Changelog for
stunnel-4.49-1.31.i586.rpm:
Tue Nov 29 13:00:00 2011 darix@nordisch.org
- update to version 4.49
- A bug was fixed causing crashes on MacOS X and some other
platforms.
- additional changes from 4.48
- FIPS support on Win32 platform added. OpenSSL 0.9.8r DLLs
based on FIPS 1.2.3 canister are included with this version of
stunnel. FIPS mode can be disabled with "fips = no"
configuration file option.
- Fixed canary initialization problem on Win32 platform.
Thu Nov 24 13:00:00 2011 darix@nordisch.org
- refreshed stunnel-listenqueue-option.patch to apply cleanly again
- pass the path to the config file to the binary in the init
script: without this the init script does not work for me.
Thu Nov 24 13:00:00 2011 darix@nordisch.org
- update to version 4.47
* Internal improvements
- CVE-2010-3864 workaround improved to check runtime version of
OpenSSL rather than compiled version, and to allow OpenSSL
0.x.x >= 0.9.8p.
- Encoding of man page sources changed to UTF-8.
* Bugfixes
- Handling of socket/SSL close in transfer() function was
fixed.
- Logging was modified to save and restore system error codes.
- Option "service" was restricted to Unix, as since stunnel
4.42 it wasn't doing anything useful on Windows platform.
- additional changes from version 4.46
* New features
- Added Unix socket support (e.g. "connect =
/var/run/stunnel/socket").
- Added "verify = 4" mode to ignore CA chain and only verify
peer certificate.
- Removed the limit of 16 IP addresses for a single 'connect'
option.
- Removed the limit of 256 stunnel.conf sections in PTHREAD
threading model. It is still not possible to have more than 63
sections on WIN32 platform.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms740141(v=vs.85).aspx
* Optimizations
- Reduced per-connection memory usage.
- Performed a major refactoring of internal data structures. Extensive
internal testing was performed, but some regression bugs are expected.
* Bugfixes
- Fixed WIN32 compilation with Mingw32.
- Fixed non-blocking API emulation layer in UCONTEXT threading model.
- Fixed signal handling in UCONTEXT threading model.
- additional changes from version 4.45
* New features
- \"protocol = proxy\" support to send original client IP address to haproxy:
http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
This requires accept-proxy bind option of haproxy 1.5-dev3 or later.
- Added Win32 configuration reload without a valid configuration loaded.
- Added compatibility with LTS OpenSSL versions 0.9.6 and 0.9.7.
Some features are only available in OpenSSL 1.0.0 and later.
* Performance optimizations
- Use SSL_MODE_RELEASE_BUFFERS if supported by the OpenSSL library.
- Libwrap helper processes are no longer started if libwrap is disabled
in all sections of the configuration file.
* Internal improvements
- Protocol negotiation framework was rewritten to support
additional code to be executed after
SSL_accept()/SSL_connect().
- Handling of memory allocation errors was rewritten to
gracefully
terminate the process (thx to regenrecht for the idea).
* Bugfixes
- Fixed -l option handling in stunnel3 script
(thx to Kai Gülzau).
- Script to build default stunnel.pem was fixed
(thx to Sebastian Kayser).
- MinGW compilation script (mingw.mak) was fixed
(thx to Jose Alf).
- MSVC compilation script (vc.mak) was fixed.
- A number of problems in WINSOCK error handling were fixed.
- additional changes from version 4.44
* New features
- Major automake/autoconf cleanup.
- Heap buffer overflow protection with canaries.
- Stack buffer overflow protection with -fstack-protector.
* Bugfixes
- Fixed garbled error messages on errors with setuid/setgid
options.
- SNI fixes (thx to Alexey Drozdov).
- Use after free in fdprintf() (thx to Alexey Drozdov). This
issue might cause GPF with \"protocol\" or \"ident\" options.
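The "protocol = proxy", Unix-socket and "verify = 4" options introduced in 4.45 and 4.46 above can be combined in one stunnel.conf. The fragment below is an added example, not part of this changelog or of the stunnel distribution; the service names, ports, certificate paths and the haproxy back-end address are assumptions chosen for illustration.

```ini
; stunnel.conf (added example; paths, names and addresses are assumptions)
setuid = stunnel
setgid = stunnel
pid    = /var/run/stunnel/stunnel.pid
debug  = 5

[https-frontend]
; TLS termination in front of haproxy. "protocol = proxy" (4.45+) makes
; stunnel prepend a PROXY protocol header carrying the original client
; address; haproxy must bind with "accept-proxy" or it will treat the
; header as malformed HTTP.
accept   = 0.0.0.0:443
connect  = 127.0.0.1:8080
; Since 4.46 a Unix socket path is also accepted here, e.g.
; connect = /var/run/stunnel/socket
protocol = proxy
cert     = /etc/stunnel/server.pem
key      = /etc/stunnel/server.key
; Require a client certificate that chains to a CA listed in CAfile.
verify   = 2
CAfile   = /etc/stunnel/client-ca.pem

[pgsql-client]
; Client mode towards a pinned peer: "verify = 4" (4.46+) ignores the CA
; chain and only checks that the peer presents the certificate stored in
; CAfile, which suits a self-signed server certificate.
client   = yes
accept   = 127.0.0.1:5432
connect  = db.example.internal:5433
verify   = 4
CAfile   = /etc/stunnel/pgsql-server-cert.pem
```

On the haproxy side the matching frontend needs "bind 127.0.0.1:8080 accept-proxy" (haproxy 1.5-dev3 or later, as the 4.45 entry notes); without accept-proxy the PROXY header reaches haproxy as the first bytes of the request and the connection is dropped.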
Fri Sep 9 14:00:00 2011 drahn@suse.com
- update to version 4.43
* New features:
- Major optimization of the logging subsystem.
* Bugfixes
- Fixed FORK and UCONTEXT threading models.
Fri Sep 2 14:00:00 2011 drahn@suse.com
- update to version 4.42
* New features
- New verify level 0 to request and ignore peer certificate.
- Manual page has been updated.
* Bugfixes
- Fixed a heap corruption vulnerability in versions 4.40 and 4.41.
It may possibly be leveraged to perform DoS or remote code
execution attacks (CVE-2011-2940).
Sun Aug 7 14:00:00 2011 drahn@suse.com
- correct path in stunnel3 (bnc#710879)
Mon Jul 25 14:00:00 2011 drahn@suse.com
- update package to 4.40
* New features:
- Hardcoded 2048-bit DH parameters are used as a fallback if DH
parameters are not provided in stunnel.pem.
- Default \"ciphers\" value updated to prefer ECDH:
\"ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH\".
- Default ECDH curve updated to "prime256v1".
- Removed support for temporary RSA keys (used in obsolete
export ciphers).
- refresh stunnel-listenqueue-option.patch
Wed Jun 29 14:00:00 2011 daniel.rahn@novell.com
- split off doc package
Wed Jun 29 14:00:00 2011 daniel.rahn@novell.com
- update package to 4.38
* New features:
- Server-side SNI implemented (RFC 3546 section 3.1) with a new
service-level option "sni".
- "socket" option also accepts "yes" and "no" for flags.
- Nagle's algorithm is now disabled by default for improved
interactivity.
* Bugfixes:
- A compilation fix was added for OpenSSL version < 1.0.0.
- Signal pipe set to non-blocking mode. This bug caused hangs
of stunnel features based on signals, e.g. local mode, FORK
threading, or configuration file reload on Unix.
Mon Jun 20 14:00:00 2011 daniel.rahn@novell.com
- disable the previous two patches for the time being
- create debug packages
Sat Jun 18 14:00:00 2011 daniel.rahn@novell.com
- fix ucontext handling (backport from v4.37)
Sat Jun 18 14:00:00 2011 daniel.rahn@novell.com
- fix non-blocking socket handling (backport from v4.37)
Thu Jun 16 14:00:00 2011 daniel.rahn@novell.com
- update package to 4.36
- obsoletes SOMAXCONN and libwrap disable patches (bnc#674554)
- forward port listenqueue patch (bnc#674554)
- explicitly enable libwrap in configure call
* New features
- Dynamic memory management for strings manipulation: no more static
STRLEN limit, lower stack footprint.
- Strict public key comparison added for "verify = 3" certificate checking
mode (thx to Philipp Hartwig).
- Backlog parameter of listen(2) changed from 5 to SOMAXCONN: improved
behavior on heavy load.
Old behavior can be restored with "listenqueue = 5" in stunnel.conf
* Bugfixes
- Missing pthread_attr_destroy() added to fix memory leak (thx to Paul
Allex and Peter Pentchev).
- Fixed the incorrect way of setting FD_CLOEXEC flag.
- Fixed --enable-libwrap option of ./configure script.
- Retry implemented on EAI_AGAIN error returned by resolver calls.
Mon Feb 7 13:00:00 2011 asvetter@cip.physik.uni-wuerzburg.de
- update to 4.35:
* New features
- Updated Win32 DLLs for OpenSSL 1.0.0c.
- Transparent source (non-local bind) added for FreeBSD 8.x.
- Transparent destination ("transparent = destination") added for Linux.
* Bugfixes
- Fixed reload of FIPS-enabled stunnel.
- Compiler options are now auto-detected by ./configure script
in order to support obsolete versions of gcc.
- Async-signal-unsafe s_log() removed from SIGTERM/SIGQUIT/SIGINT handler.
- CLOEXEC file descriptor leaks fixed on Linux >= 2.6.28 with glibc >= 2.10.
Irreparable race condition leaks remain on other Unix platforms.
This issue may have security implications on some deployments.
- Directory lib64 included in the OpenSSL library search path.
- Windows CE compilation fixes (thx to Pierre Delaage).
- Deprecated RSA_generate_key() replaced with RSA_generate_key_ex().
* Domain name changes (courtesy of Bri Hatch)
- http://stunnel.mirt.net/ --> http://www.stunnel.org/
- ftp://stunnel.mirt.net/ --> http://ftp.stunnel.org/
- stunnel.mirt.net::stunnel --> rsync.stunnel.org::stunnel
- stunnel-users@mirt.net --> stunnel-users@stunnel.org
- stunnel-announce@mirt.net --> stunnel-announce@stunnel.org
Tue Sep 28 14:00:00 2010 dmueller@suse.de
- update to 4.34:
- Added ECC support with a new service-level "curve" option.
- DH support is now enabled by default.
- Added support for OpenSSL builds with some algorithms disabled.
- ./configure modified to support cross-compilation.
- Implemented fixes in user interface to enter engine PIN.
- Fixed a transfer() loop issue on socket errors.
- Fixed missing WIN32 taskbar icon while displaying a global option error.
- Inetd mode fixed.
- New service-level "libwrap" option for run-time control whether
/etc/hosts.allow and /etc/hosts.deny are used for access control.
Disabling libwrap significantly increases performance of stunnel.
- Win32 DLLs for OpenSSL 0.9.8m.
- Fixed a transfer() loop issue with SSLv2 connections.
- Fixed a \"setsockopt IP_TRANSPARENT\" warning with \"local\" option.
- Logging subsystem bugfixes and cleanup.
- Installer bugfixes for Vista and later versions of Windows.
- FIPS mode can be enabled/disabled at runtime.
- Log file reopen on USR1 signal was added.
- Some regression issues introduced in 4.30 were fixed.
- Graceful configuration reload with HUP signal on Unix
and with GUI on Windows.
- A serious bug in asynchronous shutdown code fixed.
- Data alignment updated in libwrap.c.
- Polish manual encoding fixed.
- Notes on compression implementation in OpenSSL added to the manual.
Fri Nov 27 13:00:00 2009 vetter@physik.uni-wuerzburg.de
- fix compile problems with openssl 0.9.7d
Fri Nov 27 13:00:00 2009 vetter@physik.uni-wuerzburg.de
- bugfixes for 4.28
* Bugfixes
o \"execargs\" defaults to the \"exec\" parameter (thx to Peter Pentchev).
o no_ticket.patch
- update to 4.27:
* New features
o Win32 DLLs for OpenSSL 0.9.8l.
o Transparent proxy support on Linux kernels >=2.6.28. See the manual for details.
o New socket options to control TCP keepalive on Linux: TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL.
o SSL options updated for the recent version of OpenSSL library.
* Bugfixes
o A serious bug in asynchronous shutdown code fixed.
o Data alignment updated in libwrap.c.
o Polish manual encoding fixed.
o Notes on compression implementation in OpenSSL added to the manual.
Fri Apr 17 14:00:00 2009 vetter@physik.uni-wuerzburg.de
- update to 4.27:
* New features
- Win32 DLLs for OpenSSL 0.9.8k.
- FIPS support was updated for openssl-fips 1.2.
- New priority failover strategy for multiple "connect" targets,
controlled with "failover=rr" (default) or "failover=prio".
- pgsql protocol negotiation by Marko Kreen.
- Building instructions were updated in INSTALL.W32 file.
* Bugfixes
- Libwrap helper processes fixed to close standard
input/output/error file descriptors.
- OS2 compilation fixes.
- WCE fixes by Pierre Delaage.