Control: retitle -1 pu: package stunnel4/3:5.06-2+deb8u1 On Thu, Apr 23, 2015 at 10:35:28PM +0100, Jonathan Wiltshire wrote: > Control: retitle -1 pu: package stunnel4/3:5.06-3 > Control: tag -1 jessie > > On Wed, Apr 08, 2015 at 02:32:49PM +0300, Peter Pentchev wrote: > > This is a pre-approval request for unblocking a RC bugfix upload of > > stunnel4 that will fix two RC bugs: > > - #771421 - makes stunnel unusable for some users in certain > > configurations; not for everyone, but still, it happens too often to > > be ignored > > - #782030 - makes stunnel start and stop properly, checking whether > > the action has actually succeeded > > Deferring to a point release; SRM will confirm after release.
OK, here's an updated debdiff that retargets the upload towards stable-proposed-updates; the only change is the header and the footer of the changelog entry itself. G'luck, Peter -- Peter Pentchev r...@ringlet.net r...@freebsd.org p.penc...@storpool.com PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
diff -Nru stunnel4-5.06/debian/changelog stunnel4-5.06/debian/changelog --- stunnel4-5.06/debian/changelog 2014-11-28 11:08:35.000000000 +0200 +++ stunnel4-5.06/debian/changelog 2015-04-26 01:34:49.000000000 +0300 @@ -1,3 +1,15 @@ +stunnel4 (3:5.06-2+deb8u1) stable-proposed-updates; urgency=medium + + * Add the 17-upstream-hangup patch to fix prematurely closed + connections when there is still data to be written. + Thanks to Joachim Falk for backporting the patch! + Closes: #771241 + * Add the 18-lsb-startup patch to make the daemons' startup consistent + with the way things are done in Debian. + Among other things, Closes: #782030 + + -- Peter Pentchev <r...@ringlet.net> Sun, 26 Apr 2015 01:34:42 +0300 + stunnel4 (3:5.06-2) unstable; urgency=medium * Limit the systemd build dependency to Linux architectures only, diff -Nru stunnel4-5.06/debian/patches/17-upstream-hangup.patch stunnel4-5.06/debian/patches/17-upstream-hangup.patch --- stunnel4-5.06/debian/patches/17-upstream-hangup.patch 1970-01-01 02:00:00.000000000 +0200 +++ stunnel4-5.06/debian/patches/17-upstream-hangup.patch 2015-04-24 10:53:33.000000000 +0300 @@ -0,0 +1,74 @@ +Description: Fix premature data truncation in the POLLRDHUP handling +DebianBug: https://bugs.debian.org/771241 +Origin: upstream; https://www.stunnel.org/pipermail/stunnel-users/2014-November/004860.html +Last-Update: 2015-03-04 + +--- a/src/client.c ++++ b/src/client.c +@@ -515,6 +515,11 @@ + int write_wants_read=0, write_wants_write=0; + /* actual conditions on file descriptors */ + int sock_can_rd, sock_can_wr, ssl_can_rd, ssl_can_wr; ++#ifdef USE_WIN32 ++ unsigned long bytes; ++#else ++ int bytes; ++#endif + + c->sock_ptr=c->ssl_ptr=0; + +@@ -810,32 +815,44 @@ + } + + /****************************** check for hangup conditions */ +- if(s_poll_rdhup(c->fds, c->sock_rfd->fd)) { +- s_log(LOG_INFO, "Read socket closed (hangup)"); ++ /* http://marc.info/?l=linux-man&m=128002066306087 */ ++ /* readsocket() must be the last sock_rfd operation before FIONREAD */ ++ if(sock_open_rd && s_poll_rdhup(c->fds, c->sock_rfd->fd) && ++ (ioctlsocket(c->sock_rfd->fd, FIONREAD, &bytes) || !bytes)) { ++ s_log(LOG_INFO, "Read socket closed (read hangup)"); + sock_open_rd=0; + } +- if(s_poll_hup(c->fds, c->sock_wfd->fd)) { ++ if(sock_open_wr && s_poll_hup(c->fds, c->sock_wfd->fd)) { + if(c->ssl_ptr) { + s_log(LOG_ERR, +- "Write socket closed (hangup) with %d unsent byte(s)", ++ "Write socket closed (write hangup) with %d unsent byte(s)", + c->ssl_ptr); + longjmp(c->err, 1); /* reset the socket */ + } +- s_log(LOG_INFO, "Write socket closed (hangup)"); ++ s_log(LOG_INFO, "Write socket closed (write hangup)"); + sock_open_wr=0; + } +- if(s_poll_hup(c->fds, c->ssl_rfd->fd) || +- s_poll_hup(c->fds, c->ssl_wfd->fd)) { ++ /* SSL_read() must be the last ssl_rfd operation before FIONREAD */ ++ if(!(SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN) && ++ s_poll_rdhup(c->fds, c->ssl_rfd->fd) && ++ (ioctlsocket(c->ssl_rfd->fd, FIONREAD, &bytes) || !bytes)) { + /* hangup -> buggy (e.g. Microsoft) peer: + * SSL socket closed without close_notify alert */ ++ s_log(LOG_INFO, "SSL socket closed (read hangup)"); ++ SSL_set_shutdown(c->ssl, ++ SSL_get_shutdown(c->ssl)|SSL_RECEIVED_SHUTDOWN); ++ } ++ if(!(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN) && ++ s_poll_hup(c->fds, c->ssl_wfd->fd)) { + if(c->sock_ptr || write_wants_write) { + s_log(LOG_ERR, +- "SSL socket closed (hangup) with %d unsent byte(s)", ++ "SSL socket closed (write hangup) with %d unsent byte(s)", + c->sock_ptr); + longjmp(c->err, 1); /* reset the socket */ + } +- s_log(LOG_INFO, "SSL socket closed (hangup)"); +- SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); ++ s_log(LOG_INFO, "SSL socket closed (write hangup)"); ++ SSL_set_shutdown(c->ssl, ++ SSL_get_shutdown(c->ssl)|SSL_SENT_SHUTDOWN); + } + + /****************************** check write shutdown conditions */ diff -Nru stunnel4-5.06/debian/patches/18-lsb-startup.patch stunnel4-5.06/debian/patches/18-lsb-startup.patch --- stunnel4-5.06/debian/patches/18-lsb-startup.patch 1970-01-01 02:00:00.000000000 +0200 +++ stunnel4-5.06/debian/patches/18-lsb-startup.patch 2015-04-24 10:53:33.000000000 +0300 @@ -0,0 +1,199 @@ +Description: Use the LSB start/stop functions in the init script +DebianBug: https://bugs.debian.org/782030 +Author: Peter Pentchev <r...@ringlet.net> +Forwarded: not needed +Last-Update: 2014-04-08 + +--- a/tools/stunnel.init.in ++++ b/tools/stunnel.init.in +@@ -29,7 +29,7 @@ + grep -i "^$2=" | sed -e "s;^[^=]*=;;" + } + +-get_pids() { ++get_pidfile() { + local file=$1 + if [ -f $file ]; then + CHROOT=`get_opt $file chroot` +@@ -37,13 +37,13 @@ + if [ "$PIDFILE" = "" ]; then + PIDFILE=$DEFAULTPIDFILE + fi +- if [ -f $CHROOT/$PIDFILE ]; then +- cat $CHROOT/$PIDFILE +- fi ++ echo "$CHROOT/$PIDFILE" + fi + } + + startdaemons() { ++ local res file args pidfile warn status ++ + if ! [ -d /var/run/stunnel4 ]; then + rm -rf /var/run/stunnel4 + install -d -o stunnel4 -g stunnel4 /var/run/stunnel4 +@@ -51,52 +51,81 @@ + if [ -n "$RLIMITS" ]; then + ulimit $RLIMITS + fi ++ res=0 + for file in $FILES; do + if [ -f $file ]; then +- ARGS="$file $OPTIONS" +- PROCLIST=`get_pids $file` ++ echo -n " $file: " ++ args="$file $OPTIONS" ++ pidfile=`get_pidfile $file` + if egrep -qe '^pid[[:space:]]*=' "$file"; then +- warn='' ++ warn='' + else +- warn=' (no pid=pidfile specified!)' ++ warn=' (no pid=pidfile specified!)' + fi +- if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then +- echo -n "[Already running$warn: $file] " +- elif $DAEMON $ARGS; then +- echo -n "[Started$warn: $file] " ++ status=0 ++ start_daemon -p "$pidfile" "$DAEMON" $args || status=$? ++ if [ "$status" -eq 0 ]; then ++ echo -n "started$warn" + else +- echo "[Failed$warn: $file]" +- echo "You should check that you have specified the pid= in you configuration file" +- exit 1 ++ echo "failed$warn" ++ echo "You should check that you have specified the pid= in you configuration file" ++ res=1 + fi + fi + done; ++ echo '' ++ return "$res" + } + + killdaemons() + { +- SIGNAL=${1:-TERM} ++ local sig file pidfile status ++ ++ sig=${1:-TERM} ++ res=0 + for file in $FILES; do +- PROCLIST=`get_pids $file` +- if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then +- kill -s $SIGNAL $PROCLIST +- echo -n "[stopped: $file] " ++ echo -n " $file: " ++ pidfile=`get_pidfile $file` ++ if [ ! -e "$pidfile" ]; then ++ echo -n "no pid file" ++ else ++ status=0 ++ killproc -p "$pidfile" "$DAEMON" "$sig" || status=$? ++ if [ "$status" -eq 0 ]; then ++ echo -n 'stopped' ++ else ++ echo -n 'failed' ++ res=1 ++ fi + fi + done ++ echo '' ++ return "$res" + } + + querydaemons() + { ++ local res file pidfile status ++ + res=0 +- echo -n "$DESC status:" + for file in $FILES; do + echo -n " $file: " +- PROCLIST=`get_pids $file` +- if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then +- echo -n 'running' +- else +- echo -n 'stopped' ++ pidfile=`get_pidfile "$file"` ++ if [ ! -e "$pidfile" ]; then ++ echo -n 'no pid file' + res=1 ++ else ++ status=0 ++ pidofproc -p "$pidfile" "$DAEMON" >/dev/null || status="$?" ++ if [ "$status" = 0 ]; then ++ echo -n 'running' ++ elif [ "$status" = 4 ]; then ++ echo "cannot access the pid file $pidfile" ++ res=1 ++ else ++ echo -n 'stopped' ++ res=1 ++ fi + fi + done + echo '' +@@ -133,42 +162,43 @@ + + set -e + ++res=0 + case "$1" in + start) +- echo -n "Starting $DESC: " ++ echo -n "Starting $DESC:" + startdaemons +- echo "$NAME." ++ res=$? + ;; + stop) +- echo -n "Stopping $DESC: " ++ echo -n "Stopping $DESC:" + killdaemons +- echo "$NAME." ++ res=$? + ;; + reopen-logs) +- echo -n "Reopening log files $DESC: " ++ echo -n "Reopening log files $DESC:" + killdaemons USR1 +- echo "$NAME." ++ res=$? + ;; + force-reload|reload) +- echo -n "Reloading configuration $DESC: " ++ echo -n "Reloading configuration $DESC:" + killdaemons HUP +- echo "$NAME." ++ res=$? + ;; + restart) +- echo -n "Restarting $DESC: " +- killdaemons +- sleep 5 +- startdaemons +- echo "$NAME." ++ echo -n "Restarting $DESC:" ++ killdaemons && startdaemons ++ res=$? + ;; + status) +- querydaemons +- ;; ++ echo -n "$DESC status:" ++ querydaemons ++ res=$? ++ ;; + *) + N=/etc/init.d/$NAME + echo "Usage: $N {start|stop|status|reload|reopen-logs|restart} [<stunnel instance>]" >&2 +- exit 1 ++ res=1 + ;; + esac + +-exit 0 ++exit "$res" diff -Nru stunnel4-5.06/debian/patches/series stunnel4-5.06/debian/patches/series --- stunnel4-5.06/debian/patches/series 2014-10-16 14:24:04.000000000 +0300 +++ stunnel4-5.06/debian/patches/series 2015-04-24 10:53:33.000000000 +0300 @@ -9,3 +9,5 @@ 14-lsb-init-functions.patch 15-upstream-systemd-libs.patch 16-upstream-sslv23-method.patch +17-upstream-hangup.patch +18-lsb-startup.patch
signature.asc
Description: Digital signature
