Author: Steve Beattie
Revision Date: 2015-07-02 19:41:59 UTC

fake sync from Debian

Author: Steve Beattie
Revision Date: 2015-07-02 19:41:59 UTC

fake sync from Debian

Author: Peter Pentchev
Revision Date: 2015-06-14 04:13:02 UTC

* Add the 17-upstream-hangup patch to fix prematurely closed
  connections when there is still data to be written.
  Thanks to Joachim Falk for backporting the patch!
  Closes: #771241
* Add the 18-lsb-startup patch to make the daemons' startup consistent
  with the way things are done in Debian.
  Among other things, Closes: #782030
* Rework the patches a bit:
  - update the description of 01-fix-paths
  - move the tools/script.sh chunk from 01-fix-paths to 02-rename-binary
  - drop 08-client-example: it was actually applied upstream, no need
    to add the same text twice
  - drop 11-no-rle-compression: the OpenSSL bug has been fixed
    somewhere in the 1.x release timeframe
* Add the 19-typos patch to fix some minor documentation typos and
  rework the 02-rename-binary patch to make the change in the manual page
  during the stunnel.pod -> stunnel.8 rebuild
* Add the 20-comparison patch to fix a minor logging bug.
* Remove ${misc:Pre-Depends} as explained in debhelper's #783898.
* Bump the year on my debian/* copyright notice.
* Add --parallel to the debhelper invocation.
* New upstream version:
  - rework the 01-fix-paths and the 10-zlib-compression patches to
    catch up with upstream updates
  - refresh patches
  - drop the 05-logrotate-warning-in-sample-conf patch, applied upstream
  - drop the 15-upstream-systemd-libs, 16-upstream-sslv23-method, and
    17-upstream-hangup patches since they were cherry-picked from
    upstream to begin with
  - remove handling for the dropped French manual page

Author: Peter Pentchev
Revision Date: 2015-06-14 04:13:02 UTC

* Add the 17-upstream-hangup patch to fix prematurely closed
  connections when there is still data to be written.
  Thanks to Joachim Falk for backporting the patch!
  Closes: #771241
* Add the 18-lsb-startup patch to make the daemons' startup consistent
  with the way things are done in Debian.
  Among other things, Closes: #782030
* Rework the patches a bit:
  - update the description of 01-fix-paths
  - move the tools/script.sh chunk from 01-fix-paths to 02-rename-binary
  - drop 08-client-example: it was actually applied upstream, no need
    to add the same text twice
  - drop 11-no-rle-compression: the OpenSSL bug has been fixed
    somewhere in the 1.x release timeframe
* Add the 19-typos patch to fix some minor documentation typos and
  rework the 02-rename-binary patch to make the change in the manual page
  during the stunnel.pod -> stunnel.8 rebuild
* Add the 20-comparison patch to fix a minor logging bug.
* Remove ${misc:Pre-Depends} as explained in debhelper's #783898.
* Bump the year on my debian/* copyright notice.
* Add --parallel to the debhelper invocation.
* New upstream version:
  - rework the 01-fix-paths and the 10-zlib-compression patches to
    catch up with upstream updates
  - refresh patches
  - drop the 05-logrotate-warning-in-sample-conf patch, applied upstream
  - drop the 15-upstream-systemd-libs, 16-upstream-sslv23-method, and
    17-upstream-hangup patches since they were cherry-picked from
    upstream to begin with
  - remove handling for the dropped French manual page

Author: Peter Pentchev
Revision Date: 2014-10-20 11:49:05 UTC

* Limit the systemd build dependency to Linux architectures only,
  so that we actually give Stunnel a chance to build on kFreeBSD
  or the Hurd.
* Add debian/upstream/metadata.

Author: Peter Pentchev
Revision Date: 2014-10-20 11:49:05 UTC

* Limit the systemd build dependency to Linux architectures only,
  so that we actually give Stunnel a chance to build on kFreeBSD
  or the Hurd.
* Add debian/upstream/metadata.

Author: Peter Pentchev
Revision Date: 2014-06-10 17:23:32 UTC

* New upstream version:
  - drop the 04-selective-tunnel-restart, 06-init-script-description,
    and 07-init-script-status patches, applied upstream
  - refresh the 01-fix-paths, 02-rename-binary, 03-runas-user,
    05-logrotate-warning-in-sample-conf, 08-client-example,
    09-init-script-ulimits, and 12-restore-pidfile-default patches
  - augment the 01-fix-paths patch to also move the pidfile to
    /var/run/ and not /usr/var/run/.

