The stunnel changelog: https://www.stunnel.org/sdf_ChangeLog.html shows some security fixes since 5.03.

Version 5.06, 2014.10.15, urgency: HIGH:
* Security bugfixes
  - The insecure SSLv2 protocol is now disabled by default. It can be enabled with "options = -NO_SSLv2".
  - The insecure SSLv3 protocol is now disabled by default. It can be enabled with "options = -NO_SSLv3".
  - Default sslVersion changed to "all" (also in FIPS mode) to autonegotiate the highest supported TLS version.

Version 5.14, 2015.03.25, urgency: HIGH:
* Security bugfixes
  - The "redirect" option now also redirects clients on SSL session reuse. In stunnel versions 5.00 to 5.12 reused sessions were instead always connected to hosts specified with the "connect" option regardless of their certificate verification result. This vulnerability was reported by Johan Olofsson.

The changelog also shows openssl updates, but that shouldn't matter for us since it's using the system openssl library.

I did attempt to have SSLv3 disabled in the default config in the commit I just made, but the upstream change in 5.06 is a better solution. I'm not sure how impactful/important the sslVersion change in 5.06 is.

Reproducible:

Steps to Reproduce:
CC: (none) => guillomovitch, pterjan
Whiteboard: (none) => MGA5TOO
Perhaps we could devise a better solution to Bug 15881 that I just implemented too. I guess it has some hard-coded location in which it looks for the PID file. I fixed it by overriding that in the default config, but it would be better to fix where it's looking for it by default.
In f20 they always update, so I think there are no "update issues". WDYT?
CC: (none) => mageia
Well Fedora tends to update everything, so their model isn't always appropriate for us, but AFAIK there shouldn't be any problems with updating stunnel to the newest version on Mageia 5.
Any progress?
Upstream issued an advisory for this on March 25: https://www.stunnel.org/CVE-2015-3644.html
Debian has issued an advisory for this on July 2: https://www.debian.org/security/2015/dsa-3299
Summary: stunnel new security fix in 5.14 => stunnel new security fix in 5.14 (CVE-2015-3644)
Assignee: bugsquad => guillomovitch
Adding Dan and Shlomi as their packages depend on this one: popa3d and curl.
CC: (none) => dan, shlomif
Hardware: i586 => All
So, I updated cauldron to the latest version (5.20) and modified Debian's patch to apply on 5.03. It still needs an advisory and some proper methods for QA to test that it actually fixed the issue. I tried to rebuild curl with this patched version and it still succeeded, so the package itself at least seems to work.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Thanks Sander. It might be better to just update it, but this should solve the immediate issue. It'd be nice to have a better fix for Bug 15881 too, but it should work for now.

Advisory:
========================

Updated stunnel packages fix security vulnerability:

Johan Olofsson discovered an authentication bypass vulnerability in Stunnel, a program designed to work as a universal SSL tunnel for network daemons. When Stunnel in server mode is used with the redirect option and certificate-based authentication is enabled with "verify = 2" or higher, then only the initial connection is redirected to the hosts specified with "redirect". This allows a remote attacker to bypass authentication (CVE-2015-3644).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3644
https://www.stunnel.org/CVE-2015-3644.html
https://www.debian.org/security/2015/dsa-3299
========================

Updated packages in core/updates_testing:
========================
stunnel-5.03-4.1.mga5 from stunnel-5.03-4.1.mga5.src.rpm
Assignee: guillomovitch => qa-bugs
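The advisory above and the changelog quoted in the report name three configuration conditions worth checking on an installed host: server-mode services combining "redirect" with "verify = 2" or higher on stunnel older than 5.14 (the CVE-2015-3644 case), and SSLv2/SSLv3 being either on by default (before 5.06) or re-enabled with "options = -NO_SSLv2" / "-NO_SSLv3" (5.06 and later). The following audit script is an added example, not stunnel's, Debian's or Mageia's own tooling. It assumes stunnel's INI-style config layout (global options before the first [section], one [section] per service, "key = value" lines, comment lines starting with '#' or ';'), the documented keys client, redirect, verify, options and sslVersion, and the version thresholds from the changelog; the sample configuration embedded in it is constructed for the demonstration.

```python
"""Audit a stunnel config for the conditions named in this bug thread.

Added example, not stunnel's or Mageia's own tooling.  Assumptions: stunnel's
INI-style config (global options before the first [section], one [section]
per service, "key = value" lines, lines starting with '#' or ';' are
comments); the documented keys client, redirect, verify, options and
sslVersion; and the version thresholds quoted from the changelog in the
report (5.14 fixes the redirect/session-reuse bug, 5.06 turns SSLv2/SSLv3
off by default, re-enabled with "options = -NO_SSLv2" / "-NO_SSLv3").
"""
import re

# Constructed sample configuration; not taken from any real deployment.
SAMPLE_CONF = """\
; global options apply to every service unless overridden
cert   = /etc/stunnel/stunnel.pem
CAfile = /etc/stunnel/clients.pem
options = -NO_SSLv3

[pop3s]
accept   = 995
connect  = 110
verify   = 2
redirect = 127.0.0.1:8110

[https-client]
client  = yes
accept  = 8443
connect = example.invalid:443
"""

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3")


def parse_stunnel_conf(text):
    """Return (global_opts, {service_name: opts}); every value is a list,
    because keys such as 'options' may legitimately repeat."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1).strip()
            services[current] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                      # tolerate malformed lines
        target = global_opts if current is None else services[current]
        target.setdefault(key.strip(), []).append(value.strip())
    return global_opts, services


def version_tuple(version):
    """'5.03' -> (5, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit(conf_text, stunnel_version):
    """Return a list of (service, finding) pairs for the given config text
    and installed stunnel version string (e.g. "5.03")."""
    ver = version_tuple(stunnel_version)
    global_opts, services = parse_stunnel_conf(conf_text)
    findings = []
    for name, opts in services.items():
        effective = {**global_opts, **opts}        # service overrides global
        options = global_opts.get("options", []) + opts.get("options", [])
        is_client = effective.get("client", ["no"])[-1].lower() == "yes"
        verify = int(effective.get("verify", ["0"])[-1])

        # CVE-2015-3644: server mode + redirect + certificate verification,
        # on a version that does not apply 'redirect' to reused sessions.
        if not is_client and "redirect" in effective and verify >= 2 and ver < (5, 14):
            findings.append((name, "CVE-2015-3644: redirect with verify >= 2 on stunnel < 5.14"))

        # Explicitly pinned legacy protocol.
        ssl_version = effective.get("sslVersion", ["all"])[-1]
        if ssl_version in LEGACY_PROTOCOLS:
            findings.append((name, f"sslVersion = {ssl_version} pins an insecure protocol"))

        # Legacy protocols: on by default before 5.06, re-enabled by -NO_* after.
        if ver < (5, 6):
            missing = [p for p in LEGACY_PROTOCOLS if f"NO_{p}" not in options]
            if missing:
                findings.append((name, f"{'/'.join(missing)} enabled by default on stunnel < 5.06"))
        else:
            reenabled = [p for p in LEGACY_PROTOCOLS if f"-NO_{p}" in options]
            if reenabled:
                findings.append((name, f"options = -NO_{'/-NO_'.join(reenabled)} re-enables a disabled protocol"))
    return findings


if __name__ == "__main__":
    for version in ("5.03", "5.14"):
        print(f"stunnel {version}:")
        for service, finding in audit(SAMPLE_CONF, version):
            print(f"  [{service}] {finding}")
```

Run against the sample config, the script reports the pop3s service for CVE-2015-3644 on 5.03 and not on 5.14, while the global "options = -NO_SSLv3" is reported as "enabled by default" on 5.03 (where the flag is a no-op) and as a deliberate re-enable on 5.14. Feed it the real /etc/stunnel/stunnel.conf and the output of `stunnel -version` to check a host; the patched Mageia package stays at version 5.03, so for that package the version check has to be replaced with the package release (5.03-4.1.mga5 or later).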
Testing tips: https://bugs.mageia.org/show_bug.cgi?id=12943#c8
(In reply to Samuel VERSCHELDE from comment #9)
> Testing tips: https://bugs.mageia.org/show_bug.cgi?id=12943#c8

Tested per this procedure on a Mageia 5 i586 VBox VM. Everything worked - even more smoothly than was described there (just had to enable https and the higher port). Adding MGA5-32-OK.
Whiteboard: (none) => MGA5-32-OK
Now doing "MGA5-64-OK" because I tested this on a Mageia 5 x86-64 laptop and it is also working fine.
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
Which gives us a validated update, thanks! It'll only need the advisory to be uploaded.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0289.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED