Bugtraq mailing list archives
Complete list of Stunnel vulnerabilities
From: Brian Hatch <bri () STUNNEL ORG>
Date: Mon, 18 Dec 2000 21:47:29 -0800
We have recently discovered a format bug in stunnel <= 3.8 in which the log() function directly calls syslog() with only two parameters: syslog(level, text). It should be syslog(level, "%s", text).
This was fixed in stunnel version 3.9. I was actually writing up an advisory to cover all the things that were fixed since 3.8, but since you brought it up, here they are in a terribly uninteresting format:

1) stunnel-3.8 and previous did not properly seed the PRNG. This could lead to weak encryption on machines that lack /dev/urandom (such as Solaris, Windows, etc. BSD's, and Linux for example were not affected.)

2) stunnel-3.8 and previous had insecure pid file creation, and was thus vulnerable to symlink games. (Ability to overwrite any file on the system. Since stunnel is usually used to bind low ports, stunnel was usually run as root, and this was potentially very damaging.)

3) stunnel-3.8p4 and previous were affected by the aforementioned format string bug. (And shame on me for not catching it during my audit.)

4) stunnel-3.8p4 and previous was not entirely thread-safe. (Only informational counters were affected by this, nothing security or functional related.)

Everyone should upgrade to stunnel version 3.9 or later immediately. Stunnel-3.9 was released December 13th, 2000. It is available at http://www.stunnel.org/download/stunnel/src/stunnel-3.9.tar.gz

Stunnel-3.10 is slated for release soon. It is a functional release, and does not contain any additional security related changes.

To report a bug in stunnel, please email the maintainer, Michal Trojnara <Michal.Trojnara () mirt net>, and the stunnel FAQ maintainer, Brian Hatch <bri () stunnel org>.

--
Brian Hatch                  Madness takes its toll.
   Systems and               Please have exact change ready.
   Security Engineer
http://www.onsight.com/

Every message PGP signed
Current thread:
- Stunnel format bug Lez (Dec 18)
- Complete list of Stunnel vulnerabilities Brian Hatch (Dec 19)
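
The two syslog() call forms named in the thread above, side by side, as an added example that is not part of the original posts and is not stunnel's code. The names log_vulnerable, log_fixed and sink are hypothetical; sink stands in for syslog() so the resulting log line can be inspected, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Stand-in for syslog(): formats into a buffer instead of the system log. */
static char last_line[256];

/* The format attribute makes gcc/clang check callers as they would printf();
 * with -Wformat -Wformat-security the vulnerable call below is flagged. */
static void sink(int level, const char *fmt, ...)
    __attribute__((format(printf, 2, 3)));

static void sink(int level, const char *fmt, ...)
{
    va_list ap;
    (void)level;
    va_start(ap, fmt);
    vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
}

/* Pattern described in the report: the message text is passed as the
 * format string, mirroring syslog(level, text). */
const char *log_vulnerable(int level, const char *text)
{
    sink(level, text);
    return last_line;
}

/* Corrected pattern: the message text is passed as data to a constant
 * format, mirroring syslog(level, "%s", text). */
const char *log_fixed(int level, const char *text)
{
    sink(level, "%s", text);
    return last_line;
}

int main(void)
{
    /* Constructed sample: "%%" consumes no arguments, so it shows that the
     * text is being interpreted as a format without reading the stack. */
    const char *text = "transfer 100%% complete";
    printf("vulnerable: %s\n", log_vulnerable(LOG_NOTICE, text));
    printf("fixed:      %s\n", log_fixed(LOG_NOTICE, text));
    return 0;
}
```

The vulnerable wrapper rewrites the text it was asked to log, while the fixed wrapper records it byte for byte, which is the property a log function needs for any text it did not author.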