Bug 222805 (CVE-2008-2420) - net-misc/stunnel <4.24: authentication with revoked certificates (CVE-2008-2420)
Summary: net-misc/stunnel <4.24: authentication with revoked certificates (CVE-2008-2420)
Alias: CVE-2008-2420
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
Whiteboard: C3 [glsa]
Duplicates: 225113
Reported: 2008-05-19 13:42 UTC by Christian Hoffmann (RETIRED)
Modified: 2020-04-09 06:39 UTC
Description Christian Hoffmann (RETIRED) gentoo-dev 2008-05-19 13:42:43 UTC

"I have just released a new version of stunnel, which fixes a security issue
in the OCSP functionality.  The bug allows a revoked certificate to
successfully authenticate.  Any installations with OCSP enabled should be
upgraded ASAP.  Other users are not affected."
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-06 19:07:01 UTC
ramereth, please bump as necessary.
Comment 2 Ulrich Müller gentoo-dev 2008-07-09 11:09:22 UTC
I've bumped stunnel to version 4.25.
Comment 3 Ulrich Müller gentoo-dev 2008-07-09 11:12:04 UTC
*** Bug 225113 has been marked as a duplicate of this bug. ***
Comment 4 Markus Rothe (RETIRED) gentoo-dev 2008-07-09 19:03:00 UTC
ppc64 stable
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2008-07-10 07:59:03 UTC
x86 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-07-10 10:19:06 UTC
alpha/sparc stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2008-07-11 15:07:37 UTC
Stable for HPPA.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-13 17:31:47 UTC
ppc stable
Comment 9 Steve Dibb (RETIRED) gentoo-dev 2008-07-25 20:09:13 UTC
amd64 stable
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-26 16:35:44 UTC
time for GLSA decision. I vote YES.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-08-03 21:53:54 UTC
ok then.... YES
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-08-08 17:30:02 UTC
GLSA 200808-08
Comment 13 Ulrich Müller gentoo-dev 2009-08-09 09:21:00 UTC
NB: The stunnel 3.x branch doesn't implement OCSP and is therefore not affected.