Changelog for stunnel-doc-5.37-1.1.noarch.rpm:
Fri Nov 25 13:00:00 2016 mkubecek@suse.cz
- upgrade to upstream version 5.38

* the default SNI target (not handled by any slave service) is
handled by the master service rather than rejected

* removed thread synchronization in the FORK threading model

Mon Sep 26 14:00:00 2016 mkubecek@suse.cz
- upgrade to upstream version 5.36

* only reset the watchdog if some data was actually transferred

* fixed logging an incorrect value of the round-robin starting
point

* fixed a TLS session caching memory leak; before stunnel 5.27
this leak only emerged with sessiond enabled

* fixed a FORK threading build regression bug

* OPENSSL_NO_DH compilation fix

* fixed malfunctioning "verify = 4"

* fixed incorrectly enforced client certificate requests

* fixed thread safety of the configuration file reopening

* improved compatibility with the current OpenSSL 1.1.0-dev tree

* added logging the list of client CAs requested by the server

* new "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6

* memory leak detection

* SNI support also enabled on OpenSSL 0.9.8f and later

* added support for PKCS #12 (.p12/.pfx) certificates

* added three new service-level options: requireCert,
verifyChain, and verifyPeer for fine-grained certificate
verification control

* removed direct zlib dependency
- use original gzipped tarball again
- add tarball signature and public key
- specfile cleanup

Tue Jan 12 13:00:00 2016 mkubecek@suse.cz
- upgrade to upstream version 5.29

* fix the "s_poll_wait returned 1, but no descriptor is ready"
internal error

* fix "exec" hangs due to incorrect thread-local storage handling

* fix PRNG initialization

* fix incomplete initialization

* fix exit codes for information requests (as in "stunnel -version"
or "stunnel -help")

* fix configuration file reload for relative stunnel.conf path on
Unix

* fix ignoring CRLfile unless CAfile was also specified

* setting socket options no longer performed on PTYs

* SMTP client protocol negotiation support for
"protocolUsername", "protocolPassword", and
"protocolAuthentication"

* new service-level option "config" to specify configuration
commands introduced in OpenSSL 1.0.2

* improved compatibility with the current OpenSSL 1.1.0-dev tree

* added reading server certificates from hardware engines

* performance improvement: rwlocks used for locking with pthreads

Thu Oct 22 14:00:00 2015 mkubecek@suse.cz
- upgrade to upstream version 5.24

* fixed the FORK and UCONTEXT threading support

* fixed "failover=prio" (broken since stunnel 5.15)

* added a retry when sleep(3) was interrupted by a signal in the
cron thread scheduler

* signal names are displayed instead of numbers

* first resolve IPv4 addresses on passive resolver requests

* fixed a number of OCSP bugs. The most severe of those bugs
caused stunnel to treat OCSP responses that failed
OCSP_basic_verify() checks as if they were successful

* "OCSPaia = yes" added to the configuration file templates

* improved double free detection

* client-side support for the SOCKS protocol

* reject SOCKS requests to connect loopback addresses

* new service-level option "OCSPnonce"

* the ca-certs.pem file is now updated on stunnel upgrade

* added IPv6 support to the transparent proxy code

* fixed the RESOLVE [F0] TOR extension support in SOCKS5

* fixed the error code reported on the failed bind() requests

* fixed the sequential log id with the FORK threading

* custom CRL verification was replaced with the internal OpenSSL
functionality

* added a new "protocolDomain" option for the NTLM authentication

* improved compatibility of the NTLM phase 1 message

* "setuid" and "setgid" options are now also available in service
sections. They can be used to set owner and group of the Unix
socket specified with "accept"

* added support for the new OpenSSL 1.0.2 SSL options

* added OPENSSL_NO_EGD support

Mon Jul 27 14:00:00 2015 mkubecek@suse.cz
- upgrade to upstream version 5.20

* The SSL library detection algorithm was made a bit smarter

* warnings about insecure authentication were modified to include
the name of the affected service section

* a warning was added to stunnel.init if no pid file was
specified in the configuration file

* signal pipe reinitialization added to prevent turning the main
accepting thread into a busy wait loop when an external
condition breaks the signal pipe

* generated temporary DH parameters are used for configuration
reload instead of the static defaults

* LSB compatibility fixes added to the stunnel.init script

Mon Jun 29 14:00:00 2015 mkubecek@suse.cz
- upgrade to upstream version 5.19

* add SOCKS 4/5 protocol support

* fixed improper hangup condition handling

* fixed missing -pic linker option

* added PSK authentication with two new service-level
configuration file options "PSKsecrets" and "PSKidentity"

* added additional security checks to the OpenSSL memory
management functions

* added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE
OpenSSL configuration flags

* added compatibility with the current OpenSSL 1.1.0-dev tree

* removed defective s_poll_error() code occasionally causing
connections to be prematurely closed (truncated)

