Bug 379859 (CVE-2011-2940)

Comment 1 GLSAMaker/CVETool Bot 2011-10-07 22:44:44 UTC

CVE-2011-2940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2940):
  stunnel 4.40 and 4.41 might allow remote attackers to execute arbitrary code
  or cause a denial of service (heap memory corruption) via unspecified
  vectors.

Comment 2 Stefan Behte (RETIRED) 2011-10-11 13:05:08 UTC

The listen-queue patch is now upstream.

I've had hoped to get the x-forwarded-for patch upstream too, but the author is unsatisfied with it's quality and unwilling to merge it, though there are several people in the haproxy community (including me) using the patch in production without problems. He is actually searching for someone that sponsors him the development of a patch of better quality that does everything right(tm). :/

I'm sorry about that, but in order to be able to provider faster bumps for security fixes, we should punt the x-forwarded-for patch. Beginning with stunnel-4.45, stunnel will have "sendproxy" support, making x-forwarded-for obsolete for the haproxy-community anyways, meaning that there will be much less interest in providing patches for newer stunnel versions.

@ramerath: I'm sorry for the hassle with the package, can you provide an updated ebuild?

Comment 3 Robin Johnson 2011-10-11 21:01:05 UTC

stunnel-4.44 in the tree now, with BOTH patches because they are used.

Comment 4 Agostino Sarubbo 2011-10-11 21:10:31 UTC

Thanks Robin and Stefan.

Arches, please test and mark stable:

=net-misc/stunnel-4.44

target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Comment 5 Agostino Sarubbo 2011-10-11 22:47:32 UTC

@Robin, Lance:

I'm not a guru with this program, but it seems does not working properly; frmo my shell:

amd64box ~ # /etc/init.d/stunnel start
stunnel         | * Starting stunnel ...
stunnel         |No limit detected for the number of clients
stunnel         |signal_pipe: FD=3 allocated (non-blocking mode)
stunnel         |signal_pipe: FD=4 allocated (non-blocking mode)
stunnel         |stunnel 4.44 on x86_64-pc-linux-gnu platform
stunnel         |Compiled/running with OpenSSL 1.0.0e 6 Sep 2011
stunnel         |Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:POLL,IPv6
stunnel         |Reading configuration from file /etc/stunnel/stunnel.conf
stunnel         |PRNG seeded successfully
stunnel         |Line 61: End of section stunnel: SSL server needs a certificate
stunnel         |str_stats: 41 block(s), 1478 data byte(s), 2050 control byte(s)                     [ ok ]

Now it seems started:

amd64box ~ # /etc/init.d/stunnel status
 * status: started

but I didn't see pid:

amd64box ~ # ls /var/run/stunnel/
amd64box ~ # 

and ps aux does not returns anything:


amd64box ~ # ps aux | grep stunnel
root     26933  0.0  0.0   6288   576 pts/1    S+   00:46   0:00 grep --colour=auto stunnel


So I think that if is not running, status shouldn't be return [ok].

Can you provide more info to test? or is enough compile test?TIA

Comment 6 Stefan Behte (RETIRED) 2011-10-12 20:44:18 UTC

Please wait with stabilization until further testing of the new ebuild was done.

Comment 7 Agostino Sarubbo 2011-10-12 21:10:21 UTC

(In reply to comment #6)
> Please wait with stabilization until further testing of the new ebuild was
> done.

I'm available for testing after ebuild changement.

Comment 8 Stefan Behte (RETIRED) 2011-10-20 10:01:49 UTC

The root cause of agos testing failure seems to be that he didn't test with a proper configuration. I'm sorry for not looking into this earlier. stunnel-4.44 works just fine for me.


Arches, please test and mark stable:

=net-misc/stunnel-4.44

target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Comment 9 Stefan Behte (RETIRED) 2011-10-20 11:02:47 UTC

Actually adding arches now; please test and mark stable:

=net-misc/stunnel-4.44

target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Comment 10 Stefan Behte (RETIRED) 2011-10-20 11:04:04 UTC

Actually adding arches now; please test and mark stable:

=net-misc/stunnel-4.44

target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Comment 11 Paweł Hajdan, Jr. (RETIRED) 2011-10-22 07:22:58 UTC

x86 stable

Comment 12 Kacper Kowalik (Xarthisius) (RETIRED) 2011-10-22 08:56:50 UTC

ppc/ppc64 stable

Comment 13 Ian Delaney (RETIRED) 2011-10-22 13:35:25 UTC

amd64

all appears ok; emerges, starts and stops
archtester xen-tools # rc-status |grep stunnel
 stunnel                                                           [  started  ]

Comment 14 Markos Chandras (RETIRED) 2011-10-22 18:59:06 UTC

amd64 done. Thanks Ian

Comment 15 Markus Meier 2011-10-23 11:39:48 UTC

arm stable

Comment 16 Jeroen Roovers (RETIRED) 2011-10-24 11:17:23 UTC

Stable for HPPA.

Comment 17 Raúl Porcel (RETIRED) 2011-10-29 18:55:41 UTC

alpha/ia64/s390/sparc stable

Comment 18 Agostino Sarubbo 2011-10-30 18:46:42 UTC

Thanks all. Glsa request filed.

Comment 19 Stefan Behte (RETIRED) 2012-02-29 18:01:53 UTC

Our lazy GLSA bot does not want to update the bug, so I have to do it manually.
GLSA sent. Closing.

Comment 20 Stefan Behte (RETIRED) 2012-02-29 18:02:08 UTC

Now really closing.

Comment 21 GLSAMaker/CVETool Bot 2012-02-29 18:08:45 UTC

This issue was resolved and addressed in
 GLSA 201202-08 at http://security.gentoo.org/glsa/glsa-201202-08.xml
by GLSA coordinator Stefan Behte (craig).

Comment 22 Ulrich Müller 2012-02-29 18:53:23 UTC

Today, glsa-check reports that my system would be affected by a vulnerability in net-misc/stunnel-3.26. However, the upstream bug clearly states that only versions 4.40 and 4.41 are affected, so it is a false positive.

Could the GLSA be fixed please, such that stunnel-3* is excepted from the list of vulnerable versions?

Reopening.

Comment 23 Alex Legler (RETIRED) 2012-02-29 20:51:44 UTC

(In reply to comment #22)
> 
> Reopening.

File a new bug in the GLSA errors category, please.