Login
Newsletter
Werbung

Sicherheit: Mangelnde Prüfung von Zertifikaten in stunnel
Aktuelle Meldungen Distributionen
Name: Mangelnde Prüfung von Zertifikaten in stunnel
ID: MDVSA-2008:168
Distribution: Mandriva
Plattformen: Mandriva 2007.1, Mandriva 2008.0, Mandriva 2008.1
Datum: Do, 14. August 2008, 06:10
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2420
Applikationen: stunnel

Originalnachricht

This is a multi-part message in MIME format...

------------=_1218687034-11275-8123


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2008:168
http://www.mandriva.com/security/
_______________________________________________________________________

Package : stunnel
Date : August 13, 2008
Affected: 2007.1, 2008.0, 2008.1
_______________________________________________________________________

Problem Description:

A vulnerability was found in the OCSP search functionality in stunnel
that could allow a remote attacker to use a revoked certificate that
would be successfully authenticated by stunnel (CVE-2008-2420).
This flaw only concerns users who have enabled OCSP validation
in stunnel.

The updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2420
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.1:
8d76312a1f68dae3c5547d1efe1f04cc
2007.1/i586/libstunnel0-4.20-1.1mdv2007.1.i586.rpm
da8a96417052081eb33b507f308a6c4b
2007.1/i586/libstunnel0-devel-4.20-1.1mdv2007.1.i586.rpm
b5c31bfed05245b1c0d4597ded096312
2007.1/i586/stunnel-4.20-1.1mdv2007.1.i586.rpm
748e1bb078bd1ac4e1e6c00b6487c1d1
2007.1/SRPMS/stunnel-4.20-1.1mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64:
eb6d688c10d208e525463866bfe329b4
2007.1/x86_64/lib64stunnel0-4.20-1.1mdv2007.1.x86_64.rpm
ef94ec15ddb3eba1d2c8b17e17dd52e9
2007.1/x86_64/lib64stunnel0-devel-4.20-1.1mdv2007.1.x86_64.rpm
4b16e5420f5d54420a2399c6d03a93dd
2007.1/x86_64/stunnel-4.20-1.1mdv2007.1.x86_64.rpm
748e1bb078bd1ac4e1e6c00b6487c1d1
2007.1/SRPMS/stunnel-4.20-1.1mdv2007.1.src.rpm

Mandriva Linux 2008.0:
7a790c1d719af5dc1643e5df86f8f8a7
2008.0/i586/libstunnel0-4.20-1.1mdv2008.0.i586.rpm
4f1c7188d0c0b37619806db9bd2c817a
2008.0/i586/libstunnel0-devel-4.20-1.1mdv2008.0.i586.rpm
af62cf5ddc6a2245b71e3f184837cfab
2008.0/i586/stunnel-4.20-1.1mdv2008.0.i586.rpm
4b30c083467a6c39ccadfbf11aca0349
2008.0/SRPMS/stunnel-4.20-1.1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
77ff841a053da0420a6bd673106c5505
2008.0/x86_64/lib64stunnel0-4.20-1.1mdv2008.0.x86_64.rpm
3ec61049acebcadf3f3a758316aa161c
2008.0/x86_64/lib64stunnel0-devel-4.20-1.1mdv2008.0.x86_64.rpm
0e796c52f469cf1b3514336de2da4f9a
2008.0/x86_64/stunnel-4.20-1.1mdv2008.0.x86_64.rpm
4b30c083467a6c39ccadfbf11aca0349
2008.0/SRPMS/stunnel-4.20-1.1mdv2008.0.src.rpm

Mandriva Linux 2008.1:
6e339adfe0c54fa629fe274c1647e390
2008.1/i586/libstunnel0-4.21-2.1mdv2008.1.i586.rpm
f9a621e2ffd56803df35989fcd503781
2008.1/i586/libstunnel-devel-4.21-2.1mdv2008.1.i586.rpm
14fd3a1dbc4dfda671ce5d7b12d471cf
2008.1/i586/libstunnel-static-devel-4.21-2.1mdv2008.1.i586.rpm
1fc86b79e57285aa4ebcc6c08f67c656
2008.1/i586/stunnel-4.21-2.1mdv2008.1.i586.rpm
9633ff426cab24ddb64434c2fc4c1416
2008.1/SRPMS/stunnel-4.21-2.1mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
d1c79ff16707a8d6e0303562207821f3
2008.1/x86_64/lib64stunnel0-4.21-2.1mdv2008.1.x86_64.rpm
b9f07f12bff285f437e49fe82a105778
2008.1/x86_64/lib64stunnel-devel-4.21-2.1mdv2008.1.x86_64.rpm
b4548ec863f78cb0e82059579860e59d
2008.1/x86_64/lib64stunnel-static-devel-4.21-2.1mdv2008.1.x86_64.rpm
dc3877966ffddfdb363cf4a0edcca71f
2008.1/x86_64/stunnel-4.21-2.1mdv2008.1.x86_64.rpm
9633ff426cab24ddb64434c2fc4c1416
2008.1/SRPMS/stunnel-4.21-2.1mdv2008.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIo4ZYmqjQ0CJFipgRAlJcAJ9SxbqPWr7rFfXOQrvunstzD6CaDQCcDFVV
gu0oRt+IXZm2jrzLl95gwaQ=
=rbeI
-----END PGP SIGNATURE-----


------------=_1218687034-11275-8123
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1218687034-11275-8123--
Pro-Linux
Traut euch!
Neue Nachrichten
Werbung