UTC 2014 - mkubecek@suse.cz
- upgrade to upstream version 5.07
* support for UTF-8 config file and log file
* missing REMOTE_PORT environmental variable is provided to
processes spawned with "exec" on Unix platforms
* The parameter of "options" can now be prefixed with "-" to
clear an SSL option, for example:
"options = -LEGACY_SERVER_CONNECT"
* fixed POLLIN|POLLHUP condition handling error resulting in
prematurely closed (truncated) connection
* fixed a null pointer dereference regression bug in the
"transparent = destination" functionality
* fixed erroneously closed stdin/stdout/stderr if specified as
the -fd commandline option parameter
* the insecure SSLv2 protocol is now disabled by default.
It can be enabled with "options = -NO_SSLv2".
* the insecure SSLv3 protocol is now disabled by default.
It can be enabled with "options = -NO_SSLv3".
* default sslVersion changed to "all" (also in FIPS mode) to
autonegotiate the highest supported TLS version.
* added missing SSL options to match OpenSSL 1.0.1j
* new "-options" commandline option to display the list of
supported SSL options
* fixed FORK threading build regression bug
* several SMTP server protocol negotiation improvements
* DH parameters are no longer generated by "make cert"
* new --disable-systemd ./configure option
* setuid/setgid commented out in stunnel.conf-sample
* compilation fix for OpenSSL with disabled SSLv2 or SSLv3
* non-blocking mode set on inetd and systemd descriptors
-------------------------------------------------------------------
Thu Sep 4 12:27:18 UTC 2014 - mkubecek@suse.cz
- upgrade to upstream version 5.03
* it is now possible to add protocol negotiations at multiple
connection phases
* protocols can individually decide whether the remote connection
will be established before or after SSL/TLS is negotiated
* heap memory blocks are wiped before release
* safe_memcmp() function implemented with execution time not
dependent on the compared data
* fixed "failover = rr" broken since version 5.00
* fixed "taskbar = no" broken since version 5.00
* FIPS autoconfiguration cleanup
* FIPS canister updated to version 2.0.6
* improved SNI diagnostic logging
* fixed whitespace handling in the stunnel.init script
-------------------------------------------------------------------
Wed May 28 07:27:17 UTC 2014 - mkubecek@suse.cz
- upgrade to upstream version 5.01
* Added PRNG state update in fork threading (CVE-2014-0016)
* Default "fips" option value is now "no"
* Default "pid" is now "", i.e. not to create a pid file at startup
* Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2"
* Default "libwrap" setting is now "no" to improve performance.
* TLS 1.1 and TLS 1.2 are now allowed in the FIPS mode
* New service-level option "redirect" to redirect SSL client
connections on authentication failures instead of rejecting them
* New global "engineDefault" configuration file option to control
which OpenSSL tasks are delegated to the current engine
* New service-level configuration file option "engineId" to
select the engine by identifier
* New global configuration file option "log" to control whether
to append (the default), or to overwrite log file while
(re)opening
* Improved readability of error messages printed when stunnel
refuses to start due to a critical error.
