Date: Sat, 3 Sep 2016 18:13:39 +0000
From: "Benny Siegert"
Subject: CVS commit: [pkgsrc-2016Q2] pkgsrc/security/stunnel
To: pkgsrc-changes@NetBSD.org
Reply-To: bsiegert@netbsd.org
Message-Id: <20160903181339.88C58FBC3@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Sat Sep 3 18:13:39 UTC 2016

Modified Files:
        pkgsrc/security/stunnel [pkgsrc-2016Q2]: Makefile distinfo
Added Files:
        pkgsrc/security/stunnel/patches [pkgsrc-2016Q2]:
            patch-stunnel.conf-sample.in

Log Message:
Pullup ticket #5089 - requested by jym
security/stunnel: security fix

Revisions pulled up:
- security/stunnel/Makefile                                     1.104
- security/stunnel/distinfo                                     1.51
- security/stunnel/patches/patch-stunnel.conf-sample.in         1.1

---
   Module Name:    pkgsrc
   Committed By:   jym
   Date:           Mon Aug 29 19:21:25 UTC 2016

   Modified Files:
           pkgsrc/security/stunnel: Makefile distinfo
   Added Files:
           pkgsrc/security/stunnel/patches: patch-stunnel.conf-sample.in

   Log Message:
   PR pkg/51449

   Update stunnel to 5.35.

   - Add patch to provide an explicit chroot option to the default
     configuration sample (option is documented but not found within
     the default conf file). While here, enable setuid/setgid as stunnel
     user/group creations are handled by package.

   - Rework SUBSTs so that they apply to the correct sample config file.

   Changelog:
   Version 5.35, 2016.07.18, urgency: HIGH
   * Bugfixes
     - Fixed incorrectly enforced client certificate requests.
     - Only default to SO_EXCLUSIVEADDRUSE on Vista and later.
     - Fixed thread safety of the configuration file reopening.

   Version 5.34, 2016.07.05, urgency: HIGH
   * Security bugfixes
     - Fixed malfunctioning "verify = 4".
   * New features
     - Bind sockets with SO_EXCLUSIVEADDRUSE on WIN32.
     - Added three new service-level options: requireCert, verifyChain,
       and verifyPeer for fine-grained certificate verification control.
     - Improved compatibility with the current OpenSSL 1.1.0-dev tree.

   Version 5.33, 2016.06.23, urgency: HIGH
   * New features
     - Improved memory leak detection performance and accuracy.
     - Improved compatibility with the current OpenSSL 1.1.0-dev tree.
     - SNI support also enabled on OpenSSL 0.9.8f and later (thx to
       Guillermo Rodriguez Garcia).
     - Added support for PKCS #12 (.p12/.pfx) certificates (thx to
       Dmitry Bakshaev).
   * Bugfixes
     - Fixed a TLS session caching memory leak (thx to Richard Kraemer).
       Before stunnel 5.27 this leak only emerged with sessiond enabled.
     - Yet another WinCE socket fix (thx to Richard Kraemer).
     - Fixed passphrase/pin dialogs in tstunnel.exe.
     - Fixed a FORK threading build regression bug.
     - OPENSSL_NO_DH compilation fix (thx to Brian Lin).

To generate a diff of this commit:
cvs rdiff -u -r1.102 -r1.102.2.1 pkgsrc/security/stunnel/Makefile
cvs rdiff -u -r1.50 -r1.50.2.1 pkgsrc/security/stunnel/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
    pkgsrc/security/stunnel/patches/patch-stunnel.conf-sample.in

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

--_----------=_147292641955270 Content-Disposition: inline Content-Length: 3802 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/security/stunnel/Makefile diff -u pkgsrc/security/stunnel/Makefile:1.102 pkgsrc/security/stunnel/Makefile:1.102.2.1 --- pkgsrc/security/stunnel/Makefile:1.102 Fri Jun 3 23:12:06 2016 +++ pkgsrc/security/stunnel/Makefile Sat Sep 3 18:13:39 2016 @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.102 2016/06/03 23:12:06 jym Exp $ +# $NetBSD: Makefile,v 1.102.2.1 2016/09/03 18:13:39 bsiegert Exp $ -DISTNAME= stunnel-5.32 +DISTNAME= stunnel-5.35 CATEGORIES= security MASTER_SITES= http://www.stunnel.org/downloads/ @@ -40,19 +40,11 @@ RCD_SCRIPTS= stunnel REPLACE_PERL+= src/stunnel3.in USE_TOOLS+= perl:run -SUBST_CLASSES+= chroot -SUBST_MESSAGE.chroot= Fix chroot path -SUBST_STAGE.chroot= pre-configure -SUBST_FILES.chroot= tools/stunnel.conf-sample.in -SUBST_SED.chroot+= -e 's|@prefix@/var/lib|@localstatedir@/chroot|' - SUBST_CLASSES+= stunnel -SUBST_MESSAGE.stunnel= Fix user, group and pid -SUBST_STAGE.stunnel= post-configure -SUBST_FILES.stunnel= tools/stunnel.conf-sample -SUBST_SED.stunnel= -e 's|setuid = nobody|setuid = ${STUNNEL_USER}|' -SUBST_SED.stunnel+= -e 's|setgid = nogroup|setgid = ${STUNNEL_GROUP}|' -SUBST_SED.stunnel+= -e 's|pid = /stunnel.pid|pid = /pid/stunnel.pid|' +SUBST_MESSAGE.stunnel= Fix user and group +SUBST_STAGE.stunnel= pre-configure +SUBST_FILES.stunnel= tools/stunnel.conf-sample.in +SUBST_VARS.stunnel= STUNNEL_USER STUNNEL_GROUP .include "options.mk" Index: pkgsrc/security/stunnel/distinfo diff -u pkgsrc/security/stunnel/distinfo:1.50 pkgsrc/security/stunnel/distinfo:1.50.2.1 --- pkgsrc/security/stunnel/distinfo:1.50 Fri Jun 3 23:12:06 2016 +++ pkgsrc/security/stunnel/distinfo Sat Sep 3 18:13:39 2016 
@@ -1,8 +1,9 @@ -$NetBSD: distinfo,v 1.50 2016/06/03 23:12:06 jym Exp $ +$NetBSD: distinfo,v 1.50.2.1 2016/09/03 18:13:39 bsiegert Exp $ -SHA1 (stunnel-5.32.tar.gz) = 44f64ee0f9c7235a00d33b8338d439dbc519c594 -RMD160 (stunnel-5.32.tar.gz) = 13157bd6b1b32ca87465ff11dcd9bceed424c480 -SHA512 (stunnel-5.32.tar.gz) = aad3b718a727ae23bc88bda027017a5e4e19d2d08c1d4e95087dae20d4ed994d0ce29e9ae4b4d40456a7d7aaeb10c30a4283c6be2965d7183982204a347781bc -Size (stunnel-5.32.tar.gz) = 641907 bytes +SHA1 (stunnel-5.35.tar.gz) = 90cafc2208aa3acefb503856482e163e9af463c4 +RMD160 (stunnel-5.35.tar.gz) = 92f7c680e9de49740094a531c5b466aa5ac9d453 +SHA512 (stunnel-5.35.tar.gz) = cdec7ddafbfac4a1d420704baec72fedbd655871137ec8283c066203c0859019c6e11ce00647e5b471a019409e4eb5e9525166eddd7ddffa25055b95c0cacd9e +Size (stunnel-5.35.tar.gz) = 645148 bytes SHA1 (patch-aa) = b247aca629197887fb720f7a02d9b73d60bb0d37 SHA1 (patch-ac) = 91b09d39fb968ad76952acdff250150d3e372c36 +SHA1 (patch-stunnel.conf-sample.in) = 86d195963e5ad2db381ac89ae0fca13a7f641fa5 Added files: Index: pkgsrc/security/stunnel/patches/patch-stunnel.conf-sample.in diff -u /dev/null pkgsrc/security/stunnel/patches/patch-stunnel.conf-sample.in:1.1.2.2 --- /dev/null Sat Sep 3 18:13:39 2016 +++ pkgsrc/security/stunnel/patches/patch-stunnel.conf-sample.in Sat Sep 3 18:13:39 2016 
@@ -0,0 +1,22 @@ +$NetBSD: patch-stunnel.conf-sample.in,v 1.1.2.2 2016/09/03 18:13:39 bsiegert Exp $ + +--- tools/stunnel.conf-sample.in.orig 2016-07-05 21:27:57.000000000 +0000 ++++ tools/stunnel.conf-sample.in +@@ -8,11 +8,14 @@ + ; ************************************************************************** + + ; It is recommended to drop root privileges if stunnel is started by root +-;setuid = nobody +-;setgid = @DEFAULT_GROUP@ ++setuid = @STUNNEL_USER@ ++setgid = @STUNNEL_GROUP@ ++ ++; Default chroot path ++chroot = @localstatedir@/chroot/stunnel/ + + ; PID file is created inside the chroot jail (if enabled) +-;pid = @localstatedir@/run/stunnel.pid ++pid = /pid/stunnel.pid + + ; Debugging stuff (may be useful for troubleshooting) + ;foreground = yes --_----------=_147292641955270--
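
Review bot: In the first Makefile hunk (@@ -1,6 +1,6 @@), the context line `MASTER_SITES= http://www.stunnel.org/downloads/` means the new stunnel-5.35 distfile is still fetched over plain HTTP, so its integrity rests entirely on the distinfo checksums updated in this same commit. If the upstream site serves the download directory over HTTPS, consider switching the URL while the version is being bumped.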
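
Review bot: In the second Makefile hunk (@@ -40,19 +40,11 @@), dropping the `pid = /pid/stunnel.pid` rewrite from SUBST_SED.stunnel moves that value into the sample config patch, where it is now uncommented next to `chroot = @localstatedir@/chroot/stunnel/`, yet none of the visible Makefile lines create a `pid` directory inside that chroot or make it writable by ${STUNNEL_USER}. Please confirm the package creates that directory with the right ownership, or add it, since a user who copies the sample unchanged now gets chroot, setuid/setgid and the pid path all active at once. A one-line comment above SUBST_VARS.stunnel would also help, noting that the @STUNNEL_USER@ and @STUNNEL_GROUP@ placeholders it fills are introduced by patch-stunnel.conf-sample.in.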
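
Review bot: The added patch-stunnel.conf-sample.in goes from its $NetBSD$ line straight to the `--- tools/stunnel.conf-sample.in.orig` header with no description of what the patch is for; add a short comment there saying that it turns on setuid/setgid with the package's user and group and adds a default chroot with a pid path inside it. In the hunk itself, the new `; Default chroot path` comment could also say that the `pid` value below it is resolved inside that chroot, so that someone who comments out `chroot` knows to change `pid` as well: `pid = /pid/stunnel.pid` would otherwise point at a top-level /pid directory.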