|
|
| Problem Description |
A vulnerability was found in the OCSP search functionality in stunnel
that could allow a remote attacker to use a revoked certificate that
would be successfully authenticated by stunnel (CVE-2008-2420).
This flaw only concerns users who have enabled OCSP validation
in stunnel.
The updated packages have been patched to correct this issue.
| Updated Packages |
Mandriva Linux 2007.1
8d76312a1f68dae3c5547d1efe1f04cc 2007.1/i586/libstunnel0-4.20-1.1mdv2007.1.i586.rpm da8a96417052081eb33b507f308a6c4b 2007.1/i586/libstunnel0-devel-4.20-1.1mdv2007.1.i586.rpm b5c31bfed05245b1c0d4597ded096312 2007.1/i586/stunnel-4.20-1.1mdv2007.1.i586.rpm 748e1bb078bd1ac4e1e6c00b6487c1d1 2007.1/SRPMS/stunnel-4.20-1.1mdv2007.1.src.rpm
Mandriva Linux 2007.1/X86_64
eb6d688c10d208e525463866bfe329b4 2007.1/x86_64/lib64stunnel0-4.20-1.1mdv2007.1.x86_64.rpm ef94ec15ddb3eba1d2c8b17e17dd52e9 2007.1/x86_64/lib64stunnel0-devel-4.20-1.1mdv2007.1.x86_64.rpm 4b16e5420f5d54420a2399c6d03a93dd 2007.1/x86_64/stunnel-4.20-1.1mdv2007.1.x86_64.rpm 748e1bb078bd1ac4e1e6c00b6487c1d1 2007.1/SRPMS/stunnel-4.20-1.1mdv2007.1.src.rpm
Mandriva Linux 2008.0
7a790c1d719af5dc1643e5df86f8f8a7 2008.0/i586/libstunnel0-4.20-1.1mdv2008.0.i586.rpm 4f1c7188d0c0b37619806db9bd2c817a 2008.0/i586/libstunnel0-devel-4.20-1.1mdv2008.0.i586.rpm af62cf5ddc6a2245b71e3f184837cfab 2008.0/i586/stunnel-4.20-1.1mdv2008.0.i586.rpm 4b30c083467a6c39ccadfbf11aca0349 2008.0/SRPMS/stunnel-4.20-1.1mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64
77ff841a053da0420a6bd673106c5505 2008.0/x86_64/lib64stunnel0-4.20-1.1mdv2008.0.x86_64.rpm 3ec61049acebcadf3f3a758316aa161c 2008.0/x86_64/lib64stunnel0-devel-4.20-1.1mdv2008.0.x86_64.rpm 0e796c52f469cf1b3514336de2da4f9a 2008.0/x86_64/stunnel-4.20-1.1mdv2008.0.x86_64.rpm 4b30c083467a6c39ccadfbf11aca0349 2008.0/SRPMS/stunnel-4.20-1.1mdv2008.0.src.rpm
Mandriva Linux 2008.1
6e339adfe0c54fa629fe274c1647e390 2008.1/i586/libstunnel0-4.21-2.1mdv2008.1.i586.rpm f9a621e2ffd56803df35989fcd503781 2008.1/i586/libstunnel-devel-4.21-2.1mdv2008.1.i586.rpm 14fd3a1dbc4dfda671ce5d7b12d471cf 2008.1/i586/libstunnel-static-devel-4.21-2.1mdv2008.1.i586.rpm 1fc86b79e57285aa4ebcc6c08f67c656 2008.1/i586/stunnel-4.21-2.1mdv2008.1.i586.rpm 9633ff426cab24ddb64434c2fc4c1416 2008.1/SRPMS/stunnel-4.21-2.1mdv2008.1.src.rpm
Mandriva Linux 2008.1/X86_64
d1c79ff16707a8d6e0303562207821f3 2008.1/x86_64/lib64stunnel0-4.21-2.1mdv2008.1.x86_64.rpm b9f07f12bff285f437e49fe82a105778 2008.1/x86_64/lib64stunnel-devel-4.21-2.1mdv2008.1.x86_64.rpm b4548ec863f78cb0e82059579860e59d 2008.1/x86_64/lib64stunnel-static-devel-4.21-2.1mdv2008.1.x86_64.rpm dc3877966ffddfdb363cf4a0edcca71f 2008.1/x86_64/stunnel-4.21-2.1mdv2008.1.x86_64.rpm 9633ff426cab24ddb64434c2fc4c1416 2008.1/SRPMS/stunnel-4.21-2.1mdv2008.1.src.rpm
| References |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2420
| Upgrade |
To upgrade automatically, use MandrivaUpdate.
| Verification |
Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :
rpm --checksig package.rpm
You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.
If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.