-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0071
   Multiple OpenSSL vulnerabilities have been identified within stunnel.
                               13 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              stunnel
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Privileged Data          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Provide Misleading Information  -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-3470 CVE-2014-0224 CVE-2014-0221
                      CVE-2014-0198 CVE-2014-0195 CVE-2014-0076
                      CVE-2010-5298  
Member content until: Sunday, July 13 2014

OVERVIEW

        Multiple OpenSSL vulnerabilities have been identified within stunnel.
        [1]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        "OpenSSL DLLs updated to version 1.0.1h. See 
        http://www.openssl.org/news/secadv_20140605.txt" [1, 2]
        
        Details about these vulnerabilities can also be found within our
        ESB. [3]


MITIGATION

        The vendor recommends upgrading to the latest version of stunnel. [1]


REFERENCES

        [1] stunnel: ChangeLog
            https://www.stunnel.org/sdf_ChangeLog.html

        [2] OpenSSL Security Advisory [05 Jun 2014]
            https://www.auscert.org.au/19818

        [3] ESB-2014.0887 - ALERT [Win][UNIX/Linux] OpenSSL: Multiple
            vulnerabilities
            https://www.auscert.org.au/19818

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----