
Bug 222805 (CVE-2008-2420)

Summary: net-misc/stunnel <4.24: authentication with revoked certificates (CVE-2008-2420)
Product: Gentoo Security
Reporter: Christian Hoffmann (RETIRED) <hoffie>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ramereth, ulm, zubator
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://stunnel.mirt.net/pipermail/stunnel-users/2008-May/001976.html
Whiteboard: C3 [glsa]
Package list:
Runtime testing required: ---

Description Christian Hoffmann (RETIRED) gentoo-dev 2008-05-19 13:42:43 UTC
$URL:

"I have just released a new version of stunnel, which fixes a security issue
in the OCSP functionality.  The bug allows a revoked certificate to
successfully authenticate.  Any installations with OCSP enabled should be
upgraded ASAP.  Other users are not affected."
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-06 19:07:01 UTC
ramereth, please bump as necessary.
Comment 2 Ulrich Müller gentoo-dev 2008-07-09 11:09:22 UTC
I've bumped stunnel to version 4.25.
Comment 3 Ulrich Müller gentoo-dev 2008-07-09 11:12:04 UTC
*** Bug 225113 has been marked as a duplicate of this bug. ***
Comment 4 Markus Rothe (RETIRED) gentoo-dev 2008-07-09 19:03:00 UTC
ppc64 stable
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2008-07-10 07:59:03 UTC
x86 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-07-10 10:19:06 UTC
alpha/sparc stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2008-07-11 15:07:37 UTC
Stable for HPPA.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-13 17:31:47 UTC
ppc stable
Comment 9 Steve Dibb (RETIRED) gentoo-dev 2008-07-25 20:09:13 UTC
amd64 stable
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-26 16:35:44 UTC
time for GLSA decision. I vote YES.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-08-03 21:53:54 UTC
ok then.... YES
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-08-08 17:30:02 UTC
GLSA 200808-08
Comment 13 Ulrich Müller gentoo-dev 2009-08-09 09:21:00 UTC
NB: The stunnel 3.x branch doesn't implement OCSP and is therefore not affected.
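Added triage helper (not part of this bug, and not stunnel's own code) for the two affected/unaffected conditions stated above: the announcement in the Description (fixed in 4.24; only installations with OCSP enabled are affected) and Comment 13 (the 3.x branch has no OCSP at all). It parses a stunnel 4.x style configuration and a version string and reports which services actually have OCSP checking turned on. The option names `OCSP` and `OCSPflag`, the ini-like config syntax, and the rule that service-level options set before the first `[section]` become defaults for every service are assumptions to check against the manual of the stunnel release in use; the sample configuration is constructed.

```python
"""Triage helper for CVE-2008-2420: stunnel < 4.24 with OCSP checking enabled.

Constructed example, not stunnel project code. Assumes stunnel 4.x config syntax
(key = value lines, optional [service] sections, ';' or '#' comment lines) and that
the responder option is spelled `OCSP` with `OCSPflag` as a companion option.
"""
import re

# Assumed option names related to OCSP checking in stunnel 4.x.
OCSP_OPTIONS = {"ocsp", "ocspflag"}


def parse_version(version):
    """Return (major, minor) from a version string such as '4.25' or '3.26'."""
    m = re.match(r"^\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised stunnel version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def version_vulnerable(version):
    """True for 4.x releases before 4.24; 3.x has no OCSP code, later majors are fixed."""
    major, minor = parse_version(version)
    if major != 4:
        return False
    return minor < 24


def parse_stunnel_conf(text):
    """Parse stunnel's ini-like config into {section: {option: value}}.

    Options before the first [section] header are stored under the "" key.
    Option names are lower-cased because stunnel treats them case-insensitively.
    """
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # comment or blank line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def ocsp_services(sections):
    """Names of service sections that have an OCSP responder configured.

    Assumes a service-level `OCSP` set in the global part of the file acts as the
    default for every service; a service-local setting overrides it.
    """
    defaults = {k: v for k, v in sections.get("", {}).items() if k in OCSP_OPTIONS}
    enabled = []
    for name, opts in sections.items():
        if name == "":
            continue
        merged = dict(defaults)
        merged.update({k: v for k, v in opts.items() if k in OCSP_OPTIONS})
        if merged.get("ocsp"):  # only a responder URL turns checking on
            enabled.append(name)
    return enabled


def triage(version, conf_text):
    """Return (needs_upgrade, services_with_ocsp) for one host."""
    services = ocsp_services(parse_stunnel_conf(conf_text))
    return version_vulnerable(version) and bool(services), services


# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = """\
; constructed sample stunnel.conf
cert = /etc/stunnel/stunnel.pem
verify = 2
CAfile = /etc/stunnel/ca.pem

[https]
accept = 443
connect = 8080
OCSP = http://ocsp.example.test/
OCSPflag = NOCERTS

[pop3s]
accept = 995
connect = 110
"""

if __name__ == "__main__":
    for v in ("3.26", "4.20", "4.25"):
        needs, svcs = triage(v, SAMPLE_CONF)
        print(f"stunnel {v}: upgrade={'YES' if needs else 'no'} ocsp_services={svcs}")
```

Running it reports only the `https` service as OCSP-enabled, flags 4.20 as needing the upgrade, and leaves 3.26 and 4.25 alone. Feed it the real `stunnel -version` output and `/etc/stunnel/stunnel.conf` of each host to decide which ones the "upgrade ASAP" in the announcement applies to.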