stunnel4: CVE-2015-3644


Debian Bug report logs - #785352


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 15 May 2015 06:27:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version stunnel4/3:5.06-2

Fixed in versions stunnel4/3:5.18-1, stunnel4/3:5.06-2+deb8u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Peter Pentchev <roam@ringlet.net>:
Bug#785352; Package src:stunnel4. (Fri, 15 May 2015 06:27:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Peter Pentchev <roam@ringlet.net>. (Fri, 15 May 2015 06:27:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: stunnel4: CVE-2015-3644
Date: Fri, 15 May 2015 08:25:57 +0200
Source: stunnel4
Version: 3:5.06-2
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for stunnel4. Could you
please have a look at it? I was not able to isolate a fix yet, so I am just
reporting it to the BTS.

CVE-2015-3644[0]:
| Stunnel 5.00 through 5.13, when using the redirect option, does not
| redirect client connections to the expected server after the initial
| connection, which allows remote attackers to bypass authentication.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3644
[1] https://www.stunnel.org/CVE-2015-3644.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as fixed in versions stunnel4/3:5.18-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 14 Jun 2015 15:42:04 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 04 Jul 2015 18:18:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 04 Jul 2015 18:18:10 GMT)


Message #12 received at 785352-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 785352-close@bugs.debian.org
Subject: Bug#785352: fixed in stunnel4 3:5.06-2+deb8u1
Date: Sat, 04 Jul 2015 18:17:14 +0000
Source: stunnel4
Source-Version: 3:5.06-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
stunnel4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 785352@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated stunnel4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 28 Jun 2015 06:57:25 +0200
Source: stunnel4
Binary: stunnel4
Architecture: source
Version: 3:5.06-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Peter Pentchev <roam@ringlet.net>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 stunnel4   - Universal SSL tunnel for network daemons
Closes: 785352
Changes:
 stunnel4 (3:5.06-2+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add 17-CVE-2015-3644.patch patch.
     CVE-2015-3644: authentication bypass with the "redirect" option.
     (Closes: #785352)
Checksums-Sha1:
 71e8d9108b2addfe142f52996c555d6a5a8d5a27 1971 stunnel4_5.06-2+deb8u1.dsc
 315c5414562c39f39a58f1952cdcd7a2e343b175 595550 stunnel4_5.06.orig.tar.gz
 df20353dba7017176feddf1d6bb15cdd7fed3a1d 39648 stunnel4_5.06-2+deb8u1.debian.tar.xz
Checksums-Sha256:
 cc7f6951ade80d34835dbb22d6cd4eec76b692b2c04cf4bde7fc809d66baeab1 1971 stunnel4_5.06-2+deb8u1.dsc
 098c2b6db0793ea4fa5b6767ce6ef1853e9f6cc2f32133024be55f6a460b1a40 595550 stunnel4_5.06.orig.tar.gz
 d91d6b714b2c632ba3057070c2efebdc9fcf8d32a7aaff646327a88c6044fdf4 39648 stunnel4_5.06-2+deb8u1.debian.tar.xz
Files:
 05baa85c3e085bface0859fe26fc7f66 1971 net optional stunnel4_5.06-2+deb8u1.dsc
 827901cd4690796eadf17f792b658573 595550 net optional stunnel4_5.06.orig.tar.gz
 733b28398a65075a0267c04239bfa832 39648 net optional stunnel4_5.06-2+deb8u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 06 Sep 2015 07:34:01 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:04:06 2019; Machine Name: beach
