Problem Description:

All versions of stunnel from 3.15 to 3.21c are vulnerable to format string bugs in the functions which implement smtp, pop, and nntp client negotiations. Using stunnel with the "-n service" option and the "-c" client mode option, a malicious server could use the format string vulnerability to run arbitrary code as the owner of the current stunnel process. Version 3.22 is not vulnerable to this bug.

------------------------------------------------------------------------

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0002
http://marc.theaimsgroup.com/?l=stunnel-users&m=100868569203440
http://marc.theaimsgroup.com/?l=stunnel-users&m=100913948312986

Please update package :)

Including new ebuild that will fix the prob; old one should be deleted from cvs.

Here is the ebuild, still can't attach it :((

stunnel-3.22.ebuild

    # Copyright 2002 Gentoo Technologies, Inc.
    # Distributed under the terms of the GNU General Public License, v2 or later
    # Author Ferry Meyndert <m0rpheus@poseidon.mine.nu> based on
    # Achim Gottinger <achim@gentoo.org> old ebuild script

    A=${P}.tar.gz
    S=${WORKDIR}/${P}
    DESCRIPTION="TLS/SSL - Port Wrapper"
    SRC_URI="http://www.stunnel.org/download/stunnel/src/${A}"
    HOMEPAGE="http://www.stunnel.org/"

    DEPEND="virtual/glibc >=dev-libs/openssl-0.9.6c"
    # Runtime needs the same minimum OpenSSL as the build
    RDEPEND=">=dev-libs/openssl-0.9.6c"

    src_unpack() {
        unpack ${A}
        # Apply the Gentoo-specific patch shipped in files/
        patch -p0 < ${FILESDIR}/${PF}-gentoo.diff
    }

    src_compile() {
        try ./configure --prefix=/usr --infodir=/usr/share/info \
            --mandir=/usr/share/man
        try make
    }

    src_install() {
        into /usr
        dosbin stunnel
        dodoc FAQ README HISTORY COPYING BUGS PORTS TODO transproxy.txt
        doman stunnel.8
        dolib.so stunnel.so
    }
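
The bug class named in the problem description, as an added example that is not stunnel's code and not part of the original report: a line received from the peer must be passed to a printf-style function as data, never as the format. The names `out_printf`, `relay_line_safe`, `count_conversions` and the sample banner are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a banner a hostile SMTP server could send to the client. */
static const char SAMPLE_BANNER[] = "220 mail.example ESMTP %x%x%n";
static char demo_out[256];

/* Hypothetical helper standing in for a "print a line to the peer" routine.
 * The format attribute lets gcc/clang -Wformat-security flag non-literal formats. */
__attribute__((format(printf, 3, 4)))
static int out_printf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE pattern (left as a comment so it is never compiled or run):
 *     out_printf(out, outlen, server_line);
 * The peer's bytes become the format string, so its directives are interpreted. */

/* Hardened form: constant format string, untrusted line passed only as data. */
int relay_line_safe(char *out, size_t outlen, const char *server_line)
{
    return out_printf(out, outlen, "%s\r\n", server_line);
}

/* Audit helper: count printf conversions in an untrusted line ("%%" is literal). */
int count_conversions(const char *s)
{
    int n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%') continue;
        if (s[i + 1] == '%') { i++; continue; }
        if (s[i + 1] != '\0') n++;
    }
    return n;
}

int main(void)
{
    int len = relay_line_safe(demo_out, sizeof demo_out, SAMPLE_BANNER);
    printf("directives in banner: %d, relayed %d bytes: %s",
           count_conversions(SAMPLE_BANNER), len, demo_out);
    return 0;
}
```

With the hardened form the directives in the banner come out as literal characters, which is the behaviour to check for when auditing similar negotiation code.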