-
Notifications
You must be signed in to change notification settings - Fork 17
/
CHANGELOG
410 lines (328 loc) · 16.4 KB
/
CHANGELOG
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
* Fri Sep 13 2024 Steven Pritchard <steve@sicura.us> - 6.12.0
- [puppetsync] Update module dependencies to support simp-iptables 7.x
* Mon Oct 23 2023 Steven Pritchard <steve@sicura.us> - 6.11.0
- [puppetsync] Add EL9 support
* Wed Oct 11 2023 Steven Pritchard <steve@sicura.us> - 6.10.0
- [puppetsync] Updates for Puppet 8
- These updates may include the following:
- Update Gemfile
- Add support for Puppet 8
- Drop support for Puppet 6
- Update module dependencies
* Thu Sep 28 2023 Steven Pritchard <steve@sicura.us> - 6.9.0
- Add AlmaLinux 8 support
- Update module dependencies
- Add Puppet 8 support
- Drop Puppet 6 support
* Mon Jul 24 2023 Chris Tessmer <chris.tessmer@onyxpoint.com> - 6.8.0
- Add RockyLinux 8 support
* Wed Oct 27 2021 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.7.1
- Fixed
- Set all tcpwrappers connections to allow 'ALL' to work around a bug in the
version of stunnel that ships with EL7.9 where a tcpwrappers deny will
cause 100% CPU usage and hung process
* Thu Jun 17 2021 Chris Tessmer <chris.tessmer@onyxpoint.com> - 6.7.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
* Wed Jan 13 2021 Chris Tessmer <chris.tessmer@onyxpoint.com> - 6.6.1
- Removed EL6 support
* Tue Dec 10 2019 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.6.0
- Add support for EL8
- Added REFERENCE.md
- Updated README.md
- Set default for stunnel::connection::ssl_version to TLSv1.2 for EL8
compatibility
- Set default for stunnel::instance::ssl_version to TLSv1.2 for EL8
compatibility
- Add an stunnel::instance_purge class to remedy the 'floating services' issue
- Set the stunnel::connection::app_pki_crl parameter to ``undef`` by default due
to issues with pointing the setting to an absent directory in EL8
- Set the stunnel::instance::app_pki_crl parameter to ``undef`` by default due
to issues with pointing the setting to an absent directory in EL8
- Update valid ssl_version entries
- Update acceptance tests to pass data between all combinations of nodes
* Fri Aug 02 2019 Robert Vincent <pillarsdotnet@gmail.com> - 6.6.0
- Support puppetlabs/concat 6.x.
* Tue Jun 04 2019 Steven Pritchard <steven.pritchard@onyxpoint.com> - 6.5.0
- Add v2 compliance_markup data
* Fri Apr 12 2019 Joseph Sharkey <shark.bruhaha@gmail.com> - 6.4.2
- Removed out of date doc/
- Updated tests for pup6 support and removed pup4 support
* Tue Mar 19 2019 Liz Nemsick <lnemsick.simp@gmail.com> - 6.4.2
- Use simplib::nets2ddq in lieu of simplib's deprecated Puppet 3 nets2ddq
- Use Puppet Integer instead of simplib's deprecated Puppet 3 to_integer
- Use Puppet String instead of simplib's deprecated Puppet 3 to_string
- Use simplib::validate_array_member in lieu of simplib's deprecated
Puppet 3 validate_array_member
* Wed Mar 06 2019 Michael Morrone <michael.morrone@onyxpoint.com> - 6.4.1
- If statement evaluating boolean parameter prevented RNDoverwrite being
set to 'no'. Fixed logic, updated tests, and changed default value
to maintain default behavior.
* Mon Mar 04 2019 Liz Nemsick <lnemsick.simp@gmail.com> - 6.4.1
- Expanded the upper limit of the concat and stdlib Puppet module versions
- Updated URLs in the README.md
* Mon Jan 21 2019 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.4.0
- Add ability for users to override stunnel::connection and stunnel::instance
options either globally or by specific identified instance.
- Fixed stunnel::connection and stunnel::instance template bugs
- sni is not applicable on EL6
- retry is only applicable when exec is specified and
needs to be translated from a boolean to 'yes'/'no'
- session is only applicable on EL6
* Thu Dec 06 2018 Chris Tessmer <chris.tessmer@onyxpoint.com> - 6.3.4
- Fix bug that broke `puppet describe <anything>`
* Fri Sep 14 2018 Adam Yohrling <adam.yohrling@onyxpoint.com> - 6.3.3
- Add support for Puppet5
- Clean up acceptance tests to use facts for hostname, domain
- Update badges and contribution guide URL in README.md
* Tue Sep 11 2018 Nicholas Markowski <nicholas.markowski@onyxpoint.com> - 6.3.3
- Updated $app_pki_external_source to accept any string. This matches the
functionality of pki::copy.