Author: Peter Pentchev
Revision Date: 2014-06-10 17:23:32 UTC

* New upstream version:
  - drop the 04-selective-tunnel-restart, 06-init-script-description,
    and 07-init-script-status patches, applied upstream
  - refresh the 01-fix-paths, 02-rename-binary, 03-runas-user,
    05-logrotate-warning-in-sample-conf, 08-client-example,
    09-init-script-ulimits, and 12-restore-pidfile-default patches
  - augment the 01-fix-paths patch to also move the pidfile to
    /var/run/ and not /usr/var/run/.

Author: Marc Deslauriers
Revision Date: 2014-01-28 07:47:59 UTC

* SECURITY UPDATE: arbitrary code execution via NTLM auth (LP: #1150150)
  - debian/patches/CVE-2013-1762.patch: properly handle length in
    src/protocol.c.
  - CVE-2013-1762

Author: Marc Deslauriers
Revision Date: 2014-01-28 07:42:48 UTC

* SECURITY UPDATE: arbitrary code execution via NTLM auth (LP: #1150150)
  - debian/patches/CVE-2013-1762.patch: properly handle length in
    src/protocol.c.
  - CVE-2013-1762

Author: Marc Deslauriers
Revision Date: 2014-01-28 07:47:59 UTC

* SECURITY UPDATE: arbitrary code execution via NTLM auth (LP: #1150150)
  - debian/patches/CVE-2013-1762.patch: properly handle length in
    src/protocol.c.
  - CVE-2013-1762

Author: Marc Deslauriers
Revision Date: 2014-01-28 07:42:48 UTC

* SECURITY UPDATE: arbitrary code execution via NTLM auth (LP: #1150150)
  - debian/patches/CVE-2013-1762.patch: properly handle length in
    src/protocol.c.
  - CVE-2013-1762

Author: Adam Conrad
Revision Date: 2013-11-14 15:28:10 UTC

Use dh_autotools-dev to update config.{sub,guess} for new ports.

Author: Adam Conrad
Revision Date: 2013-11-14 15:28:10 UTC

Use dh_autotools-dev to update config.{sub,guess} for new ports.

Author: Seth Arnold
Revision Date: 2013-06-10 16:05:27 UTC

fake sync from Debian

Author: Seth Arnold
Revision Date: 2013-06-10 16:05:27 UTC

fake sync from Debian

Author: Salvatore Bonaccorso
Revision Date: 2013-04-22 19:47:34 UTC

* Non-maintainer upload.
* Add CVE-2013-1762.patch patch.
  CVE-2013-1762: Fix buffer overflow in NTLM authentication of the CONNECT
  protocol negotiation. (Closes: #702267)

Author: Salvatore Bonaccorso
Revision Date: 2013-04-22 19:47:34 UTC

* Non-maintainer upload.
* Add CVE-2013-1762.patch patch.
  CVE-2013-1762: Fix buffer overflow in NTLM authentication of the CONNECT
  protocol negotiation. (Closes: #702267)

Author: Rodrigo Gallardo
Revision Date: 2012-06-03 11:34:36 UTC

* New upstream version 4.53.
  - Added client-mode "sni" option to directly control the value of
    TLS Server Name Indication (RFC 3546) extension (Closes: #668041).
  - Added support for IP_FREEBIND socket option with a pached Linux kernel.
  - Glibc-specific dynamic allocation tuning was applied to help unused memory
    deallocation.
  - Non-blocking OCSP implementation.
  - Various other bugfixes, see upstream changelog for details.

* Enabled hardening compile flags. There were NO compile time warning messages
  or errors triggered because of this.

* Updated to Standards-Version 3.9.3. No changes required.
  - Migrating to /run from /var/run will be a hard problem, because we expect
    user written config files to refer to the directory. We'll punt on making
    this change for now.
* Updated copyright years to 2012.
* Added Description: LSB header to init script.

Author: Rodrigo Gallardo
Revision Date: 2012-06-03 11:34:36 UTC

* New upstream version 4.53.
  - Added client-mode "sni" option to directly control the value of
    TLS Server Name Indication (RFC 3546) extension (Closes: #668041).
  - Added support for IP_FREEBIND socket option with a pached Linux kernel.
  - Glibc-specific dynamic allocation tuning was applied to help unused memory
    deallocation.
  - Non-blocking OCSP implementation.
  - Various other bugfixes, see upstream changelog for details.

* Enabled hardening compile flags. There were NO compile time warning messages
  or errors triggered because of this.

* Updated to Standards-Version 3.9.3. No changes required.
  - Migrating to /run from /var/run will be a hard problem, because we expect
    user written config files to refer to the directory. We'll punt on making
    this change for now.
* Updated copyright years to 2012.
* Added Description: LSB header to init script.

