Upstream released an advisory on March 3: https://www.stunnel.org/CVE-2013-1762.html This was fixed upstream in 4.55, which Guillaume updated in Cauldron. Reproducible: Steps to Reproduce:
Assignee: guillomovitch => bugsquad
Guillaume, you are the packager for this package. Please help with this.
CC: (none) => guillomovitchAssignee: bugsquad => guillomovitch
I just helped to fix some trivial packaging errors, but I never used it myself. I couldn't care less personally. More generaly, I think all packages without motivated maintainer should be dropped, and that's a waste of time to try to fix every security issue without any clue of actual usage for them.
If we've already shipped the package in a released distro version, we should fix security issues. We can't just recall the package and be like, ahh, nobody's using this. As for Cauldron, yes I totally agree with dropping things that nobody cares about enough to maintain.
OK, updating to 4.55 is easy, sorry to bother you with it. Thanks for taking care of it in Cauldron. I've committed in SVN, will push to the build system once package signing works.
Updated package uploaded for Mageia 2. Advisory: ======================== Updated stunnel packages fix security vulnerability: stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM authentication are enabled, does not correctly perform integer conversion, which allows remote proxy servers to execute arbitrary code via a crafted request that triggers a buffer overflow (CVE-2013-1762). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1762 https://www.stunnel.org/CVE-2013-1762.html ======================== Updated packages in core/updates_testing: ======================== stunnel-4.55-1.mga2 from stunnel-4.55-1.mga2.src.rpm
Assignee: guillomovitch => qa-bugs
No poc, so just testing that it works. Testing complete on Mageia 2 x86-64. I use stunnel in order to allow leafnode to use an encrypted connection. Regular nntp connections are given a lower priority than http connections, by my isp's upstream, so it doesn't work during peak usage hours. Using nntps, the connections are reliable, and also benefit from the compression. I hope a packager does step forward to maintain the package. I'll test i586 shortly.
CC: (none) => davidwhodginsWhiteboard: (none) => MGA2-64-OK
Testing complete on Mageia 2 i586. Could someone from the sysadmin team push the srpm stunnel-4.55-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. Advisory: Updated stunnel packages fix security vulnerability: stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM authentication are enabled, does not correctly perform integer conversion, which allows remote proxy servers to execute arbitrary code via a crafted request that triggers a buffer overflow (CVE-2013-1762). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1762 https://www.stunnel.org/CVE-2013-1762.html https://bugs.mageia.org/show_bug.cgi?id=9312
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: MGA2-64-OK => MGA2-64-OK MGA2-32-OK
Update Pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0097
Status: NEW => RESOLVEDCC: (none) => dmorganecResolution: (none) => FIXED