Bug 9312 - stunnel new security issue CVE-2013-1762
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update

Reported: 2013-03-10 00:23 CET by David Walser
Modified: 2013-03-16 23:39 CET

Source RPM: stunnel

Description David Walser 2013-03-10 00:23:25 CET
Upstream released an advisory on March 3:
https://www.stunnel.org/CVE-2013-1762.html

This was fixed upstream in 4.55, which Guillaume updated in Cauldron.

Comment 1 David Walser 2013-03-13 21:14:43 CET
Guillaume, you are the packager for this package.  Please help with this.
Comment 2 Guillaume Rousse 2013-03-13 21:28:45 CET
I just helped to fix some trivial packaging errors, but I never used it myself. I couldn't care less personally.

More generally, I think all packages without a motivated maintainer should be dropped, and that it's a waste of time to try to fix every security issue without any clue of actual usage for them.
Comment 3 David Walser 2013-03-13 21:37:20 CET
If we've already shipped the package in a released distro version, we should fix security issues.  We can't just recall the package and be like, ahh, nobody's using this.  As for Cauldron, yes I totally agree with dropping things that nobody cares about enough to maintain.
Comment 4 David Walser 2013-03-14 21:44:01 CET
OK, updating to 4.55 is easy, sorry to bother you with it.

Thanks for taking care of it in Cauldron.

I've committed in SVN, will push to the build system once package signing works.
Comment 5 David Walser 2013-03-15 16:14:23 CET
Updated package uploaded for Mageia 2.

Advisory:
========================

Updated stunnel packages fix security vulnerability:

stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM
authentication are enabled, does not correctly perform integer conversion,
which allows remote proxy servers to execute arbitrary code via a crafted
request that triggers a buffer overflow (CVE-2013-1762).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1762
https://www.stunnel.org/CVE-2013-1762.html
========================

Updated packages in core/updates_testing:
========================
stunnel-4.55-1.mga2

from stunnel-4.55-1.mga2.src.rpm
Comment 6 Dave Hodgins 2013-03-15 19:46:09 CET
No PoC, so just testing that it works.

Testing complete on Mageia 2 x86-64.

I use stunnel in order to allow leafnode to use an encrypted connection.
Regular nntp connections are given a lower priority than http
connections, by my ISP's upstream, so it doesn't work during peak
usage hours.  Using nntps, the connections are reliable, and also
benefit from the compression.  I hope a packager does step forward to
maintain the package.

I'll test i586 shortly.
Comment 7 Dave Hodgins 2013-03-15 20:24:02 CET
Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm
stunnel-4.55-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated stunnel packages fix security vulnerability:

stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM
authentication are enabled, does not correctly perform integer conversion,
which allows remote proxy servers to execute arbitrary code via a crafted
request that triggers a buffer overflow (CVE-2013-1762).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1762
https://www.stunnel.org/CVE-2013-1762.html

https://bugs.mageia.org/show_bug.cgi?id=9312
Comment 8 D Morgan 2013-03-16 23:39:08 CET
Update Pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0097