PR pkg/51449 Update stunnel to 5.35. - Add patch to provide an explicit chroot option to the default configuration sample (option is documented but not found within the default conf file). While here, enable setuid/setgid as stunnel user/group creations are handled by package. - Rework SUBSTs so that they apply to the correct sample config file. Changelog: Version 5.35, 2016.07.18, urgency: HIGH * Bugfixes - Fixed incorrectly enforced client certificate requests. - Only default to SO_EXCLUSIVEADDRUSE on Vista and later. - Fixed thread safety of the configuration file reopening. Version 5.34, 2016.07.05, urgency: HIGH * Security bugfixes - Fixed malfunctioning "verify = 4". * New features - Bind sockets with SO_EXCLUSIVEADDRUSE on WIN32. - Added three new service-level options: requireCert, verifyChain, and verifyPeer for fine-grained certificate verification control. - Improved compatibility with the current OpenSSL 1.1.0-dev tree. Version 5.33, 2016.06.23, urgency: HIGH * New features - Improved memory leak detection performance and accuracy. - Improved compatibility with the current OpenSSL 1.1.0-dev tree. - SNI support also enabled on OpenSSL 0.9.8f and later (thx to Guillermo Rodriguez Garcia). - Added support for PKCS #12 (.p12/.pfx) certificates (thx to Dmitry Bakshaev). * Bugfixes - Fixed a TLS session caching memory leak (thx to Richard Kraemer). Before stunnel 5.27 this leak only emerged with sessiond enabled. - Yet another WinCE socket fix (thx to Richard Kraemer). - Fixed passphrase/pin dialogs in tstunnel.exe. - Fixed a FORK threading build regression bug. - OPENSSL_NO_DH compilation fix (thx to Brian Lin).diff -r1.103 -r1.104 pkgsrc/security/stunnel/Makefile
(jym)
@@ -1,17 +1,16 @@ | @@ -1,17 +1,16 @@ | |||
1 | # $NetBSD: Makefile,v 1.103 2016/07/09 06:38:57 wiz Exp $ | 1 | # $NetBSD: Makefile,v 1.104 2016/08/29 19:21:24 jym Exp $ | |
2 | 2 | |||
3 | DISTNAME= stunnel-5.32 | 3 | DISTNAME= stunnel-5.35 | |
4 | PKGREVISION= 1 | |||
5 | CATEGORIES= security | 4 | CATEGORIES= security | |
6 | MASTER_SITES= http://www.stunnel.org/downloads/ | 5 | MASTER_SITES= http://www.stunnel.org/downloads/ | |
7 | 6 | |||
8 | MAINTAINER= jym@NetBSD.org | 7 | MAINTAINER= jym@NetBSD.org | |
9 | HOMEPAGE= http://www.stunnel.org/ | 8 | HOMEPAGE= http://www.stunnel.org/ | |
10 | COMMENT= Universal SSL tunnel | 9 | COMMENT= Universal SSL tunnel | |
11 | LICENSE= gnu-gpl-v2 | 10 | LICENSE= gnu-gpl-v2 | |
12 | 11 | |||
13 | BUILD_DEFS+= VARBASE | 12 | BUILD_DEFS+= VARBASE | |
14 | USE_LIBTOOL= yes | 13 | USE_LIBTOOL= yes | |
15 | GNU_CONFIGURE= yes | 14 | GNU_CONFIGURE= yes | |
16 | CONFIGURE_ARGS+= --localstatedir=${VARBASE} | 15 | CONFIGURE_ARGS+= --localstatedir=${VARBASE} | |
17 | CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR} | 16 | CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR} | |
@@ -31,32 +30,24 @@ PKG_HOME.${STUNNEL_USER}?= ${VARBASE}/ch | @@ -31,32 +30,24 @@ PKG_HOME.${STUNNEL_USER}?= ${VARBASE}/ch | |||
31 | PKG_SYSCONFSUBDIR= stunnel | 30 | PKG_SYSCONFSUBDIR= stunnel | |
32 | PKG_SYSCONFDIR_PERMS= ${REAL_ROOT_USER} ${STUNNEL_GROUP} 0750 | 31 | PKG_SYSCONFDIR_PERMS= ${REAL_ROOT_USER} ${STUNNEL_GROUP} 0750 | |
33 | 32 | |||
34 | OWN_DIRS= ${PKG_HOME.${STUNNEL_USER}}/certs ${PKG_HOME.${STUNNEL_USER}}/crls | 33 | OWN_DIRS= ${PKG_HOME.${STUNNEL_USER}}/certs ${PKG_HOME.${STUNNEL_USER}}/crls | |
35 | OWN_DIRS_PERMS= ${PKG_HOME.${STUNNEL_USER}}/pid ${USER_GROUP} 0750 | 34 | OWN_DIRS_PERMS= ${PKG_HOME.${STUNNEL_USER}}/pid ${USER_GROUP} 0750 | |
36 | CONF_FILES+= ${PREFIX}/share/examples/stunnel/stunnel.conf-sample \ | 35 | CONF_FILES+= ${PREFIX}/share/examples/stunnel/stunnel.conf-sample \ | |
37 | ${PKG_SYSCONFDIR}/stunnel.conf | 36 | ${PKG_SYSCONFDIR}/stunnel.conf | |
38 | 37 | |||
39 | RCD_SCRIPTS= stunnel | 38 | RCD_SCRIPTS= stunnel | |
40 | 39 | |||
41 | REPLACE_PERL+= src/stunnel3.in | 40 | REPLACE_PERL+= src/stunnel3.in | |
42 | USE_TOOLS+= perl:run | 41 | USE_TOOLS+= perl:run | |
43 | 42 | |||
44 | SUBST_CLASSES+= chroot | |||
45 | SUBST_MESSAGE.chroot= Fix chroot path | |||
46 | SUBST_STAGE.chroot= pre-configure | |||
47 | SUBST_FILES.chroot= tools/stunnel.conf-sample.in | |||
48 | SUBST_SED.chroot+= -e 's|@prefix@/var/lib|@localstatedir@/chroot|' | |||
49 | ||||
50 | SUBST_CLASSES+= stunnel | 43 | SUBST_CLASSES+= stunnel | |
51 | SUBST_MESSAGE.stunnel= Fix user, group and pid | 44 | SUBST_MESSAGE.stunnel= Fix user and group | |
52 | SUBST_STAGE.stunnel= post-configure | 45 | SUBST_STAGE.stunnel= pre-configure | |
53 | SUBST_FILES.stunnel= tools/stunnel.conf-sample | 46 | SUBST_FILES.stunnel= tools/stunnel.conf-sample.in | |
54 | SUBST_SED.stunnel= -e 's|setuid = nobody|setuid = ${STUNNEL_USER}|' | 47 | SUBST_VARS.stunnel= STUNNEL_USER STUNNEL_GROUP | |
55 | SUBST_SED.stunnel+= -e 's|setgid = nogroup|setgid = ${STUNNEL_GROUP}|' | |||
56 | SUBST_SED.stunnel+= -e 's|pid = /stunnel.pid|pid = /pid/stunnel.pid|' | |||
57 | 48 | |||
58 | .include "options.mk" | 49 | .include "options.mk" | |
59 | 50 | |||
60 | .include "../../devel/zlib/buildlink3.mk" | 51 | .include "../../devel/zlib/buildlink3.mk" | |
61 | .include "../../security/openssl/buildlink3.mk" | 52 | .include "../../security/openssl/buildlink3.mk" | |
62 | .include "../../mk/bsd.pkg.mk" | 53 | .include "../../mk/bsd.pkg.mk" |
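Review bot: The directories this hunk keeps in `OWN_DIRS` and `OWN_DIRS_PERMS` are created under `${PKG_HOME.${STUNNEL_USER}}`, but the sample config now ships an active `chroot = @localstatedir@/chroot/stunnel/` that nothing in the reworked `SUBST_*.stunnel` block ties to that variable. The default of `PKG_HOME.${STUNNEL_USER}` is cut off in the hunk header (`${VARBASE}/ch`), so the two presumably agree out of the box. A site that overrides it would get a jail without the `pid`, `certs` and `crls` directories, and a daemon that drops privileges but cannot write its PID file. I would drive the path from the same variable, e.g. `chroot = @STUNNEL_HOME@/` in the sample plus `SUBST_SED.stunnel+= -e 's|@STUNNEL_HOME@|${PKG_HOME.${STUNNEL_USER}}|g'`, where `@STUNNEL_HOME@` is a token name made up for this suggestion.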
@@ -1,8 +1,9 @@ | @@ -1,8 +1,9 @@ | |||
1 | $NetBSD: distinfo,v 1.50 2016/06/03 23:12:06 jym Exp $ | 1 | $NetBSD: distinfo,v 1.51 2016/08/29 19:21:24 jym Exp $ | |
2 | 2 | |||
3 | SHA1 (stunnel-5.32.tar.gz) = 44f64ee0f9c7235a00d33b8338d439dbc519c594 | 3 | SHA1 (stunnel-5.35.tar.gz) = 90cafc2208aa3acefb503856482e163e9af463c4 | |
4 | RMD160 (stunnel-5.32.tar.gz) = 13157bd6b1b32ca87465ff11dcd9bceed424c480 | 4 | RMD160 (stunnel-5.35.tar.gz) = 92f7c680e9de49740094a531c5b466aa5ac9d453 | |
5 | SHA512 (stunnel-5.32.tar.gz) = aad3b718a727ae23bc88bda027017a5e4e19d2d08c1d4e95087dae20d4ed994d0ce29e9ae4b4d40456a7d7aaeb10c30a4283c6be2965d7183982204a347781bc | 5 | SHA512 (stunnel-5.35.tar.gz) = cdec7ddafbfac4a1d420704baec72fedbd655871137ec8283c066203c0859019c6e11ce00647e5b471a019409e4eb5e9525166eddd7ddffa25055b95c0cacd9e | |
6 | Size (stunnel-5.32.tar.gz) = 641907 bytes | 6 | Size (stunnel-5.35.tar.gz) = 645148 bytes | |
7 | SHA1 (patch-aa) = b247aca629197887fb720f7a02d9b73d60bb0d37 | 7 | SHA1 (patch-aa) = b247aca629197887fb720f7a02d9b73d60bb0d37 | |
8 | SHA1 (patch-ac) = 91b09d39fb968ad76952acdff250150d3e372c36 | 8 | SHA1 (patch-ac) = 91b09d39fb968ad76952acdff250150d3e372c36 | |
9 | SHA1 (patch-stunnel.conf-sample.in) = 86d195963e5ad2db381ac89ae0fca13a7f641fa5 |
$NetBSD: patch-stunnel.conf-sample.in,v 1.1 2016/08/29 19:21:24 jym Exp $
--- tools/stunnel.conf-sample.in.orig 2016-07-05 21:27:57.000000000 +0000
+++ tools/stunnel.conf-sample.in
@@ -8,11 +8,14 @@
; **************************************************************************
; It is recommended to drop root privileges if stunnel is started by root
-;setuid = nobody
-;setgid = @DEFAULT_GROUP@
+setuid = @STUNNEL_USER@
+setgid = @STUNNEL_GROUP@
+
+; Default chroot path
+chroot = @localstatedir@/chroot/stunnel/
; PID file is created inside the chroot jail (if enabled)
-;pid = @localstatedir@/run/stunnel.pid
+pid = /pid/stunnel.pid
; Debugging stuff (may be useful for troubleshooting)
;foreground = yes
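Review bot: The new `pid = /pid/stunnel.pid` line is only valid while the `chroot` line above it stays active, and the sample does not say so; the retained comment still reads "(if enabled)" although the jail is now on by default. An administrator who comments out `chroot` would have stunnel try to create `/pid/stunnel.pid` on the real root, which fails after the privilege drop to `@STUNNEL_USER@`. I would extend the comment to something like `; Path is relative to the chroot above; if chroot is disabled use an absolute path such as @localstatedir@/run/stunnel.pid`. The rc.d script is not shown on this page, so its pidfile setting should be checked against the chroot-prefixed path as well.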