Debian Linux Security Advisory 3299-1 - Johan Olofsson discovered an authentication bypass vulnerability in Stunnel, a program designed to work as an universal SSL tunnel for network daemons. When Stunnel in server mode is used with the redirect option and certificate-based authentication is enabled with "verify = 2" or higher, then only the initial connection is redirected to the hosts specified with "redirect". This allows a remote attacker to bypass authentication.
a35025683861bd7df860796bb533cd4638d8dd509bc8bb664cf125dc5e4db7ac-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3299-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 02, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : stunnel4
CVE ID : CVE-2015-3644
Debian Bug : 785352
Johan Olofsson discovered an authentication bypass vulnerability in
Stunnel, a program designed to work as an universal SSL tunnel for
network daemons. When Stunnel in server mode is used with the redirect
option and certificate-based authentication is enabled with "verify = 2"
or higher, then only the initial connection is redirected to the hosts
specified with "redirect". This allows a remote attacker to bypass
authentication.
For the stable distribution (jessie), this problem has been fixed in
version 3:5.06-2+deb8u1.
For the testing distribution (stretch), this problem has been fixed
in version 3:5.18-1.
For the unstable distribution (sid), this problem has been fixed in
version 3:5.18-1.
We recommend that you upgrade your stunnel4 packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJVlVtTAAoJEAVMuPMTQ89Ez4wP/1HBhk0TceEkAqzpxWukyK5W
i2L4/QNbh2xCAKAXn/6YcgiNjeec0CDkXx9xsXMKG8jiUEobxdXMISznOIt0OZTN
a8QleldQYD+lTaLxCoXYkTZEefuvkDYEETQdLEql7D5T1QW6UQ5RTnDX+7BO7uNS
uNsqeKye5FeoNRZznbndjfGkh/Xyk0CzPv9my5FreTzneq9XxrrnoMHsYDNCIeFB
hxuaPDnaEejcXYaA2T0FtDW9nG3BVEcnlxl9/Ryj2js+LVRc03gIsiQFgP6hhgB8
Jx9bz9OErGs8uR272nQJuV60qCMGDMhtNhVngQtfc1JwwwQ4vmv1W0nsvT03LdNP
VaLYTT+8NQRY8WVzOswJhC+6zVt6XF5aoOhxyW0Q1bFHi6Hb5rDM01DCkZLYnUvX
1McJel3NySZxf4ckZ8HGOCsYDcoMd+gczrmhfd29iGT0+M5Yx/vyY0Eb7XX8aCLA
Maszd/pUBkY5BRyl8+flFwRVO0ma7zVi29z7f7679XZ9Hc+r77OROStbk8SJe/ec
dzOPTG4SzzBvgpbdChtjX6B/nDJMl63H5vovG/dVkMxna+iE6eOjwFFZQ2dfP3UM
64tJvHHRn0v49kU2xDrZDxmoDcT4HhSB+9bABh24u9IR9JpaSIruxx3OZhluuYP4
/XxtShKrQNCApKgc7pjR
=jN0q
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed