Security update for stunnel

Announcement ID:	SUSE-SU-2021:0194-1
Rating:	moderate
References:	bsc#1177580 bsc#1178533
Affected Products:	Server Applications Module 15-SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Manager Proxy 4.1 SUSE Manager Retail Branch Server 4.1 SUSE Manager Server 4.1

An update that has two security fixes can now be installed.

Description:

This update for stunnel fixes the following issues:

Security issue fixed:

• The "redirect" option was fixed to properly handle "verifyChain = yes" (bsc#1177580).

Non-security issues fixed:

• Fix startup problem of the stunnel daemon (bsc#1178533)

• update to 5.57:

• Security bugfixes
• New features
  • New securityLevel configuration file option.
  • Support for modern PostgreSQL clients
  • TLS 1.3 configuration updated for better compatibility.

• Bugfixes

  • Fixed a transfer() loop bug.
  • Fixed memory leaks on configuration reloading errors.
  • DH/ECDH initialization restored for client sections.
  • Delay startup with systemd until network is online.
  • A number of testing framework fixes and improvements.

• update to 5.56:

• Various text files converted to Markdown format.
• Support for realpath(3) implementations incompatible with POSIX.1-2008, such as 4.4BSD or Solaris.
• Support for engines without PRNG seeding methods (thx to Petr Mikhalitsyn).
• Retry unsuccessful port binding on configuration file reload.
• Thread safety fixes in SSL_SESSION object handling.

• Terminate clients on exit in the FORK threading model.

• Fixup stunnel.conf handling:

• Remove old static openSUSE provided stunnel.conf.
• Use upstream stunnel.conf and tailor it for openSUSE using sed.

• Don't show README.openSUSE when installing.

• enable /etc/stunnel/conf.d

• re-enable openssl.cnf

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Server Applications Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-194=1

Package List:

• Server Applications Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • stunnel-debugsource-5.57-3.5.1
  • stunnel-debuginfo-5.57-3.5.1
  • stunnel-5.57-3.5.1

References:

• https://bugzilla.suse.com/show_bug.cgi?id=1177580
• https://bugzilla.suse.com/show_bug.cgi?id=1178533