Author: Rodrigo Gallardo
Revision Date: 2011-08-27 08:34:43 UTC

* New Upstream Release.
 - Fixed a heap corruption vulnerability in versions 4.40 and 4.41. It may
   possibly be leveraged to perform DoS or remote code execution attacks.
   (Closes: #638758)
 - New verify level 0 to request and ignore peer certificate.

Author: Colin Watson
Revision Date: 2011-05-17 11:22:12 UTC

Rebuild for OpenSSL 1.0.0.

Author: Rodrigo Gallardo
Revision Date: 2009-12-08 19:34:21 UTC

* New upstream version (Closes: #559270).
 - sessiond, a high performance SSL session cache was built for stunnel.
   A new service-level "sessiond" option was added. sessiond is
   available for download on ftp://stunnel.mirt.net/stunnel/sessiond/ .
   stunnel clusters will be a lot faster, now!
 - Transparent proxy support on Linux kernels >=2.6.28.
   See the manual for details.
   The old transproxy.txt file is no longer provided.
 - New socket options to control TCP keepalive on Linux:
   TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL.
 - SSL options updated for the recent version of OpenSSL library.
 - Bugfixes
  + Missing "fips" option was added to the manual.
  + A serious bug in asynchronous shutdown code fixed.
  + Data alignment updated in libwrap.c.
  + Polish manual encoding fixed. Debian's patch for this removed.
  + Notes on compression implementation in OpenSSL added to the manual.

* Use correct owner:group for logs after rotation. (Closes: #529481).
  Thanks Brian 'morlenxus' Miculcy <morlenxus@gmx.net>
* Use copytruncate in logrotate file, instead of restarting the
  daemon (Closes: #535915).
  Thanks Andrew Buckeridge <andrewb@bgc.com.au>
* Bump Standards-Version to 3.8.3. No changes required.
* Do not specify path to true in postinst script.

Author: Rodrigo Gallardo
Revision Date: 2009-12-08 19:34:21 UTC

* New upstream version (Closes: #559270).
 - sessiond, a high performance SSL session cache was built for stunnel.
   A new service-level "sessiond" option was added. sessiond is
   available for download on ftp://stunnel.mirt.net/stunnel/sessiond/ .
   stunnel clusters will be a lot faster, now!
 - Transparent proxy support on Linux kernels >=2.6.28.
   See the manual for details.
   The old transproxy.txt file is no longer provided.
 - New socket options to control TCP keepalive on Linux:
   TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL.
 - SSL options updated for the recent version of OpenSSL library.
 - Bugfixes
  + Missing "fips" option was added to the manual.
  + A serious bug in asynchronous shutdown code fixed.
  + Data alignment updated in libwrap.c.
  + Polish manual encoding fixed. Debian's patch for this removed.
  + Notes on compression implementation in OpenSSL added to the manual.

* Use correct owner:group for logs after rotation. (Closes: #529481).
  Thanks Brian 'morlenxus' Miculcy <morlenxus@gmx.net>
* Use copytruncate in logrotate file, instead of restarting the
  daemon (Closes: #535915).
  Thanks Andrew Buckeridge <andrewb@bgc.com.au>
* Bump Standards-Version to 3.8.3. No changes required.
* Do not specify path to true in postinst script.

Author: Rodrigo Gallardo
Revision Date: 2009-12-08 19:34:21 UTC

* New upstream version (Closes: #559270).
 - sessiond, a high performance SSL session cache was built for stunnel.
   A new service-level "sessiond" option was added. sessiond is
   available for download on ftp://stunnel.mirt.net/stunnel/sessiond/ .
   stunnel clusters will be a lot faster, now!
 - Transparent proxy support on Linux kernels >=2.6.28.
   See the manual for details.
   The old transproxy.txt file is no longer provided.
 - New socket options to control TCP keepalive on Linux:
   TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL.
 - SSL options updated for the recent version of OpenSSL library.
 - Bugfixes
  + Missing "fips" option was added to the manual.
  + A serious bug in asynchronous shutdown code fixed.
  + Data alignment updated in libwrap.c.
  + Polish manual encoding fixed. Debian's patch for this removed.
  + Notes on compression implementation in OpenSSL added to the manual.

* Use correct owner:group for logs after rotation. (Closes: #529481).
  Thanks Brian 'morlenxus' Miculcy <morlenxus@gmx.net>
* Use copytruncate in logrotate file, instead of restarting the
  daemon (Closes: #535915).
  Thanks Andrew Buckeridge <andrewb@bgc.com.au>
* Bump Standards-Version to 3.8.3. No changes required.
* Do not specify path to true in postinst script.

Author: Rodrigo Gallardo
Revision Date: 2008-11-18 13:52:42 UTC

Check if a daemon is already running before trying to start it with the
same configuration file. Thanks Peter Palfrader <weasel@debian.org> for
the report (Closes: #506091).

