|
| Current Newswire:
Debian Security Advisory: multiple stunnel vulnerabilitiesDec 25, 2000, 03:05 (0 Talkback[s])(Other stories by Wichert Akkerman) Date: Mon, 25 Dec 2000 03:21:57 +0100 Debian Security Advisory DSA-009-1 security@debian.org http://www.debian.org/security/ Wichert Akkerman December 25, 2000
Package : stunnel
Problem type : insecure file handling, format string bug
Debian-specific: no
Lez discovered a format string problem in stunnel (a tool to create
Universal SSL tunnel for other network daemons). Brian Hatch
responded by stating he was already preparing a new release with
multiple security fixes:
1. the PRNG (pseudo-random generated) was not seeded correctly.
This only affects operation on operating systems without a
secure random generator (like Linux)
2. Pid files were not created securely, making stunnel vulnerable
to a symlink attack
3. There was an insecure syslog() call which could be exploited if
the user could manage to insert text into the logged text. At
least one way to exploit this using faked identd responses was
demonstrated by Lez.
These problems have been fixed in version 3.10-0potato1.
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
Debian GNU/Linux 2.2 alias potato
Potato was released for alpha, arm, i386, m68k, powerpc and
sparc. At this moment no fix is available for arm, Once a fix for
that architecture will become available it will be announced on Source archives: Alpha architecture: Intel ia32 architecture: Motorola 680x0 architecture: PowerPC architecture: Sun Sparc architecture: These files will be moved into For not yet released architectures please refer to the appropriate directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ . apt-get: deb http://security.debian.org/
stable/updates main
|
