lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <200310032306.h93N6ph08837@rafiki.ca.caldera.com>
Date: Fri, 3 Oct 2003 16:06:51 -0700
From: security@....com
To: announce@...ts.sco.com, bugtraq@...urityfocus.com,
   security-alerts@...uxsecurity.com, full-disclosure@...ts.netsys.com
Subject: OpenLinux: Updated stunnel packages fix signal vulnerability



To: announce@...ts.sco.com bugtraq@...urityfocus.com security-alerts@...uxsecurity.com full-disclosure@...ts.netsys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenLinux: Updated stunnel packages fix signal vulnerability
Advisory number: 	CSSA-2003-026.0
Issue date: 		2003 October 03
Cross reference: 	sr883627 fz528223 erg712413 CAN-2002-1563
______________________________________________________________________________


1. Problem Description

	stunnel is a wrapper for network connections. It can be used
	to tunnel an unencrypted network connection over a secure
	connection (encrypted using SSL or TLS) or to provide a secure
	means of connecting to services that do not natively support
	encryption. 

	When configured to listen for incoming connections (instead of 
	being invoked by xinetd), stunnel can be configured to either 
	start a thread or a child process to handle each new connection. 
	If Stunnel is configured to start a new child process to handle 
	each connection, it will receive a SIGCHLD signal when that child 
	exits. 
	
	Stunnel versions prior to 4.04 would perform tasks in the 
	SIGCHLD signal handler which, if interrupted by another SIGCHLD 
	signal, could be unsafe. This could lead to a denial of service. 

	The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2002-1563 to this issue.

2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------
	OpenLinux 3.1.1 Server		prior to stunnel-4.04-1.i386.rpm
	OpenLinux 3.1.1 Workstation	prior to stunnel-4.04-1.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater, called
	cupdate (or kcupdate under the KDE environment), to update these
	packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-026.0/RPMS

	4.2 Packages

	00d7179b1b5ca718d3ec6b85f144e4f1	stunnel-4.04-1.i386.rpm

	4.3 Installation

	rpm -Fvh stunnel-4.04-1.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-026.0/SRPMS

	4.5 Source Packages

	ca450eb7d9ca61c042f0b6d1448def8d	stunnel-4.04-1.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-026.0/RPMS

	5.2 Packages

	e05b815b77113f4700875bb7a263a7ae	stunnel-4.04-1.i386.rpm

	5.3 Installation

	rpm -Fvh stunnel-4.04-1.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-026.0/SRPMS

	5.5 Source Packages

	f13039bc38057f788d72ed9fa0448e0a	stunnel-4.04-1.src.rpm


6. References

	Specific references for this advisory:
	http://marc.theaimsgroup.com/?l=stunnel-users&m=103600188215117
	http://marc.theaimsgroup.com/?l=bugtraq&m=104247606910598
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1563

	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr883627 fz528223
	erg712413.


7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.

8. Acknowledgements

	SCO would like to thank Henrik Eriksson from Axis Communications.
______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj999a8ACgkQbluZssSXDTFCZQCghaAuO/2UeV6CpVlvcsa8J/0H
SmkAoJmHopz4H4R8u6NewNY0+keWeI0E
=VZ9Z
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