authorPeter Pentchev <roam@ringlet.net>2015-06-13 19:17:55 +0300
committerPeter Pentchev <roam@ringlet.net>2015-06-13 19:17:55 +0300
commited1f89568c2ace62464787ce32755d96b76de920 (patch)
tree9c92388961058ca586723bd6d56ecc738f089f6f /debian/patches
parent4bf54ef2608bddfab1839571f6c7af84a6a5eb89 (diff)
Update the Debian patches for stunnel-5.15.
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/01-fix-paths.patch111
-rw-r--r--debian/patches/02-rename-binary.patch27
-rw-r--r--debian/patches/03-runas-user.patch12
-rw-r--r--debian/patches/19-typos.patch92
-rw-r--r--debian/patches/21-arg-null.patch17
-rw-r--r--debian/patches/series1
6 files changed, 135 insertions, 125 deletions
diff --git a/debian/patches/01-fix-paths.patch b/debian/patches/01-fix-paths.patch
index fdff723..ec82e7a 100644
--- a/debian/patches/01-fix-paths.patch
+++ b/debian/patches/01-fix-paths.patch
@@ -5,18 +5,11 @@ Forwarded: not-needed
Author: Paolo Molaro <lupus@debian.org>
Author: Julien Lemoine <speedblue@debian.org>
Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
-Last-Update: 2015-06-04
+Last-Update: 2015-06-13
--- a/tools/stunnel.conf-sample.in
+++ b/tools/stunnel.conf-sample.in
-@@ -10,25 +10,25 @@
- ; A copy of some devices and system files is needed within the chroot jail
- ; Chroot conflicts with configuration file reload and many other features
- ; Remember also to update the logrotate configuration.
--;chroot = @prefix@/var/lib/stunnel/
-+;chroot = @localstatedir@/lib/stunnel/
- ; Chroot jail can be escaped if setuid option is not used
- ;setuid = nobody
+@@ -12,12 +12,12 @@
;setgid = @DEFAULT_GROUP@
; PID file is created inside the chroot jail (if enabled)
@@ -24,34 +17,78 @@ Last-Update: 2015-06-04
+;pid = @localstatedir@/run/stunnel.pid
; Debugging stuff (may be useful for troubleshooting)
- ;debug = 7
+ ;foreground = yes
+ ;debug = info
-;output = stunnel.log
+;output = @localstatedir@/log/stunnel/stunnel.log
- ; **************************************************************************
- ; * Service defaults may also be specified in individual service sections *
- ; **************************************************************************
-
- ; Certificate/key is needed in server mode and optional in client mode
--cert = @prefix@/etc/stunnel/mail.pem
--;key = @prefix@/etc/stunnel/mail.pem
-+cert = @sysconfdir@/stunnel/mail.pem
-+;key = @sysconfdir@/stunnel/mail.pem
-
- ; Authentication stuff needs to be configured to prevent MITM attacks
- ; It is not enabled by default!
-@@ -37,12 +37,12 @@
- ; CApath is located inside chroot jail
- ;CApath = /certs
- ; It's often easier to use CAfile
--;CAfile = @prefix@/etc/stunnel/certs.pem
-+;CAfile = @sysconfdir@/stunnel/certs.pem
- ; Don't forget to c_rehash CRLpath
- ; CRLpath is located inside chroot jail
- ;CRLpath = /crls
- ; Alternatively CRLfile can be used
--;CRLfile = @prefix@/etc/stunnel/crls.pem
-+;CRLfile = @sysconfdir@/stunnel/crls.pem
-
- ; Enable support for the insecure SSLv2 protocol
- ;options = -NO_SSLv2
+ ; Enable FIPS 140-2 mode if needed for compliance
+ ;fips = yes
+@@ -44,7 +44,7 @@
+ accept = 127.0.0.1:110
+ connect = pop.gmail.com:995
+ verify = 2
+-CApath = /etc/ssl/certs
++CApath = @sysconfdir/ssl/certs
+ checkHost = pop.gmail.com
+
+ [gmail-imap]
+@@ -52,7 +52,7 @@
+ accept = 127.0.0.1:143
+ connect = imap.gmail.com:993
+ verify = 2
+-CApath = /etc/ssl/certs
++CApath = @sysconfdir/ssl/certs
+ checkHost = imap.gmail.com
+
+ [gmail-smtp]
+@@ -60,7 +60,7 @@
+ accept = 127.0.0.1:25
+ connect = smtp.gmail.com:465
+ verify = 2
+-CApath = /etc/ssl/certs
++CApath = @sysconfdir/ssl/certs
+ checkHost = smtp.gmail.com
+
+ ; ***************************************** Example TLS server mode services
+@@ -68,34 +68,34 @@
+ ;[pop3s]
+ ;accept = 995
+ ;connect = 110
+-;cert = @prefix@/etc/stunnel/stunnel.pem
++;cert = @sysconfdir@/stunnel/stunnel.pem
+
+ ;[imaps]
+ ;accept = 993
+ ;connect = 143
+-;cert = @prefix@/etc/stunnel/stunnel.pem
++;cert = @sysconfdir@/stunnel/stunnel.pem
+
+ ;[ssmtp]
+ ;accept = 465
+ ;connect = 25
+-;cert = @prefix@/etc/stunnel/stunnel.pem
++;cert = @sysconfdir@/stunnel/stunnel.pem
+
+ ; TLS front-end to a web server
+ ;[https]
+ ;accept = 443
+ ;connect = 80
+-;cert = @prefix@/etc/stunnel/stunnel.pem
++;cert = @sysconfdir@/stunnel/stunnel.pem
+ ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
+ ; Microsoft implementations do not use TLS close-notify alert and thus they
+ ; are vulnerable to truncation attacks
+ ;TIMEOUTclose = 0
+
+ ; Remote shell protected with PSK-authenticated TLS
+-; Create "@prefix@/etc/stunnel/secrets.txt" containing IDENTITY:KEY pairs
++; Create "@sysconfdir@/stunnel/secrets.txt" containing IDENTITY:KEY pairs
+ ;[shell]
+ ;accept = 1337
+ ;exec = /bin/sh
+ ;execArgs = sh -i
+-;PSKsecrets = @prefix@/etc/stunnel/secrets.txt
++;PSKsecrets = @sysconfdir@/stunnel/secrets.txt
+
+ ; vim:ft=dosini
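Review bot: The three new `CApath = @sysconfdir/ssl/certs` lines in the gmail-pop3, gmail-imap and gmail-smtp examples are missing the closing `@` of the autoconf substitution, unlike every other `@sysconfdir@` path in this hunk; configure will leave the string literal, so the installed sample points these `verify = 2` services at a directory that does not exist and peer certificate verification cannot succeed. The fix is `+CApath = @sysconfdir@/ssl/certs` on all three lines. It is also worth confirming that `@sysconfdir@` expands to `/etc` in this build, since the original value was the system CA directory `/etc/ssl/certs`, which is not relative to stunnel's own configuration directory.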
diff --git a/debian/patches/02-rename-binary.patch b/debian/patches/02-rename-binary.patch
index c989799..767a979 100644
--- a/debian/patches/02-rename-binary.patch
+++ b/debian/patches/02-rename-binary.patch
@@ -15,29 +15,6 @@ Last-Update: 2015-06-13
# stunnel3 script body begins here
($read_fd, $write_fd)=POSIX::pipe();
---- a/tools/stunnel.conf-sample.in
-+++ b/tools/stunnel.conf-sample.in
-@@ -10,17 +10,17 @@
- ; A copy of some devices and system files is needed within the chroot jail
- ; Chroot conflicts with configuration file reload and many other features
- ; Remember also to update the logrotate configuration.
--;chroot = @localstatedir@/lib/stunnel/
-+;chroot = @localstatedir@/lib/stunnel4/
- ; Chroot jail can be escaped if setuid option is not used
- ;setuid = nobody
- ;setgid = @DEFAULT_GROUP@
-
- ; PID file is created inside the chroot jail (if enabled)
--;pid = @localstatedir@/run/stunnel.pid
-+;pid = @localstatedir@/run/stunnel4.pid
-
- ; Debugging stuff (may be useful for troubleshooting)
- ;debug = 7
--;output = @localstatedir@/log/stunnel/stunnel.log
-+;output = @localstatedir@/log/stunnel4/stunnel.log
-
- ; **************************************************************************
- ; * Service defaults may also be specified in individual service sections *
--- a/doc/stunnel.pl.8
+++ b/doc/stunnel.pl.8
@@ -70,8 +70,8 @@
@@ -45,9 +22,9 @@ Last-Update: 2015-06-13
.\" ========================================================================
.\"
-.IX Title "STUNNEL.PL 8"
--.TH STUNNEL.PL 8 "2015.03.20" "5.13" "stunnel"
+-.TH STUNNEL.PL 8 "2015.04.13" "5.15" "stunnel"
+.IX Title "STUNNEL4.PL 8"
-+.TH STUNNEL.PL 8 "2015.03.20" "5.13" "stunnel4"
++.TH STUNNEL.PL 8 "2015.04.13" "5.15" "stunnel4"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
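Review bot: The sample configuration's commented-out chroot, pid and output defaults lose their `stunnel4` directory names once this hunk is dropped from 02-rename-binary.patch: after this commit 01-fix-paths.patch leaves them at `@localstatedir@/run/stunnel.pid` and `@localstatedir@/log/stunnel/stunnel.log`, and the refreshed context in 03-runas-user.patch likewise shows `stunnel.pid`. If the package's logrotate and init files (not visible here) still use the `stunnel4` paths, the shipped example now disagrees with them, and the paths are the ones a chroot or log-permission setup depends on. If the drop is intentional, a sentence in the patch's Description explaining why the sample-config hunk was removed would help the next maintainer.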
diff --git a/debian/patches/03-runas-user.patch b/debian/patches/03-runas-user.patch
index 7af5d0c..e493fc8 100644
--- a/debian/patches/03-runas-user.patch
+++ b/debian/patches/03-runas-user.patch
@@ -2,18 +2,18 @@ Description: Change the default user the binary will run as to stunnel4
Forwarded: not-needed
Author: Julien Lemoine <speedblue@debian.org>
Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
-Last-Update: 2015-06-04
+Last-Update: 2015-06-13
--- a/tools/stunnel.conf-sample.in
+++ b/tools/stunnel.conf-sample.in
-@@ -12,8 +12,8 @@
- ; Remember also to update the logrotate configuration.
- ;chroot = @localstatedir@/lib/stunnel4/
- ; Chroot jail can be escaped if setuid option is not used
+@@ -8,8 +8,8 @@
+ ; **************************************************************************
+
+ ; It is recommended to drop root privileges if stunnel is started by root
-;setuid = nobody
-;setgid = @DEFAULT_GROUP@
+;setuid = stunnel4
+;setgid = stunnel4
; PID file is created inside the chroot jail (if enabled)
- ;pid = @localstatedir@/run/stunnel4.pid
+ ;pid = @localstatedir@/run/stunnel.pid
diff --git a/debian/patches/19-typos.patch b/debian/patches/19-typos.patch
index 296804c..9653b49 100644
--- a/debian/patches/19-typos.patch
+++ b/debian/patches/19-typos.patch
@@ -102,7 +102,21 @@ Last-Update: 2015-06-13
}
--- a/doc/stunnel.pod
+++ b/doc/stunnel.pod
-@@ -143,11 +143,11 @@
+@@ -85,11 +85,11 @@
+
+ =item B<-reload> (Windows NT and later only)
+
+-Reload configuration file of the running NT Service
++Reload the configuration file of the running NT Service
+
+ =item B<-reopen> (Windows NT and later only)
+
+-Reopen log file of the running NT Service
++Reopen the log file of the running NT Service
+
+ =item B<-exit> (Win32 only)
+
+@@ -152,11 +152,11 @@
directory to chroot B<stunnel> process
@@ -116,7 +130,7 @@ Last-Update: 2015-06-13
=over 4
-@@ -182,7 +182,7 @@
+@@ -191,7 +191,7 @@
debugging level
@@ -125,7 +139,7 @@ Last-Update: 2015-06-13
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6), or debug (7). All logs for the specified level and
all levels numerically less than it will be shown. Use I<debug = debug> or
-@@ -197,7 +197,7 @@
+@@ -206,7 +206,7 @@
path to Entropy Gathering Daemon socket
@@ -134,7 +148,7 @@ Last-Update: 2015-06-13
generator. (Available only if compiled with B<OpenSSL 0.9.5a> or higher)
=item B<engine> = auto | ENGINE_ID
-@@ -206,7 +206,7 @@
+@@ -215,7 +215,7 @@
default: software-only cryptography
@@ -143,7 +157,7 @@ Last-Update: 2015-06-13
OpenSC engine
engine=dynamic
-@@ -242,7 +242,7 @@
+@@ -251,7 +251,7 @@
Enable or disable FIPS 140-2 mode.
@@ -152,7 +166,7 @@ Last-Update: 2015-06-13
with FIPS 140-2 support.
default: no (since version 5.00)
-@@ -281,7 +281,7 @@
+@@ -290,7 +290,7 @@
log file handling
@@ -161,7 +175,7 @@ Last-Update: 2015-06-13
option) is appended or overwritten when opened or re-opened.
default: append
-@@ -299,7 +299,7 @@
+@@ -308,7 +308,7 @@
If the argument is empty, then no pid file will be created.
@@ -170,7 +184,7 @@ Last-Update: 2015-06-13
=item B<RNDbytes> = BYTES
-@@ -343,10 +343,10 @@
+@@ -352,10 +352,10 @@
=item B<socket> = a|l|r:OPTION=VALUE[:VALUE]
@@ -184,7 +198,7 @@ Last-Update: 2015-06-13
Examples:
-@@ -377,7 +377,7 @@
+@@ -386,7 +386,7 @@
=head2 SERVICE-LEVEL OPTIONS
@@ -193,7 +207,7 @@ Last-Update: 2015-06-13
The service name is used for libwrap (TCP Wrappers) access control and lets
you distinguish B<stunnel> services in your log files.
-@@ -404,20 +404,20 @@
+@@ -413,20 +413,20 @@
Certificate Authority directory
This is the directory in which B<stunnel> will look for certificates when using
@@ -217,7 +231,7 @@ Last-Update: 2015-06-13
=item B<cert> = PEM_FILE
-@@ -432,7 +432,7 @@
+@@ -468,7 +468,7 @@
Select permitted SSL ciphers
@@ -226,7 +240,7 @@ Last-Update: 2015-06-13
for example DES-CBC3-SHA:IDEA-CBC-MD5.
=item B<client> = yes | no
-@@ -458,25 +458,25 @@
+@@ -494,25 +494,25 @@
Certificate Revocation Lists directory
This is the directory in which B<stunnel> will look for CRLs when
@@ -256,7 +270,7 @@ Last-Update: 2015-06-13
openssl ecparam -list_curves
-@@ -486,7 +486,7 @@
+@@ -522,7 +522,7 @@
connection identifier type
@@ -265,7 +279,7 @@ Last-Update: 2015-06-13
connections.
Currently supported types:
-@@ -525,7 +525,7 @@
+@@ -561,7 +561,7 @@
=item B<delay> = yes | no
@@ -274,7 +288,7 @@ Last-Update: 2015-06-13
This option is useful for dynamic DNS, or when DNS is not available during
B<stunnel> startup (road warrior VPN, dial-up configurations).
-@@ -549,19 +549,19 @@
+@@ -585,19 +585,19 @@
=item B<exec> = EXECUTABLE_PATH
@@ -288,7 +302,7 @@ Last-Update: 2015-06-13
+The following environmental variables are set on Unix platforms:
REMOTE_HOST, REMOTE_PORT, SSL_CLIENT_DN, SSL_CLIENT_I_DN.
- =item B<execargs> = $0 $1 $2 ...
+ =item B<execArgs> = $0 $1 $2 ...
-arguments for I<exec> including program name ($0)
+arguments for I<exec> including the program name ($0)
@@ -299,7 +313,7 @@ Last-Update: 2015-06-13
=item B<failover> = rr | prio
-@@ -578,15 +578,15 @@
+@@ -614,15 +614,15 @@
=item B<key> = KEY_FILE
@@ -319,7 +333,7 @@ Last-Update: 2015-06-13
=item B<libwrap> = yes | no
-@@ -596,8 +596,8 @@
+@@ -632,8 +632,8 @@
=item B<local> = HOST
@@ -330,7 +344,7 @@ Last-Update: 2015-06-13
=item B<sni> = SERVICE:SERVER_PATTERN (server mode)
-@@ -605,29 +605,29 @@
+@@ -641,29 +641,29 @@
Name Indication TLS extension (RFC 3546).
I<service_name> specifies the master service that accepts client connections
@@ -369,7 +383,7 @@ Last-Update: 2015-06-13
=item B<OCSP> = URL
-@@ -679,7 +679,7 @@
+@@ -715,7 +715,7 @@
This option enables initial, protocol-specific negotiation of the SSL/TLS
encryption.
@@ -378,7 +392,7 @@ Last-Update: 2015-06-13
Currently supported protocols:
-@@ -746,7 +746,7 @@
+@@ -782,7 +782,7 @@
authentication type for protocol negotiations
@@ -387,7 +401,7 @@ Last-Update: 2015-06-13
default: basic
-@@ -754,11 +754,11 @@
+@@ -790,11 +790,11 @@
destination address for protocol negotiations
@@ -401,7 +415,7 @@ Last-Update: 2015-06-13
=item B<protocolPassword> = PASSWORD
-@@ -790,7 +790,7 @@
+@@ -826,7 +826,7 @@
=item B<pty> = yes | no (Unix only)
@@ -410,7 +424,7 @@ Last-Update: 2015-06-13
=item B<redirect> = [HOST:]PORT
-@@ -817,7 +817,7 @@
+@@ -854,7 +854,7 @@
=item B<reset> = yes | no
@@ -419,7 +433,7 @@ Last-Update: 2015-06-13
This option is not supported on some platforms.
-@@ -837,7 +837,7 @@
+@@ -874,7 +874,7 @@
entries.
The value of 0 can be used for unlimited size. It is not recommended
@@ -428,7 +442,7 @@ Last-Update: 2015-06-13
=item B<sessionCacheTimeout> = TIMEOUT
-@@ -869,7 +869,7 @@
+@@ -906,7 +906,7 @@
=item B<TIMEOUTconnect> = SECONDS
@@ -437,7 +451,7 @@ Last-Update: 2015-06-13
=item B<TIMEOUTidle> = SECONDS
-@@ -889,7 +889,7 @@
+@@ -926,7 +926,7 @@
=item I<source>
@@ -446,7 +460,7 @@ Last-Update: 2015-06-13
from the SSL client machine instead of the machine running B<stunnel>.
This option is currently available in:
-@@ -899,7 +899,7 @@
+@@ -936,7 +936,7 @@
=item Remote mode (I<connect> option) on I<Linux E<gt>=2.6.28>
This configuration requires B<stunnel> to be executed as root and without
@@ -455,7 +469,7 @@ Last-Update: 2015-06-13
This configuration requires the following setup for iptables and routing
(possibly in /etc/rc.local or equivalent file):
-@@ -912,25 +912,25 @@
+@@ -949,25 +949,25 @@
ip route add local 0.0.0.0/0 dev lo table 100
echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
@@ -486,7 +500,7 @@ Last-Update: 2015-06-13
_RLD_LIST environment variable is used on Tru64, and LD_PRELOAD variable on
other platforms.
-@@ -938,7 +938,7 @@
+@@ -975,7 +975,7 @@
=item I<destination>
@@ -495,7 +509,7 @@ Last-Update: 2015-06-13
A service section for transparent destination may look like this:
-@@ -962,7 +962,7 @@
+@@ -999,7 +999,7 @@
/sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
-i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>
@@ -504,7 +518,7 @@ Last-Update: 2015-06-13
=item I<both>
-@@ -976,40 +976,40 @@
+@@ -1013,40 +1013,40 @@
=item I<yes>
@@ -553,7 +567,7 @@ Last-Update: 2015-06-13
=item default
-@@ -1017,7 +1017,7 @@
+@@ -1054,7 +1054,7 @@
=back
@@ -562,7 +576,7 @@ Last-Update: 2015-06-13
control and not for authorization. Specifically for level 2 every non-revoked
certificate is accepted regardless of its Common Name. For this reason a
dedicated CA should be used with level 2, and not a generic CA commonly used
-@@ -1067,16 +1067,16 @@
+@@ -1104,16 +1104,16 @@
=back
@@ -583,7 +597,7 @@ Last-Update: 2015-06-13
This function can be used for log rotation.
=item SIGTERM, SIGQUIT, SIGINT
-@@ -1191,8 +1191,8 @@
+@@ -1228,8 +1228,8 @@
The order of contents of the I<.pem> file is important. It should contain the
unencrypted private key first, then a signed certificate (not certificate
@@ -594,7 +608,7 @@ Last-Update: 2015-06-13
should be discarded. So the file should look like this:
-----BEGIN RSA PRIVATE KEY-----
-@@ -1206,7 +1206,7 @@
+@@ -1243,7 +1243,7 @@
=head2 RANDOMNESS
@@ -603,12 +617,12 @@ Last-Update: 2015-06-13
order for SSL to use good randomness. The following sources are loaded
in order until sufficient random data has been gathered:
-@@ -1292,7 +1292,7 @@
+@@ -1329,7 +1329,7 @@
=head1 BUGS
--Option I<execargs> and Win32 command line does not support quoting.
-+The I<execargs> option and the Win32 command line do not support quoting.
+-Option I<execArgs> and Win32 command line does not support quoting.
++The I<execArgs> option and the Win32 command line do not support quoting.
=head1 SEE ALSO
diff --git a/debian/patches/21-arg-null.patch b/debian/patches/21-arg-null.patch
deleted file mode 100644
index 2108cc9..0000000
--- a/debian/patches/21-arg-null.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Description: Remove a redundant null pointer check.
-Forwarded: not yet
-Author: Peter Pentchev <roam@ringlet.net>
-Last-Update: 2015-06-04
-
---- a/src/sthreads.c
-+++ b/src/sthreads.c
-@@ -438,8 +438,7 @@
- s_log(LOG_DEBUG, "Creating a new thread");
- if((long)_beginthread((void(*)(void *))cli, arg->opt->stack_size, arg)==-1) {
- ioerror("_beginthread");
-- if(arg)
-- str_free(arg);
-+ str_free(arg);
- if(s>=0)
- closesocket(s);
- return -1;
diff --git a/debian/patches/series b/debian/patches/series
index 958f6df..6a17fbc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,4 +7,3 @@
18-lsb-startup.patch
19-typos.patch
20-comparison.patch
-21-arg-null.patch