Skip to content

Changelog stunnel4 (3:5.44-1ubuntu3)

2018

stunnel4 (3:5.44-1ubuntu3) bionic; urgency=medium

   * d/p/disable_expired_cert_tests.patch: disable failing tests due to
     expired test certs until upstream publishes new ones.

stunnel4 (3:5.44-1ubuntu2) bionic; urgency=high

   * No change rebuild against openssl1.1.

stunnel4 (3:5.44-1ubuntu1) bionic; urgency=medium

   * Add missing test dependency on net-tools for ifconfig command.

2017

stunnel4 (3:5.44-1) unstable; urgency=medium

   * New upstream release, drop the 10-accept patch taken from upstream.

stunnel4 (3:5.43-1) unstable; urgency=medium

   * Remove whitespace at the end of the lines in old changelog entries.
   * Declare compliance with Debian Policy 4.1.1 with no changes.
   * Fix some typographical errors in old changelog entries.
   * Add "Rules-Requires-Root: no" to the source control stanza.
   * New upstream release:
     - add netcat-traditional to the build dependencies since
       the new upstream test suite uses it
     - also run the upstream test suite as an automated package test
     - add an upstream patch for the behavior of the "accept" option
   * Rename the automated test scripts without a language extension.

stunnel4 (3:5.42-1) unstable; urgency=medium

   * Add a simple autopkgtest suite.
   * Declare compliance with Debian Policy 4.1.0:
     - do not install documentation files if the "nodoc" build option is
       set or the "nodoc" build profile is active.
     - add the 09-try-restart patch to implement the "try-restart" action
       in the SysV init script.
   * New upstream version:
     - drop the 08-session-free patch, fixed upstream in a better way
     - refresh the 02-rename-binary, 04-restore-pidfile-default, and
       07-path-max patches
     - add a Lintian override because "CAs" is not a typo for this package
     - add a build dependency on autoconf-archive
     - bump the year in the upstream copyright notice
   * Drop the sdf build dependency, it does not seem to be needed any more.

stunnel4 (3:5.39-2) unstable; urgency=medium

   * Add the 08-session-free patch to avoid freeing the SSL session
     twice, which will either be detected by the OpenSSL library and
     crash the stunnel process, or cause use-after-free problems that
     may lead to even worse results later.  Closes: #850292

stunnel4 (3:5.39-1) unstable; urgency=medium

   * New upstream version:
     - drop the 08-dh-openssl-1.1 patch, dhparam.c was regenerated with
       OpenSSL 1.1 again
     - refresh the rest of the patches
   * Remove the cybermirror sites from the watch file; their stunnel
     mirror has been "undergoing maintenance" for at least three months.
   * Bump the year of my debian/* copyright notice.

2016

stunnel4 (3:5.38-1) unstable; urgency=medium

   * New upstream release:
     - drop the 06-lfs, 08-typos, and 09-realloc patches, included upstream
     - add the 08-dh-openssl-1.1.patch to fix the build with OpenSSL 1.1

stunnel4 (3:5.37-2) unstable; urgency=medium

   * Add the 09-realloc patch to fix a reallocation / double-free bug.
     Closes: #843988; thanks, Sebastian Andrzej Siewior and gregor
     herrmann!

stunnel4 (3:5.37-1) unstable; urgency=medium

   * Reformat the build and runtime dependency lists in the control file.
   * Add a runtime dependency on lsb-base for /lib/lsb/init-functions.
   * Drop the dh_installinit override: --restart-after-upgrade is already
     the default behavior in debhelper compatibility level 10.
   * Update the watch file a bit:
     - replace pgpmode=auto with pgpsigurlmangle - the former will not
       fail on a missing upstream signature file
     - make the version regular expression a bit more sane
     - use v4's @ARCHIVE_EXT@ substitution variable
   * Add another correction to the typos patch.
   * New upstream release.
   * Correct the download webpage's URL in the copyright file.
   * Correct the project homepage's URL in the stunnel3 manual page.
   * Use the HTTPS scheme for various upstream URLs.

stunnel4 (3:5.36-1) unstable; urgency=medium

   * Add the 24-typos patch to fix some typographical errors.
   * New upstream version:
     - drop the 10-no-zlib-compression patch, integrated upstream
   * Bump the debhelper B-D to 10 and drop the Lintian override.
   * Rename the patch files to "reindex" sequentially.

stunnel4 (3:5.35-1) unstable; urgency=medium

   * New upstream release:
     - drop the 24-ssl23 patch, integrated upstream
     - refresh the other patches

stunnel4 (3:5.33-1) unstable; urgency=medium

   * Switch the bugs.debian.org URL in a patch to HTTPS.
   * Switch the copyright format URL to HTTPS.
   * New upstream version:
     - fix the build with OpenSSL-1.1; Closes: #828562
     - refresh the 12-restore-pidfile-default and 23-path-max patches
   * Add the 24-ssl23.h patch to further fix the OpenSSL 1.1 build -
     the ssl23.h file was removed.

stunnel4 (3:5.32-1) unstable; urgency=medium

   * Declare compliance with Debian Policy 3.9.8 with no changes.
   * Remove the Breaks/Replaces relations for the old "stunnel" package;
     it is not even present in oldstable.
   * Update the watch file:
     - switch to the HTTPS scheme for the upstream downloads page
     - re-enable the ftp://ftp.stunnel.org/stunnel/archive/5.x/ location
       and use FTP passive mode to access it
     - actually include upstream's signing subkey in the key file!
     - update to the watch file format 4 and use pgpmode=auto
   * Use Autoconf's AC_SYS_LARGEFILE for Large File Support.
   * New upstream release:
     - update the upstream author's e-mail address in the copyright file,
       the upstream metadata file, and the stunnel3.8 manual page
     - refresh the 02-rename-binary patch
   * Bump the debhelper compatibility level to 10:
     - override the Lintian debhelper warning as it itself suggests
     - let debhelper handle the parallel building and autoreconf by itself
   * Add the 23-path-max patch to allocate the configuration filename
     dynamically and avoid the use of the possibly undefined PATH_MAX.