* Search all certificates with the same subject name for a
matching public key rather than only the first one
- stunnel-4.53-dont-generate-certificate.patch:
deleted (no longer needed)
-------------------------------------------------------------------
Wed Apr 3 13:12:33 UTC 2013 - mkubecek@suse.cz
- upgrade to upstream version 4.56
* Fixed a regression bug introduced in version 4.55 causing
random crashes on several platforms
* Fixed incorrect "stunnel -exit" process synchronisation
* Fixed FIPS detection with new versions of the OpenSSL library
* Failure to open the log file at startup is no longer ignored
-------------------------------------------------------------------
Mon Mar 18 19:35:34 UTC 2013 - mkubecek@suse.cz
- upgrade to upstream version 4.55
* Buffer overflow vulnerability fixed in the NTLM authentication
of the CONNECT protocol negotiation (CVE-2013-1762)
* Fixed write half-close handling in the transfer() function
* Fixed EAGAIN error handling in the transfer() function
* Restored default signal handlers before execvp()
* Fixed memory leaks in protocol negotiation
* Fixed a file descriptor leak during configuration file reload
* Closed SSL sockets were removed from the transfer() c->fds
poll
* Minor fix in handling exotic inetd-mode configurations
* IPv6 compilation fix in protocol.c
* Feature: SNI wildcard matching in server mode
-------------------------------------------------------------------
Tue Oct 16 12:45:36 UTC 2012 - mkubecek@suse.cz
- upgrade to upstream version 4.54
* fixed "Application Failed to Initialize Properly (0xc0150002)"
error
* fixed missing SSL state debug log entries
* fixed a race condition in libwrap code resulting in random
stalls
* session cache purged at configuration file reload to reduce
memory leak
* fixed bug in "transparent = destination" functionality
(regression introduced in 4.51)
* "transparent = destination" is now a valid endpoint in inetd
mode
* multiple "connect" targets fixed to also work with delayed
resolver
* the number of resolver retries of EAI_AGAIN error has been
limited to 3 in order to prevent infinite loops
* new service level options sessionCacheSize, reset and
renegotiation
* new parameters to configure TLS v1.1/v1.2 with OpenSSL version
1.0.1 or higher
- really use more CPUs for build (fix typo in _smp_mflags)
-------------------------------------------------------------------
Wed Mar 28 06:59:17 UTC 2012 - mkubecek@suse.cz
- upgrade to upstream version 4.53
* Usage of uninitialized variables fixed in exec+connect services
* Occasional logging subsystem crash with exec+connect services
* Session id context initialized with session name rather than a
constant
* Fixed handling of a rare inetd mode use case, where either
stdin or stdout is a socket, but not both of them at the same
time
* Fixed crash on termination with FORK threading model
* Fixed dead canary after configuration reload with open
connections
* Fixed missing file descriptors passed to local mode processes
* Fixed required jmp_buf alignment on Itanium platform
* Added client-mode "sni" option to directly control the value of
TLS Server Name Indication (RFC 3546) extension
* Added support for IP_FREEBIND socket option with a patched Linux
kernel
* Glibc-specific dynamic allocation tuning was applied to help
unused memory deallocation
* Non-blocking OCSP implementation
- stunnel-4.53-dont-generate-certificate.patch refreshed
-------------------------------------------------------------------
Thu Feb 2 09:59:57 UTC 2012 - mkubecek@suse.cz
- upgrade to upstream version 4.52
* Fixed exec+connect sections
* Fixed write closure notification for non-socket file descriptors
* Removed a line logged to stderr in inetd mode
* Removed direct access to the fields of the X509_STORE_CTX data
structure
* New "compression = deflate" global option to enable RFC 2246
compression
* Separate default ciphers and sslVersion for "fips = yes" and
"fips = no"
-------------------------------------------------------------------
Fri Dec 16 13:02:33 UTC 2011 - mkubecek@suse.cz
- upgrade to upstream version 4.50
* POP3 server-side protocol negotiation updated to report STLS
capability
* Fixed internal memory allocation problem in inetd mode
- don't generate a default key/certificate
- corrected license in the specfile
-------------------------------------------------------------------
Fri Nov 25 08:50:54 UTC 2011 - mkubecek@suse.cz
- upgrade to upstream version 4.47
- move to BuildService
- specfile cleanup
* removed obsolete branching
* build stunnel-doc as noarch for 11.2 and newer
* include sample config file in the package
* replace Prereq by Requires(x)
- doc package cleanup
-------------------------------------------------------------------
Fri Jun 24 2011 - mike@mk-sys.cz
- update to version 4.37
- specfile cleanup
- separate doc subpackage
- enable IPv6
- create /var/run/stunnel in init script
-------------------------------------------------------------------
Thu May 05 2011 - mike@mk-sys.cz
- update to version 4.36
-------------------------------------------------------------------
Sun Aug 01 2010 - mike@mk-sys.cz
- update to version 4.33
-------------------------------------------------------------------
Sat Mar 20 2010 - mike@mk-sys.cz
- update to version 4.31
- create /var/run/stunnel directory
-------------------------------------------------------------------
Sun Oct 11 2009 - mike@mk-sys.cz
- update to version 4.27
-------------------------------------------------------------------
Wed Jan 14 2009 - mike@mk-sys.cz
- fixed init script
- use more jobs for make
-------------------------------------------------------------------
Wed Dec 17 2008 - mike@mk-sys.cz
- update to 4.26
-------------------------------------------------------------------
Mon Jan 28 2008 - poeml@suse.de
- make the filelist own /usr/lib*/stunnel
-------------------------------------------------------------------
Fri Jan 25 2008 - poeml@suse.de
- fix build (re-diff stunnel-4.21-write_pid_as_root.diff)
- fix filelist (make sure that the binaries stay in /usr/sbin)
-------------------------------------------------------------------
Mon Oct 29 2007 - poeml@suse.de
- update to 4.21: Changes:
Initial FIPS 140-2 support was added. Non-MT-safe libwrap (TCP
Wrappers) library support was rewritten. It's currently based on
pre-forked processes and should be much faster. Some bugfixes
were also added.
