pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2016Q2]: pkgsrc/security/stunnel Pullup ticket #5089 - request...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/97441a5ee9e0
branches:  pkgsrc-2016Q2
changeset: 408876:97441a5ee9e0
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Sat Sep 03 18:13:39 2016 +0000

description:
Pullup ticket #5089 - requested by jym
security/stunnel: security fix

Revisions pulled up:
- security/stunnel/Makefile                                     1.104
- security/stunnel/distinfo                                     1.51
- security/stunnel/patches/patch-stunnel.conf-sample.in         1.1

---
   Module Name:    pkgsrc
   Committed By:   jym
   Date:           Mon Aug 29 19:21:25 UTC 2016

   Modified Files:
           pkgsrc/security/stunnel: Makefile distinfo
   Added Files:
           pkgsrc/security/stunnel/patches: patch-stunnel.conf-sample.in

   Log Message:
   PR pkg/51449

   Update stunnel to 5.35.

   - Add patch to provide an explicit chroot option to the default
     configuration sample (option is documented but not found within
     the default conf file). While here, enable setuid/setgid as
     stunnel user/group creations are handled by package.
   - Rework SUBSTs so that they apply to the correct sample
     config file.

   Changelog:

   Version 5.35, 2016.07.18, urgency: HIGH
   * Bugfixes
     - Fixed incorrectly enforced client certificate requests.
     - Only default to SO_EXCLUSIVEADDRUSE on Vista and later.
     - Fixed thread safety of the configuration file reopening.

   Version 5.34, 2016.07.05, urgency: HIGH
   * Security bugfixes
     - Fixed malfunctioning "verify = 4".
   * New features
     - Bind sockets with SO_EXCLUSIVEADDRUSE on WIN32.
     - Added three new service-level options: requireCert, verifyChain,
       and verifyPeer for fine-grained certificate verification control.
     - Improved compatibility with the current OpenSSL 1.1.0-dev tree.

   Version 5.33, 2016.06.23, urgency: HIGH
   * New features
     - Improved memory leak detection performance and accuracy.
     - Improved compatibility with the current OpenSSL 1.1.0-dev tree.
     - SNI support also enabled on OpenSSL 0.9.8f and later (thx to
       Guillermo Rodriguez Garcia).
     - Added support for PKCS #12 (.p12/.pfx) certificates (thx to
       Dmitry Bakshaev).
   * Bugfixes
     - Fixed a TLS session caching memory leak (thx to Richard Kraemer).
       Before stunnel 5.27 this leak only emerged with sessiond enabled.
     - Yet another WinCE socket fix (thx to Richard Kraemer).
     - Fixed passphrase/pin dialogs in tstunnel.exe.
     - Fixed a FORK threading build regression bug.
     - OPENSSL_NO_DH compilation fix (thx to Brian Lin).

diffstat:

 security/stunnel/Makefile                             |  20 +++++------------
 security/stunnel/distinfo                             |  11 +++++----
 security/stunnel/patches/patch-stunnel.conf-sample.in |  22 +++++++++++++++++++
 3 files changed, 34 insertions(+), 19 deletions(-)

diffs (80 lines):

diff -r bfef343fbf62 -r 97441a5ee9e0 security/stunnel/Makefile
--- a/security/stunnel/Makefile Fri Sep 02 06:35:04 2016 +0000
+++ b/security/stunnel/Makefile Sat Sep 03 18:13:39 2016 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.102 2016/06/03 23:12:06 jym Exp $
+# $NetBSD: Makefile,v 1.102.2.1 2016/09/03 18:13:39 bsiegert Exp $
 
-DISTNAME=              stunnel-5.32
+DISTNAME=              stunnel-5.35
 CATEGORIES=            security
 MASTER_SITES=          http://www.stunnel.org/downloads/
 
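Review bot: The MASTER_SITES context line in this hunk still fetches over plain http (http://www.stunnel.org/downloads/), so for this security update the integrity of the 5.35 tarball rests entirely on the distinfo checksums. If the upstream site serves the same path over https, switch MASTER_SITES to it in the same change as the DISTNAME bump.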
@@ -40,19 +40,11 @@
 REPLACE_PERL+=         src/stunnel3.in
 USE_TOOLS+=            perl:run
 
-SUBST_CLASSES+=                chroot
-SUBST_MESSAGE.chroot=  Fix chroot path
-SUBST_STAGE.chroot=    pre-configure
-SUBST_FILES.chroot=    tools/stunnel.conf-sample.in
-SUBST_SED.chroot+=     -e 's|@prefix@/var/lib|@localstatedir@/chroot|'
-
 SUBST_CLASSES+=                stunnel
-SUBST_MESSAGE.stunnel= Fix user, group and pid
-SUBST_STAGE.stunnel=   post-configure
-SUBST_FILES.stunnel=   tools/stunnel.conf-sample
-SUBST_SED.stunnel=     -e 's|setuid = nobody|setuid = ${STUNNEL_USER}|'
-SUBST_SED.stunnel+=    -e 's|setgid = nogroup|setgid = ${STUNNEL_GROUP}|'
-SUBST_SED.stunnel+=    -e 's|pid = /stunnel.pid|pid = /pid/stunnel.pid|'
+SUBST_MESSAGE.stunnel= Fix user and group
+SUBST_STAGE.stunnel=   pre-configure
+SUBST_FILES.stunnel=   tools/stunnel.conf-sample.in
+SUBST_VARS.stunnel=    STUNNEL_USER STUNNEL_GROUP
 
 .include "options.mk"
 
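Review bot: Dropping the chroot SUBST class and the `pid = /stunnel.pid` sed rule means the chroot path and PID location now come only from the new patch to tools/stunnel.conf-sample.in, and nothing in this hunk shows the package creating that chroot directory or its pid subdirectory with ownership for ${STUNNEL_USER}. Please confirm that the directories created elsewhere in the Makefile match the patched sample (chroot/stunnel/ under @localstatedir@, with pid/ inside it), otherwise stunnel cannot write its PID file once it has dropped privileges. A one-line comment above SUBST_VARS.stunnel saying that the @STUNNEL_USER@ and @STUNNEL_GROUP@ tokens are introduced by patch-stunnel.conf-sample.in would also help, since the SUBST is a no-op without that patch.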
diff -r bfef343fbf62 -r 97441a5ee9e0 security/stunnel/distinfo
--- a/security/stunnel/distinfo Fri Sep 02 06:35:04 2016 +0000
+++ b/security/stunnel/distinfo Sat Sep 03 18:13:39 2016 +0000
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.50 2016/06/03 23:12:06 jym Exp $
+$NetBSD: distinfo,v 1.50.2.1 2016/09/03 18:13:39 bsiegert Exp $
 
-SHA1 (stunnel-5.32.tar.gz) = 44f64ee0f9c7235a00d33b8338d439dbc519c594
-RMD160 (stunnel-5.32.tar.gz) = 13157bd6b1b32ca87465ff11dcd9bceed424c480
-SHA512 (stunnel-5.32.tar.gz) = aad3b718a727ae23bc88bda027017a5e4e19d2d08c1d4e95087dae20d4ed994d0ce29e9ae4b4d40456a7d7aaeb10c30a4283c6be2965d7183982204a347781bc
-Size (stunnel-5.32.tar.gz) = 641907 bytes
+SHA1 (stunnel-5.35.tar.gz) = 90cafc2208aa3acefb503856482e163e9af463c4
+RMD160 (stunnel-5.35.tar.gz) = 92f7c680e9de49740094a531c5b466aa5ac9d453
+SHA512 (stunnel-5.35.tar.gz) = cdec7ddafbfac4a1d420704baec72fedbd655871137ec8283c066203c0859019c6e11ce00647e5b471a019409e4eb5e9525166eddd7ddffa25055b95c0cacd9e
+Size (stunnel-5.35.tar.gz) = 645148 bytes
 SHA1 (patch-aa) = b247aca629197887fb720f7a02d9b73d60bb0d37
 SHA1 (patch-ac) = 91b09d39fb968ad76952acdff250150d3e372c36
+SHA1 (patch-stunnel.conf-sample.in) = 86d195963e5ad2db381ac89ae0fca13a7f641fa5
diff -r bfef343fbf62 -r 97441a5ee9e0 security/stunnel/patches/patch-stunnel.conf-sample.in
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/stunnel/patches/patch-stunnel.conf-sample.in     Sat Sep 03 18:13:39 2016 +0000
@@ -0,0 +1,22 @@
+$NetBSD: patch-stunnel.conf-sample.in,v 1.1.2.2 2016/09/03 18:13:39 bsiegert Exp $
+
+--- tools/stunnel.conf-sample.in.orig  2016-07-05 21:27:57.000000000 +0000
++++ tools/stunnel.conf-sample.in
+@@ -8,11 +8,14 @@
+ ; **************************************************************************
+ 
+ ; It is recommended to drop root privileges if stunnel is started by root
+-;setuid = nobody
+-;setgid = @DEFAULT_GROUP@
++setuid = @STUNNEL_USER@
++setgid = @STUNNEL_GROUP@
++
++; Default chroot path
++chroot = @localstatedir@/chroot/stunnel/
+ 
+ ; PID file is created inside the chroot jail (if enabled)
+-;pid = @localstatedir@/run/stunnel.pid
++pid = /pid/stunnel.pid
+ 
+ ; Debugging stuff (may be useful for troubleshooting)
+ ;foreground = yes
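Review bot: The new `pid = /pid/stunnel.pid` line is only valid while the `chroot = @localstatedir@/chroot/stunnel/` line above it stays enabled, but the surrounding comment still says "(if enabled)" as though chroot were optional. An administrator who comments out chroot is left with a PID path of /pid/stunnel.pid on the real root filesystem, which the unprivileged user set by setuid/setgid is unlikely to be able to write. Suggest extending the comment to state that the pid path is relative to the chroot directory and must be changed together with it. Since setuid, setgid and chroot are now active by default rather than commented out, it is also worth a comment that files stunnel needs after startup must live inside the jail.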


