Stunnel is a wrapper for network connections. It can be used to
tunnel an unencrypted network connection over a secure connection
(encrypted using SSL or TLS) or to provide a secure means of
connecting to services that do not natively support encryption.

This update fixes two vulnerabilities that affect stunnel versions
shipped with Conectiva Linux:

1. SIGCHLD Denial of Service (CAN-2002-1563)
Henrik Eriksson found a race in the code that handles the SIGCHLD
signal. This vulnerability affects stunnel when configured to listen
for incoming connections (instead of being invoked by inetd) and to
start a new child process to handle each new connection. A remote
attacker can exploit this vulnerability to bring the tunneled service

2. File descriptor leak (CAN-2003-0740)
Steve Grubb found a file descriptor leak vulnerability in versions
prior to 3.26 of stunnel that allows a local attacker to hijack the

Since this update brings a new version of stunnel (3.26), several
other fixes and minor changes are included as well.

All stunnel users should upgrade.

Please note that after the upgrade all instances of stunnel and all
active network connections being served by it must be restarted
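
One way to find stunnel instances that were started before the upgrade and
still need that restart (an added example, not part of the original advisory).
It assumes Linux procfs, where /proc/<pid>/exe reads "<path> (deleted)" once
the binary a process was started from has been replaced on disk; the function
names are hypothetical.

```shell
#!/bin/sh
# Added example: report stunnel processes still executing the pre-upgrade binary.
# Assumption: Linux procfs semantics for /proc/<pid>/exe (see lead-in).

# classify_stunnel [PROC_ROOT] [NAME]
# Prints one line per matching process: "<pid> stale|current <exe target>"
classify_stunnel() {
    proc_root=${1:-/proc}
    name=${2:-stunnel}
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # readlink fails for kernel threads and for processes we may not inspect
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case $target in
            */"$name (deleted)") state=stale ;;    # old binary, replaced on disk
            */"$name")           state=current ;;  # started from the current binary
            *)                   continue ;;       # some other program
        esac
        printf '%s %s %s\n' "${dir##*/}" "$state" "$target"
    done
}

# stale_stunnel_pids [PROC_ROOT] [NAME]
# Prints only the PIDs that are still running the replaced binary.
stale_stunnel_pids() {
    classify_stunnel "$@" | while read -r pid state rest; do
        if [ "$state" = stale ]; then
            echo "$pid"
        fi
    done
}

# Run as root so that every process's exe link is readable.
stale_stunnel_pids "${1:-/proc}"
```

An empty result after restarting means no listed process is still running the
old binary; instances launched per connection by inetd do not persist and are
picked up from the new binary on the next connection.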