-------------------------------------------------------------------
Thu Aug 16 2007 - poeml@suse.de
- update to 4.20. Changes (edited):
Version 4.20, 2006.11.30, urgency: MEDIUM:
* Release notes
- There are a lot of new features in this version.
* New features
- New service-level option to specify OCSP server flag:
OCSPflag = <flag>
- "protocolCredentials" option changed to "protocolUsername"
and "protocolPassword"
- NTLM support to be enabled with the new service-level option:
protocolAuthentication = NTLM
- imap protocol negotiation support added.
- Passphrase cache was added so the user does not need to reenter
the same passphrase for each defined service any more.
- New service-level option to retry connect+exec section:
retry = yes|no
- Local IP and port is logged for each established connection.
* Bugfixes
- Serious problem with SSL_WANT_* retries fixed.
The new code requires extensive testing!
- Problem with detecting getaddrinfo() in ./configure fixed.
- Compilation problem due to misplaced #endif in ssl.c fixed.
- Duplicate 220 in smtp_server() function in protocol.c fixed.
- Minor update of safestring()/safename() macros.
-------------------------------------------------------------------
Fri May 11 2007 - ro@suse.de
- added openssl to buildrequires
-------------------------------------------------------------------
Mon Apr 02 2007 - rguenther@suse.de
- add zlib-devel BuildRequires
-------------------------------------------------------------------
Tue Oct 17 2006 - poeml@suse.de
- there is no SuSEconfig.syslog script anymore, thus remove the
YaST hint from the sysconfig template
-------------------------------------------------------------------
Wed Sep 27 2006 - poeml@suse.de
- upstream 4.16
* New features sponsored by Hewlett-Packard
- A new global option to control engine: engineCtrl = <command>[:<parameter>]
- A new service-level option to select engine to read private key: engineNum = <engine number>
- OCSP support: ocsp = <URL>
* New features
- A new option to select version of SSL protocol: sslVersion = all|SSLv2|SSLv3|TLSv1
- Visual Studio vc.mak by David Gillingham <dgillingham@gmail.com>.
- OS2 support by Paul Smedley (http://smedley.info)
* Bugfixes
- An ordinary user can install stunnel again.
- Compilation problem with --enable-dh fixed.
- Some minor compilation warnings fixed.
- Service-level CRL cert store implemented.
- GPF on protocol negotiations fixed.
- Problem detecting addrinfo() on Tru64 fixed.
- Default group is now detected by configure script.
- Check for maximum number of defined services added.
- OpenSSL_add_all_algorithms() added to SSL initialization.
- configure script sections reordered to detect pthread library functions.
- RFC 2487 autodetection improved (thx to Hans Werner Strube).
- High resolution s_poll_wait() not currently supported by UCONTEXT threading.
- More precise description of cert directory file names (thx to Muhammad
Muquit).
* Other changes
- Maximum number of services increased from 64 to 256 when poll() is used.
