Bug 22565 - multiple stunnel vulnerabilities
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: openssl
Version: 7.0
Hardware: All Linux
Priority: high
Severity: medium
Assigned To: Nalin Dahyabhai
Keywords: Security
Reported: 2000-12-19 21:31 EST by Daniel Roesen
Modified: 2008-05-01 11:37 EDT (History)
Doc Type: Bug Fix
Last Closed: 2000-12-19 21:31:04 EST
Description Daniel Roesen 2000-12-19 21:31:02 EST
----- CITE -----
From: Brian Hatch <bri@STUNNEL.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject:      Complete list of Stunnel vulnerabilities
Date:         Mon, 18 Dec 2000 21:47:29 -0800

> We have recently discovered a format bug in stunnel <= 3.8 in which the
> log() function calls directly the syslog() with only two parameters:
> syslog(level, text). It should be syslog(level, "%s", text).

This was fixed in stunnel version 3.9.  I was actually writing up an
advisory to cover all the things that were fixed since 3.8, but since
you brought it up here they are in a terribly uninteresting format:

1) stunnel-3.8 and previous did not properly seed the PRNG.
        This could lead to weak encryption on machines that
        lack /dev/urandom (such as Solaris, Windows, etc.
        BSD's, and Linux for example were not affected.)

2) stunnel-3.8 and previous had insecure pid file creation,
        and was thus vulnerable to symlink games.  (Ability
        to overwrite any file on the system.  Since stunnel
        is usually used to bind low ports, stunnel was usually
        run as root, and this was potentially very damaging.)

3) stunnel-3.8p4 and previous were affected by the aforementioned
        format string bug.  (And shame on me for not catching it during
        my audit.)

4) stunnel-3.8p4 and previous were not entirely thread-safe.
        (Only informational counters were affected by this,
        nothing security or functional related.)


Everyone should upgrade to stunnel version 3.9 or later immediately.


Stunnel-3.9 was released December 13th, 2000.  It is available at
http://www.stunnel.org/download/stunnel/src/stunnel-3.9.tar.gz

Stunnel-3.10 is slated for release soon.  It is a functional
release, and does not contain any additional security
related changes.


To report a bug in stunnel, please email the maintainer,
Michal Trojnara <Michal.Trojnara@mirt.net>, and the stunnel
FAQ maintainer, Brian Hatch <bri@stunnel.org>.
----- CITE -----


As far as I can see we are affected by Bugs 2, 3 and 4, with #4 not being
security-relevant.

I file this one against the "openssl" package as Nalin is also maintainer
of OpenSSL and there is no "stunnel" package in Bugzilla available.
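
Item 2 of the quoted advisory, as an added C example (not stunnel's code and not its 3.9 fix): a pid-file writer that refuses any pre-existing name or symlink at the target path. The function names, the `/tmp` path and the `demo` scenario are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create the pid file only if nothing, not even a symlink, exists at `path`.
 * Returns 0 on success, -1 on failure with errno set. */
int write_pidfile(const char *path, pid_t pid)
{
    char buf[32];
    /* O_CREAT|O_EXCL fails with EEXIST on any existing name and does not follow
     * a symlink in the final component; O_NOFOLLOW states that intent explicitly. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    int len = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    if (write(fd, buf, (size_t)len) != (ssize_t)len) {
        int saved = errno;
        close(fd);
        unlink(path);          /* do not leave a partial pid file behind */
        errno = saved;
        return -1;
    }
    return close(fd);
}

/* Constructed scenario: a symlink is planted at the pid-file path before the
 * daemon starts. Returns 0 if the link is refused and its target is untouched. */
int demo(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX", victim[64], pidf[64], got[16] = "";
    FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(pidf, sizeof pidf, "%s/stunnel.pid", dir);
    if (!(f = fopen(victim, "w"))) return -1;
    fputs("keep", f); fclose(f);
    if (symlink(victim, pidf) != 0) return -1;
    int refused = write_pidfile(pidf, getpid()) == -1 && errno == EEXIST;
    if ((f = fopen(victim, "r"))) { if (!fgets(got, sizeof got, f)) got[0] = 0; fclose(f); }
    unlink(pidf);                                   /* remove the planted link */
    int created = write_pidfile(pidf, getpid()) == 0;
    unlink(pidf); unlink(victim); rmdir(dir);
    return (refused && created && strcmp(got, "keep") == 0) ? 0 : -1;
}

int main(void) { return demo() == 0 ? 0 : 1; }
```

A daemon that must replace a stale pid file should unlink it first and then call the same exclusive create, rather than opening the existing name for writing.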
Comment 1 Daniel Roesen 2000-12-19 21:41:40 EST
OK, I see. Errata already released today. Sorry.

(but "stunnel" package is still missing in Bugzilla :->)