stunnel4 (3:5.31-1) unstable; urgency=medium

   * New upstream release.
   * Declare compliance with Debian Policy 3.9.7 with no changes.

stunnel4 (3:5.30-1) unstable; urgency=medium

   * New upstream release:
     - bump the upstream copyright years
     - refresh the 02-rename-binary patch
     - refresh the 10-no-zlib-compression patch (line numbers only)
   * Bump the year on my debian/* copyright notice.

stunnel4 (3:5.29-1) unstable; urgency=medium

   * New upstream release, refresh the patches' line numbers.

2015

stunnel4 (3:5.28-1) unstable; urgency=high

   * New upstream release:
     - high urgency: fix a bug introduced in 3:5.27-1: if an OpenSSL
       engine is used, the SSL library's initialization would not be
       performed completely, skipping, for instance, the proper
       initialization of the pseudo-random number generator
     - refresh the patches

stunnel4 (3:5.27-1) unstable; urgency=medium

   * New upstream release:
     - refresh the patches
     - drop the 19-typos patch, applied upstream

stunnel4 (3:5.26-1) unstable; urgency=medium

   * New upstream version:
     - drop the 14-lsb-init-functions, 18-lsb-startup, and 20-comparison
       patches, applied upstream
     - rework the 02-rename-binary and 10-no-zlib-compression patches
     - update the 19-typos patch: the fixes within it were applied
       upstream, but a couple of new typos were introduced
     - refresh patches
     - add the 21-author-tests patch to make the building of the Win32
       binaries conditional on an environment variable and not on
       the presence of the .git directory
     - update the upstream copyright notice in debian/copyright
   * Drop the perl-modules dependency - "perl", brought in by perl:Depends,
     ought to be enough.
   * Run the build in all of the source directories.  Closes: #804292
   * Use an https:// URL for Vcs-Git.

stunnel4 (3:5.18-1) unstable; urgency=medium

   * Add the 17-upstream-hangup patch to fix prematurely closed
     connections when there is still data to be written.
     Thanks to Joachim Falk for backporting the patch!
     Closes: #771241
   * Add the 18-lsb-startup patch to make the daemons' startup consistent
     with the way things are done in Debian.
     Among other things, Closes: #782030
   * Rework the patches a bit:
     - update the description of 01-fix-paths
     - move the tools/script.sh chunk from 01-fix-paths to 02-rename-binary
     - drop 08-client-example: it was actually applied upstream, no need
       to add the same text twice
     - drop 11-no-rle-compression: the OpenSSL bug has been fixed
       somewhere in the 1.x release timeframe
   * Add the 19-typos patch to fix some minor documentation typos and
     rework the 02-rename-binary patch to make the change in the manual page
     during the stunnel.pod -> stunnel.8 rebuild
   * Add the 20-comparison patch to fix a minor logging bug.
   * Remove ${misc:Pre-Depends} as explained in debhelper's #783898.
   * Bump the year on my debian/* copyright notice.
   * Add --parallel to the debhelper invocation.
   * New upstream version:
     - rework the 01-fix-paths and the 10-zlib-compression patches to
       catch up with upstream updates
     - refresh patches
     - drop the 05-logrotate-warning-in-sample-conf patch, applied upstream
     - drop the 15-upstream-systemd-libs, 16-upstream-sslv23-method, and
       17-upstream-hangup patches since they were cherry-picked from
       upstream to begin with
     - remove handling for the dropped French manual page

2014

stunnel4 (3:5.06-2) unstable; urgency=medium

   * Limit the systemd build dependency to Linux architectures only,
     so that we actually give Stunnel a chance to build on kFreeBSD
     or the Hurd.
   * Add debian/upstream/metadata.

stunnel4 (3:5.06-1) unstable; urgency=medium

   * New upstream release:
     - refresh patches
     - drop 13-init-script-typo.patch, included upstream
   * Update Standards-Version to 3.9.6.
 
   [ Santiago Vila <sanvila@unex.es> ]
   * Fix logrotate typo (closes: #762242).
 
   [ Peter Pentchev ]
   * Disable the autodetection of zlib in the configure script,
     it will most probably not be used at all later.
   * Fix the DEP-3 format of the 01-fix-paths, 02-rename-binary, and
     03-runas-user patches - use multiple "Author" headers.
   * Switch to the cgit frontend for Vcs-Browser.
   * New upstream release:
     - refresh the patches
     - add a build dependency on libsystemd-dev for the systemd socket
       activation support
     - add the 15-upstream-systemd-libs patch to fix the build with
       the systemd version in unstable/testing
     - add a news blurb about the disabled SSLv2 and SSLv3 protocols
       and the configuration options to enable them
     - add the 16-upstream-sslv23-method patch to fix the build for
       OpenSSL with disabled SSLv2 and SSLv3
     - add Mark Theunissen's copyright notice for the systemd socket
       activation code
   * Drop an ancient README.Debian note about upgrading from 4.20 or
     earlier, it has not even been in oldstable for quite some time now.
   * Switch the /usr/bin/stunnel symlink from stunnel3 to stunnel4,
     as README.Debian has threatened for ages.  Add a news blurb.
   * Add perl:Depends to the binary package.