- add BuildRequires: tcp_wrappers gcc-c++ for building on Fedora
- remove doc files installed by make install, which are picked up
by %%doc
-------------------------------------------------------------------
Fri Jun 23 2006 - poeml@suse.de
- build as non-root
- build with fPIE/pie on SUSE 10.0 or newer, or on any other
platform
- fix BuildRequires for Fedora Core, and wrap suse_version macros
- upstream 4.15
* Release notes
- There are a lot of new features in this version. I recommend
testing it well before upgrading your mission-critical systems.
[note by packager: out since 3 months, without major problems]
* Bugfixes
- Default threading model changed to pthread for better portability.
- DH parameters are not included in the certificate by default.
* New features sponsored by Software House http://www.swhouse.com/
- Most SSL-related options (including client, cert, key) are now
available on service level, so it is possible to have an SSL
client and an SSL server in a single stunnel process.
* New features
- Client mode CONNECT protocol support (RFC 2817 section 5.2).
http://www.ietf.org/rfc/rfc2817.txt
- Retrying exec+connect services added.
- make install now tries to create /var/lib/stunnel chmoded 1770
and group nogroup, which we don't do.
-------------------------------------------------------------------
Wed Jan 25 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Sun Nov 27 2005 - lmuelle@suse.de
- update to 4.14
-------------------------------------------------------------------
Thu Oct 06 2005 - poeml@suse.de
- fix hang/segfault upon connect. Use pthreads by removing
configure check for ucontext.h [#119650]
-------------------------------------------------------------------
Tue Aug 30 2005 - poeml@suse.de
- fix parsing of ldd output when setting up the chroot jail [#114090]
-------------------------------------------------------------------
Tue Jun 21 2005 - poeml@suse.de
- update to 4.10
- Some bugfixes and code cleanup were done.
- A new user-level non-preemptive thread model was added for even
greater scalability.
- The stunnel3 script was improved to be more compatible with
getopt.
- add post-4.10 stunnel-4.10-inetd.patch
- compile with tcp wrappers
- compile as PIE and link with -z relro
-------------------------------------------------------------------
Tue Jan 04 2005 - poeml@suse.de
- update to 4.07
* Bugfixes
- Problem with infinite poll() timeout negative, but not equal
to -1 fixed.
- Problem with a file descriptor ready to be read just after a
non-blocking connect call fixed.
- Compile error with EAI_NODATA not defined or equal to
EAI_NONAME fixed.
- IP address and TCP port textual representation length (IPLEN)
increased to 128 bytes.
- OpenSSL engine support is only used if engine.h header file
exists.
- Broken NT Service mode on WIN32 platform fixed.
- Support for IPv4-only WIN32 machines restored.
-------------------------------------------------------------------
Tue Dec 28 2004 - poeml@suse.de
- update to 4.06
In this version, IPv6 support, compression support, hardware
engine selection and many other features were added. A new
stunnel3 Perl script to emulate version 3.x command line options
was added. poll() is used instead of select() where available,
so FD_SETSIZE no longer limits the number of concurrent
connections.
- add stunnel-4.06-nfds.dif
stunnel-4.06-poll_timeout.patch
stunnel-4.06-race_condition.patch
-------------------------------------------------------------------
Thu Nov 11 2004 - poeml@suse.de
- fix filelist for /usr/lib
-------------------------------------------------------------------
Fri Mar 05 2004 - poeml@suse.de
- update to 4.05. new features (excerpt):
* New feature sponsored by SURFnet http://www.surfnet.nl/
- Support for CIFS aka SMB protocol SSL negotiation.
* New features
- CRL support with new CApath and CAfile global options.
- New -fd command line parameter to read configuration
from a specified file descriptor instead of a file.
- accept is reported as error with [section] defined (in
stunnel 4.04 it was silently ignored causing problems
for lusers that did not read the fine manual).
- Use fcntl() instead of ioctlsocket() to set socket
nonblocking when it is supported.
- Basic support for hardware engines with OpenSSL >= 0.9.7.
- French manual by Bernard Choppy <choppy@imaginet.fr>.
- Thread stack size reduced to 64KB for maximum scalability.
- Added optional code to debug thread stack usage.
- Support for nsr-tandem-nsk (thx to Tom Bates <tom.bates@hp.com>).