* Tue Jul 17 2018 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.3.2
- Fix the service name used by stunnel so that tcpwrappers would not
incorrectly drop connections.
* Mon Apr 23 2018 Jeanne Greulich <jeanne.greulich@onyxpoint.com> - 6.3.2
- Updated selinux settings in acceptance tests to reflect removal of
simp_options::selinux setting and use selinux::ensure setting.
* Tue Apr 03 2018 Nick Miller <nick.miller@onyxpoint.com> - 6.3.1
- Added two new parameters to the stunnel::instance define:
- systemd_wantedby: sent to the WantedBy systemd unit install directive
- systemd_requiredby: sent to the RequiredBy systemd unit install directive
- These should allow ordering during boot. For example, if you have NFS set up
over stunnel, you want stunnel to start before NFS.
- Fixed the systemd startup scripts to properly pre-create the PID directory if
required
* Tue Mar 27 2018 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.3.0
- Ensure init.d script is absent if systemd system because puppet
was finding it and running it and setting permissions on root to
stunnel:stunnel.
- Ensure pid file name is not left undefined to prevent unplanned results.
- Added check to make sure chroot has not evaluated to '/'.
* Tue Mar 06 2018 Liz Nemsick <lnemsick.simp@gmail.com> - 6.3.0
- Fixed bug in which the stunnel systemd pre-exec script failed to
execute completely, because one command did not have a fully
qualified path.
- Reworked stunnel systemd pre-exec scripts to only emit error
messages when errors have occurred.
* Wed Dec 13 2017 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.3.0
- Isolated the 'instance' logic away from the 'connection' logic
- Added a private 'monolithic' class that arranges everything properly for the
legacy stunnel connections
- Ensure that 'instances' and 'connections' do not conflict by using a
'reserve_port' class
- Add a native type that will clean up all instances that would be randomly
created by the 'stunnel::instance' defines and will come before both legacy
and new stunnel connections so that we do not have random left over services
that may conflict with new services
* Fri Nov 17 2017 Nick Miller <nick.miller@onyxpoint.com> - 6.2.1
- Add feature to systemd init script to kill stunnels started from
the previous version of the module
- Fixed bug where `stunnel::config::pid` was being ignored
* Wed Oct 25 2017 Nick Miller <nick.miller@onyxpoint.com> - 6.2.0
- Added acceptance test to switch between SELinux enabled and disabled
- Renamed them to make more sense
- Updated SysV scripts for safety concerns
- PKI now is now owned by the proper $setuid
- Renamed templates to make more sense
- Manage PID dir in Puppet when possible
- Fixed bug where PID dir was being created with SELinux contexts
even when SELinux was disabled
- Added systemd unit to `connection` for use on EL7 systems
- Switched tenplates to use a safe name
- Added support for Puppet 5
* Tue Jun 20 2017 Nick Markowski <nmarkowski@keywcorp.com> - 6.1.0
- Added a define, stunnel::instance
- Creates standalone connections with their own configurations
and services
- Adds systemd support
- Possible to chroot when selinux is permissive/enforcing
- Backwards compatible with existing stunnel configurations
- stunnel::connection is unofficially deprecated until the SIMP-7
release, at which point stunnel::instance will replace
stunnel::connection
- Update puppet requirement in metadata.json
* Fri Mar 17 2017 Ryan Russell-Yates, Liz Nemsick - 6.0.1-0
- Flesh out README
- Remove OBE 'pe' requirement from metadata.json
- Update puppet version in .travis.yaml
* Wed Jan 11 2017 Nick Markowski <nmarkowski@keywcorp.com> - 6.0.0-0
- Updated pki::copy to use the new scheme.
- Application certs now managed in /etc/pki/simp_apps/stunnel/x509
- Removed parameters from README because we are puppet-strings-ified.
- Removed redundant parameter $libwrap
* Thu Dec 29 2016 Nick Markowski <nmarkowski@keywcorp.com> - 6.0.0-0
- Updated the stunnel::connection connect parameter to take an array
of simplib::netlist::port
* Sun Dec 25 2016 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.0.0-0
- Moved `stunnel::add` to `stunnel::connection` for syntactic correctness
- Updated to work with the new IPTables module
* Thu Dec 08 2016 Nick Markowski <nmarkowski@keywcorp.com> - 6.0.0-0
- Updated global catalysts.
