Stunnel was not properly verifying TLS certificates, possibly allowing an integrity/confidentiality compromise.
|Package||net-misc/stunnel on all architectures|
|Affected versions||< 5.58|
|Unaffected versions||>= 5.58|
The stunnel program is designed to work as an SSL/TLS encryption wrapper between a client and a local or remote server.
It was discovered that stunnel did not correctly verified the client certificate when options “redirect” and “verifyChain” are used.
A remote attacker could send a specially crafted certificate, possibly resulting in a breach of integrity or confidentiality.
There is no known workaround at this time.
All stunnel users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/stunnel-5.58"
May 26, 2021
May 26, 2021: 1