Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20319
HistoryAug 08, 2008 - 12:00 a.m.

[ GLSA 200808-08 ] stunnel: Security bypass

2008-08-0800:00:00
vulners.com
17
JSON

Gentoo Linux Security Advisory GLSA 200808-08

                                        http://security.gentoo.org/

Severity: Low
Title: stunnel: Security bypass
Date: August 08, 2008
Bugs: #222805
ID: 200808-08

Synopsis

stunnel does not properly prevent the authentication of a revoked
certificate which would be published by OCSP.

Background

The stunnel program is designed to work as an SSL encryption wrapper
between a remote client and a local or remote server. OCSP (Online
Certificate Status Protocol), as described in RFC 2560, is an internet
protocol used for obtaining the revocation status of an X.509 digital
certificate.

Affected packages

-------------------------------------------------------------------
 Package           /  Vulnerable  /                     Unaffected
-------------------------------------------------------------------

1 net-misc/stunnel < 4.24 >= 4.24

Description

An unspecified bug in the OCSP search functionality of stunnel has been
discovered.

Impact

A remote attacker can use a revoked certificate that would be
successfully authenticated by stunnel. This issue only concerns the
users who have enabled the OCSP validation in stunnel.

Workaround

There is no known workaround at this time.

Resolution

All stunnel users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=net-misc/stunnel-1.2.3&quot;

References

[ 1 ] CVE-2008-2420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2420

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200808-08.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Related

gentoo 1
openvas 10
fedora 3
securityvulns 1
nessus 5
cve 1
ubuntucve 1
prion 1
debiancve 1
gentoo
gentoo
stunnel: Security bypass
2008-08-08 00:00:00
openvas
openvas
Fedora Update for stunnel FEDORA-2008-4579
2009-02-17 00:00:00
Fedora Update for stunnel FEDORA-2008-4606
2009-02-17 00:00:00
Gentoo Security Advisory GLSA 200808-08 (stunnel)
2008-09-24 00:00:00
fedora
fedora
[SECURITY] Fedora 9 Update: stunnel-4.24-1.fc9
2008-05-29 02:44:32
[SECURITY] Fedora 8 Update: stunnel-4.24-0.fc8
2008-05-29 02:47:46
[SECURITY] Fedora 7 Update: stunnel-4.24-0.fc7
2008-05-29 02:49:50
securityvulns
securityvulns
stunnel protection bypass
2008-08-08 00:00:00
nessus
nessus
Mandriva Linux Security Advisory : stunnel (MDVSA-2008:168)
2009-04-23 00:00:00
Fedora 7 : stunnel-4.24-0.fc7 (2008-4606)
2008-05-29 00:00:00
Fedora 8 : stunnel-4.24-0.fc8 (2008-4579)
2008-05-29 00:00:00
cve
cve
CVE-2008-2420
2008-05-23 15:32:00
ubuntucve
ubuntucve
CVE-2008-2420
2008-05-23 00:00:00
prion
prion
Design/Logic Flaw
2008-05-23 15:32:00
debiancve
debiancve
CVE-2008-2420
2008-05-23 15:32:00
JSON
Related for SECURITYVULNS:DOC:20319
gentoo1openvas10fedora3securityvulns1nessus5cve1ubuntucve1prion1debiancve1