[stunnel-users] OpenSSL Vulnerabilities

Cal Webster cwebster at ec.rr.com
Tue Apr 7 19:19:17 CEST 2009

Will there be a security update of stunnel to address vulnerabilities
outlined in CVE-2009-0590, CVE-2009-0591, and CVE-2009-0789? 

Alternatively, will stunnel use updated OpenSSL libraries on the host?

It appears that this is true on Fedora RPM packages.

For example:

ldd stunnel:
libssl.so.7 => /lib64/libssl.so.7 (0x0000000006a3c000)
libcrypto.so.7 => /lib64/libcrypto.so.7 (0x0000000007954000)
rpm -q --requires stunnel

rpm -ql openssl | egrep 'libcrypto.so.7|libssl.so.7'

However, I don't know how to determine whether the same dependency works
with Win32 DLLs.

For example, could we install "Win32 OpenSSL v0.9.8k Light" from the
below link to resolve the vulnerabilities?


The description says that it "Installs the most commonly used essentials
of Win32 OpenSSL v0.9.8k" but it doesn't say exactly what.

Thanks for any insights or suggestions.

Cal Webster
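
The ldd check quoted in the message, as an added example that is not part of the original post: a small shell script that classifies how a binary gets its OpenSSL code from ldd output. The function names and the second sample are constructed for illustration; the first sample is the ldd output quoted in the post.

```shell
#!/bin/sh
# Added example: decide from `ldd` output whether a binary loads OpenSSL
# from the host's shared libraries (and so picks up a patched OpenSSL package).

# ldd lines quoted in the post.
SAMPLE_LDD='libssl.so.7 => /lib64/libssl.so.7 (0x0000000006a3c000)
libcrypto.so.7 => /lib64/libcrypto.so.7 (0x0000000007954000)'

# Constructed sample: no libssl/libcrypto entry at all, as seen when OpenSSL
# is linked statically into the binary (or not used).
SAMPLE_STATIC='libc.so.6 => /lib64/libc.so.6 (0x0000000000a00000)'

# Read ldd output on stdin; print "soname path" for each libssl/libcrypto
# entry, or "soname MISSING" when the loader could not resolve it.
openssl_deps() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
             if ($3 == "not") print $1, "MISSING"; else print $1, $3
         }'
}

# Read ldd output on stdin; print one verdict:
#   shared  - OpenSSL comes from host libraries; updating the OpenSSL package
#             and restarting the service replaces the vulnerable code
#   missing - a shared OpenSSL dependency is listed but not resolvable
#   none    - no dynamic OpenSSL dependency listed; a host library update
#             alone does not change the code the binary runs
openssl_linkage() {
    deps=$(openssl_deps)
    case "$deps" in
        "")        echo none ;;
        *MISSING*) echo missing ;;
        *)         echo shared ;;
    esac
}

# Demonstration on the embedded samples (runs offline).
printf '%s\n' "$SAMPLE_LDD" | openssl_deps
printf '%s\n' "$SAMPLE_LDD" | openssl_linkage
printf '%s\n' "$SAMPLE_STATIC" | openssl_linkage
```

On a real host, pipe `ldd "$(command -v stunnel)"` into `openssl_linkage`; on an RPM-based system, `rpm -qf` on a path printed by `openssl_deps` names the package that owns the library.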