stunnel4 (3:5.03-1) unstable; urgency=medium

   * New upstream version:
     - refresh the 02-rename-binary, 10-no-zlib-compression, and
       12-restore-pidfile-default patches
     - drop the 09-init-script-ulimits patch, it was actually
       included upstream in 5.02
     - add the 13-init-script-typo patch to remove a stray quote
   * Add the 14-lsb-init-functions patch to source /lib/lsb/init-functions,
     although the init script does not use anything there yet.

stunnel4 (3:5.02-1) unstable; urgency=medium

   * New upstream version:
     - drop the 04-selective-tunnel-restart, 06-init-script-description,
       and 07-init-script-status patches, applied upstream
     - refresh the 01-fix-paths, 02-rename-binary, 03-runas-user,
       05-logrotate-warning-in-sample-conf, 08-client-example,
       09-init-script-ulimits, and 12-restore-pidfile-default patches
     - augment the 01-fix-paths patch to also move the pidfile to
       /var/run/ and not /usr/var/run/.

stunnel4 (3:5.01-3) unstable; urgency=medium

   * Add the 12-restore-pidfile-default patch to restore stunnel's
     "create the pid file by default" behavior, since the init script
     has no way of monitoring the started stunnel4 processes otherwise.
     The init script now warns about configurations with no "pid"
     setting; in a future version it will refuse to start stunnel for
     these configurations.  Closes: #744851

stunnel4 (3:5.01-2) unstable; urgency=medium

   * Add the 11-no-rle-compression patch to disable RLE compression since
     OpenSSL does not really implement it.  Closes: #744350
   * Modify the 10-no-zlib-compression patch to not even allow starting
     a tunnel configured with "zlib" or "deflate" compression.

stunnel4 (3:5.01-1) unstable; urgency=medium

   * New maintainer.  Closes: #738093
   * A new upload should fix the build with newer OpenSSL.
     Closes: #737517
   * Add DEP-3 headers to the patch files.
   * Switch to debhelper override rules.
   * Use dh-autoreconf and retarget the rename-binary patch.
     Closes: #727511
   * Canonicalize the Vcs-Git and Vcs-Browser source control fields.
   * Update the watch file a bit:
     - watch a mirror in addition to the main site, at least temporarily
       until the main FTP site is fixed
     - watch for 5.x versions, too
     - add Michal Trojnara's PGP key
   * Convert the copyright file to the 1.0 format and add my notice.
   * Remove the README.source file, unnecessary in the 3.0 (quilt) format.
   * Bump Standards-Version to 3.9.5 with no further changes.
   * Bump the debhelper compatibility level to 9 with multiarch:
     - let debhelper set the build environment variables
     - add misc:Pre-Depends to the binary package
     - remove the libtool .la file in the multiarch lib directory
   * Drop the versions from the libssl-dev and openssl build dependencies.
   * Drop two automatically-created directories from debian/dirs
   * New upstream release:
     - Closes: #723781 (package new upstream version)
     - a fix for CVE-2014-0016 was included.  Closes: #740802
     - refresh the rename-binary patch
     - drop the CVE-2013-1762 patch, it was taken from stunnel-4.55
     - add a stunnel4.NEWS item to note the newly disabled by default
       pidfile and libwrap options
     - update the copyright file
   * Build with Large File Support - no problems there, since stunnel
     never really uses the position or the size of any open files.
   * Add the init_script_status patch to support the 'status' command.
     Closes: #548974
   * Rename the Debian patches following a number sequence.
   * Modify the debian/stunnel3.8 and add the 08-client-example patch
     to add a client configuration example to the English manual page.
     Closes: #644398, although this one shall have to be referred to
     upstream for inclusion in the rest of the documentation, too.
   * Reword the note about FIPS support in README.Debian, fix a typo
     and correct the URLs to the OpenSSL FIPS User Guide.
     Closes: #642440
   * Optionally set resource limits on startup.  Closes: #599138
     - add the RLIMITS variable to /etc/default/stunnel4
     - add the 09-init-script-ulimits patch to honor it
   * Add the 10-no-zlib-compression patch to disable the hardcoded
     addition of zlib as a compression algorithm for OpenSSL 0.9.8 and
     later; the Debian OpenSSL package is compiled without support for
     zlib compression since version 1.0.1e-5.

2013

stunnel4 (3:4.53-1.1) unstable; urgency=high

   * Non-maintainer upload.
   * Add CVE-2013-1762.patch patch.
     CVE-2013-1762: Fix buffer overflow in NTLM authentication of the CONNECT
     protocol negotiation. (Closes: #702267)

2012

stunnel4 (3:4.53-1) unstable; urgency=low

   * New upstream version 4.53.
     - Added client-mode "sni" option to directly control the value of
       TLS Server Name Indication (RFC 3546) extension (Closes: #668041).
     - Added support for IP_FREEBIND socket option with a pached Linux kernel.
     - Glibc-specific dynamic allocation tuning was applied to help unused memory
       deallocation.
     - Non-blocking OCSP implementation.
     - Various other bugfixes, see upstream changelog for details.
 
   * Enabled hardening compile flags. There were NO compile time warning messages
     or errors triggered because of this.
 
   * Updated to Standards-Version 3.9.3. No changes required.
     - Migrating to /run from /var/run will be a hard problem, because we expect
       user written config files to refer to the directory. We'll punt on making
       this change for now.
   * Updated copyright years to 2012.
   * Added Description: LSB header to init script.

stunnel4 (3:4.52-1) unstable; urgency=low

   * New upstream version 4.52.
   * Do not enable chroot in sample config file. It is misleading to users, it
     suggests it can be used with no further changes. Closes: #652812
   * Remove log files on purge. Closes: #657135

stunnel4 (3:4.51~b5-1) experimental; urgency=low

   * New upstream version
     - Fixed exec+connect sections (Closes: #653882).
     - New "compression = deflate" global option to enable RFC 2246 compression.
       For compatibility with previous versions "compression = zlib" and
       "compression = rle" also enable the deflate (RFC 2246) compression.
     - Separate default ciphers and sslVersion for "fips = yes" and "fips = no".

