English | Deutsch | Español | Português
 UserID:
 Passwd:
new user
 About:   Dedicated  | Advanced  | Standard  | Recurring  | No Risk  | Desktop  | Basic  | Single  | Security Seal  | FAQ
  Price/Feature Summary  | Order  | New Vulnerabilities  | Confidentiality  | Vulnerability Search
 Vulnerability   
Search   
    Search 76783 CVE descriptions
and 40246 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.51456
Category:Conectiva Local Security Checks
Title:Conectiva Security Advisory CLA-2003:736
Summary:Conectiva Security Advisory CLA-2003:736
Description:
The remote host is missing updates announced in
advisory CLA-2003:736.

Stunnel is a wrapper for network connections. It can be used to
tunnel an unencrypted network connection over a secure connection
(encrypted using SSL or TLS) or to provide a secure means of
connecting to services that do not natively support encryption.

This update fixes two vulnerabilities that affect stunnel versions
shipped with Conectiva Linux:

1. SIGCHLD Denial of Service (CVE-2002-1563)[1]
Henrik Eriksson found[2] a race in the code that handles the SIGCHLD
signal. This vulnerability affects stunnel when configured to listen
for incoming connections (instead of being invoked by inetd) and to
start a new child process to handle each new connection. A remote
attacker can exploit this vulnerability to bring the tunneled service
down.

2. File descriptor leak (CVE-2003-0740)[3]
Steve Grubb found[4] a file descriptor leak vulnerability in versions
prior to 3.26 of stunnel that allows a local attacker to hijack the
stunnel server.

Since this update brings a new version of stunnel (3.26), several
other fixes and minor changes are included as well[5].


Solution:
The apt tool can be used to perform RPM package upgrades
by running 'apt-get update' followed by 'apt-get upgrade'

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1563
http://marc.theaimsgroup.com/?l=stunnel-users&m=103600188215117&w=2
http://www.securityfocus.com/archive/1/335996
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0740
http://www.stunnel.org/news/
http://www.securityspace.com/smysecure/catid.html?in=CLA-2003:736
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002003

Risk factor : Medium
Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2002-1563
http://marc.theaimsgroup.com/?l=stunnel-users&m=103600188215117&w=2
Bugtraq: 20030112 SIGCHLD problem in Stunnel (Google Search)
http://marc.theaimsgroup.com/?l=bugtraq&m=104247606910598
http://www.redhat.com/support/errata/RHSA-2003-221.html
http://www.redhat.com/support/errata/RHSA-2003-223.html
En Garde Linux Advisory: ESA-20030806-020
http://www.linuxsecurity.com/advisories/engarde_advisory-3535.html
Conectiva Linux advisory: CLA-2003:736
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000736
http://marc.theaimsgroup.com/?l=bugtraq&m=106029168514511&w=2
BugTraq ID: 6592
http://www.securityfocus.com/bid/6592
Common Vulnerability Exposure (CVE) ID: CVE-2003-0740
Bugtraq: 20030903 Stunnel-3.x Daemon Hijacking (Google Search)
http://marc.theaimsgroup.com/?l=bugtraq&m=106260760211958&w=2
http://www.redhat.com/support/errata/RHSA-2003-297.html
http://www.mandriva.com/security/advisories?name=MDKSA-2003:108
CopyrightCopyright (c) 2005 E-Soft Inc. http://www.securityspace.com

This is only one of 40246 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.

New User Registration
Email:
UserID:
Passwd:
Please email me your monthly newsletters, informing the latest services, improvements & surveys.
Please email me a vulnerability test announcement whenever a new test is added.
   Privacy
Registered User Login
 
UserID:   
Passwd:  

 Forgot userid or passwd?
Email/Userid:




Home | About Us | Contact Us | Partner Programs | Developer APIs | Privacy | Mailing Lists | Abuse
Security Audits | Managed DNS | Network Monitoring | Site Analyzer | Internet Research Reports
Web Probe | Whois

© 1998-2014 E-Soft Inc. All rights reserved.