author | Peter Pentchev <roam@ringlet.net> | 2014-10-16 14:34:53 +0300 |
---|---|---|
committer | Peter Pentchev <roam@ringlet.net> | 2014-10-16 14:34:53 +0300 |
commit | f037ae7866c4ac0032d79a2a73fea3897a752873 (patch) | |
tree | 19001043fcc8a1490174616a06c65fe2c581422f /debian/patches | |
parent | cab863ff50d7298874a58ab377276ec1ccbfd957 (diff) |
Update the Debian package to stunnel4-3:5.06-1.
This version disables SSLv2 and SSLv3 support by default, so
add a news blurb on re-enabling them.
Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/01-fix-paths.patch | 6 | ||||
-rw-r--r-- | debian/patches/02-rename-binary.patch | 12 | ||||
-rw-r--r-- | debian/patches/08-client-example.patch | 2 | ||||
-rw-r--r-- | debian/patches/10-no-zlib-compression.patch | 2 | ||||
-rw-r--r-- | debian/patches/11-no-rle-compression.patch | 2 | ||||
-rw-r--r-- | debian/patches/12-restore-pidfile-default.patch | 4 | ||||
-rw-r--r-- | debian/patches/16-upstream-sslv23-method.patch | 34 | ||||
-rw-r--r-- | debian/patches/series | 1 |
8 files changed, 49 insertions, 14 deletions
diff --git a/debian/patches/01-fix-paths.patch b/debian/patches/01-fix-paths.patch index 390b47d..25761c7 100644 --- a/debian/patches/01-fix-paths.patch +++ b/debian/patches/01-fix-paths.patch @@ -5,7 +5,7 @@ Forwarded: not-needed Author: Paolo Molaro <lupus@debian.org> Author: Julien Lemoine <speedblue@debian.org> Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> -Last-Update: 2014-06-10 +Last-Update: 2014-10-16 --- a/tools/stunnel.conf-sample.in +++ b/tools/stunnel.conf-sample.in @@ -53,8 +53,8 @@ Last-Update: 2014-06-10 -;CRLfile = @prefix@/etc/stunnel/crls.pem +;CRLfile = @sysconfdir@/stunnel/crls.pem - ; Disable support for insecure SSLv2 protocol - options = NO_SSLv2 + ; Enable support for the insecure SSLv2 protocol + ;options = -NO_SSLv2 --- a/tools/script.sh +++ b/tools/script.sh @@ -2,7 +2,7 @@ diff --git a/debian/patches/02-rename-binary.patch b/debian/patches/02-rename-binary.patch index a105a58..5bef3b8 100644 --- a/debian/patches/02-rename-binary.patch +++ b/debian/patches/02-rename-binary.patch @@ -17,14 +17,14 @@ Last-Update: 2014-10-16 ($read_fd, $write_fd)=POSIX::pipe(); --- a/doc/stunnel.8 +++ b/doc/stunnel.8 -@@ -61,8 +61,8 @@ - .\} +@@ -70,8 +70,8 @@ + .rr rF .\" ======================================================================== .\" -.IX Title "STUNNEL 8" --.TH STUNNEL 8 "2014.10.06" "5.05" "stunnel" +-.TH STUNNEL 8 "2014.10.15" "5.06" "stunnel" +.IX Title "STUNNEL4 8" -+.TH STUNNEL 8 "2014.10.06" "5.05" "stunnel4" ++.TH STUNNEL 8 "2014.10.15" "5.06" "stunnel4" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -58,9 +58,9 @@ Last-Update: 2014-10-16 .\" ======================================================================== .\" -.IX Title "STUNNEL.PL 8" --.TH STUNNEL.PL 8 "2014.10.06" "5.05" "stunnel" +-.TH STUNNEL.PL 8 "2014.10.15" "5.06" "stunnel" +.IX Title "STUNNEL4.PL 8" -+.TH STUNNEL.PL 8 "2014.10.06" "5.05" "stunnel4" ++.TH STUNNEL.PL 8 "2014.10.15" "5.06" "stunnel4" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/debian/patches/08-client-example.patch b/debian/patches/08-client-example.patch index 4bf2d99..7e2e9ce 100644 --- a/debian/patches/08-client-example.patch +++ b/debian/patches/08-client-example.patch @@ -6,7 +6,7 @@ Last-Update: 2014-10-16 --- a/doc/stunnel.8 +++ b/doc/stunnel.8 -@@ -917,6 +917,17 @@ +@@ -929,6 +929,17 @@ \& connect = servername:993 .Ve .PP diff --git a/debian/patches/10-no-zlib-compression.patch b/debian/patches/10-no-zlib-compression.patch index 7f8516d..1f8f388 100644 --- a/debian/patches/10-no-zlib-compression.patch +++ b/debian/patches/10-no-zlib-compression.patch @@ -41,7 +41,7 @@ Last-Update: 2014-10-16 if(!comp->method || comp->method->type==NID_undef) { --- a/src/options.c +++ b/src/options.c -@@ -346,9 +346,9 @@ +@@ -425,9 +425,9 @@ if(strcasecmp(opt, "compression")) break; if(SSLeay()>=0x00908051L && !strcasecmp(arg, "deflate")) diff --git a/debian/patches/11-no-rle-compression.patch b/debian/patches/11-no-rle-compression.patch index bd2f029..a309f4d 100644 --- a/debian/patches/11-no-rle-compression.patch +++ b/debian/patches/11-no-rle-compression.patch @@ -10,7 +10,7 @@ Last-Update: 2014-10-16 --- a/src/options.c +++ b/src/options.c -@@ -350,7 +350,16 @@ +@@ -429,7 +429,16 @@ else if(!strcasecmp(arg, "zlib")) return "zlib compression is disabled in the Debian package of OpenSSL"; else if(!strcasecmp(arg, "rle")) 
diff --git a/debian/patches/12-restore-pidfile-default.patch b/debian/patches/12-restore-pidfile-default.patch index 93f0856..effdd52 100644 --- a/debian/patches/12-restore-pidfile-default.patch +++ b/debian/patches/12-restore-pidfile-default.patch @@ -22,7 +22,7 @@ Last-Update: 2014-10-16 stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto --- a/src/options.c +++ b/src/options.c -@@ -693,7 +693,7 @@ +@@ -772,7 +772,7 @@ #ifndef USE_WIN32 switch(cmd) { case CMD_BEGIN: @@ -31,7 +31,7 @@ Last-Update: 2014-10-16 break; case CMD_EXEC: if(strcasecmp(opt, "pid")) -@@ -708,9 +708,10 @@ +@@ -787,9 +787,10 @@ case CMD_FREE: break; case CMD_DEFAULT: diff --git a/debian/patches/16-upstream-sslv23-method.patch b/debian/patches/16-upstream-sslv23-method.patch new file mode 100644 index 0000000..6edb3c5 --- /dev/null +++ b/debian/patches/16-upstream-sslv23-method.patch 
@@ -0,0 +1,34 @@
+Description: Fix the build for OpenSSL with disabled SSLv2/3.
+Origin: upstream; http://www.stunnel.org/pipermail/stunnel-users/2014-October/004806.html
+Last-Update: 2014-10-16
+
+--- a/src/options.c
++++ b/src/options.c
+@@ -2129,15 +2129,18 @@
+ case CMD_END:
+ #ifdef USE_FIPS
+ if(new_global_options.option.fips) {
+- if(section->option.client) {
+- if(section->client_method==(SSL_METHOD *)SSLv2_client_method() ||
+- section->client_method==(SSL_METHOD *)SSLv3_client_method())
+- return "FIPS mode requires sslVersion to be TLSv1 or later";
+- } else {
+- if(section->server_method==(SSL_METHOD *)SSLv2_server_method() ||
+- section->server_method==(SSL_METHOD *)SSLv3_server_method())
+- return "FIPS mode requires sslVersion to be TLSv1 or later";
+- }
++#ifndef OPENSSL_NO_SSL2
++ if(section->option.client ?
++ section->client_method==(SSL_METHOD *)SSLv2_client_method() :
++ section->server_method==(SSL_METHOD *)SSLv2_server_method())
++ return "\"sslVersion = SSLv2\" not supported in FIPS mode";
++#endif
++#ifndef OPENSSL_NO_SSL3
++ if(section->option.client ?
++ section->client_method==(SSL_METHOD *)SSLv3_client_method() :
++ section->server_method==(SSL_METHOD *)SSLv3_server_method())
++ return "\"sslVersion = SSLv3\" not supported in FIPS mode";
++#endif
+ }
+ #endif /* USE_FIPS */
+ break;
diff --git a/debian/patches/series b/debian/patches/series
index a95ef80..d6d5079 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@
 12-restore-pidfile-default.patch
 14-lsb-init-functions.patch
 15-upstream-systemd-libs.patch
+16-upstream-sslv23-method.patch |
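Review bot: The FIPS check in the `CMD_END` branch of the embedded src/options.c hunk rejects a section only when its method pointer is exactly the SSLv2 or SSLv3 method, so a section configured with any other method is not examined here. Whether SSLv2/SSLv3 stay excluded for a version-negotiating method in FIPS mode depends on code outside this hunk and is worth confirming before relying on this block as the only gate. The new `#ifndef OPENSSL_NO_SSL2` and `#ifndef OPENSSL_NO_SSL3` guards have no explanation; I would add `/* the SSLv2/SSLv3 method functions are not available when OpenSSL is built without those protocols */` above the first guard so the reason for compiling the checks out is recorded next to them. The `switch` that contains this case starts and ends outside the hunk.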