* fix OpenSSL compatibility

* OCSP AIA (Authority Information Access) support

* additional security features of the linker are enabled:
"-z relro", "-z now", "-z noexecstack"

* removed dereferences of internal OpenSSL data structures

* PSK key lookup algorithm performance improved from O(N)
(linear) to O(log N) (logarithmic)

* new service-level option "logId" to specify the connection
identifier type

* new service-level option "debug" to individually control
logging verbosity of defined services

* the "service" option was modified to also control the syslog
service name

* the "redirect" option now also redirects clients on SSL session
reuse

* fixed a memory allocation error during Unix daemon shutdown

* fixed handling multiple connect/redirect destinations

* added new service-level options "checkHost", "checkEmail" and
"checkIP" for additional checks of the peer certificate subject

* added session persistence based on negotiated TLS sessions

* MEDIUM ciphers (currently SEED and RC4) are removed from the
default cipher list

* the "redirect" option was improved to not only redirect
sessions established with an untrusted certificate, but also
sessions established without a client certificate

* OpenSSL version checking modified to distinguish FIPS and
non-FIPS builds

* randomize the initial value of the round-robin counter

* new stunnel.conf templates are provided

* fixed memory leaks in certificate verification

* fixed a NULL pointer dereference causing the service to crash

* added "include" configuration file option to include all
configuration file parts located in a specified directory

* log file is reopened every 24 hours. With "log = overwrite"
this feature can be used to prevent filling up disk space

* temporary DH parameters are refreshed every 24 hours, unless
static DH parameters were provided in the certificate file

* unique initial DH parameters are distributed with each release

* warnings are logged on potentially insecure authentication

* added a runtime check whether COMP_zlib() method is implemented
in order to improve compatibility with the Debian OpenSSL build

* improved socket error handling

* fixed some typos in docs and scripts

* fixed a log level check condition
- fix build on SLE11

Tue Nov 4 13:00:00 2014 mkubecek@suse.cz
- add missing tarball

Tue Nov 4 13:00:00 2014 mkubecek@suse.cz
- upgrade to upstream version 5.07

* support for UTF-8 config file and log file

* missing REMOTE_PORT environment variable is provided to
processes spawned with "exec" on Unix platforms

* The parameter of "options" can now be prefixed with "-" to
clear an SSL option, for example:
"options = -LEGACY_SERVER_CONNECT"

* fixed POLLIN|POLLHUP condition handling error resulting in
prematurely closed (truncated) connection

* fixed a null pointer dereference regression bug in the
"transparent = destination" functionality

* fixed erroneously closed stdin/stdout/stderr if specified as
the -fd commandline option parameter

* the insecure SSLv2 protocol is now disabled by default.
It can be enabled with "options = -NO_SSLv2".

* the insecure SSLv3 protocol is now disabled by default.
It can be enabled with "options = -NO_SSLv3".

* default sslVersion changed to "all" (also in FIPS mode) to
autonegotiate the highest supported TLS version.

* added missing SSL options to match OpenSSL 1.0.1j

* new "-options" commandline option to display the list of
supported SSL options

* fixed FORK threading build regression bug

* several SMTP server protocol negotiation improvements

* DH parameters are no longer generated by "make cert"

* new --disable-systemd ./configure option

* setuid/setgid commented out in stunnel.conf-sample

* compilation fix for OpenSSL with disabled SSLv2 or SSLv3

* non-blocking mode set on inetd and systemd descriptors

Thu Sep 4 14:00:00 2014 mkubecek@suse.cz
- upgrade to upstream version 5.03

* it is now possible to add protocol negotiations at multiple
connection phases

* protocols can individually decide whether the remote connection
will be established before or after SSL/TLS is negotiated

* heap memory blocks are wiped before release

* safe_memcmp() function implemented with execution time not
dependent on the compared data

* fixed "failover = rr" broken since version 5.00

* fixed "taskbar = no" broken since version 5.00

* FIPS autoconfiguration cleanup

* FIPS canister updated to version 2.0.6

* improved SNI diagnostic logging

* fixed whitespace handling in the stunnel.init script

Wed May 28 14:00:00 2014 mkubecek@suse.cz
- upgrade to upstream version 5.01

* Added PRNG state update in fork threading (CVE-2014-0016)

* Default "fips" option value is now "no"

* Default "pid" is now "", i.e. not to create a pid file at startup

* Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2"

* Default "libwrap" setting is now "no" to improve performance.

* TLS 1.1 and TLS 1.2 are now allowed in the FIPS mode

* New service-level option "redirect" to redirect SSL client
connections on authentication failures instead of rejecting them

* New global "engineDefault" configuration file option to control
which OpenSSL tasks are delegated to the current engine

* New service-level configuration file option "engineId" to
select the engine by identifier

* New global configuration file option "log" to control whether
to append (the default), or to overwrite log file while
(re)opening

* Improved readability of error messages printed when stunnel
refuses to start due to a critical error.