- Refactored the module.
- Fixed bug whereby 'chroot = false' is written to stunnel.conf when
selinux is enabled.
* Wed Nov 23 2016 Jeanne Greulich <jgreulich@onyxpoint.com> - 5.0.0-0
- Fix dependancies for simp 6 bump
* Mon Nov 21 2016 Chris Tessmer <chris.tessmer@onyxpoint.com> - 5.0.0-0
- Updated to compliance_markup version 2
* Wed Nov 16 2016 Liz Nemsick <lnemsick.simp@gmail.com> - 5.0.0-0
- Updated iptables dependency version
- Updated openldap dependency version
* Wed Oct 12 2016 Trevor Vaughan <tvaughan@onyxpoint.com> - 5.0.0-0
- Updated to use the version of 'simpcat' that does not conflict with
'puppetlabs/concat'.
* Fri Sep 30 2016 Trevor Vaughan <tvaughan@onyxpoint.com>,Ryan Russell-Yates <ryan.russellyates@gmail.com> - 4.2.8-0
- Validate compliance_markup mapping
- Create Functional README.md for Forge
* Fri Jul 08 2016 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.2.7-0
- Incorrectly referenced the global $::use_simp_pki in ::stunnel
* Wed Jul 06 2016 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.2.6-0
- Ensure that the PKI copy is performed prior to copying the system cacerts
into the stunnel chroot.
* Thu Jun 30 2016 Nick Markowski <nmarkowski@keywcorp.com> - 4.2.5-0
- Use_haveged is now a global catalyst.
* Mon Jun 27 2016 Nick Markowski <nmarkowski@keywcorp.com> - 4.2.4-0
- Pupmod-haveged now included by default to assist with entropy generation.
* Tue Jun 21 2016 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.2.3-0
- Ensure that `$use_iptables` is handled properly.
* Wed May 18 2016 Chris Tessmer <chris.tessmer@onypoint.com> - 4.2.2-0
- Sanitize code for `STRICT_VARIABLES=yes`
* Sat Mar 19 2016 Trevor Vaughan <tvaughan@onyxpoint.comm> - 4.2.1-0
- Migrated use_simp_pki to a global catalyst.
- Fixed several ordering issues.
- Increase safety by moving the public and private keys out of the chroot jail.
* Tue Mar 01 2016 Ralph Wright <ralph.wright@onyxpoint.com> - 4.2.0-11
- Added compliance function support
* Mon Nov 09 2015 Chris Tessmer <chris.tessmer@onypoint.com> - 4.2.0-10
- migration to simplib and simpcat (lib/ only)
* Tue Jul 21 2015 Nick Markowski <nmarkowski@keywcorp.com> - 4.2.0-9
- Moved stunnel's default pid location back to /var/run/stunnel/stunnel.pid.
- Stunnel's init script now only creates and chowns the pid file directory
if it does not exist, which is needed because stunnel runs as the stunnel
user
* Wed Jul 01 2015 Nick Markowski <nmarkowski@keywcorp.com> - 4.2.0-8
- Stunnel's default pid file location moved from /var/run/stunnel/stunnel.pid
to /var/run/stunnel.pid
* Thu Apr 02 2015 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.2.0-7
- Fixed a scoping error in the template
* Fri Feb 27 2015 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.2.0-6
- Fixed a non-scoped call to @options in the stunnel ERB file.
* Thu Feb 19 2015 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.2.0-5
- Migrated to the new 'simp' environment.
* Fri Jan 16 2015 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.2.0-4
- Changed puppet-server requirement to puppet
* Thu Nov 06 2014 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.2.0-3
- Fix chroot detection in SELinux mode.
* Tue Nov 04 2014 Trevor Vaughan <tvaughan@onxypoint.com> - 4.2.0-2
- Ensure that renegotiation and reset only apply on RHEL>6 systems.
* Sun Nov 02 2014 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.2.0-1
- Updated to add the FIPS global option to the stunnel configuration.
* Tue Oct 21 2014 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.2.0-0
- CVE-2014-3566: Updated protocols to mitigate POODLE.
- Updated all of the stunnel module to properly handle both RHEL6 and
RHEL7.
- Now support multiple connect options.
- The connect/accept hosts and ports are no longer separate.
* Fri Aug 08 2014 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.1.0-4
- Change 'delay' to 'no' by default to ensure that DNS lookups happen
before entering the chroot jail. This currently does not work in
RHEL7.
- Add nsswitch.conf to the chroot jail.