* Bugfixes
- TCP wrappers code moved to CRIT_NTOA critical section
since it uses static inet_ntoa() result buffer.
- SSL_ERROR_SYSCALL handling problems fixed.
- added code to retry nonblocking SSL_shutdown() calls.
- Use FD_SETSIZE instead of 16 file descriptors in inetd
mode.
- fdscanf groks lowercase protocol negotiation commands.
- Libwrap detection bug in ./configure script fixed.
- Some other minor updates.
- show readme only at first installation
-------------------------------------------------------------------
Tue Aug 26 2003 - poeml@suse.de
- add Config: syslog-ng to sysconfig.syslog-stunnel
-------------------------------------------------------------------
Thu Aug 14 2003 - poeml@suse.de
- add activation metadata to sysconfig template [#28954]
- rename README.SuSE to README.{SuSE,UnitedLinux}
- don't show blurb in %%post if a certificate exists
-------------------------------------------------------------------
Tue Aug 12 2003 - poeml@suse.de
- implement 'try-restart' in rcstunnel correctly [#28636]
-------------------------------------------------------------------
Wed Jul 30 2003 - poeml@suse.de
- add an example configuration for tunneling MySQL
- make stunnel3_wrapper compatible to more shells, and merge it
with stunnel3_convert (which becomes a symlink)
- new macros for stop/restart of services on rpm update/removal
-------------------------------------------------------------------
Tue May 13 2003 - poeml@suse.de
- delete (from the build root) files not to be packaged
- package the libtool library file
- add a commented option to the sample configuration
-------------------------------------------------------------------
Thu Mar 13 2003 - poeml@suse.de
- rc.stunnel: do not write the startup log to a world writable
directory [cf. #25239]
-------------------------------------------------------------------
Mon Feb 17 2003 - poeml@suse.de
- Version 4.04, 2003.01.12, urgency: MEDIUM:
* New features [excerpt]
- New 'options' configuration option to setup
OpenSSL library hacks with SSL_CTX_set_options().
- 'service' option also changes the name for
TCP Wrappers access control in inetd mode.
- SSL is negotiated before connecting remote host
or spawning local process whenever possible.
- REMOTE_HOST variable is always placed in the
environment of a process spawned with 'exec'.
- Whole SSL error stack is dumped on errors.
- 'make cert' rule is back (was missing since 4.00).
- Manual page updated (special thanks to Brian Hatch).
* Bugfixes
- Major code cleanup (thx to Steve Grubb <linux_4ever@yahoo.com>).
- Unsafe functions are removed from SIGCHLD handler.
- Several bugs in auth_user() fixed.
- Incorrect port when using 'local' option fixed.
- OpenSSL tools '-rand' option is no longer directly
used with a device (like '/dev/urandom').
Temporary random file is created with 'dd' instead.
- fix typo in conf file example
-------------------------------------------------------------------
Wed Feb 12 2003 - mmj@suse.de
- Add sysconfig metadata [#22699]
-------------------------------------------------------------------
Thu Oct 31 2002 - poeml@suse.de
- update to 4.03
- add stunnel3_wrapper that translates the cmdline arguments into a
configuration file
- fix default path of pidfile
- more examples
-------------------------------------------------------------------
Fri Oct 25 2002 - poeml@suse.de
- write the pid file before dropping the privileges
-------------------------------------------------------------------
Fri Oct 25 2002 - poeml@suse.de
- major version upgrade to 4.02
- better permissions for /etc/stunnel and keys [#18557]
- run as "stunnel" user in chroot jail
- add sysconfig.syslog-stunnel template and /var/lib/stunnel/dev
for an additional syslog socket
- added init script and example configuration
-------------------------------------------------------------------
Sat Jul 27 2002 - adrian@suse.de
- use %%run_ldconfig
-------------------------------------------------------------------
Thu Mar 08 2001 - bk@suse.de
- update to 3.14 and fix localstatedir (/var/run/stunnel)
-------------------------------------------------------------------
Mon Feb 05 2001 - bk@suse.de
- new package
-------------------------------------------------------------------