Your message dated Wed, 28 Jun 2017 14:20:37 +0200
with message-id
<CAG+KjmMUv10d7cPb8L615sFBKxL21Zw_hREYN-=n6iwzh8s...@mail.gmail.com>
and subject line Fixed in upstream version 5.33 according to bug reporter
has caused the Debian Bug report #864391,
regarding stunnel4: SSL session leak
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
864391: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864391
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: stunnel4
Version: 3:5.30-1.1
Severity: important
Tags: patch
User: [email protected]
Usertags: origin-ubuntu artful ubuntu-patch
Dear Maintainer,
This fixes an SSL session leak present in the version of stunnel4 currently
in jessie-backports (the versions in jessie (main), stretch, and sid are not
subject to this bug). This bug was introduced in stunnel4 5.27, subsequently
fixed in 5.33, leaving the version in jessie-backports (5.30) subject to
the leak (and the version in Ubuntu Xenial, which appears to be the same
version and have the same patchset as jessie-backports).
The bug results in long running stunnel4 processes eventually consuming all
memory.
In Ubuntu, the attached patch was applied to achieve the following:
With 5.30-1 (the current version in Xenial), the RSS keeps growing. With
this patch applied, RSS grows to around ~13000 and stays there.
It's somewhat difficult to prove the derivation of this patch from
upstream stunnel4, as there is no version control repository for
stunnel4. I made this patch by comparing the source of 5.32 and 5.33,
and ultimately there was just a single line that looked to be relevant -
adding a call to SSL_SESSION_free(). I can't promise this is a full fix,
but it looks promising based on my own testing.
More information in:
https://bugs.launchpad.net/ubuntu/+source/stunnel4/+bug/1655153
  * Non-maintainer upload.
    - Backport fix for TLS session leak introduced in stunnel4 5.27
      from stunnel4 5.33. Fixes launchpad bug 1655153.
Thanks for considering the patch.
-- System Information:
Debian Release: stretch/sid
APT prefers xenial-updates
APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru stunnel4-5.30/debian/patches/30-fix-ssl-session-leak.patch stunnel4-5.30/debian/patches/30-fix-ssl-session-leak.patch
--- stunnel4-5.30/debian/patches/30-fix-ssl-session-leak.patch 1970-01-01 00:00:00.000000000 +0000
+++ stunnel4-5.30/debian/patches/30-fix-ssl-session-leak.patch 2017-06-07 00:30:17.000000000 +0000
@@ -0,0 +1,12 @@
+Index: stunnel4-5.30/src/ctx.c
+===================================================================
+--- stunnel4-5.30.orig/src/ctx.c
++++ stunnel4-5.30/src/ctx.c
+@@ -734,6 +734,7 @@ NOEXPORT void sess_remove_cb(SSL_CTX *ct
+ opt=SSL_CTX_get_ex_data(ctx, index_opt);
+ if(opt->option.sessiond)
+ cache_remove(ctx, sess);
++ SSL_SESSION_free(sess);
+ }
+
+ /**************************************** sessiond functionality */
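Review bot: the added SSL_SESSION_free(sess) in sess_remove_cb() sits after the if(opt->option.sessiond) branch, so it runs on every removal, and nothing in the patch says which reference it releases. If the callback does not own a reference to sess at that point, this call drops one that belongs to someone else and the leak becomes a double free or use-after-free. The new patch file also starts directly at "Index:" with no header; please add one (Description, Origin naming upstream 5.33, Bug-Ubuntu and Bug-Debian) that states where the matching reference is taken, so the pairing can be checked against the 5.33 source.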
diff -Nru stunnel4-5.30/debian/patches/series stunnel4-5.30/debian/patches/series
--- stunnel4-5.30/debian/patches/series 2015-12-03 22:28:57.000000000 +0000
+++ stunnel4-5.30/debian/patches/series 2017-06-07 00:29:27.000000000 +0000
@@ -4,3 +4,4 @@
10-no-zlib-compression.patch
12-restore-pidfile-default.patch
21-author-tests.patch
+30-fix-ssl-session-leak.patch
--- End Message ---
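One way to check the RSS behaviour described in the report above on a running Linux process, as an added example that is not part of the original message or of stunnel: it reads VmRSS from /proc/<pid>/status and tells a plateau from continued growth. The function names, the 2% tolerance and the two sample series (in kB) are assumptions constructed for illustration.

```python
import re

def parse_vmrss_kb(status_text):
    """Return VmRSS in kB from the text of /proc/<pid>/status, or None."""
    m = re.search(r"^VmRSS:\s+(\d+)\s+kB$", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None

def read_rss_kb(pid):
    """Sample the current RSS of a live process (Linux only)."""
    with open(f"/proc/{pid}/status") as fh:
        return parse_vmrss_kb(fh.read())

def slope(values):
    """Least-squares slope of values against their sample index."""
    n = len(values)
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    num = sum((i - mean_x) * (v - mean_y) for i, v in enumerate(values))
    den = sum((i - mean_x) ** 2 for i in range(n))
    return num / den

def classify_rss(samples_kb, tail=6, tolerance=0.02):
    """'growing' if RSS still rises over the last `tail` samples, else 'plateau'.

    Growth is the fitted rise across the tail relative to the tail's mean,
    so a warm-up ramp followed by a flat line is not reported as a leak.
    """
    if tail < 2 or len(samples_kb) < tail:
        return "insufficient-data"
    window = samples_kb[-tail:]
    rise = slope(window) * (tail - 1)
    return "growing" if rise / (sum(window) / tail) > tolerance else "plateau"

# Constructed samples taken at a fixed interval under steady connection load.
LEAKING = [9000, 11000, 13500, 16000, 18400, 21000, 23500, 26100, 28800, 31000]
PATCHED = [9000, 11500, 12800, 13000, 13010, 12990, 13005, 13000, 12995, 13002]

if __name__ == "__main__":
    print("leaking series:", classify_rss(LEAKING))
    print("patched series:", classify_rss(PATCHED))
```

Feed it values collected with `read_rss_kb(pid)` at a fixed interval while the tunnel handles a steady stream of new TLS connections, since an idle process shows a flat RSS with or without the fix.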
--- Begin Message ---
fixed 864391 3:5.33-1
thanks
--
Balint Reczey
Debian & Ubuntu Developer
--- End Message ---