[stunnel-users] Stunnel Version Vulnerability-Currently using 5.04

Tracy Drake - IQGC-C tracy.drake at gsa.gov
Tue Mar 28 14:37:33 CEST 2017


Hello Stunnel Users Forum!  I wonder if anyone may have suggestions of
what, if anything can be done to surmount a reported vulnerability for
Stunnel versions prior to 5.34.  I have limited savvy in this arena so
please excuse this "Stunnel for Dummies" question.

The following statements surfaced in a "security vulnerabilities" report...

The version of stunnel installed on the remote host is 4.46 or later but
prior to 5.34.
It is, therefore, affected by a security bypass vulnerability related to
the validation
 of level 4 peer certificates. An unauthenticated, remote attacker can
exploit this to
 have an impact on confidentiality, integrity, and/or availability. No
other details are
 available.

I am of the mind that perhaps an entry in Stunnel.conf until we can deploy
an upgrade?

Thanks in advance for any feedback! Upgrade to stunnel version 5.34 or
later.

-- 
Tracy Drake
CSM Senior Consultant
GSA-FAS CAMEO Contractor
URSA & INFOConnect Support & Training Team Lead
704-987-1211
tracy.drake at gsa.gov
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20170328/f686eaaf/attachment.html>


More information about the stunnel-users mailing list