Package: stunnel4 / 3:5.06-2+deb8u1

Metadata

Package: stunnel4
Version: 3:5.06-2+deb8u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
01 fix paths.patch

tools/script.sh | 2 1 + 1 - 0 !
tools/stunnel.conf-sample.in | 14 7 + 7 - 0 !
2 files changed, 8 insertions(+), 8 deletions(-)

 update the installation directories.
  Do several path fixups, removing unneeded @prefix@s and changing
  binaries install location from sbin to bin, to comply with the FHS
02 rename binary.patch

doc/stunnel.8 | 4 2 + 2 - 0 !
doc/stunnel.fr.8 | 4 2 + 2 - 0 !
doc/stunnel.pl.8 | 4 2 + 2 - 0 !
src/stunnel3.in | 2 1 + 1 - 0 !
tools/stunnel.conf-sample.in | 6 3 + 3 - 0 !
tools/stunnel.init.in | 16 8 + 8 - 0 !
6 files changed, 18 insertions(+), 18 deletions(-)

 change references to the binary from stunnel to stunnel4
03 runas user.patch

tools/stunnel.conf-sample.in | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 change the default user the binary will run as to stunnel4
05 logrotate warning in sample conf.patch

tools/stunnel.conf-sample.in | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 disable the setuid/setgid configuration by default.
  Disable the set user/group ID setting from the chroot section of
  the default sample config.  Changing stunnel's chroot, setuid or
  setgid settings requires more thought from the user, including
  the logrotate configuration, and so it is misleading to have it on
  by default.
  .
  This does not affect any current installation, as this is only shipped as a
  sample for users.
08 client example.patch

doc/stunnel.8 | 11 11 + 0 - 0 !
1 file changed, 11 insertions(+)

 add a client config example to stunnel4(8).
10 no zlib compression.patch

configure.ac | 3 1 + 2 - 0 !
src/options.c | 4 2 + 2 - 0 !
src/ssl.c | 17 10 + 7 - 0 !
3 files changed, 13 insertions(+), 11 deletions(-)

 do not depend on zlib compression being available.
 The Debian OpenSSL package is built without support for zlib
 compression since version 1.0.1e-5.
11 no rle compression.patch

src/options.c | 11 10 + 1 - 0 !
1 file changed, 10 insertions(+), 1 deletion(-)

 disable rle compression.
 It is not really implemented in OpenSSL (there is no code that actually
 compresses any data, just code that copies it unmodified), and it has
 bit-rotted ever since OpenSSL 0.9.6d - it does not handle the empty
 fragments introduced to mitigate some attacks against CBC mode.
12 restore pidfile default.patch

src/Makefile.am | 1 1 + 0 - 0 !
src/options.c | 5 3 + 2 - 0 !
tools/stunnel.init.in | 11 8 + 3 - 0 !
3 files changed, 12 insertions(+), 5 deletions(-)

 temporarily restore the pid file creation by default.
 The init script will not be able to monitor the automatically-started
 instances of stunnel if there is no pid file.  For the present for the
 upgrade from 4.53 the "create the pid file by default" behavior is
 restored and the init script warns about configuration files that have
 no "pid" setting.  The intention is that in a future version the init
 script will refuse to start stunnel for these configurations.
14 lsb init functions.patch

tools/stunnel.init.in | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 source /lib/lsb/init-functions, don't use it yet
15 upstream systemd libs.patch

configure.ac | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 look for the systemd functions in the new libraries.
16 upstream sslv23 method.patch

src/options.c | 21 12 + 9 - 0 !
1 file changed, 12 insertions(+), 9 deletions(-)

 fix the build for openssl with disabled sslv2/3.
17 CVE 2015 3644.patch

src/client.c | 119 65 + 54 - 0 !
src/ctx.c | 3 2 + 1 - 0 !
src/options.c | 48 27 + 21 - 0 !
src/protocol.c | 5 1 + 4 - 0 !
src/prototypes.h | 23 17 + 6 - 0 !
src/resolver.c | 123 82 + 41 - 0 !
src/ssl.c | 14 10 + 4 - 0 !
src/verify.c | 11 2 + 9 - 0 !
8 files changed, 206 insertions(+), 140 deletions(-)

 cve-2015-3644: authentication bypass with the "redirect" option.