* Fri Aug 08 2014 Kendall Moore <kmoore@keywcorp.com> - 4.1.0-4
- Move stunnel outside of a chroot jail when SELinux is set to enforcing.
* Fri Apr 04 2014 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.1.0-3
- Now simply include 'stunnel' in 'stunnel::add' instead of raising an
exception.
* Wed Mar 26 2014 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.1.0-2
- Moved stunnel::stunnel_add to stunnel::add
- Replaced all of the PKI copy code with a call to the new pki::copy define.
- Fixed a bug with the CA path and CRL path in the stunnel configuration file.
* Wed Mar 12 2014 Nick Markowski <nmarkowski@keywcorp.com> - 4.1.0-1
- Updated module for hiera/puppet3, and lint tests.
- Copied pki keys and certs to <chroot_path>/etc/stunnel/pki
- Added rspec tests.
* Tue Jan 28 2014 Kendall Moore <kmoore@keywcorp.com> 4.1.0-0
- Update to remove warnings about IPTables not being detected. This is a
nuisance when allowing other applications to manage iptables legitimately.
* Mon Oct 07 2013 Kendall Moore <kmoore@keywcorp.com> - 4.0.0-12
- Updated all erb templates to properly scope variables.
* Fri Jun 07 2013 Kendall Moore <kmoore@keywcorp.com>
4.0.0-11
- Updated the stunnel start script to allow for the occurence of both *pid*
and *chroot* to appear in a hostname
* Mon Jan 07 2013 Maintenance
4.0.0-10
- Created a test to install and configure stunnel and to make sure that the
stunnel service is running.
- Created a test to add an stunnel on the first open port start at number 1024
and ensure that the chosen port is in state LISTEN and owned by stunnel.
* Tue Nov 27 2012 Maintenance
4.0.0-9
- Fixed the stunnel init script to have proper startup output.
- Updated to set the umask for stunnel open files to 1048576 for heavily loaded
systems.
- Updated the stunnel init script to allow unlimited processes since there is
one per connection.
* Mon Nov 05 2012 Maintenance
4.0.0-8
- Removed the useless CRL copy exec.
- Removed the PKI Cert copy exec and replaced it with a recursive copy/purge
file resource.
* Fri Sep 28 2012 Maintenance
4.0.0-7
- Moved the chroot run directory for stunnel from /var/run/stunnel to
/var/stunnel since /var/run gets cleaned out upon reboot.
* Fri Aug 10 2012 Maintenance
4.0.0-6
- Update to set max open files ulimit to unlimited in the init script.
* Wed Apr 11 2012 Maintenance
4.0.0-5
- Moved mit-tests to /usr/share/simp...
- Updated pp files to better meet Puppet's recommended style guide.
* Fri Mar 02 2012 Maintenance
4.0.0-4
- Improved test stubs.
* Mon Dec 26 2011 Maintenance
4.0-3
- Updated the spec file to not require a separate file list.
- Scoped all of the top level variables.
* Tue Oct 25 2011 Maintenance
4.0-2
- Added a note about the transparent mode of stunnel not working
properly in RHEL6.
* Mon Oct 10 2011 Maintenance
4.0-1
- Updated to put quotes around everything that need it in a comparison
statement so that puppet > 2.5 doesn't explode with an undef error.
* Tue Jul 12 2011 Maintenance
4.0-0
- Stunnel doesn't care if we're using LDAP or not, so don't check for the
value when setting up key permissions.
* Mon Apr 18 2011 Maintenance - 2.0.0-1
- Changed puppet://$puppet_server/ to puppet:///
- Ensure that stunnel does not restart when 'resolv.conf' or 'hosts' is updated.
- Ensure that the stunnel service watches for changes in the entire certificate
space.
- Changed all instances of defined(Class['foo']) to defined('foo') per the
directions from the Puppet mailing list.
- Updated to use concat_build and concat_fragment types.
* Tue Jan 11 2011 Maintenance
2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
* Tue Oct 26 2010 Maintenance - 1-2
- Converting all spec files to check for directories prior to copy.
* Wed Jul 14 2010 Maintenance
1.0-1
- Updated stunnel to start at runlevel 15 and ensured that it updated its
chkconfig entires approprately
* Tue May 25 2010 Maintenance
1.0-0
- Code refactoring.
* Thu Feb 18 2010 Maintenance
0.1-11
- Added a paramater $client_nets to the stunnel_add define to allow users to
lock down access to the encrypted port via IPTables.
* Thu Oct 08 2009 Maintenance
0.1-10
- Finally fixed the problem with cert verification. All uses of stunnel can now
set verify to 1 or 2.