2011

stunnel4 (3:4.50-1) unstable; urgency=low

   * New Upstream Releases. Highlights:
     + 4.46:
       - Added Unix socket support (e.g. "connect = /var/run/stunnel/socket").
       - Added "verify = 4" mode to ignore CA chain and only verify peer
         certificate.
       - Removed the limit of 16 IP addresses for a single 'connect' option.
       - Removed the limit of 256 stunnel.conf sections in PTHREAD threading
         model.
     + 4.45:
       - "protocol = proxy" support to send original client IP address to haproxy
          http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
          This requires accept-proxy bind option of haproxy 1.5-dev3 or later.
       - Libwrap helper processes are no longer started if libwrap is disabled
         in all sections of the configuration file.
       - Fixed -l option handling in stunnel3 script (thx to Kai Gülzau).
       - Script to build default stunnel.pem was fixed (thx to Sebastian Kayser).
     + 4.44:
       - Heap buffer overflow protection with canaries.
       - Stack buffer overflow protection with -fstack-protector.
       - Fixed garbled error messages on errors with setuid/setgid options.
     + 4.43:
       - Major optimization of the logging subsystem.
         Benchmarks indicate up to 15% stunnel performance improvement.
   * Remove config.guess and config.sub in clean target, otherwise build fails
     because of changes in source outside of a patch. Found and fixed by
     Peter Eisentraut <petere@debian.org> (Closes: #647176).
   * Updated watchfile to new upstream's directory structure for archived
     releases.

stunnel4 (3:4.42-1) unstable; urgency=low

   * New Upstream Release.
    - Fixed a heap corruption vulnerability in versions 4.40 and 4.41.  It may
      possibly be leveraged to perform DoS or remote code execution attacks.
      (Closes: #638758)
    - New verify level 0 to request and ignore peer certificate.

stunnel4 (3:4.40-1) unstable; urgency=low

   * New Upstream Release:
    - Hardcoded 2048-bit DH parameters are used as a fallback if DH parameters
      are not provided in stunnel.pem.
    - Default "ciphers" value updated to prefer ECDH:
      "ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH".
    - Default ECDH curve updated to "prime256v1".
    - Removed support for temporary RSA keys (used in obsolete export ciphers).

stunnel4 (3:4.39-1) unstable; urgency=low

   * New Upstream Releases. Highlights:
    + 4.38:
      - Server-side SNI implemented (RFC 3546 section 3.1) with a new
        service-level option "nsi".
      - "socket" option also accepts "yes" and "no" for flags.
      - Nagle's algorithm is now disabled by default for improved interactivity.
      - Bugfix: Signal pipe set to non-blocking mode.  This bug caused
        hangs of stunnel features based on signals, e.g. local mode, FORK
        threading, or configuration file reload on Unix.  Win32 platform was
        not affected.
    + 4.37:
      - Client-side SNI implemented (RFC 3546 section 3.1).
      - Default "ciphers" changed from the OpenSSL default to a more secure
        and faster "RC4-MD5:HIGH:!aNULL:!SSLv2".
        A paranoid (and usually slower) setting would be "HIGH:!aNULL:!SSLv2".
      - Recommended "options = NO_SSLv2" added to the sample stunnel.conf file.
      - Default client method upgraded from SSLv3 to TLSv1.
        To connect servers without TLS support use "sslVersion = SSLv3" option.
      - Bugfix: Non-blocking socket handling in local mode fixed
        (Closes: #626856).
    + 4.36:
      - Dynamic memory management for strings manipulation:
        no more static STRLEN limit, lower stack footprint. (Closes: #594876).
      - Strict public key comparison added for "verify = 3" certificate
        checking mode (thx to Philipp Hartwig).
    For more details see upstream ChangeLog.
 
   * Removed /usr/lib/stunnel/libstunnel.la file.
   * Support restarting selected stunnel instances. Thanks Peter Palfrader.
     (Closes: #627765).

stunnel4 (3:4.35-2) unstable; urgency=low

   * Fix variable substitution in init script (Closes: #623221).
     Thanks Tomas Kapralek <kapralek@cvut.cz> for report and diagnosis.

stunnel4 (3:4.35-1) unstable; urgency=low

   * New Upstream Releases (Closes: #621987).
   * Upstream incorporated our init script, so this package no longer carries
     its own copy of it.
   * Bump Standards-Version to 3.9.2. No changes needed.
   * Remove /etc/stunnel/stunnel4.conf file as it is useless, except as a sample.
     A README file for /etc/stunnel was provided (Closes: #549384).
   * Minor cleanup of debian/rules, no longer runs configure twice.

2010

stunnel4 (3:4.33-1) experimental; urgency=low

   * New Upstream Releases
    - 4.31
     + A SIGHUP to the server will cause it to reload the configuration file.
     + A SIGUSR1 to the server causes it to reopen its log files.
    - 4.32
     + New service-level "libwrap" option for run-time control whether
       /etc/hosts.allow and /etc/hosts.deny are used for access control.
       Disabling libwrap significantly increases performance of stunnel.
    - 4.33
     + Fixes to inetd mode
 
    For more details please see upstream's ChangeLog.
 
   * Init script now provides reload and reopen-log options (Closes: #323171).
   * The logrotate config file now takes advantage of reopen-log option.
   * Update config.{build,sub} on build. Closes: #535719.
   * Add missing ${misc:Depends} entry to debian/control.
   * Update copyright years.
   * Update to Standards-Version: 3.9.1
    - stunnel4 no longer Conflicts: stunnel, but merely Breaks: stunnel.
   * Update packaging to source format 3.0 (quilt).

