From patchwork Tue Jun 30 11:15:22 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9985
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] stunnel: Update to version 5.78
Date: Tue, 30 Jun 2026 13:15:22 +0200
Message-ID: <20260630111523.1271203-11-adolf.belka@ipfire.org>
In-Reply-To: <20260630111523.1271203-1-adolf.belka@ipfire.org>
References: <20260630111523.1271203-1-adolf.belka@ipfire.org>

- Update from version 5.72 to 5.78
- No change to rootfile
- Changelog
    5.78
      * Security bugfixes
        - OpenSSL DLLs updated to version 3.5.6.
      * Bugfixes
        - Fixed WIN32 transfer() loop errors with OOB TCP.
        - Fixed a memory leak introduced in version 5.73.
        - Build fix for systems without timegm() (thanks to Jose A. Diaz and Shubham Gupta).
        - Fixed a startup crash when both global (default) and service-level lists of values are configured for an option.
      * Features
        - Support for zstd and brotli compression with OpenSSL 3.2 and TLS 1.2 or older.
        - WIN32 OpenSSL build with zlib and zstd support.
        - Support for new "options" parameter values.
        - Less bloated errors on an invalid configuration file.
        - Documentation updated from Pod to Pandoc Markdown.
        - Removed support for OpenSSL versions older than 0.9.8. The final update for the OpenSSL 0.9.7 branch (0.9.7m) was issued on 23 Feb 2007.
    5.77
      * Security bugfixes
        - OpenSSL DLLs updated to version 3.5.5.
      * Bugfixes
        - Avoid attempting to fetch OCSP stapling for PSK-only configuration sections.
      * Features
        - Merged applicable patches from Fedora and Debian:
          - Use SOURCE_DATE_EPOCH for reproducible builds.
          - Skip the OpenSSL version check when AUTOPKGTEST_TMP is set.
          - Enable PrivateTmp in the stunnel.service template.
          - Clarify the manual page for the "curves" option.
        - Log client IP addresses on TLS errors.
    5.76
      * Security bugfixes
        - OpenSSL DLLs updated to version 3.5.4.
        - Service-level multivalued options now override (rather than append to) global defaults, preventing unintended configurations.
      * Bugfixes
        - Fixed enabling/disabling of the default fips=yes property.
        - Missing OCSP stapling is no longer logged as an error.
        - Fixed a crash when a PIN was required due to the PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute.
      * Features
        - Quantum-resistant hybrid key agreement X25519+ML-KEM-768 (X25519MLKEM768) used by default with OpenSSL 3.5+ and TLS 1.3.
        - Multiple cert sources are supported, allowing a certificate to be fetched from a provider while loading the chain from a file.
        - Android build switched to a 16 KB page size.
    5.75
      * Security bugfixes
        - OpenSSL DLLs updated to version 3.4.1.
        - OpenSSL FIPS Provider updated to version 3.1.2.
      * Bugfixes
        - Fixed infinite loop triggered by OCSP URL parsing errors (thanks to Richard Könning for reporting).
        - Fixed OPENSSL_NO_OCSP build issues (thanks to Dmitry Mostovoy for reporting).
        - Fixed default curve selection in FIPS mode with OpenSSL 3.4+.
        - Fixed tests with modern Python versions.
        - Fixed tests with multiple OpenSSL versions installed.
      * Features
        - Added provider URI support for "cert" and "key" options.
        - Added new "CAstore" service-level option (OpenSSL 3.0+).
        - Added "provider" (OpenSSL 3.0+), "providerParameter" (OpenSSL 3.5+), and "setEnv" global options.
        - Key file/URI path added to passphrase prompt on Unix.
        - PKCS#11 provider installed on Windows.
    5.74
      * Bugfixes
        - Fixed a stapling cache deallocation crash.
        - Fixed "redirect" with protocol negotiation.
      * Features
        - "protocolHost" support for "socks" protocol clients.
        - More detailed logs in OpenSSL 3.0 or later.
    5.73
      * Security bugfixes
        - OpenSSL DLLs updated to version 3.3.2.
        - OpenSSL FIPS Provider updated to version 3.0.9.
      * Bugfixes
        - Fixed a memory leak while reloading stunnel.conf sections with "client=yes" and "delay=no".
        - Fixed TIMEOUTocsp with values greater than 4.
        - Fix the IPv6 test on a non-IPv6 machine.
      * Features
        - HELO replaced with EHLO in the post-STARTTLS SMTP protocol negotiation (thanks to Peter Pentchev).
        - OCSP stapling fetches moved away from server threads.
        - Improved client-side session resumption.
        - Added support for the mimalloc allocator.
        - Check for protocolHost moved to configuration file processing for the client-side CONNECT protocol.
        - Clarified some confusing OpenSSL's certificate verification error messages.
        - stunnel.nsi updated for Debian 13 and Fedora.
        - Improved NetBSD compatibility.

Signed-off-by: Adolf Belka
--- lfs/stunnel | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lfs/stunnel b/lfs/stunnel index 977b1ae71..c69af2873 100644 --- a/lfs/stunnel +++ b/lfs/stunnel @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2024 IPFire Team # +# Copyright (C) 2007-2026 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 5.72 +VER = 5.78 SUMMARY = Universal TLS Tunnel THISAPP = stunnel-$(VER) @@ -33,7 +33,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = stunnel -PAK_VER = 13 +PAK_VER = 14 DEPS = @@ -47,7 +47,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 2b4c6400cf25522592e237f35700f81c0092a827526155cb02f503a9b3af50242aea63c3b5389a62d002d6a2ec9e852f80cc9c48318f23d3f9d12ff42cbe5978 +$(DL_FILE)_BLAKE2 = 44538336d9f7075ebead1ae85c8c8609b54041565d076370b988b1c157a0a44533c03e1602cf3b055fab6a5ef0ce223a20a8fc0d7d1a59942bfde098db422442 install : $(TARGET)
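
Review bot: At `+VER = 5.78` in the `@@ -24,7 +24,7 @@` hunk, the jump from 5.72 crosses the 5.76 change listed in the commit message, where service-level multivalued options now override rather than append to global defaults, and the message does not say whether existing stunnel.conf files on upgraded systems are affected. Suggest adding a line to the commit message stating that configurations which set the same multivalued option both globally and per service should be re-checked after the update, because the effective value for those services changes with this version.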
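
Review bot: At the `+$(DL_FILE)_BLAKE2 =` line in the `@@ -47,7 +47,7 @@` hunk, the new digest is the only integrity check on the tarball, and with `DL_FROM = $(URL_IPFIRE)` the file is fetched from the project's own source, so nothing in the patch or the commit message ties this value to the upstream 5.78 release. Suggest noting in the commit message that the tarball was verified against an upstream-published checksum or signature before the BLAKE2 value was computed, so a reviewer can reproduce the check.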