NetBSD Problem Report #51449
Message-Id: <201608291038.u7TAchfe006222@ginseng.pulsar-zone.net>
Date: Mon, 29 Aug 2016 06:38:43 -0400
From: Matthew Mondor <mm_lists@pulsar-zone.net>
To: gnats-bugs@NetBSD.org
Subject: patch for stunnel security update to 5.35
>Number: 51449
>Category: pkg
>Synopsis: patch for stunnel security update to 5.35
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: jym
>State: closed
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Mon Aug 29 10:40:01 +0000 2016
>Closed-Date: Sat Sep 03 18:44:53 +0000 2016
>Last-Modified: Sat Sep 03 18:44:53 +0000 2016
>Originator: Matthew Mondor
>Release: NetBSD 7.0_STABLE
>Organization:
>Environment:
System: NetBSD ninja.xisop 7.0_STABLE NetBSD 7.0_STABLE (GENERIC_MM) #0: Thu Jul 28 22:49:47 EDT 2016 root@ninja.xisop:/usr/obj/sys/arch/amd64/compile/GENERIC_MM amd64
Architecture: x86_64
Machine: amd64
>Description:
pkgsrc-2016Q2 and pkgsrc-current both still had 5.32, which contained
serious memory leaks. A security vulnerability was also fixed for
5.35. The dependency on zlib was also dropped.
>How-To-Repeat:
>Fix:
A patch is attached.
Attachment: pkgsrc-security-stunnel.diff
Index: Makefile
===================================================================
RCS file: /data/rsync/netbsd-cvs/pkgsrc/security/stunnel/Makefile,v
retrieving revision 1.103
diff -u -r1.103 Makefile
--- Makefile 9 Jul 2016 06:38:57 -0000 1.103
+++ Makefile 29 Aug 2016 10:30:11 -0000
@@ -1,7 +1,7 @@
# $NetBSD: Makefile,v 1.103 2016/07/09 06:38:57 wiz Exp $
-DISTNAME= stunnel-5.32
-PKGREVISION= 1
+DISTNAME= stunnel-5.35
+#PKGREVISION= 1
CATEGORIES= security
MASTER_SITES= http://www.stunnel.org/downloads/
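Review bot: `+#PKGREVISION= 1` should be a deletion, not a commented-out line. A DISTNAME bump resets PKGREVISION by removing it, and a dormant `#PKGREVISION= 1` invites a later uncomment that would produce a stunnel-5.35nb1 with no corresponding change; drop the line outright so the hunk reads as one `-PKGREVISION= 1` with nothing in its place. The untouched `MASTER_SITES= http://www.stunnel.org/downloads/` context line is a reminder that the fetch is plain http and the distinfo digests are the only thing standing between the mirror and the build.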
@@ -57,6 +57,5 @@
.include "options.mk"
-.include "../../devel/zlib/buildlink3.mk"
.include "../../security/openssl/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
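Review bot: removing `../../devel/zlib/buildlink3.mk` is only safe if the 5.35 configure script no longer links zlib on its own; with the buildlink gone, a libz found in the base system would be picked up silently and the package would carry an unrecorded dependency. Check the configure output or `ldd` of the installed stunnel binary for libz after a build, and state the reason for the drop (upstream no longer needs zlib) in the commit message, since the changelog quoted later in this PR does not mention it.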
Index: distinfo
===================================================================
RCS file: /data/rsync/netbsd-cvs/pkgsrc/security/stunnel/distinfo,v
retrieving revision 1.50
diff -u -r1.50 distinfo
--- distinfo 3 Jun 2016 23:12:06 -0000 1.50
+++ distinfo 29 Aug 2016 10:22:42 -0000
@@ -1,8 +1,8 @@
$NetBSD: distinfo,v 1.50 2016/06/03 23:12:06 jym Exp $
-SHA1 (stunnel-5.32.tar.gz) = 44f64ee0f9c7235a00d33b8338d439dbc519c594
-RMD160 (stunnel-5.32.tar.gz) = 13157bd6b1b32ca87465ff11dcd9bceed424c480
-SHA512 (stunnel-5.32.tar.gz) = aad3b718a727ae23bc88bda027017a5e4e19d2d08c1d4e95087dae20d4ed994d0ce29e9ae4b4d40456a7d7aaeb10c30a4283c6be2965d7183982204a347781bc
-Size (stunnel-5.32.tar.gz) = 641907 bytes
+SHA1 (stunnel-5.35.tar.gz) = 90cafc2208aa3acefb503856482e163e9af463c4
+RMD160 (stunnel-5.35.tar.gz) = 92f7c680e9de49740094a531c5b466aa5ac9d453
+SHA512 (stunnel-5.35.tar.gz) = cdec7ddafbfac4a1d420704baec72fedbd655871137ec8283c066203c0859019c6e11ce00647e5b471a019409e4eb5e9525166eddd7ddffa25055b95c0cacd9e
+Size (stunnel-5.35.tar.gz) = 645148 bytes
SHA1 (patch-aa) = b247aca629197887fb720f7a02d9b73d60bb0d37
SHA1 (patch-ac) = 91b09d39fb968ad76952acdff250150d3e372c36
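Review bot: the replaced SHA1/RMD160/SHA512/Size lines are the only integrity check pkgsrc applies to the 5.35 tarball, so they must come from a distfile cross-checked against the upstream stunnel signature rather than from whatever the submitter's fetch happened to return; the PR should say how the tarball was verified before the digests were taken. The `SHA1 (patch-aa)` and `SHA1 (patch-ac)` lines are kept unchanged, so confirm both patches still apply cleanly to 5.35 with `make patch`; if either had to be regenerated, its SHA1 line must change in the same commit.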
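The distinfo hunk above records the 5.35 distfile by SHA1, RMD160, SHA512 and byte size; pkgsrc refuses to extract a fetched tarball whose values differ, which is the only integrity check a plain-http MASTER_SITES leaves. As an added illustration, not part of this PR, of pkgsrc or of stunnel, the script below re-implements that check in POSIX sh for the SHA512 and Size lines, and shows why size alone is not enough. The distfile it builds and the distinfo it writes are constructed for the demo; the `sha512 -q` fallback for NetBSD is an assumption about that tool's quiet flag.

```shell
#!/bin/sh
# Added example; not part of the PR, of pkgsrc, or of stunnel. Re-implements
# the check pkgsrc's distinfo provides: a distfile is accepted only if its
# SHA512 and byte size match the lines recorded for it. SHA1/RMD160 lines are
# left alone here since SHA512 is the digest that matters. The file names and
# contents used in the demo at the bottom are constructed.

# SHA512 of a file, using whichever tool is present: sha512sum on GNU systems,
# sha512(1) on NetBSD (assumed to take -q for digest-only output), openssl last.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{ print $1 }'
    elif command -v sha512 >/dev/null 2>&1; then
        sha512 -q "$1"
    else
        openssl dgst -sha512 -r "$1" | awk '{ print $1 }'
    fi
}

# Size in bytes; wc -c is portable where stat(1) flags are not.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Emit distinfo-style SHA512 and Size lines for a file.
make_distinfo() {
    name=$(basename "$1")
    printf 'SHA512 (%s) = %s\n' "$name" "$(sha512_of "$1")"
    printf 'Size (%s) = %s bytes\n' "$name" "$(size_of "$1")"
}

# check_distfile DISTINFO FILE
# Returns 0 when both SHA512 and Size match, 1 when either differs, and 2 when
# DISTINFO has no entry for FILE (an unrecorded distfile must never be used).
check_distfile() {
    distinfo=$1
    file=$2
    name=$(basename "$file")
    want_sum=$(awk -v n="$name" '$1 == "SHA512" && $2 == ("(" n ")") { print $4 }' "$distinfo")
    want_size=$(awk -v n="$name" '$1 == "Size" && $2 == ("(" n ")") { print $4 }' "$distinfo")
    [ -n "$want_sum" ] && [ -n "$want_size" ] || return 2
    # Size first: cheap, and it catches truncated downloads, but it is not a
    # security check; the digest comparison is.
    [ "$(size_of "$file")" = "$want_size" ] || return 1
    [ "$(sha512_of "$file")" = "$want_sum" ] || return 1
    return 0
}

# Demo: record a constructed distfile, then change one byte while keeping the
# size the same, so that only the digest catches the tampering.
demo_dir=$(mktemp -d)
printf 'constructed distfile contents\n' > "$demo_dir/stunnel-5.35.tar.gz"
make_distinfo "$demo_dir/stunnel-5.35.tar.gz" > "$demo_dir/distinfo"
check_distfile "$demo_dir/distinfo" "$demo_dir/stunnel-5.35.tar.gz" \
    && echo "pristine distfile: OK"
printf 'constructed distfile contentX\n' > "$demo_dir/stunnel-5.35.tar.gz"
check_distfile "$demo_dir/distinfo" "$demo_dir/stunnel-5.35.tar.gz" \
    || echo "tampered distfile rejected (status $?)"
rm -rf "$demo_dir"
```

The return codes mirror what a fetch step needs: 1 means re-fetch from another mirror and compare again, 2 means the distfile was never recorded and the build must stop rather than fall through.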
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: pkg-manager->jym
Responsible-Changed-By: leot@NetBSD.org
Responsible-Changed-When: Mon, 29 Aug 2016 11:43:07 +0000
Responsible-Changed-Why:
Jean-Yves, can you please give a look? (over to MAINTAINER)
From: Jean-Yves Migeon <jym@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/51449 (patch for stunnel security update to 5.35)
Date: Mon, 29 Aug 2016 13:48:07 +0200
On 2016-08-29 13:43, leot@NetBSD.org wrote:
> Synopsis: patch for stunnel security update to 5.35
>
> Responsible-Changed-From-To: pkg-manager->jym
> Responsible-Changed-By: leot@NetBSD.org
> Responsible-Changed-When: Mon, 29 Aug 2016 11:43:07 +0000
> Responsible-Changed-Why:
> Jean-Yves, can you please give a look? (over to MAINTAINER)
Yup, thanks for the ping
--
Jean-Yves Migeon
From: "Jean-Yves Migeon" <jym@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/51449 CVS commit: pkgsrc/security/stunnel
Date: Mon, 29 Aug 2016 19:21:25 +0000
Module Name: pkgsrc
Committed By: jym
Date: Mon Aug 29 19:21:25 UTC 2016
Modified Files:
pkgsrc/security/stunnel: Makefile distinfo
Added Files:
pkgsrc/security/stunnel/patches: patch-stunnel.conf-sample.in
Log Message:
PR pkg/51449
Update stunnel to 5.35.
- Add patch to provide an explicit chroot option to the default
configuration sample (option is documented but not found within
the default conf file). While here, enable setuid/setgid as
stunnel user/group creations are handled by package.
- Rework SUBSTs so that they apply to the correct sample
config file.
Changelog:
Version 5.35, 2016.07.18, urgency: HIGH
* Bugfixes
- Fixed incorrectly enforced client certificate requests.
- Only default to SO_EXCLUSIVEADDRUSE on Vista and later.
- Fixed thread safety of the configuration file reopening.
Version 5.34, 2016.07.05, urgency: HIGH
* Security bugfixes
- Fixed malfunctioning "verify = 4".
* New features
- Bind sockets with SO_EXCLUSIVEADDRUSE on WIN32.
- Added three new service-level options: requireCert, verifyChain,
and verifyPeer for fine-grained certificate verification control.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
Version 5.33, 2016.06.23, urgency: HIGH
* New features
- Improved memory leak detection performance and accuracy.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- SNI support also enabled on OpenSSL 0.9.8f and later (thx to
Guillermo Rodriguez Garcia).
- Added support for PKCS #12 (.p12/.pfx) certificates (thx to
Dmitry Bakshaev).
* Bugfixes
- Fixed a TLS session caching memory leak (thx to Richard Kraemer).
Before stunnel 5.27 this leak only emerged with sessiond enabled.
- Yet another WinCE socket fix (thx to Richard Kraemer).
- Fixed passphrase/pin dialogs in tstunnel.exe.
- Fixed a FORK threading build regression bug.
- OPENSSL_NO_DH compilation fix (thx to Brian Lin).
To generate a diff of this commit:
cvs rdiff -u -r1.103 -r1.104 pkgsrc/security/stunnel/Makefile
cvs rdiff -u -r1.50 -r1.51 pkgsrc/security/stunnel/distinfo
cvs rdiff -u -r0 -r1.1 \
pkgsrc/security/stunnel/patches/patch-stunnel.conf-sample.in
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
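The commit's first bullet adds an explicit chroot line to the sample configuration and enables setuid/setgid in it, because the package creates the stunnel user and group. As an added example that is not part of the commit, of pkgsrc or of stunnel, the script below audits a stunnel.conf for those three global options and checks that every service section verifies its peer, accepting either the verifyChain/verifyPeer options the 5.34 changelog introduces or the older verify level. The two configurations it runs on are constructed, and every path and host name in them is an assumption.

```shell
#!/bin/sh
# Added example; not part of the pkgsrc patch or of stunnel. Audits a
# stunnel.conf for the hardening the commit puts into the sample config:
# chroot, setuid and setgid in the global section, plus peer verification on
# every service. Option names are stunnel's own (verifyChain, verifyPeer and
# requireCert exist from 5.34); the two demo configs below are constructed.

# audit_stunnel_conf FILE
# Prints one finding per line; returns 0 with no output when the file passes,
# 1 otherwise.
audit_stunnel_conf() {
    findings=$(awk '
        function flush_service() {
            if (svc != "" && !verified)
                print "service [" svc "]: no peer verification (set verifyChain = yes or verifyPeer = yes, or verify >= 2)"
        }
        BEGIN { split("", global); svc = "" }
        # drop ; and # comments and surrounding blanks, then skip empty lines
        { sub(/[;#].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^$/ { next }
        # a [name] line opens a service section; options before any section are global
        /^\[.*\]$/ {
            flush_service()
            svc = substr($0, 2, length($0) - 2)
            verified = 0
            next
        }
        {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (svc == "") { global[key] = val; next }
            # either of the 5.34 options, or the legacy verify level 2..4
            if ((key == "verifyChain" || key == "verifyPeer") && val == "yes") verified = 1
            if (key == "verify" && val + 0 >= 2) verified = 1
        }
        END {
            flush_service()
            if (!("chroot" in global)) print "global: no chroot, stunnel runs in the host filesystem"
            if (!("setuid" in global)) print "global: no setuid, stunnel keeps the uid it was started with"
            if (!("setgid" in global)) print "global: no setgid, stunnel keeps the gid it was started with"
        }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo: the first file has the privilege options present but commented out,
# as the old sample did; the second is the hardened form.
weak=$(mktemp); hard=$(mktemp)
cat > "$weak" <<'EOF'
; constructed: privilege options commented out
;chroot = /var/chroot/stunnel
;setuid = stunnel
;setgid = stunnel
pid = /stunnel.pid
[https]
accept  = 443
connect = 8080
cert = /etc/stunnel/stunnel.pem
EOF
cat > "$hard" <<'EOF'
; constructed: hardened form, paths are assumptions
chroot = /var/chroot/stunnel
setuid = stunnel
setgid = stunnel
pid = /stunnel.pid        ; relative to the chroot directory
[https]
accept  = 443
connect = 8080
cert = /etc/stunnel/stunnel.pem
CAfile = /etc/stunnel/trusted-clients.pem
requireCert = yes
verifyChain = yes
[smtp-out]
client  = yes
accept  = 127.0.0.1:2525
connect = mail.example.net:465
CAfile = /etc/openssl/cert.pem
verifyChain = yes
checkHost = mail.example.net
EOF
echo "== weak =="; audit_stunnel_conf "$weak" || echo "FAIL"
echo "== hardened =="; audit_stunnel_conf "$hard" && echo "PASS"
rm -f "$weak" "$hard"
```

With chroot set, stunnel resolves pid relative to the chroot directory, while cert, key and CAfile are opened before the chroot happens and keep their normal absolute paths; a chroot line added without a matching pid line is the usual way a hardened sample fails to start.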
From: Matthew Mondor <mm_lists@pulsar-zone.net>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: PR/51449 CVS commit: pkgsrc/security/stunnel
Date: Wed, 31 Aug 2016 17:27:34 -0400
On Mon, 29 Aug 2016 19:25:00 +0000 (UTC)
"Jean-Yves Migeon" <jym@netbsd.org> wrote:
> Module Name: pkgsrc
> Committed By: jym
> Date: Mon Aug 29 19:21:25 UTC 2016
>
> Modified Files:
> pkgsrc/security/stunnel: Makefile distinfo
> Added Files:
> pkgsrc/security/stunnel/patches: patch-stunnel.conf-sample.in
>
> Log Message:
> PR pkg/51449
>
> Update stunnel to 5.35.
Thanks for the update;
This PR can be closed, unless a pullup is needed on 2016Q2 (is it
required considering it's a security fix)?
--
Matt
From: Jean-Yves Migeon <jym@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: PR/51449 CVS commit: pkgsrc/security/stunnel
Date: Thu, 1 Sep 2016 00:54:57 +0200
On 31/08/2016 at 23:30, Matthew Mondor wrote:
> On Mon, 29 Aug 2016 19:25:00 +0000 (UTC)
> "Jean-Yves Migeon" <jym@netbsd.org> wrote:
>
> > Module Name: pkgsrc
> > Committed By: jym
> > Date: Mon Aug 29 19:21:25 UTC 2016
> >
> > Modified Files:
> > pkgsrc/security/stunnel: Makefile distinfo
> > Added Files:
> > pkgsrc/security/stunnel/patches: patch-stunnel.conf-sample.in
> >
> > Log Message:
> > PR pkg/51449
> >
> > Update stunnel to 5.35.
>
> Thanks for the update;
> This PR can be closed, unless a pullup is needed on 2016Q2 (is it
> required considering it's a security fix)?
I would say yes, forgot to file one... The most important stuff is
probably the OpenSSL update.
I'll file the pull-up for 2016 tomorrow, or later tonight.
Cheers,
--
Jean-Yves Migeon
State-Changed-From-To: open->needs-pullups
State-Changed-By: leot@NetBSD.org
State-Changed-When: Thu, 01 Sep 2016 16:32:31 +0000
State-Changed-Why:
jym fixed it for pkgsrc-current
From: Jean-Yves Migeon <jym@NetBSD.org>
To: gnats-bugs@NetBSD.org, pkgsrc-bugs@netbsd.org, gnats-admin@netbsd.org,
leot@NetBSD.org, Matthew Mondor <mm_lists@pulsar-zone.net>
Cc:
Subject: Re: pkg/51449 (patch for stunnel security update to 5.35)
Date: Thu, 1 Sep 2016 23:34:05 +0200
On 01/09/2016 at 18:32, leot@NetBSD.org wrote:
> Synopsis: patch for stunnel security update to 5.35
>
> State-Changed-From-To: open->needs-pullups
> State-Changed-By: leot@NetBSD.org
> State-Changed-When: Thu, 01 Sep 2016 16:32:31 +0000
> State-Changed-Why:
> jym fixed it for pkgsrc-current
The pullup for 2016Q2 has just been submitted. PR can be closed when
releng@ approves it.
Cheers everyone,
--
Jean-Yves Migeon
State-Changed-From-To: needs-pullups->pending-pullups
State-Changed-By: leot@NetBSD.org
State-Changed-When: Fri, 02 Sep 2016 08:33:33 +0000
State-Changed-Why:
jym requested a pullup, ticket #5089
From: "Benny Siegert" <bsiegert@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/51449 CVS commit: [pkgsrc-2016Q2] pkgsrc/security/stunnel
Date: Sat, 3 Sep 2016 18:13:39 +0000
Module Name: pkgsrc
Committed By: bsiegert
Date: Sat Sep 3 18:13:39 UTC 2016
Modified Files:
pkgsrc/security/stunnel [pkgsrc-2016Q2]: Makefile distinfo
Added Files:
pkgsrc/security/stunnel/patches [pkgsrc-2016Q2]:
patch-stunnel.conf-sample.in
Log Message:
Pullup ticket #5089 - requested by jym
security/stunnel: security fix
Revisions pulled up:
- security/stunnel/Makefile 1.104
- security/stunnel/distinfo 1.51
- security/stunnel/patches/patch-stunnel.conf-sample.in 1.1
---
Module Name: pkgsrc
Committed By: jym
Date: Mon Aug 29 19:21:25 UTC 2016
Modified Files:
pkgsrc/security/stunnel: Makefile distinfo
Added Files:
pkgsrc/security/stunnel/patches: patch-stunnel.conf-sample.in
Log Message:
PR pkg/51449
Update stunnel to 5.35.
- Add patch to provide an explicit chroot option to the default
configuration sample (option is documented but not found within
the default conf file). While here, enable setuid/setgid as
stunnel user/group creations are handled by package.
- Rework SUBSTs so that they apply to the correct sample
config file.
Changelog:
Version 5.35, 2016.07.18, urgency: HIGH
* Bugfixes
- Fixed incorrectly enforced client certificate requests.
- Only default to SO_EXCLUSIVEADDRUSE on Vista and later.
- Fixed thread safety of the configuration file reopening.
Version 5.34, 2016.07.05, urgency: HIGH
* Security bugfixes
- Fixed malfunctioning "verify = 4".
* New features
- Bind sockets with SO_EXCLUSIVEADDRUSE on WIN32.
- Added three new service-level options: requireCert, verifyChain,
and verifyPeer for fine-grained certificate verification control.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
Version 5.33, 2016.06.23, urgency: HIGH
* New features
- Improved memory leak detection performance and accuracy.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- SNI support also enabled on OpenSSL 0.9.8f and later (thx to
Guillermo Rodriguez Garcia).
- Added support for PKCS #12 (.p12/.pfx) certificates (thx to
Dmitry Bakshaev).
* Bugfixes
- Fixed a TLS session caching memory leak (thx to Richard Kraemer).
Before stunnel 5.27 this leak only emerged with sessiond enabled.
- Yet another WinCE socket fix (thx to Richard Kraemer).
- Fixed passphrase/pin dialogs in tstunnel.exe.
- Fixed a FORK threading build regression bug.
- OPENSSL_NO_DH compilation fix (thx to Brian Lin).
To generate a diff of this commit:
cvs rdiff -u -r1.102 -r1.102.2.1 pkgsrc/security/stunnel/Makefile
cvs rdiff -u -r1.50 -r1.50.2.1 pkgsrc/security/stunnel/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
pkgsrc/security/stunnel/patches/patch-stunnel.conf-sample.in
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: pending-pullups->closed
State-Changed-By: leot@NetBSD.org
State-Changed-When: Sat, 03 Sep 2016 18:44:53 +0000
State-Changed-Why:
Pulled up. Thank you very much Matthew for the PR, and thanks
to jym and bsiegert for handling it!
>Unformatted: