Summary: | <net-misc/stunnel-5.58: client certificate not correctly verified when redirect and verifyChain options are used (CVE-2021-20230) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | blueness, conikost |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | B4 [glsa+ cve] | | |
Package list: | | Runtime testing required: | No |
Description
Sam James
2021-02-22 10:37:46 UTC
(In reply to Sam James from comment #0)
> [...]
>
> From 5.58 NEWS:
>
> "Security bugfixes
> The "redirect" option was fixed to properly handle unauthenticated requests
> (thx to Martin Stein).

I believe this is CVE-2021-20230.

FYI: I bumped after speaking to blueness to 5.58.

https://gitweb.gentoo.org/repo/gentoo.git/commit/net-misc/stunnel?id=021b0cccd5ea0f8b0cdb764ef696a71a5e430487

(In reply to Conrad Kostecki from comment #2)
> FYI: I bumped after speaking to blueness to 5.58.
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/net-misc/
> stunnel?id=021b0cccd5ea0f8b0cdb764ef696a71a5e430487

Thanks! Please proceed with stabilization when ready.

Ping

amd64 stable

arm done

x86 stable

sparc stable

ppc64 done

ppc done

all arches done

cleanup of vulnerable version done

New GLSA request filed.

This issue was resolved and addressed in GLSA 202105-02 at https://security.gentoo.org/glsa/202105-02 by GLSA coordinator Thomas Deutschmann (whissi).