2009

stunnel4 (3:4.29-1) unstable; urgency=low

   * New upstream version (Closes: #559270).
    - sessiond, a high performance SSL session cache was built for stunnel.
      A new service-level "sessiond" option was added.  sessiond is
      available for download on ftp://stunnel.mirt.net/stunnel/sessiond/ .
      stunnel clusters will be a lot faster, now!
    - Transparent proxy support on Linux kernels >=2.6.28.
      See the manual for details.
      The old transproxy.txt file is no longer provided.
    - New socket options to control TCP keepalive on Linux:
      TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL.
    - SSL options updated for the recent version of OpenSSL library.
    - Bugfixes
     + Missing "fips" option was added to the manual.
     + A serious bug in asynchronous shutdown code fixed.
     + Data alignment updated in libwrap.c.
     + Polish manual encoding fixed. Debian's patch for this removed.
     + Notes on compression implementation in OpenSSL added to the manual.
 
   * Use correct owner:group for logs after rotation. (Closes: #529481).
     Thanks Brian 'morlenxus' Miculcy <morlenxus@gmx.net>
   * Use copytruncate in logrotate file, instead of restarting the
     daemon (Closes: #535915).
     Thanks Andrew Buckeridge <andrewb@bgc.com.au>
   * Bump Standards-Version to 3.8.3. No changes required.
   * Do not specify path to true in postinst script.

stunnel4 (3:4.27-1) unstable; urgency=low

   * New upstream release.
    - Remove debian/patches/security-check_certificate, now included upstream.
      Fixes: CVE-2008-2420
    - Libwrap helper processes fixed to close standard
      input/output/error file descriptors. (Closes: #482379)
   * Rebase quilt patches to not require -p0. (Closes: #484966)
   * Fix sample configuration file to use ssl cert from /etc/ssl/certs
     (Closes: #460953).
   * Warn if automatic startup is disabled in /etc/default/stunnel4
     (Closes: #475599).
   * Use invoke-rc.d in ppp start/stop scripts.
   * Standards-Version: 3.8.1.
     - Add README.source documenting use of quilt.
   * Bump to debhelper 7
     - Remove unused old option from dh_mkshlibs call
   * Declare the polish pod's encoding and use unicode when converting it
     to a manpage.
   * Dummy upgrade package is priority: extra

2008

stunnel4 (3:4.22-2) unstable; urgency=low

   * Check if a daemon is already running before trying to start it with the
     same configuration file. Thanks Peter Palfrader <weasel@debian.org> for
     the report (Closes: #506091).

stunnel4 (3:4.22-1.1) unstable; urgency=high

   * Non-maintainer upload by the security team
   * Fix security bug in the OCSP functionality that allowed revoked
     certificates to authenticate (Closes: #482644)
     Fixes: CVE-2008-2420

stunnel4 (3:4.22-1) unstable; urgency=low

   * New upstream release.
    - Build system now uses standard automake dirs.
    - Reworked logging system avoids outputting before log file is configured
     (Closes: #460019).
    - Simultaneous logging to a file and the syslog is now possible.
    - A new service level option to control stack size:
      stack = <number of bytes>
    - Bugfixes in libwrap support code.
   * debian/patches/setuid.patch: Removed, it's included upstream.
   * debian/patches/fix-paths: Reworked to use automake's standard dirs.
   * Rebase the rest of the patches.
   * Update standards-version to 3.7.3. No changes needed.
   * Fix build-dependencies on -1 revisions of libssl-dev, openssl and quilt.
   * Register documentation in the System/Security section.

2007

stunnel4 (3:4.21-1) unstable; urgency=low

   * New upstream release.
    - Binaries moved from /usr/sbin to /usr/bin. Thus, Debian no longer
     diverges in that from upstream.
    - libstunnel.so migrated inside /usr/lib/stunnel.
    - Preliminary FIPS 140-2 support, but this package does not include it,
     as it requires static compilation.
    - Miscellaneous bugfixing.
   * debian/patches/no_zlib_link:
    - Rebased. Only line numbering changed.
   * debian/patches/libstunnel_is_private_lib:
    - Removed. Included upstream.
   * debian/patches/fix-paths:
    - Remove hunks related to moving binaries to /usr/bin. Refresh line numbers
     in the rest.
   * debian/patches/rename-binary:
    - Rebased. Minor changes due to changed dates in the manpage and the use of
     @prefix@ in src/stunnel3.in.
   * debian/patches/setuid.patch:
    - Patch from upstream to allow using setuid/setgid with /etc/passwd and
     /etc/group not within chrooted directory.
   * debian/README.Debian:
    - Add explanation about not turning FIPS mode on.
    - Reword warning about binaries changing place.
   * debian/rules, debian/stunnel4.manpages:
    - No longer need to move the binaries.
    - Upstream location for manpages changed. We still install them by hand,
     anyways.
    - Ship fr and pl manpages.
    - Do not pass --host to configure if not cross compiling.
    - Reorder target dependencies. This should avoid problems when doing
     parallel builds.
   * debian/control:
    - Remove XS- prefix from Vcs-* fields.
    - Add Homepage: field.
    - Correct minor typo in dummy package's description.
    - Version build dependency on quilt, since we require
     /usr/share/quilt/quilt.make (Closes: #447751).
    - Change my maintainer address.

stunnel4 (3:4.20-5) unstable; urgency=low

   * debian/stunnel3.8:
     - Remove references to unsupported -S and -V options in manpage, and
     include an explicit list of tunable parameters for -O and their
     default values (Closes: #440718).
     - Rewrite -P argument description. It must be a file to be created, or
     empty (Closes: #398012).

