Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package stunnel for openSUSE:Factory checked in at 2021-12-16 21:19:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/stunnel (Old)
 and /work/SRC/openSUSE:Factory/.stunnel.new.2520 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "stunnel" Thu Dec 16 21:19:37 2021 rev:28 rq:940847 version:5.60 Changes: -------- --- /work/SRC/openSUSE:Factory/stunnel/stunnel.changes 2021-08-19 10:02:04.951186360 +0200 +++ /work/SRC/openSUSE:Factory/.stunnel.new.2520/stunnel.changes 2021-12-16 21:20:54.166557551 +0100 @@ -1,0 +2,6 @@ +Wed Nov 24 08:51:33 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_stunnel.service.patch + +------------------------------------------------------------------- New: ---- harden_stunnel.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ stunnel.spec ++++++ --- /var/tmp/diff_new_pack.txoKUh/_old 2021-12-16 21:20:54.626557726 +0100 +++ /var/tmp/diff_new_pack.txoKUh/_new 2021-12-16 21:20:54.630557728 +0100 @@ -53,6 +53,7 @@ Source7: stunnel.README # PATCH-FIX-UPSTREAM Fix service file, so it ensure we are starting after network is really up! Patch1: stunnel-5.59_service_always_after_network.patch +Patch2: harden_stunnel.service.patch BuildRequires: libopenssl-devel BuildRequires: tcpd-devel BuildRequires: zlib-devel @@ -89,6 +90,7 @@ %patch1 -p1 chmod -x %{_builddir}/stunnel-%{version}/tools/ca.* chmod -x %{_builddir}/stunnel-%{version}/tools/importCA.* +%patch2 -p1 %build sed -i 's/-m 1770//g' tools/Makefile.in ++++++ harden_stunnel.service.patch ++++++ Index: stunnel-5.60/tools/stunnel.service.in =================================================================== --- stunnel-5.60.orig/tools/stunnel.service.in +++ stunnel-5.60/tools/stunnel.service.in 
@@ -4,6 +4,19 @@ After=syslog.target network-online.targe Wants=syslog.target network-online.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions ExecStart=@bindir@/stunnel Type=forking
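Review bot: In the first stunnel.spec hunk, the new "Patch2: harden_stunnel.service.patch" line has no comment above it, while Patch1 directly before it carries a "# PATCH-FIX-UPSTREAM ..." line. Add a one-line comment above Patch2 that says what the patch is for and references bsc#1181400 from the changes entry, so the spec file explains the patch on its own.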
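Review bot: In the %prep hunk of stunnel.spec, "%patch2 -p1" is placed after the two "chmod -x" lines rather than next to "%patch1 -p1". The result is the same, since the patch only touches tools/stunnel.service.in and the chmod lines only touch tools/ca.* and tools/importCA.*, but keeping the %patch lines together makes the apply order easier to follow.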
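Review bot: In the tools/stunnel.service.in hunk, "ProtectHome=true" makes /home, /root and /run/user inaccessible to the service, and "ProtectSystem=full" mounts /usr, /boot, /efi and /etc read-only, so an existing stunnel.conf that reads cert, key or CAfile material from a home directory, or writes its pid or output file under /etc, will stop working after this update. The changes entry only says "Added hardening to systemd service(s)"; it should name these two behaviour changes and point administrators at a systemd drop-in override for setups that need the old access. The comment block in the unit links to the hardening effort page but does not say which directive to relax for which symptom, and a short note there would help whoever debugs a failed start.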