If we need to make an exception we can do it and properly document the
reason but by default we should just use the default login class.
rc.d uses daemon or the login class provided in login.conf.d so this has
no impact there.
discussed with sthen@, tb@ and robert@
praying that my grep/sed skills did not break anything and still
believing in portbump :-)
OK sthen
### Version 5.63, 2022.03.15, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.2.
* New features
- Updated stunnel.spec to support bash completion.
* Bugfixes
- Fixed a PRNG initialization crash (thx to Gleydson Soares).
... further changelogs
https://www.stunnel.org/NEWS.html
or provided functions that are now available in libcrypto.
ok gsoares, sthen (for a more aggressive earlier version)
I'll revisit the other bits at p2k18.
- switch threading model to pthread since it is the default process model in stunnel;
- fix stunnel.pem path in pkg/MESSAGE;
- add patches to make it build with libressl;
- fix some hardcoded paths in tools/stunnel.conf-sample.in.
Tweaks and Feedback:
jca@ yasuoka@ jasper@ brad@ and Markus Lude, thanks!
tested by yasuoka@ and Markus Lude on sparc64 (Markus's tests were against the 3.18 version, but there are not many changes in 3.19, so assuming that should work too...)...
full changelog at:
https://www.stunnel.org/sdf_ChangeLog.html
Security bugfixes
OpenSSL DLLs updated to version 1.0.1j.
https://www.openssl.org/news/secadv_20141015.txt
The insecure SSLv2 protocol is now disabled by default. It can be
enabled with "options = -NO_SSLv2".
The insecure SSLv3 protocol is now disabled by default. It can be
enabled with "options = -NO_SSLv3".
Default sslVersion changed to "all" (also in FIPS mode) to
autonegotiate the highest supported TLS version.
New features
Added missing SSL options to match OpenSSL 1.0.1j.
New "-options" commandline option to display the list of supported
SSL options.
Bugfixes
Fixed FORK threading build regression bug.
OK gsoares@ (maintainer) OK schwarze@
postgresql where a forked child process doesn't correctly reset RNG state.
See CVE-2014-0016, http://www.openwall.com/lists/oss-security/2014/03/05/1
ok gsoares@
Note from upstream release notes:
"stunnel 5.00 disables some features previously enabled by default.
Users should review whether the new defaults are appropriate for their
particular deployments."
These changes include: FIPS mode, pid file generation and
libwrap disabled by default, and the default cipher list has
been updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2".
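The changelog entries above describe settings that re-enable what stunnel now disables by default (`options = -NO_SSLv2`, `options = -NO_SSLv3`) and the new default cipher list. As an added example that is not part of these commit messages or of stunnel itself, the following script audits a stunnel.conf for those weakening settings; the sample configuration is constructed here, and the weak-cipher token list is an assumption, not stunnel's own.

```python
# Constructed sample stunnel.conf (not from the commit messages); it re-enables
# protocols that stunnel disables by default, so the auditor should flag it.
SAMPLE_CONF = """\
; global options
cert = /etc/stunnel/stunnel.pem
options = NO_SSLv2

[https]
accept  = 443
connect = 8080
options = -NO_SSLv3          ; re-enables SSLv3 for this service
sslVersion = SSLv3

[imaps]
accept  = 993
connect = 143
ciphers = LOW:EXPORT:aNULL
"""

INSECURE_PROTOCOLS = ("SSLv2", "SSLv3")
# Assumed set of OpenSSL cipher-list tokens that admit weak or unauthenticated suites.
WEAK_CIPHER_TOKENS = ("LOW", "EXPORT", "aNULL", "eNULL", "NULL")


def audit_stunnel_conf(text):
    """Return (section, line_no, finding) tuples for settings that weaken the
    stunnel 5.x defaults: 'options = -NO_SSLv2/-NO_SSLv3', sslVersion pinned to
    an insecure protocol, or a cipher list that admits weak suites."""
    findings = []
    section = "<global>"          # settings before the first [section] are global
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()   # drop ';' comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "options" and value.upper() in ("-NO_SSLV2", "-NO_SSLV3"):
            # A leading '-' negates the option, i.e. re-enables the protocol.
            findings.append((section, line_no, f"options = {value} re-enables {value[4:]}"))
        elif key == "sslVersion" and value in INSECURE_PROTOCOLS:
            findings.append((section, line_no, f"sslVersion pinned to {value}"))
        elif key == "ciphers":
            # Tokens prefixed with '!' or '-' remove suites, so they are not admissions.
            enabled = [t for t in value.split(":") if not t.startswith(("!", "-"))]
            weak = [t for t in enabled if t in WEAK_CIPHER_TOKENS]
            if weak:
                findings.append((section, line_no, "cipher list admits " + ", ".join(weak)))
    return findings


if __name__ == "__main__":
    for section, line_no, finding in audit_stunnel_conf(SAMPLE_CONF):
        print(f"[{section}] line {line_no}: {finding}")
```

The 5.00 default list "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2" produces no findings, since its only weak token is excluded with "!".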
PLIST and delete everything under the @sample'd directory instead of the
directory itself to prevent a warning from pkg_delete(1) trying to
remove a non-existing directory and to help prevent left-over files
and directories.