stunnel4 (3:4.20-4) unstable; urgency=low

   * Add missing names and dates of copyright attributions to
     debian/copyright. Update licencing blurb to mention the new FSF's
     postal address.
   * Restructure README.Debian into sections.
   * Remove /usr/share/lintian/overrides and /usr/sbin from
     debian/dirs. Explicitly create the first if needed to install an
     override file, and explicitly remove the later after moving the
     binaries, in debian/rules.
   * Move StunnelConf-0.1.pl into /usr/share/doc/stunnel4/contrib. Remove
     it from debian/docs and explicitely install it in dh_install call.
   * Patch configure (debian/patches/no_zlib_link) to avoid linking to
     zlib. This library is a dependency of openssl, but not of ours.
   * Rewrite changelog entries from previous version, adding mention of
     modified files.
   * Use make -C dir instead of cd dir; make constructs in debian/rules.

stunnel4 (3:4.20-3) unstable; urgency=low

   * New Maintainer (Closes: #416955).
   * Manage patches to upstream source with quilt.
    - fix-paths changes references to /usr/sbin.
     We install binaries in /usr/bin. It also removes bogus @PREFIX@ uses
     from several paths.
    - rename-binary changes the name of the executable to stunnel4.
    - runas-user sets the default config to run as the stunnel4 user and group.
    - connect-proxy-dunbar unapplied patch from upstream's
     site. (It does not apply to 4.07 onwards)
    - openssl0.9.8-initialization unapplied patch. Originally meant to
     close #334180, was disabled by previous maintainer without
     explanation.
   * Add stunnel dummy upgrade package.
    - debian/control: Add package stanza.
    - debian/rules: Modify to build the arch-indep package.
    - debian/stunnel.NEWS: Add upgrade notice for stunnel 3 users.
   * Shorten dh_* invocations in debian/rules.
    - new files: stunnel4.examples, stunnel4.links, stunnel4.manpages.
   * Ship upstream Changelog (Closes: #419842).
    - Add ChangeLog to dh_installchangelogs call in debian/rules.
   * Do not compress StunnelConf-0.1.pl (Closes: #432304).
    - Add exclude entry to dh_compress call in debian/rules.
   * Add watch file.
   * Suggests: logcheck-database (Closes: #382099).
   * Move libstunnel.so into /usr/lib/stunnel, as it is a private DSO.
    - Remove lintian overrides.
    - Added debian/patches/libstunnel_is_private_lib
    - Remove ldconfig calls from post{inst,rm}
    - Remove /usr/lib/libstunnel.so.4 link
   * Use debhelper compat mode 5.
    - Bump debhelper build-depends to >= 5. No other changes.
   * Remove /var/lib/stunnel4 when purged, if empty (in debian/postinst).
   * Remove manual call to invoke-rc.d from postinst. debhelper inserts it
     automatically.

stunnel4 (3:4.20-2) unstable; urgency=low

   * Orphan package

stunnel4 (3:4.20-1) unstable; urgency=low

   * New upstream release

2006

stunnel4 (3:4.18-2) unstable; urgency=low

   * Updated chroot default path in configuration file
   * Added LSB section in init script

stunnel4 (3:4.18-1) unstable; urgency=low

   * New upstream release

stunnel4 (3:4.17-2) unstable; urgency=low

   * Check if pids are valid before trying to use kill
     (Closes: #388379)

stunnel4 (3:4.17-1) unstable; urgency=low

   * New upstream release

stunnel4 (3:4.16-1) unstable; urgency=low

   * New upstream release

stunnel4 (2:4.150-7) unstable; urgency=low

   * Fixed a bug when pid is not given in configuration file :
     init.d script was looking for /var/run/stunnel4/stunnel4.pid but
     stunnel was creating /var/run/stunnel4.pid
     (Closes: #384275)
   * Added check during start to encourage users to fill the pid= section
     of configuration file when start failed (for example if you use two
     configuration files without pid= option)

stunnel4 (2:4.150-6) unstable; urgency=low

   * Updated to debian policy 3.7.2
   * Fixed lintian warnings

stunnel4 (2:4.150-5) unstable; urgency=low

   * Fixed typo in postinst :
     /var/lib/stunnel4/stunnel.log instead of /var/log/stunnel4/stunnel.org
     (Closes: #381127)

stunnel4 (2:4.150-4) unstable; urgency=low

   * Create /var/lib/stunnel4 if it does not exist in postinst
     (Closes: #377074)

stunnel4 (2:4.150-3) unstable; urgency=low

   * Fixed another problem with stunnel3 compatibility script
     (call to /usr/sbin/stunnel4 instead of /usr/bin/stunnel4) and added
     a check in debian/rules (Closes: #340113)

stunnel4 (2:4.150-2) unstable; urgency=low

   * Fixed stunnel3 compatibility script problem (infinite loop)
     Thanks to "Martin Schwenke" <martin@meltin.net> for bug report.
   * Added a check in debian/rules to ensure that stunnel3 compatibility script
     does not contains infinite loop

stunnel4 (2:4.150-1) unstable; urgency=low

   * New upstream release

stunnel4 (2:4.140-6) unstable; urgency=low

   * Added check/creation of /var/run/stunnel4 directory in init.d script instead of
     postinst in order to be FHS compliant when /var/run is cleared at startup
     (note that /var/run/stunnel4 cleanup does not allow a chroot in /var/run/stunnel4)
     Thanks to Jim Helm : http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343882;msg=25

stunnel4 (2:4.140-5) unstable; urgency=low

   * Move stunnel and stunnel-dsa from /usr/sbin to /usr/bin in order to be
     compliant with FHS standard. The stunnel program is interesting for
     "normal" users as well as administrator.

