Moderate CentOS stunnel Update

Metadata

medium
6.6
stunnel-4.29-3.el6_4.i686.rpm, stunnel-4.29-3.el6_4.src.rpm, stunnel-4.29-3.el6_4.x86_64.rpm
CVE-2013-1762
rhn.redhat.com, lists.centos.org
2013-04-08
2017-07-27 19:05
CVE-2013-1762 stunnel4
CVE-2013-1762
2017-04-01 19:07
2017-01-05 20:11

Description


An updated stunnel package that fixes one security issue is now available
for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

stunnel is a socket wrapper which can provide SSL (Secure Sockets Layer)
support to ordinary applications. For example, it can be used in
conjunction with imapd to create an SSL-secure IMAP server.

An integer conversion issue was found in stunnel when using Microsoft NT
LAN Manager (NTLM) authentication with the HTTP CONNECT tunneling method.
With this configuration, and using stunnel in SSL client mode on a 64-bit
system, an attacker could possibly execute arbitrary code with the
privileges of the stunnel process via a man-in-the-middle attack or by
tricking a user into using a malicious proxy. (CVE-2013-1762)

All stunnel users should upgrade to this updated package, which contains a
backported patch to correct this issue.

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is marked as pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.

Affected package information

Release  Package  Patched in
6        stunnel  stunnel-4.29-3.el6_4.i686.rpm
6        stunnel  stunnel-4.29-3.el6_4.src.rpm
6        stunnel  stunnel-4.29-3.el6_4.x86_64.rpm