Debian Security Advisory: multiple stunnel vulnerabilities
Dec 25, 2000, 03:05

Date: Mon, 25 Dec 2000 03:21:57 +0100

Debian Security Advisory DSA-009-1                    security@debian.org
http://www.debian.org/security/                          Wichert Akkerman
December 25, 2000

Package        : stunnel
Problem type   : insecure file handling, format string bug
Debian-specific: no

Lez discovered a format string problem in stunnel (a tool to create a
universal SSL tunnel for other network daemons). Brian Hatch responded by
stating that he was already preparing a new release with multiple
security fixes:

 1. The PRNG (pseudo-random number generator) was not seeded correctly.
    This only affects operation on operating systems without a secure
    random generator (Linux provides one).
 2. Pid files were not created securely, making stunnel vulnerable to a
    symlink attack.
 3. There was an insecure syslog() call which could be exploited if the
    user could manage to insert text into the logged text. At least one
    way to exploit this using faked identd responses was demonstrated by
    Lez.

These problems have been fixed in version 3.10-0potato1.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

Debian GNU/Linux 2.2 alias potato

Potato was released for alpha, arm, i386, m68k, powerpc and sparc. At
this moment no fix is available for arm. Once a fix for that architecture
becomes available it will be announced on

Source archives:
Alpha architecture:
Intel ia32 architecture:
Motorola 680x0 architecture:
PowerPC architecture:
Sun Sparc architecture:

These files will be moved into

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

apt-get: deb http://security.debian.org/ stable/updates main
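Two of the three problems the advisory lists, insecure pid-file creation (item 2) and untrusted text reaching a format string (item 3), can be shown side by side with their hardened forms in a small C program. This is an added example written for this page; it is not stunnel's code and not Debian's patch. It assumes a POSIX system with O_NOFOLLOW and mkdtemp(); the function names, the temporary directory under /tmp, the "victim" file and the hostile identd-style input are all constructed for the demonstration. The PRNG seeding issue (item 1) is operating-system specific and is not illustrated here.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hardened pid-file writer (illustrative, not stunnel's own code).
 * O_EXCL refuses to reuse an existing file and O_NOFOLLOW refuses to
 * follow a symlink planted at the pid-file path, so a link pointing at
 * another file can never be used to clobber that file. The naive pattern
 * fopen(path, "w") follows the link and truncates whatever it points at.
 * Returns 0 on success, -1 on failure (errno is set by open/write). */
int write_pidfile_secure(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%d\n", (int)pid);
    ssize_t w = write(fd, buf, (size_t)n);
    close(fd);
    return (w == n) ? 0 : -1;
}

/* Safe logging of attacker-influenced text such as an identd reply: the
 * untrusted string is an argument to a fixed "%s" format and is never the
 * format itself. The vulnerable shape is syslog(LOG_INFO, msg), where a
 * msg containing %x or %n would be interpreted by the formatter. */
int format_log_line(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "connection from %s", untrusted);
}

/* Read a small file into buf (NUL-terminated); returns bytes read or -1. */
static ssize_t read_small(const char *path, char *buf, size_t sz)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sz - 1);
    close(fd);
    if (n >= 0)
        buf[n] = '\0';
    return n;
}

/* Constructed scenario: inside a temp directory, the pid-file path is a
 * symlink to a "victim" file. Returns 1 if the hardened writer refused to
 * write through the link and the victim's contents survived, else 0. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX", victim[256], link[256], buf[16];
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/stunnel.pid", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return 0;
    ssize_t w = write(fd, "intact\n", 7);
    close(fd);
    if (w != 7 || symlink(victim, link) != 0)
        return 0;

    int rc = write_pidfile_secure(link, 4242);   /* must fail: path is a link */
    ssize_t n = read_small(victim, buf, sizeof buf);
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return rc == -1 && n == 7 && strcmp(buf, "intact\n") == 0;
}

/* Constructed scenario: a fresh pid-file path. Returns 1 if the writer
 * succeeded and the file holds exactly the pid plus a newline. */
int demo_fresh_pidfile_ok(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX", path[256], buf[16];
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(path, sizeof path, "%s/stunnel.pid", dir);
    int rc = write_pidfile_secure(path, 4242);
    ssize_t n = read_small(path, buf, sizeof buf);
    unlink(path);
    rmdir(dir);
    return rc == 0 && n == 5 && strcmp(buf, "4242\n") == 0;
}

/* Constructed hostile input in the style of a forged identd reply: with the
 * fixed format the directives are logged verbatim, not interpreted. */
int demo_format_string_neutralized(void)
{
    char out[128];
    format_log_line(out, sizeof out, "%x%x%n");
    return strcmp(out, "connection from %x%x%n") == 0;
}
```

Each demo_ function returns 1 when the hardened code behaves as intended, so the three can be called from a main() or a test harness. The point of write_pidfile_secure is that the check and the creation happen in one open() call; checking with lstat() first and then opening would leave a window in which the link could be swapped in.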