2005

stunnel4 (2:4.140-4) unstable; urgency=low

   * Fixed problem with default directory (/etc/stunnel for configuration
     directory and /var/run/stunnel4.pid for pid file) (Closes: #343882)

stunnel4 (2:4.140-3) unstable; urgency=low

   * Default configuration file is now filled with values for usage
     in a chroot environment
     (if you do not want chroot or want to use vserver, you need to edit it)
     (Closes: #342507)

stunnel4 (2:4.140-2) unstable; urgency=low

   * Fixed stunnel3 compatibility script
     (wrong binary : stunnel instead of stunnel4)
     (Closes: #340113)

stunnel4 (2:4.140-1) unstable; urgency=low

   * New upstream release

stunnel4 (2:4.120-1) unstable; urgency=low

   * New upstream release
   * Applied patch from Kurt Roeckx <kurt@roeckx.be> to fix initialization
     problem with openssl 0.9.8 (Closes: #334180)

stunnel4 (2:4.110-2) unstable; urgency=low

   * Rebuild with openssl 0.9.8

stunnel4 (2:4.110-1) unstable; urgency=low

   * New upstream release
   * Updated to Standards-Version 3.6.2

stunnel4 (2:4.090-1) unstable; urgency=low

   * New upstream release
   * include better stunnel3 compatibility script from upstream, options
     like -cd can now be use instead of -c -d ...
     (closes: #305259)
   * Added depends on perl-modules to allow use of stunnel3 compatibility script

stunnel4 (2:4.070-5) unstable; urgency=low

   * Renamed stunnel3 compatibility script (/usr/sbin/stunnel) to be compatible
     with stunnel package
   * Added conflict with stunnel package (compatible, does not break user
     configuration) since stunnel 4.x is more actively maintained
     than stunnel 3.x

stunnel4 (2:4.070-4) unstable; urgency=low

   * Add an option (PPP_RESTART) in /etc/default/stunnel4 to enable/disable
     restart scripts (closes: #298352)

stunnel4 (2:4.070-3) unstable; urgency=low

   * Do not remove user and group if there already exist in postinst
     script (Closes: #290374)

stunnel4 (2:4.070-2) unstable; urgency=low

   * Fixed directory problem :
     - confdir was /usr/etc/stunnel instead of /etc/stunnel (Closes: #289832)
     - zlib compression was unable to start since /etc/stunnel/stunnel.conf
       was not read (Closes: #289872)

stunnel4 (2:4.070-1) unstable; urgency=low

   * New upstream release : Add IPV6 support
   * Disable proxy-connect patch (does not apply on 4.07 sources)

2004

stunnel4 (2:4.050-4) unstable; urgency=low

   * Restart connection instead of stop when ppp is down. It is possible to
     use stunnel for eth interfaces. (Closes: 271006)

stunnel4 (2:4.050-3) unstable; urgency=low

   * Added proxy-connect patch (Closes: #267533)
   * Create directory /var/log/stunnel in postinst (Closes: #267093)
   * Create user and group stunnel4 (Closes: #266339)
   * Uncomment some line in default configuration file :
     o Use /var/log/stunnel4/stunnel.log as default log file
     o Use stunnel4 user and group as default
     o Use /var/run/stunnel4/stunnel.pid as default pid file

stunnel4 (2:4.050-2) unstable; urgency=low

   * Fixed stopping problem in init.d script (Closes: #265449)
     Thanks to Wilfried Goesgens <willi@almado.de>
   * Added stunnel4 in logrotate (Closes: #265437)
     Thanks to Wilfried Goesgens <willi@almado.de>

stunnel4 (2:4.050-1) unstable; urgency=low

   * By default, store pidfile in /var/run/stunnel4/stunnel.pid with
     /var/run/stunnel4 owned by nobody:nogroup
   * Oops, stunnel4 was a debian native package

stunnel4 (2:4.05-1) unstable; urgency=low

   * New upstream release

stunnel4 (2:4.04.0-10) unstable; urgency=low

   * Shut down stunnel4 in postinst (Closes: #234498)

stunnel4 (2:4.04.0-9) unstable; urgency=low

   * Added configuration script from "Sergio Rua" <srua@debian.org>

stunnel4 (2:4.04.0-8) unstable; urgency=low

   * Added ppp ip-up and ip-down scripts
     (Closes: #227678)

2003

stunnel4 (2:4.04.0-7) unstable; urgency=low

   * Fix problem in init.d script (was not sh compatible)
     (Closes: #214818, #214823)

stunnel4 (2:4.04.0-6) unstable; urgency=low

   * Rewrite of /etc/init.d/stunnel4 :
     o does not use kill -9, thus giving a chance to stunnel4 to clean up
       puts common code in functions
     o avoids calling ps twice
     o uses fgrep
     o does not print the conf file name if no processes exist for it
     o corrects the `stoped' typo
     Thanks to Francesco Potorti` <pot@gnu.org> (Closes: #214562)

stunnel4 (2:4.04.0-5) unstable; urgency=low

   * /etc/init.d/stunnel4 can load more than one configuration file.
     It loads /etc/stunnel/*.conf. You can have a configuration file for
     server mode and one for client mode. (Closes: #211870)

stunnel4 (2:4.04.0-4) unstable; urgency=low

   * Put stunnel.html in /usr/share/doc/stunnel4/ instead of
     /usr/share/doc/stunnel
   * Updated to Standards-Version 3.6.1

stunnel4 (2:4.04.0-3) unstable; urgency=low

   * Fixed wrong path search for stunnel.conf
    (Closes: Bug#202931)

stunnel4 (2:4.04.0-2) unstable; urgency=low

   * Fixed stunnel.conf problems, file must be commented by default.
     (Closes: #202693)

stunnel4 (2:4.04.0-1) unstable; urgency=low

   * Oops, stunnel4 is not a native package -> reupload it with a diff.gz
   * Does not install stunnel.so since it is not used
   * Updated clean rules to have a clean diff
   * Updated to Standards-Version 3.6.0

stunnel4 (2:4.04-2) unstable; urgency=low

   * Fixed compilation errors (removed binary in clean rule)
   * removed libstunnel.so since it is not used

stunnel4 (2:4.04-1) unstable; urgency=low

   * Stunnel versions 4.x are now in stunnel4 package and stunnel versions 3.x
     are in stunnel package to keep backward compatibility.