Author: Steffen Joeris
Revision Date: 2008-05-27 18:28:56 UTC

* Non-maintainer upload by the security team
* Fix security bug in the OCSP functionality that allowed revoked
  certificates to authenticate (Closes: #482644)
  Fixes: CVE-2008-2420

Author: Rodrigo Gallardo
Revision Date: 2007-12-05 08:09:44 UTC

* New upstream release.
 - Binaries moved from /usr/sbin to /usr/bin. Thus, Debian no longer
  diverges in that from upstream.
 - libstunnel.so migrated inside /usr/lib/stunnel.
 - Preliminary FIPS 140-2 support, but this package does not include it,
  as it requires static compilation.
 - Miscelaneous bugfixing.
* debian/patches/no_zlib_link:
 - Rebased. Only line numbering changed.
* debian/patches/libstunnel_is_private_lib:
 - Removed. Included upstream.
* debian/patches/fix-paths:
 - Remove hunks related to moving binaries to /usr/bin. Refresh line numbers
  in the rest.
* debian/patches/rename-binary:
 - Rebased. Minor changes due to changed dates in the manpage and the use of
  @prefix@ in src/stunnel3.in.
* debian/patches/setuid.patch:
 - Patch from upstream to allow using setuid/setgid with /etc/passwd and
  /etc/group not within chrooted directory.
* debian/README.Debian:
 - Add explanation about not turning FIPS mode on.
 - Reword warning about binaries changing place.
* debian/rules, debian/stunnel4.manpages:
 - No longer need to move the binaries.
 - Upstream location for manpages changed. We still install them by hand,
  anyways.
 - Ship fr and pl manpages.
 - Do not pass --host to configure if not cross compiling.
 - Reorder target dependencies. This should avoid problems when doing
  paralell builds.
* debian/control:
 - Remove XS- prefix from Vcs-* fields.
 - Add Homepage: field.
 - Correct minor typo in dummy package's description.
 - Version build dependency on quilt, since we require
  /usr/share/quilt/quilt.make (Closes: #447751).
 - Change my maintainer address.

Author: Marco Rodrigues
Revision Date: 2007-08-02 16:43:00 UTC

Added Provides and Replaces to debian/control to replace obsolete package
crywrap.

Author: Julien Lemoine
Revision Date: 2006-11-07 20:22:04 UTC

* Updated chroot default path in configuration file
* Added LSB section in init script

Author: Julien Lemoine
Revision Date: 2006-08-24 17:19:57 UTC

* Fixed a bug when pid is not given in configuration file :
  init.d script was looking for /var/run/stunnel4/stunnel4.pid but
  stunnel was creating /var/run/stunnel4.pid
  (Closes: #384275)
* Added check during start to encourage users to fill the pid= section
  of configuration file when start failed (for example if you use two
  configuration files without pid= option)

Author: Chuck Short
Revision Date: 2006-04-18 12:29:12 UTC

* debian/stunnel4.init
  - Add check for /var/run/stunnel4 as /var/run is mounted tmpfs.
   (Closes: Malone #29892)

Author: Julien Lemoine
Revision Date: 2005-04-20 21:07:50 UTC

* New upstream release
* include better stunnel3 compability script from upstream, options
  like -cd can now be use instead of -c -d ...
  (closes: #305259)
* Added depends on perl-modules to allow use of stunnel3 compatibilty script

Author: Julien Lemoine
Revision Date: 2004-09-26 18:12:36 UTC

Restart connection instead of stop when ppp is down. It is possible to
use stunnel for eth interfaces. (Closes: 271006)

Author: Julien Lemoine
Revision Date: 2004-06-07 21:23:37 UTC

* By default, store pidfile in /var/run/stunnel4/stunnel.pid with
  /var/run/stunnel4 owned by nobody:nogroup
* Oops, stunnel4 was a debian native package

Author: Rodrigo Gallardo
Revision Date: 2009-04-24 19:56:05 UTC

* New upstream release.
 - Remove debian/patches/security-check_certificate, now included upstream.
   Fixes: CVE-2008-2420
 - Libwrap helper processes fixed to close standard
   input/output/error file descriptors. (Closes: #482379)
* Rebase quilt patches to not require -p0. (Closes: #484966)
* Fix sample configuration file to use ssl cert from /etc/ssl/certs
  (Closes: #460953).
* Warn if automatic startup is disabled in /etc/default/stunnel4
  (Closes: #475599).
* Use invoke-rc.d in ppp start/stop scripts.
* Standards-Version: 3.8.1.
  - Add README.source documenting use of quilt.
* Bump to debhelper 7
  - Remove unused old option from dh_mkshlibs call
* Declare the polish pod's encoding and use unicode when converting it
  to a manpage.
* Dummy upgrade package is priority: extra