Bug 3951

Summary: stunnel needs updating to Version 4.50, 2011.12.03
Product: Mageia Reporter: Bit Twister <bittwister2>
Component: RPM PackagesAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED WONTFIX QA Contact:
Severity: normal    
Priority: Normal CC: dan, davidwhodgins, guillomovitch, luigiwalser, mageia
Version: 1   
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://bugs.mageia.org/show_bug.cgi?id=4223
Whiteboard:
Source RPM: stunnel-4.34-3.mga1.src.rpm CVE:
Status comment:
Bug Depends on: 4223    
Bug Blocks:    

Description Bit Twister 2011-12-30 17:40:52 CET 
Description of problem:

stunnel needs updating to Version 4.50, 2011.12.03


* Bugfixes
   - Fixed internal memory allocation problem in inetd mode.
   - POP3 server-side protocol negotiation updated to report STLS capability

It would be nice is someone could make the /etc/stunnel/stunnel.conf
and rpm install run in a chroot environment like bind/named. :)

Verizon.net is changing to pop3s connection port 995. 
postfix users will need stunnel to make the outgoing connection.

Guessing Release 1 users would like a /etc/init.d/stunnel script.

Would not hurt to provide a /lib/systemd/system/stunnel.service file.
This is working for me, but should be verified since this is my first systemd service attempt.

[Unit]
Description=SSL tunnel for network daemons
After=syslog.target

[Service]
PIDFile=/var/run/stunnel/stunnel.pid
StandardError=syslog
EnvironmentFile=/etc/stunnel/stunnel.conf
ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
Type=forking

[Install]
WantedBy=multi-user.target
Comment 1 Bit Twister 2011-12-31 15:37:44 CET 
(In reply to comment #0)
> 
> It would be nice is someone could make the /etc/stunnel/stunnel.conf
> and rpm install run in a chroot environment like bind/named. :)

Would not hurt to have rpm package create the chroot directory.

I was able to get it to run chroot'ed by moving setuid/uid commands 
below "pid ="
Also changed chroot to /var/run/stunnel and set "client = no" for extra security.

My working conf file has these settings
$ grep -v ';' /etc/stunnel/stunnel.conf | uniq

sslVersion = SSLv3

chroot = /var/run/stunnel/
pid = /stunnel.pid

setuid = nobody
setgid = nogroup

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

client = no

[smtp-tls-wrapper]
accept = 11125
client = yes
connect = outgoing.verizon.net:465
Manuel Hiebel 2011-12-31 16:22:13 CET

CC: (none) => mageia

Comment 2 Bit Twister 2012-01-01 20:09:38 CET 
Only way I was able to get the set uid/gid to work was to chmod 777 /var/run/stunnel.

For the permissions to survive a reboot I created stunnel_prestart.sh and added a call to it in /lib/systemd/system/stunnel.service with
ExecStartPre=/local/bin/stunnel_prestart.sh

$ grep -v \# stunnel_prestart.sh

    mkdir -p /var/run/stunnel
    chmod 777 /var/run/stunnel
Bit Twister 2012-02-22 18:11:46 CET

Source RPM: stunnel => stunnel-4.34-3.mga1.src.rpm

Comment 3 Marja Van Waes 2012-05-26 13:04:02 CEST 
Hi,

This bug was filed against cauldron, but we do not have cauldron at the moment.

Please report whether this bug is still valid for Mageia 2.

Thanks :)

Cheers,
marja

Keywords: (none) => NEEDINFO

Comment 4 Bit Twister 2012-06-12 23:58:42 CEST 
(In reply to comment #3)

> Please report whether this bug is still valid for Mageia 2.

Yes.

Keywords: NEEDINFO => (none)

Manuel Hiebel 2012-06-17 16:14:48 CEST

Keywords: (none) => Junior_job
Whiteboard: (none) => MGA2TOO

Comment 5 David Walser 2012-08-03 22:12:39 CEST 
Thanks for the report.  This package is unmaintained.

Would you be interested in becoming a packager and fixing this package?

