Package: stunnel4
Version: 3:5.30-1.1
Severity: important
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu artful ubuntu-patch

Dear Maintainer,

This fixes an SSL session leak present in the version of stunnel4 currently in jessie-backports (the versions in jessie (main), stretch, and sid are not subject to this bug). This bug was introduced in stunnel4 5.27, subsequently fixed in 5.33, leaving the version in jessie-backports (5.30) subject to the leak (and the version in Ubuntu Xenial, which appears to be the same version and have the same patchset as jessie-backports). The bug results in long running stunnel4 processes eventually consuming all memory.

*** /tmp/tmpjfgeGr/bug_body

In Ubuntu, the attached patch was applied to achieve the following:

With 5.30-1 (the current version in Xenial), the RSS keeps growing. With this patch applied, RSS grows to around ~13000 and stays there.

It's somewhat difficult to prove the derivation of this patch from upstream stunnel4, as there is no version control repository for stunnel4. I made this patch by comparing the source of 5.32 and 5.33, and ultimately there was just a single line that looked to be relevant - adding a call to SSL_SESSION_free(). I can't promise this is a full fix, but it looks promising based on my own testing.

More information in: https://bugs.launchpad.net/ubuntu/+source/stunnel4/+bug/1655153

  * Non-maintainer upload.
    - Backport fix for TLS session leak introduced in stunnel4 5.27 from
      stunnel4 5.33. Fixes launchpad bug 1655153.

Thanks for considering the patch.

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru stunnel4-5.30/debian/patches/30-fix-ssl-session-leak.patch stunnel4-5.30/debian/patches/30-fix-ssl-session-leak.patch --- stunnel4-5.30/debian/patches/30-fix-ssl-session-leak.patch 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.30/debian/patches/30-fix-ssl-session-leak.patch 2017-06-07 00:30:17.000000000 +0000 @@ -0,0 +1,12 @@ +Index: stunnel4-5.30/src/ctx.c +=================================================================== +--- stunnel4-5.30.orig/src/ctx.c ++++ stunnel4-5.30/src/ctx.c +@@ -734,6 +734,7 @@ NOEXPORT void sess_remove_cb(SSL_CTX *ct + opt=SSL_CTX_get_ex_data(ctx, index_opt); + if(opt->option.sessiond) + cache_remove(ctx, sess); ++ SSL_SESSION_free(sess); + } + + /**************************************** sessiond functionality */ diff -Nru stunnel4-5.30/debian/patches/series stunnel4-5.30/debian/patches/series --- stunnel4-5.30/debian/patches/series 2015-12-03 22:28:57.000000000 +0000 +++ stunnel4-5.30/debian/patches/series 2017-06-07 00:29:27.000000000 +0000 @@ -4,3 +4,4 @@ 10-no-zlib-compression.patch 12-restore-pidfile-default.patch 21-author-tests.patch +30-fix-ssl-session-leak.patch
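
Review bot: the added SSL_SESSION_free(sess) in sess_remove_cb() sits outside the if(opt->option.sessiond) branch, so it runs on every removal callback, yet nothing in the hunk shows where the matching reference is taken. A one-line comment on that line naming the reference being dropped would let a reader confirm this is a balanced release and not a second free of a session the library still holds. The new 30-fix-ssl-session-leak.patch also starts directly at "Index:" with no description header; adding Description, Origin and Bug-Ubuntu fields that record the 5.32-to-5.33 comparison and launchpad bug 1655153 would keep the provenance given in the report with the patch itself.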