[stunnel-users] OpenSSL Vulnerabilities

Cal Webster cwebster at ec.rr.com
Tue Apr 7 19:19:17 CEST 2009


Will there be a security update of stunnel to address vulnerabilities
outlined in CVE-2009-0590, CVE-2009-0591, and CVE-2009-0789? 

Alternatively, will stunnel use updated OpenSSL libraries on the host?

It appears that this is true on Fedora RPM packages.

For example:

ldd stunnel:
------------
libssl.so.7 => /lib64/libssl.so.7 (0x0000000006a3c000)
libcrypto.so.7 => /lib64/libcrypto.so.7 (0x0000000007954000)
------------
rpm -q --requires stunnel
-----------------------------------------
...
libcrypto.so.7
...
libssl.so.7
...
-----------------------------------------

rpm -ql openssl | egrep 'libcrypto.so.7|libssl.so.7'
-----------------------------------------
/lib/libcrypto.so.7
/lib/libssl.so.7
-----------------------------------------


However, I don't know how to determine whether the same dependency works
with Win32 DLLs.

For example, could we install "Win32 OpenSSL v0.9.8k Light" from the
below link to resolve the vulnerabilities?

http://www.slproweb.com/download/Win32OpenSSL_Light-0_9_8k.exe

The description says that it "Installs the most commonly used essentials
of Win32 OpenSSL v0.9.8k" but it doesn't say exactly what.

Thanks for any insights or suggestions.

Cal Webster



