[gentoo-dev] [SECURITY] [GENTOO] New stunnel version to fix format string bugs]

[gentoo-dev] [SECURITY] [GENTOO] New stunnel version to fix format string bugs]

[M0rpheus]

- --------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE        :stunnel
SUMMARY        :vulnerable to format string bugs
DATE           :2002-01-17 20:32:00

- --------------------------------------------------------------------------

OVERVIEW

 
 All versions of stunnel from 3.15 to 3.21c are vulnerable to format
 string bugs in the functions which implement smtp, pop, and nntp client
 negotiations.  Using stunnel with the "-n service" option and the "-c"
 client mode option, a malicious server could use the format sting
 vulnerability to run arbitrary code as the owner of the current stunnel
 process.  Version 3.22 is not vulnerable to this bug.



DETAIL

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0002
 http://marc.theaimsgroup.com/?l=stunnel-users&m=100868569203440
 http://marc.theaimsgroup.com/?l=stunnel-users&m=100913948312986




SOLUTION
 
 It is recommended that all sudo users apply the update

 Portage Auto:

 emerge rsync
 emerge update
 emerge update --world


 Portage by hand:

 emerge rsync
 emerge net-misc/stunnel

 Manually:

 Download the new stunnel package here and follow in file instructions:
 http://www.stunnel.org/download/stunnel/src/stunnel-3.22.tar.gz

- --------------------------------------------------------------------------
Ferry Meyndert
m0rpheus@poseidon.mine.nu
- --------------------------------------------------------------------------