* Search all certificates with the same subject name for a
matching public key rather than only the first one
- stunnel-4.53-dont-generate-certificate.patch:
deleted (no longer needed)

Wed Apr 3 14:00:00 2013 mkubecek@suse.cz
- upgrade to upstream version 4.56

* Fixed a regression bug introduced in version 4.55 causing
random crashes on several platforms

* Fixed incorrect "stunnel -exit" process synchronisation

* Fixed FIPS detection with new versions of the OpenSSL library

* Failure to open the log file at startup is no longer ignored

Mon Mar 18 13:00:00 2013 mkubecek@suse.cz
- upgrade to upstream version 4.55

* Buffer overflow vulnerability fixed in the NTLM authentication
of the CONNECT protocol negotiation (CVE-2013-1762)

* Fixed write half-close handling in the transfer() function

* Fixed EAGAIN error handling in the transfer() function

* Restored default signal handlers before execvp()

* Fixed memory leaks in protocol negotiation

* Fixed a file descriptor leak during configuration file reload

* Closed SSL sockets were removed from the transfer() c->fds
poll

* Minor fix in handling exotic inetd-mode configurations

* IPv6 compilation fix in protocol.c

* Feature: SNI wildcard matching in server mode

Tue Oct 16 14:00:00 2012 mkubecek@suse.cz
- upgrade to upstream version 4.54

* fixed "Application Failed to Initialize Properly (0xc0150002)"
error

* fixed missing SSL state debug log entries

* fixed a race condition in libwrap code resulting in random
stalls

* session cache purged at configuration file reload to reduce
memory leak

* fixed bug in "transparent = destination" functionality
(regression introduced in 4.51)

* "transparent = destination" is now a valid endpoint in inetd
mode

* multiple "connect" targets fixed to also work with delayed
resolver

* the number of resolver retries of EAI_AGAIN error has been
limited to 3 in order to prevent infinite loops

* new service level options sessionCacheSize, reset and
renegotiation

* new parameters to configure TLS v1.1/v1.2 with OpenSSL version
1.0.1 or higher
- really use more CPU's for build (fix typo in _smp_mflags)

Wed Mar 28 14:00:00 2012 mkubecek@suse.cz
- upgrade to upstream version 4.53

* Usage of uninitialized variables fixed in exec+connect services

* Occasional logging subsystem crash with exec+connect services

* Session id context initialized with session name rather than a
constant

* Fixed handling of a rare inetd mode use case, where either
stdin or stdout is a socket, but not both of them at the same
time

* Fixed crash on termination with FORK threading model

* Fixed dead canary after configuration reload with open
connections

* Fixed missing file descriptors passed to local mode processes

* Fixed required jmp_buf alignment on Itanium platform

* Added client-mode "sni" option to directly control the value of
TLS Server Name Indication (RFC 3546) extension

* Added support for IP_FREEBIND socket option with a patched Linux
kernel

* Glibc-specific dynamic allocation tuning was applied to help
unused memory deallocation

* Non-blocking OCSP implementation
- stunnel-4.53-dont-generate-certificate.patch refreshed

Thu Feb 2 13:00:00 2012 mkubecek@suse.cz
- upgrade to upstream version 4.52

* Fixed exec+connect sections

* Fixed write closure notification for non-socket file descriptors

* Removed a line logged to stderr in inetd mode

* Removed direct access to the fields of the X509_STORE_CTX data
structure

* New "compression = deflate" global option to enable RFC 2246
compression

* Separate default ciphers and sslVersion for "fips = yes" and
"fips = no"

Fri Dec 16 13:00:00 2011 mkubecek@suse.cz
- upgrade to upstream version 4.50

* POP3 server-side protocol negotiation updated to report STLS
capability

* Fixed internal memory allocation problem in inetd mode
- don't generate a default key/certificate
- corrected license in the specfile

Fri Nov 25 13:00:00 2011 mkubecek@suse.cz
- upgrade to upstream version 4.47
- move to BuildService
- specfile cleanup

* removed obsolete branching

* build stunnel-doc as noarch for 11.2 and newer

* include sample config file in the package

* replace Prereq by Requires(x)
- doc package cleanup

Fri Jun 24 14:00:00 2011 mike@mk-sys.cz
- update to version 4.37
- specfile cleanup
- separate doc subpackage
- enable IPv6
- create /var/run/stunnel in init script

Thu May 5 14:00:00 2011 mike@mk-sys.cz
- update to version 4.36

Sun Aug 1 14:00:00 2010 mike@mk-sys.cz
- update to version 4.33

Sat Mar 20 13:00:00 2010 mike@mk-sys.cz
- update to version 4.31
- create /var/run/stunnel directory

Sun Oct 11 14:00:00 2009 mike@mk-sys.cz
- update to version 4.27