It also has a security vulnerability, CVE-2011-2940:
http://lwn.net/Vulnerabilities/484778/

Component: RPM Packages => Security
Summary: 2_a2: stunnel needs updating to Version 4.50, 2011.12.03 => 2_a2: stunnel needs updating to Version 4.50, 2011.12.03 (also CVE-2011-2940)
URL: (none) => http://lwn.net/Vulnerabilities/484778/
CC: (none) => luigiwalser

David Walser 2012-08-03 22:12:53 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=4223

Comment 6 Guillaume Rousse 2012-08-14 10:04:56 CEST 
I just updated the cauldron package to 4.53, and added your systemd unit file. For the other changes, feel free to apply for a maintainer account, as suggested by David.

CC: (none) => guillomovitch

David Walser 2012-08-14 15:45:33 CEST

Version: Cauldron => 2
Whiteboard: MGA2TOO => MGA1TOO

Comment 7 Dan Fandrich 2012-08-17 21:22:32 CEST 
If you're rebuilding stunnel anyway, you could take a look at the other problems in bug #4223.

CC: (none) => dan

Comment 8 Guillaume Rousse 2012-08-20 21:43:14 CEST 
I just backported 4.53-3.mga2 from cauldron to update_testing.
Comment 9 David Walser 2012-08-20 21:48:50 CEST 
Thanks Guillaume.  Mageia 1 needs the update too.  I'll push this to QA when that's available.
Comment 10 Samuel Verschelde 2012-08-26 15:44:00 CEST 
SRPM for Mageia 2:
stunnel-4.53-3.mga2.src.rpm
Comment 11 Dave Hodgins 2012-08-30 02:07:58 CEST 
Installation failed:    file /usr/lib64/libstunnel.so from install of stunnel-4.53-3.mga2.x86_64 conflicts with file from package lib64stunnel0-4.34-3.mga1.x86_64

CC: (none) => davidwhodgins

Comment 12 David Walser 2012-08-30 02:53:37 CEST 
The files in libstunnel0 were moved back into the main stunnel package, since they aren't used by anything outside of stunnel itself.  I guess the stunnel package needs to Obsolete the old libs.
Comment 13 David Walser 2012-09-05 17:57:25 CEST 
Upon further inspection, the security issue only affects 4.40 and 4.41, so this is just a regular bug.

Component: Security => RPM Packages
Depends on: (none) => 4223
Summary: 2_a2: stunnel needs updating to Version 4.50, 2011.12.03 (also CVE-2011-2940) => 2_a2: stunnel needs updating to Version 4.50, 2011.12.03
Keywords: Junior_job => (none)
URL: http://lwn.net/Vulnerabilities/484778/ => (none)

Comment 14 Manuel Hiebel 2012-09-23 20:32:30 CEST 
(stunnel is in 4.53 in mga2 since the update of today https://bugs.mageia.org/show_bug.cgi?id=4223)

Whiteboard: MGA1TOO => (none)
Summary: 2_a2: stunnel needs updating to Version 4.50, 2011.12.03 => stunnel needs updating to Version 4.50, 2011.12.03
Version: 2 => 1

Comment 15 Manuel Hiebel 2012-11-05 16:53:07 CET 
This message is a reminder that Mageia 1 is nearing its end of life. 
In approximately 25 days from now, Mageia will stop maintaining and issuing 
updates for Mageia 1. At that time this bug will be closed as WONTFIX (EOL) if it 
remains open with a Mageia 'version' of '1'.

Package Maintainer: If you wish for this bug to remain open because you plan to 
fix it in a currently maintained version, simply change the 'version' to a later 
Mageia version prior to Mageia 1's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not 
be able to fix it before Mageia 1 is end of life.  If you would still like to see 
this bug fixed and are able to reproduce it against a later version of Mageia, 
you are encouraged to click on "Version" and change it against that version 
of Mageia.

Although we aim to fix as many bugs as possible during every release's lifetime, 
sometimes those efforts are overtaken by events. Often a more recent Mageia 
release includes newer upstream software that fixes bugs or makes them obsolete.

--
Mageia Bugsquad
Comment 16 Manuel Hiebel 2012-12-02 14:32:30 CET 
Mageia 1 changed to end-of-life (EOL) status on ''1st December''. Mageia 1 is no 
longer maintained, which means that it will not receive any further security or 
bug fix updates. As a result we are closing this bug. 

If you can reproduce this bug against a currently maintained version of Mageia 
please feel free to click on "Version" change it against that version of Mageia and reopen this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

--
Mageia Bugsquad

Status: NEW => RESOLVED
Resolution: (none) => WONTFIX