Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.0662 stunnel security update 23 February 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: stunnel Publisher: Red Hat Operating System: Red Hat Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2021-20230 Original Bulletin: https://access.redhat.com/errata/RHSA-2021:0620 https://access.redhat.com/errata/RHSA-2021:0618 https://access.redhat.com/errata/RHSA-2021:0619 Comment: This advisory references vulnerabilities in products which run on platforms other than Red Hat. It is recommended that administrators running stunnel check for an updated version of the software for their operating system. This bulletin contains three (3) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: stunnel security update Advisory ID: RHSA-2021:0620-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:0620 Issue date: 2021-02-22 CVE Names: CVE-2021-20230 ===================================================================== 1. Summary: An update for stunnel is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux BaseOS EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64 3. Description: Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over an encrypted connection (encrypted using SSL or TLS) or to provide an encrypted means of connecting to services that do not natively support encryption. Security Fix(es): * stunnel: client certificate not correctly verified when redirect and verifyChain options are used (CVE-2021-20230) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1925226 - CVE-2021-20230 stunnel: client certificate not correctly verified when redirect and verifyChain options are used 6. Package List: Red Hat Enterprise Linux BaseOS EUS (v. 8.1): Source: stunnel-5.48-6.el8_1.src.rpm aarch64: stunnel-5.48-6.el8_1.aarch64.rpm stunnel-debuginfo-5.48-6.el8_1.aarch64.rpm stunnel-debugsource-5.48-6.el8_1.aarch64.rpm ppc64le: stunnel-5.48-6.el8_1.ppc64le.rpm stunnel-debuginfo-5.48-6.el8_1.ppc64le.rpm stunnel-debugsource-5.48-6.el8_1.ppc64le.rpm s390x: stunnel-5.48-6.el8_1.s390x.rpm stunnel-debuginfo-5.48-6.el8_1.s390x.rpm stunnel-debugsource-5.48-6.el8_1.s390x.rpm x86_64: stunnel-5.48-6.el8_1.x86_64.rpm stunnel-debuginfo-5.48-6.el8_1.x86_64.rpm stunnel-debugsource-5.48-6.el8_1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-20230 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYDOHQtzjgjWX9erEAQiX5w//fSp7muESFK0MFGna8G7hlPxBPiX3MGaT ccN+guyedREQKDkJbzcGj0IKmoajDZbiaE6DjpxqV3sUUZhI0yM3f3YHqBlLTZAa OulNwCZwOhmixUOVdm+9vG1xyPXFm7D5IiiGF8Cfkb5jheD5NhL1ZzVXVuNm2Sup 2EcR0Iv6OwRdVbJWlgYqrrKSzpCRsbssvzDM1erjqirrGx6VdYM6TB8EjXMZpqBi 5g3ajGiEKo3IJduvv6sk6lYtfr7qCU6zeZE1K3+Jn+PMurACKGQcb6UW/7IxEOY6 zaN4NWFBm0CrQSAzjqA/Cie7yK5c6RM3AGC231DjWSJwcL9gCstTTX8UGx/ci9J1 3x18RVpUJJ+6ulI2blp+oslYGVeIsuKFiF6ffUm5KNPQjQqDIHaRC3j5d6aL0LVA I16mUyVUb6xQ0hLgHZqYWBlbrWs1Pmv1mhlOfmUn+fSWBpWv8Dq6iY8zBrQXz9d5 