----- CITE -----
From: Brian Hatch <bri@STUNNEL.ORG>
Subject: Complete list of Stunnel vulnerabilities
Date: Mon, 18 Dec 2000 21:47:29 -0800
> We have recently discovered a format bug in stunnel<= 3.8 in which the
> log() function calls directly the syslog() with only two parameters:
> syslog(level, text). It should be syslog(level, "%s", text).
This was fixed in stunnel version 3.9. I was actually writing up an
advisory to cover all the thing that were fixed since 3.8, but since
you brought it up here they are in a terribly uninteresting format:
1) stunnel-3.8 and previous did not properly seed the PRNG.
This could lead to weak encryption on machines that
lack /dev/urandom (such as Solaris, Windows, etc.
BSD's, and Linux for example were not affected.)
2) stunnel-3.8 and previous had insecure pid file creation,
and was thus vulnerable to symlink games. (Ability
to overwrite any file on the system. Since stunnel
is usually used to bind low ports, stunnel was usually
run as root, and this was potentially very damaging.)
3) stunnel-3.8p4 and previous were affected by the afformeantioned
format string bug. (And shame on me for not catching it during
4) stunnel-3.8p4 and previous was not entirely thread-safe.
(Only informational counters were affected by this,
nothing security or functional related.)
Everyone should upgrade to stunnel version 3.9 or later immediately.
Stunnel-3.9 was released December 13th, 2000. It is Available at
Stunnel-3.10 is slated for release soon. It is a functional
release, and does not contain any additional security
To report a bug in stunnel, please email the maintainer,
Michal Trojnara <Michal.Trojnara@mirt.net>, and the stunnel
FAQ maintainer, Brian Hatch <firstname.lastname@example.org>.
----- CITE -----
As far as I can see we are affected by Bugs 2, 3 and 4. With #4 not being
I file this one against the "openssl" package as Nalin is also maintainer
of OpenSSL and there is no "stunnel" package in Bugzilla available.
OK, I see. Errata already released today. Sorry.
(but "stunnel" package is still missing in Bugzilla :->)