Gentoo Logo

stunnel: Security bypass

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200808-08 / stunnel
Release Date August 08, 2008
Latest Revision August 09, 2009: 02
Impact low
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-misc/stunnel < 4.24 >= 4.24, < 4 All supported architectures

Related bugreports: #222805

Synopsis

stunnel does not properly prevent the authentication of a revoked certificate which would be published by OCSP.

2.  Impact Information

Background

The stunnel program is designed to work as an SSL encryption wrapper between a remote client and a local or remote server. OCSP (Online Certificate Status Protocol), as described in RFC 2560, is an internet protocol used for obtaining the revocation status of an X.509 digital certificate.

Description

An unspecified bug in the OCSP search functionality of stunnel has been discovered.

Impact

A remote attacker can use a revoked certificate that would be successfully authenticated by stunnel. This issue only concerns the users who have enabled the OCSP validation in stunnel.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All stunnel users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/stunnel-4.24"

4.  References

Print

Page updated August 08, 2008

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.