suIna+6YhXPpvEmt57N4X59X37tNRaCm7XX8Q59gwMTYE/kdwYpzEfwd8pW3/vlQ 8TLWYpP2If/X+98XWHFvvdP8bbEWOjfAXQxs52znSNlYz0blzw/aUqfm14IqkNg8 HBnfdHxPZh/xon6GozoLhh67DT/aK/FGE3LHKbt3RQQBoBc1OYhMwLZWAPwsYt6Q /ohUy1hMz1I= =evFH - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: stunnel security update Advisory ID: RHSA-2021:0618-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:0618 Issue date: 2021-02-22 CVE Names: CVE-2021-20230 ===================================================================== 1. Summary: An update for stunnel is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over an encrypted connection (encrypted using SSL or TLS) or to provide an encrypted means of connecting to services that do not natively support encryption. Security Fix(es): * stunnel: client certificate not correctly verified when redirect and verifyChain options are used (CVE-2021-20230) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1925226 - CVE-2021-20230 stunnel: client certificate not correctly verified when redirect and verifyChain options are used 6. Package List: Red Hat Enterprise Linux BaseOS (v. 8): Source: stunnel-5.56-5.el8_3.src.rpm aarch64: stunnel-5.56-5.el8_3.aarch64.rpm stunnel-debuginfo-5.56-5.el8_3.aarch64.rpm stunnel-debugsource-5.56-5.el8_3.aarch64.rpm ppc64le: stunnel-5.56-5.el8_3.ppc64le.rpm stunnel-debuginfo-5.56-5.el8_3.ppc64le.rpm stunnel-debugsource-5.56-5.el8_3.ppc64le.rpm s390x: stunnel-5.56-5.el8_3.s390x.rpm stunnel-debuginfo-5.56-5.el8_3.s390x.rpm stunnel-debugsource-5.56-5.el8_3.s390x.rpm x86_64: stunnel-5.56-5.el8_3.x86_64.rpm stunnel-debuginfo-5.56-5.el8_3.x86_64.rpm stunnel-debugsource-5.56-5.el8_3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-20230 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYDOHXdzjgjWX9erEAQgJHA//XO6gs71FL1/5O9e3ckFV4QkIKF8Z2d+f rQwSmpcelOEYGV5q56EF7cZV7MhunQcXVia8gBXdZMSA9liPBNR7b3VXgYrmPHgk /6nU/2IkvxT6GwZBchAO0DQlXvD7TUZGQmoI0llmvHBrj93BG3WeoSi4hQIauBLZ tuGhH8euKCNwX/XJJ+7V5t7JjWDE5FzGFMcfw6i/DO6hhn47f1IOeUz+TH3iXRpd uvE1aF9TMcctKn3jQj7w/7Uf0UCpBpOa32SKKRmjMrtExmHSTJJ3tM7c0xgGEg35 w4h6PEeUHc5x4aWM9fNZcWaPAyPgNPj925DMYRVlVM2L6O3HiNPojwnZNSHJ9YS5 MYeTQikLN7Gbkt+MM1JOusLn00oOxgmYXEjTnaallKwDrWw5U2SwuH333ISRmlvb Mm+0j+G/91flDDxg1kCIeC39eSnn7sAcn6CucJV52HLgQbevtEwKSpnrqlg/TWh7 c02PGOoGK7hVKGTxddMrMT/PxIfCKzonJhvqn+pxujb6T8c5cl6HC+cJEEfaNl9e AzaI5/0d9jx4I46A7azHlp35vW5a+CbNq0mocN7JRW3QgqXZgrghgazeCs5lOBte RCWzLdPHbwjohTfu2lxymvzUb9aU9HlQnnCyeGLPuUnafaHCkyDeW/OjtY2jeV5r rsEhsbXmB+4= =Zo9I - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: stunnel security update Advisory ID: RHSA-2021:0619-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:0619 Issue date: 2021-02-22 CVE Names: CVE-2021-20230 ===================================================================== 1. Summary: An update for stunnel is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux BaseOS EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64 3. Description: Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over an encrypted connection (encrypted using SSL or TLS) or to provide an encrypted means of connecting to services that do not natively support encryption. Security Fix(es): * stunnel: client certificate not correctly verified when redirect and verifyChain options are used (CVE-2021-20230) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1925226 - CVE-2021-20230 stunnel: client certificate not correctly verified when redirect and verifyChain options are used 6. Package List: Red Hat Enterprise Linux BaseOS EUS (v. 8.2): Source: stunnel-5.48-6.el8_2.src.rpm aarch64: stunnel-5.48-6.el8_2.aarch64.rpm stunnel-debuginfo-5.48-6.el8_2.aarch64.rpm stunnel-debugsource-5.48-6.el8_2.aarch64.rpm ppc64le: stunnel-5.48-6.el8_2.ppc64le.rpm stunnel-debuginfo-5.48-6.el8_2.ppc64le.rpm stunnel-debugsource-5.48-6.el8_2.ppc64le.rpm s390x: stunnel-5.48-6.el8_2.s390x.rpm stunnel-debuginfo-5.48-6.el8_2.s390x.rpm stunnel-debugsource-5.48-6.el8_2.s390x.rpm x86_64: stunnel-5.48-6.el8_2.x86_64.rpm stunnel-debuginfo-5.48-6.el8_2.x86_64.rpm stunnel-debugsource-5.48-6.el8_2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-20230 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYDOKTtzjgjWX9erEAQh5whAAniQS7NIRQLDondyaE3KhyLb/AFW/gl0a JnqYms2VscBUrGqoiA1McSHynE2TIhEBv0A4kXlzYxcq3GtICa3KtCHlVeUiVBsx KZm8sJ1XWfUPchDpvI2wAELsRdcQW+GeLaAIiiy8SW42cbqrjpesKqsmvjQk/UAd IU9o50x8qqeqbyHy2/ke0Muztj3E+Fze+JzuTdlqtNsev577n2ull1nrxJxn7Gpt 2tSDWn12UWQ+52kO1CgRXRqZxZbNhYBgVkoSypj37AfSwO0k6QrSsnzKCmbldZ5O iwU+UYsesrKwGranlu7CuOO/pxrNL50SMvQm99HAhiW/kezxqdP6Mvhy0g5XuS6j RG5IdvqISGr5sevqmancSecG8HlMqLXT+0OgIuHTkd5lD29kYiBTmPwVDtQbaDCh kQ2/Iat/+VKUY1n5CEuL5WpgTcmEyOeLw5THtoIlGMYTqvvWvvSgVqccFyviTZK1 59Dse/6Ym4dePiNFxWOKw5hAhkkDSY1A0/xFC8xQEkltr/TVSNEhnrVxnHk75Qch DbTgUQEEFgN2nDSXq0rFFGJBvg+yDJ+Hxob72z437dPtdv6x/l5Ql0h6KanxIHqj 98aHYIp9o5GBYkVlpoIYmDo8fVKkmskm0Z7YtX/B7wJvS2sm/hCSClrj23DYbCer E7LmVQcsJQw= =LTzC - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYDRjkuNLKJtyKPYoAQiUwxAApS1DNlEPniHqR24to456MynxbQcdZO7l 6W7z7Hldg+k97xBmsXowcgf06rq2/z1Hn0fTaxfSvcvf+EAtJJLjNlQHKpcnBx0t umhHqXUdxkvWXDXfHkTNpwP/D7bbkZcHTZj0pz2G4CklDDGqLFSPF4K0pXwSMpr3 BMGy9aS4L8yAzpO8JaSrTYEq6CDJUJ9VMkhui0qT/4KEjTxCR2CF8sKuf7phXFUl XvpHbtlcFA5GVR4pwHnXcPhrPVBsQZV9Ip/LoSbNAbLYah59oN52WEXnIalKL0C3 mwMfL4jATpEwShWcGm3Cw+ku6TEpnQtO38b0r4BxnQR5yKn7fpXDRdBGALp9/fY9 C9nbiuPjjZmKgoCF7EGrZHtWDXdaIFiCeky/15Ubqs2k7oe7tyWj16zVBsmHUbm6 SXFR82hAABEjJecf+KrtWkQxiWSYQ3M0QMq9b9MuR+O1kx27EdY1d/Rhcfh4igO8 Tc+wmXcLYtND9BDkteXOu1MAIUWHTuPRfZjhbKtvfwQ3qW0/dhHeQRSKwZQ/PWSj pYM9rCA7ckS5TfWyUxgBAZ1KISJDWmXtBUvEpmeOYZRpg6KibgNl6fqDnnDBBh2N CecJjNvSYF1L1C4TbD/AsQiXQ3HbN4NNa18UnxwVDhXX/juDvwI+wj0Ke8qCASB6 8P97BLthgxg= =6Uar -----END PGP SIGNATURE-----