Advisories » MGASA-2015-0289

Updated stunnel package fixes security vulnerability

Publication date: 27 Jul 2015
Modification date: 27 Jul 2015
Type: security
Affected Mageia releases : 5
CVE: CVE-2015-3644

Description

Johan Olofsson discovered an authentication bypass vulnerability in
Stunnel, a program designed to work as an universal SSL tunnel for network
daemons. When Stunnel in server mode is used with the redirect option and
certificate-based authentication is enabled with "verify = 2" or higher,
then only the initial connection is redirected to the hosts specified with
"redirect". This allows a remote attacker to bypass authentication
(CVE-2015-3644).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=15891
• https://www.stunnel.org/CVE-2015-3644.html
• https://www.debian.org/security/2015/dsa-3299
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3644

SRPMS

5/core

• stunnel-5.03-4.1.mga5