MDKSA-2002:004

Nom du paquet

stunnel

Date

2002-01-16

Advisory ID

MDKSA-2002:004

Affected versions

8.1 i586 , 8.1 i586

Problem description

All versions of stunnel from 3.15 to 3.21c are vulnerable to format string bugs in the functions which implement smtp, pop, and nntp client negotiations. Using stunnel with the "-n service" option and the "-c" client mode option, a malicious server could use the format sting vulnerability to run arbitrary code as the owner of the current stunnel process. Version 3.22 is not vulnerable to this bug.

Updated packages

8.1 i586

 08204f11728f2c6b6152de9ebb562ac5  8.1/RPMS/stunnel-3.22-1.1mdk.i586.rpm
e85fbd3435759fa7b94bb5c371738b30  8.1/SRPMS/stunnel-3.22-1.1mdk.src.rpm

8.1 i586

 3616248cce2e982035b6905252610980  ia64/8.1/RPMS/stunnel-3.22-1.1mdk.ia64.rpm
e85fbd3435759fa7b94bb5c371738b30  ia64/8.1/SRPMS/stunnel-3.22-1.1mdk.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0002
• http://marc.theaimsgroup.com/?l=stunnel-users&m=100868569203440
• http://marc.theaimsgroup.com/?l=stunnel-users&m=100913948312986