stunnel: Improper certificate validation — GLSA 202105-02

Stunnel was not properly verifying TLS certificates, possibly allowing an integrity/confidentiality compromise.

Affected packages

net-misc/stunnel on all architectures
Affected versions < 5.58
Unaffected versions >= 5.58

Background

The stunnel program is designed to work as an SSL/TLS encryption wrapper between a client and a local or remote server.

Description

It was discovered that stunnel did not correctly verified the client certificate when options “redirect” and “verifyChain” are used.

Impact

A remote attacker could send a specially crafted certificate, possibly resulting in a breach of integrity or confidentiality.

Workaround

There is no known workaround at this time.

Resolution

All stunnel users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/stunnel-5.58"
 

References

Release date
May 26, 2021

Latest revision
May 26, 2021: 1

Severity
low

Exploitable
local, remote

Bugzilla entries