Your message dated Sun, 08 Jan 2017 17:04:58 +0000
with message-id <e1cqgtu-0001jw...@fasolo.debian.org>
and subject line Bug#850292: fixed in stunnel4 3:5.39-2
has caused the Debian Bug report #850292,
regarding stunnel4: killed by shadowserver.org port scanner
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
850292: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850292
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: stunnel4
Version: 3:5.38-1
Severity: important
Hi,
I use stunnel4 to tunnel SSH over SSL, and I experience daily failures
triggered by shadowserver.org port scanning [1][2]. Here is the pattern from
journalctl:
janv. 04 14:53:55 maison stunnel[13384]: LOG5[6]: Service [ssh] accepted connection from 216.218.206.66:17748
janv. 04 14:53:56 maison stunnel[13384]: LOG3[6]: SSL_accept: 1417D18C: error:1417D18C:SSL routines:tls_process_client_hello:version too low
janv. 04 14:53:56 maison stunnel[13384]: LOG5[6]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
janv. 04 14:54:51 maison stunnel[13384]: LOG5[7]: Service [ssh] accepted connection from 216.218.206.66:6922
janv. 04 14:54:51 maison stunnel[13384]: LOG3[7]: SSL_accept: 1417A0C1: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
janv. 04 14:54:51 maison stunnel[13384]: LOG5[7]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
janv. 04 14:54:51 maison kernel: traps: stunnel4[12705] trap stack segment ip:7f310cea5c4a sp:7f310d65bb20 error:0 in libcrypto.so.1.1[7f310cdff000+26
...
janv. 05 13:03:35 maison stunnel[342]: LOG5[8]: Service [ssh] accepted connection from 184.105.139.68:52520
janv. 05 13:03:36 maison stunnel[342]: LOG3[8]: SSL_accept: 1417D18C: error:1417D18C:SSL routines:tls_process_client_hello:version too low
janv. 05 13:03:36 maison stunnel[342]: LOG5[8]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
janv. 05 13:04:30 maison stunnel[342]: LOG5[9]: Service [ssh] accepted connection from 184.105.139.68:38530
janv. 05 13:04:30 maison stunnel[342]: LOG3[9]: SSL_accept: 1417A0C1: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
janv. 05 13:04:30 maison stunnel[342]: LOG5[9]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
janv. 05 13:04:30 maison kernel: traps: stunnel4[28471] trap stack segment ip:7f76c2c01c4a sp:7f76c33b7b20 error:0 in libcrypto.so.1.1[7f76c2b5b000+26
216.218.206.66 is scan-05.shadowserver.org
184.105.139.68 is scan-02.shadowserver.org
After each of these failures stunnel isn't running anymore and systemd doesn't
know it has to restart it, because 'systemctl status' says: 'active (exited)'.
But this one is related to #826883.
My stunnel config file is:
$ cat /etc/stunnel/stunnel.conf
pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem
[ssh]
accept = 443
connect = 127.0.0.1:22
Thanks in advance for any hint.
[1] https://poodlescan.shadowserver.org/
[2] https://freakscan.shadowserver.org/
_g.
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.8.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages stunnel4 depends on:
ii adduser 3.115
ii libc6 2.24-8
ii libssl1.1 1.1.0c-2
ii libsystemd0 232-8
ii libwrap0 7.6.q-25
ii lsb-base 9.20161125
ii netbase 5.3
ii openssl 1.1.0c-2
pn perl:any <none>
stunnel4 recommends no packages.
Versions of packages stunnel4 suggests:
pn logcheck-database <none>
-- no debconf information
--- End Message ---
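The log pattern in the report above (a failed SSL_accept followed within the same second by a kernel trap in libcrypto) can be flagged automatically. The following is an added example, not part of the bug report or of stunnel; it assumes one journal entry per line, IPv4 peers, and uses a constructed sample with documentation addresses and made-up PIDs. The function name find_crashes and the 5-second window are illustrative choices.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the journalctl excerpt in the report:
# documentation addresses, made-up PIDs, one log entry per line.
SAMPLE = """\
janv. 04 14:53:55 host stunnel[100]: LOG5[6]: Service [ssh] accepted connection from 192.0.2.10:17748
janv. 04 14:53:56 host stunnel[100]: LOG3[6]: SSL_accept: 1417D18C: error:1417D18C:SSL routines:tls_process_client_hello:version too low
janv. 04 14:54:51 host stunnel[100]: LOG5[7]: Service [ssh] accepted connection from 192.0.2.10:6922
janv. 04 14:54:51 host stunnel[100]: LOG3[7]: SSL_accept: 1417A0C1: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
janv. 04 14:54:51 host kernel: traps: stunnel4[99] trap stack segment ip:0 sp:0 error:0 in libcrypto.so.1.1[0+26
janv. 04 15:10:02 host stunnel[200]: LOG5[1]: Service [ssh] accepted connection from 192.0.2.77:40000
janv. 04 15:10:03 host stunnel[200]: LOG3[1]: SSL_accept: 1417A0C1: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
"""

ENTRY = re.compile(r"^\S+ (\d{2}) (\d{2}):(\d{2}):(\d{2}) \S+ (.*)$")
ACCEPT = re.compile(r"stunnel\[(\d+)\]: LOG5\[(\d+)\]: Service \[\S+\] "
                    r"accepted connection from ([\d.]+):\d+")
FAIL = re.compile(r"stunnel\[(\d+)\]: LOG3\[(\d+)\]: SSL_accept: .*:([^:]+)$")
TRAP = re.compile(r"kernel: traps: stunnel4?\[\d+\] trap .* in "
                  r"(lib(?:crypto|ssl)[^\[\s]*)")

Crash = namedtuple("Crash", "when peer reason library")

def find_crashes(text, window=5):
    """Return kernel traps in stunnel that follow a failed TLS handshake
    within `window` seconds, with the peer of that handshake."""
    peers = {}        # (stunnel pid, connection id) -> peer address
    last_fail = None  # (time in seconds, peer, OpenSSL reason)
    crashes = []
    for line in text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue
        day, hh, mm, ss, msg = entry.groups()
        # Seconds within the month; month rollover is ignored (assumption).
        now = ((int(day) * 24 + int(hh)) * 60 + int(mm)) * 60 + int(ss)
        if m := ACCEPT.match(msg):
            peers[(m[1], m[2])] = m[3]
        elif m := FAIL.match(msg):
            last_fail = (now, peers.get((m[1], m[2]), "unknown"), m[3])
        elif (m := TRAP.match(msg)) and last_fail and now - last_fail[0] <= window:
            crashes.append(Crash(f"{day} {hh}:{mm}:{ss}", last_fail[1],
                                 last_fail[2], m[1]))
            last_fail = None
    return crashes

if __name__ == "__main__":
    for crash in find_crashes(SAMPLE):
        print(crash)
```

A failed handshake with no trap after it, like the last two sample lines, is ordinary scanner noise and is not reported.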
--- Begin Message ---
Source: stunnel4
Source-Version: 3:5.39-2
We believe that the bug you reported is fixed in the latest version of
stunnel4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 850...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Pentchev <r...@ringlet.net> (supplier of updated stunnel4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 08 Jan 2017 17:30:12 +0200
Source: stunnel4
Binary: stunnel4
Architecture: source amd64
Version: 3:5.39-2
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <r...@ringlet.net>
Changed-By: Peter Pentchev <r...@ringlet.net>
Description:
stunnel4 - Universal SSL tunnel for network daemons
Closes: 850292
Changes:
stunnel4 (3:5.39-2) unstable; urgency=medium
.
* Add the 08-session-free patch to avoid freeing the SSL session
twice, which will either be detected by the OpenSSL library and
crash the stunnel process, or cause use-after-free problems that
may lead to even worse results later. Closes: #850292
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---