Conectiva Linux Security Announcement - stunnel

Dec 21, 2000, 00:48

Date: Wed, 20 Dec 2000 12:25:50 -0200

CONECTIVA LINUX SECURITY ANNOUNCEMENT

PACKAGE           : stunnel
SUMMARY           : Remote exploit and other bug fixes
DATE              : 2000-12-20 12:18:00
ID                : CLA-2000:363
RELEVANT RELEASES : 4.0, 4.0es, 4.1, 4.2, 5.0, 5.1, 6.0

DESCRIPTION

"stunnel" is a package which offers wrapped SSL connections for generic TCP services, such as pop3, ldap and others.

Versions prior to 3.9 have a format string vulnerability in a syslog() call which could be exploited remotely. The package distributed with Conectiva Linux 5.1 and 6.0 has the daemon running as the "stunnel" user, and not root, which diminishes the effect of this vulnerability somewhat.

Also, versions prior to 3.8 created the PID file in an insecure manner, possibly making it vulnerable to symlink attacks depending on where the user chose to put the PID file.

Other bugs were also fixed in the 3.10 release; please refer to the Changelog for a full description.

SOLUTION

DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES

ADDITIONAL INSTRUCTIONS

rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

All packages are signed with Conectiva's GPG key. The key can be obtained at http://www.conectiva.com.br/contato
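The two bug classes named in the DESCRIPTION, shown in their hardened form. This is an example added here, not stunnel's or Conectiva's code; the function names, the /tmp demo path and the planted symlink are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <syslog.h>
#include <unistd.h>

/* Peer-controlled text is logged as data, never as the format string.
 * The unsafe form of this call is: syslog(LOG_INFO, untrusted); */
void log_peer_text(const char *untrusted)
{
    syslog(LOG_INFO, "%s", untrusted);
}

/* O_CREAT|O_EXCL makes open() fail with EEXIST if the path exists, even as
 * a dangling symlink, so a planted link cannot redirect the write. */
int write_pid_file(const char *path, long pid)
{
    char buf[32];
    int len = snprintf(buf, sizeof buf, "%ld\n", pid);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -1;
    if (write(fd, buf, (size_t)len) != (ssize_t)len) {
        close(fd);
        unlink(path);
        return -1;
    }
    return close(fd);
}

/* Constructed check: plant a dangling symlink at the PID path and confirm
 * the write is refused and the link target is never created (1 = refused). */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX";
    char link_path[64], target[64];
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(link_path, sizeof link_path, "%s/demo.pid", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, link_path) != 0)
        return 0;
    int refused = write_pid_file(link_path, (long)getpid()) == -1
                  && errno == EEXIST && access(target, F_OK) == -1;
    unlink(link_path);
    rmdir(dir);
    return refused;
}
```

Keeping the PID file in a directory that only the daemon's user can write to removes the opportunity to plant a link in the first place.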