Security update for stunnel

Announcement ID: SUSE-SU-2021:0194-1
Rating: moderate
Affected Products:
  • Server Applications Module 15-SP2
  • SUSE Linux Enterprise High Performance Computing 15 SP2
  • SUSE Linux Enterprise Real Time 15 SP2
  • SUSE Linux Enterprise Server 15 SP2
  • SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2
  • SUSE Manager Proxy 4.1
  • SUSE Manager Retail Branch Server 4.1
  • SUSE Manager Server 4.1

An update that has two security fixes can now be installed.


This update for stunnel fixes the following issues:

Security issue fixed:

  • The "redirect" option was fixed to properly handle "verifyChain = yes" (bsc#1177580).

Non-security issues fixed:

  • Fix startup problem of the stunnel daemon (bsc#1178533)

  • update to 5.57:

  • Security bugfixes
  • New features
    • New securityLevel configuration file option.
    • Support for modern PostgreSQL clients
    • TLS 1.3 configuration updated for better compatibility.
  • Bugfixes

    • Fixed a transfer() loop bug.
    • Fixed memory leaks on configuration reloading errors.
    • DH/ECDH initialization restored for client sections.
    • Delay startup with systemd until network is online.
    • A number of testing framework fixes and improvements.
  • update to 5.56:

  • Various text files converted to Markdown format.
  • Support for realpath(3) implementations incompatible with POSIX.1-2008, such as 4.4BSD or Solaris.
  • Support for engines without PRNG seeding methods (thx to Petr Mikhalitsyn).
  • Retry unsuccessful port binding on configuration file reload.
  • Thread safety fixes in SSL_SESSION object handling.
  • Terminate clients on exit in the FORK threading model.

  • Fixup stunnel.conf handling:

  • Remove old static openSUSE provided stunnel.conf.
  • Use upstream stunnel.conf and tailor it for openSUSE using sed.
  • Don't show README.openSUSE when installing.

  • enable /etc/stunnel/conf.d

  • re-enable openssl.cnf

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • Server Applications Module 15-SP2
    zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-194=1

Package List:

  • Server Applications Module 15-SP2 (aarch64 ppc64le s390x x86_64)
    • stunnel-debugsource-5.57-3.5.1
    • stunnel-debuginfo-5.57-3.5.1
    • stunnel-5.57-3.5.1