stunnel: Update to version 5.78

Message ID 20260630111523.1271203-11-adolf.belka@ipfire.org
State New
Series stunnel: Update to version 5.78

Commit Message

Adolf Belka 30 Jun 2026, 11:15 a.m. UTC
- Update from version 5.72 to 5.78
- No change to rootfile
- Changelog
5.78
* Security bugfixes
  - OpenSSL DLLs updated to version 3.5.6.
* Bugfixes
  - Fixed WIN32 transfer() loop errors with OOB TCP.
  - Fixed a memory leak introduced in version 5.73.
  - Build fix for systems without timegm()
    (thanks to Jose A. Diaz and Shubham Gupta).
  - Fixed a startup crash when both global (default)
    and service-level lists of values are configured
    for an option.
* Features
  - Support for zstd and brotli compression with OpenSSL 3.2
    and TLS 1.2 or older.
  - WIN32 OpenSSL build with zlib and zstd support.
  - Support for new "options" parameter values.
  - Less bloated errors on an invalid configuration file.
  - Documentation updated from Pod to Pandoc Markdown.
  - Removed support for OpenSSL versions older than 0.9.8.
    The final update for the OpenSSL 0.9.7 branch
    (0.9.7m) was issued on 23 Feb 2007.
5.77
* Security bugfixes
  - OpenSSL DLLs updated to version 3.5.5.
* Bugfixes
  - Avoid attempting to fetch OCSP stapling for PSK-only
    configuration sections.
* Features
  - Merged applicable patches from Fedora and Debian:
    - Use SOURCE_DATE_EPOCH for reproducible builds.
    - Skip the OpenSSL version check when AUTOPKGTEST_TMP is set.
    - Enable PrivateTmp in the stunnel.service template.
    - Clarify the manual page for the "curves" option.
  - Log client IP addresses on TLS errors.
5.76
* Security bugfixes
  - OpenSSL DLLs updated to version 3.5.4.
  - Service-level multivalued options now override (rather than
    append to) global defaults, preventing unintended configurations.
* Bugfixes
  - Fixed enabling/disabling of the default fips=yes property.
  - Missing OCSP stapling is no longer logged as an error.
  - Fixed a crash when a PIN was required due to the PKCS#11
    CKA_ALWAYS_AUTHENTICATE attribute.
* Features
  - Quantum-resistant hybrid key agreement X25519+ML-KEM-768
    (X25519MLKEM768) used by default with OpenSSL 3.5+ and TLS 1.3.
  - Multiple cert sources are supported, allowing a certificate to
    be fetched from a provider while loading the chain from a file.
  - Android build switched to a 16 KB page size.
5.75
* Security bugfixes
  - OpenSSL DLLs updated to version 3.4.1.
  - OpenSSL FIPS Provider updated to version 3.1.2.
* Bugfixes
  - Fixed infinite loop triggered by OCSP URL parsing errors
    (thanks to Richard Könning for reporting).
  - Fixed OPENSSL_NO_OCSP build issues
    (thanks to Dmitry Mostovoy for reporting).
  - Fixed default curve selection in FIPS mode with OpenSSL 3.4+.
  - Fixed tests with modern Python versions.
  - Fixed tests with multiple OpenSSL versions installed.
* Features
  - Added provider URI support for "cert" and "key" options.
  - Added new "CAstore" service-level option (OpenSSL 3.0+).
  - Added "provider" (OpenSSL 3.0+), "providerParameter"
    (OpenSSL 3.5+), and "setEnv" global options.
  - Key file/URI path added to passphrase prompt on Unix.
  - PKCS#11 provider installed on Windows.
5.74
* Bugfixes
  - Fixed a stapling cache deallocation crash.
  - Fixed "redirect" with protocol negotiation.
* Features
  - "protocolHost" support for "socks" protocol clients.
  - More detailed logs in OpenSSL 3.0 or later.
5.73
* Security bugfixes
  - OpenSSL DLLs updated to version 3.3.2.
  - OpenSSL FIPS Provider updated to version 3.0.9.
* Bugfixes
  - Fixed a memory leak while reloading stunnel.conf
    sections with "client=yes" and "delay=no".
  - Fixed TIMEOUTocsp with values greater than 4.
  - Fix the IPv6 test on a non-IPv6 machine.
* Features
  - HELO replaced with EHLO in the post-STARTTLS SMTP
    protocol negotiation (thanks to Peter Pentchev).
  - OCSP stapling fetches moved away from server threads.
  - Improved client-side session resumption.
  - Added support for the mimalloc allocator.
  - Check for protocolHost moved to configuration file
    processing for the client-side CONNECT protocol.
  - Clarified some confusing OpenSSL's certificate
    verification error messages.
  - stunnel.nsi updated for Debian 13 and Fedora.
  - Improved NetBSD compatibility.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 lfs/stunnel | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
  

Patch

diff --git a/lfs/stunnel b/lfs/stunnel
index 977b1ae71..c69af2873 100644
--- a/lfs/stunnel
+++ b/lfs/stunnel
@@ -1,7 +1,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2026  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 5.72
+VER        = 5.78
 SUMMARY    = Universal TLS Tunnel
 
 THISAPP    = stunnel-$(VER)
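Review bot: The bump at `VER        = 5.78` skips five intermediate releases, and the commit message lists a behaviour change among them without saying how it affects existing installs: 5.76 makes service-level multivalued options override rather than append to global defaults. An stunnel.conf that relied on the old append behaviour will load a different effective option list after the update. Suggest adding a line to the commit message stating whether any configuration shipped or generated by IPFire sets the same multivalued option at both global and service level, and that the update was tested against an existing configuration rather than only a fresh install.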
@@ -33,7 +33,7 @@  DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = stunnel
-PAK_VER    = 13
+PAK_VER    = 14
 
 DEPS       =
 
@@ -47,7 +47,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 2b4c6400cf25522592e237f35700f81c0092a827526155cb02f503a9b3af50242aea63c3b5389a62d002d6a2ec9e852f80cc9c48318f23d3f9d12ff42cbe5978
+$(DL_FILE)_BLAKE2 = 44538336d9f7075ebead1ae85c8c8609b54041565d076370b988b1c157a0a44533c03e1602cf3b055fab6a5ef0ce223a20a8fc0d7d1a59942bfde098db422442
 
 install : $(TARGET)
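Review bot: The replaced `$(DL_FILE)_BLAKE2` value is the only integrity check on the tarball, which is fetched from `$(DL_FROM)` (set to `$(URL_IPFIRE)`), and the commit message does not say how the 5.78 archive was authenticated before this hash was computed. Suggest noting in the commit message which upstream signature or checksum the tarball was verified against, so that a reviewer can reproduce the BLAKE2 value from an independently obtained copy.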