stunnel (4.04-5) unstable; urgency=low

   * The "I need to sleep more to avoid making typos" release.
   * Fixed typos in default/init file (ENABLED instead of ENABLE)
     (Closes: #197958)
   * Commented all stunnel.conf file, client=no is the default value
     (Closes: #197961)

stunnel (4.04-4) unstable; urgency=low

   * Added /etc/default/stunnel with a variable ENABLE.
     ENABLE=0 by default since stunnel segv on some computer when all lines
     are commented (Closes: #197663, #197615)

stunnel (4.04-3) unstable; urgency=low

   * comment ldap sample (Closes: #197566)

stunnel (4.04-2) unstable; urgency=low

   * Fixed typo in init.d script (Closes: #197499)
   * Added a commented example in stunnel.conf from Craig Sanders

stunnel (4.04-1) unstable; urgency=low

   * New upstream release (Closes: #177532, Closes: 188137)
   * New maintainer
   * Stunnel has no more -L option (Closes: #120265)
   * Stunnel has no more -l option (Closes: #175844)
   * Shutdown(1) problem was fixed (Closes: #111125)
   * Problem with large data resolved (tested with a 5Mo file)
     (Closes: #112287)
   * Licence is now GPL version 2 with agreement to link with openssl
     (Closes: #147665)
   * stunnel can execute command (Closes: #147537)
   * added a lintian overwrite for libstunnel.so since it is compiled with
     -avoid-version
   * Fixed problem with path (/etc/ instead of $(prefix)/etc, ...)
   * Include default configuration file in /etc
   * Upgraded to debian policy 3.5.10
   * Added init.d file

2001

stunnel (3.22-1) unstable; urgency=high

   * New upstream release (closes: bug#126627).
   * Typo fix in postinst (closes: bug#120199, bug#121904)

stunnel (3.21.c-1) unstable; urgency=low

   * New upstream release (Closes: bug#111139, bug#102834, bug#61427).
   * Avoid generating automatically the initial stunnel.pem, openssl cannot be
     reliably used in a non-interactive way (Closes: bug#60776, bug#98445). Info
     on how to generate the certificate is now included in README.Debian.
   * There is support for (re)setting OOB data handling in the new upstream
     version (Closes: bug#107503).
   * Include the sample /etc/iniy.d/stunnel file as an example in the package
     (Closes: bug#114669).

stunnel (3.14-1) unstable; urgency=low

   * New upstream release
   * Actually compile it against the new libssl (Closes: #86916).

stunnel (3.13-1) unstable; urgency=low

   * New upstream release.
   * Recompile with and depend on libssl096 (Closes: #85000, #86385, #83857, #82500).
   * Already fixed in previous aborted upload (Closes: #82105, #77227, #80079, #76576).

2000

stunnel (3.10-1) unstable; urgency=high

   * New upstream release.

stunnel (3.10-0potato1) stable; urgency=high

   * New upstream release.

stunnel (3.9-0potato1) stable; urgency=high

   * New upstream release: security fix (Closes: #80079, #76576).
   * Use correct dir for pid (Closes: #77227).

stunnel (3.8-1) unstable; urgency=low

   * New upstream version (Closes: #75117, #67010).
   * Read 1k of random data in a temp file (Closes: #69808).
   * Added a note in postrm about the stunnel.pem file that
     is left in /etc/ssl/certs: it is safer if the user deals with
     it since it may have been create by him and not stunnel (Closes: #57648).

stunnel (3.4a-6) unstable; urgency=low

   * Depends on openssl 0.9.4 (closes: bug#53947).

1999

stunnel (3.4a-5) unstable; urgency=medium

   * Include upstream download info in copyright (closes: bug#53301).
   * Include example from Steve Haslam to make stunnel run from a
     init script (closes: bug#53300).

stunnel (3.4a-4) unstable; urgency=medium

   * Depends on openssl instead of Suggests (Closes: bug#49238).

stunnel (3.4a-3) unstable; urgency=high

   * Fixes security problem with the certificate.

stunnel (3.4a-2) unstable; urgency=low

   * Suggest openssl instead of ssleay. (Closes: bug#47712)

stunnel (3.4a-1) unstable; urgency=low

   * New upstream release.
   * Put cert in /etc/ssl/certs (closes:#41099). I think this is
     neither an openssl nor stunnel bug, but a dpkg one (other
     similar bugs are already filed against dpkg).

stunnel (3.3-1) unstable; urgency=low

   * New upstream release.

stunnel (3.2-2) unstable; urgency=low

   * Fixed stupid coding error.

stunnel (3.2-1) unstable; urgency=low

   * Recompilation with new ssl lib.
   * New upstream release.

1998

stunnel (2.1-2) unstable; urgency=low

   * Added libwrap support (/etc/hosts.{allow,deny}).
   * Recompilation with newer libc6.
   * Better stunnel-config script.

stunnel (2.1-1) unstable; urgency=low

   * Initial release.