Format string vulnerability in stunnel before 3.22 when used in client mode for (1) smtp, (2) pop, or (3) nntp allows remote malicious servers to execute arbitrary code.
Stunnel v3.15 - 3.21 remote format string exploit. Tested against Red Hat 7.2, 7.3, 8.0, Slackware 8.1, Debian GNU 3.0, and Mandrake 9.0. More information on the bug available here.