Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.0662
stunnel security update
23 February 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: stunnel
Publisher: Red Hat
Operating System: Red Hat
Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-20230
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:0620
https://access.redhat.com/errata/RHSA-2021:0618
https://access.redhat.com/errata/RHSA-2021:0619
Comment: This advisory references vulnerabilities in products which run on
platforms other than Red Hat. It is recommended that administrators
running stunnel check for an updated version of the software for
their operating system.
This bulletin contains three (3) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: stunnel security update
Advisory ID: RHSA-2021:0620-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0620
Issue date: 2021-02-22
CVE Names: CVE-2021-20230
=====================================================================
1. Summary:
An update for stunnel is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux BaseOS EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64
3. Description:
Stunnel is a wrapper for network connections. It can be used to tunnel an
unencrypted network connection over an encrypted connection (encrypted
using SSL or TLS) or to provide an encrypted means of connecting to
services that do not natively support encryption.
Security Fix(es):
* stunnel: client certificate not correctly verified when redirect and
verifyChain options are used (CVE-2021-20230)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1925226 - CVE-2021-20230 stunnel: client certificate not correctly verified when redirect and verifyChain options are used
6. Package List:
Red Hat Enterprise Linux BaseOS EUS (v. 8.1):
Source:
stunnel-5.48-6.el8_1.src.rpm
aarch64:
stunnel-5.48-6.el8_1.aarch64.rpm
stunnel-debuginfo-5.48-6.el8_1.aarch64.rpm
stunnel-debugsource-5.48-6.el8_1.aarch64.rpm
ppc64le:
stunnel-5.48-6.el8_1.ppc64le.rpm
stunnel-debuginfo-5.48-6.el8_1.ppc64le.rpm
stunnel-debugsource-5.48-6.el8_1.ppc64le.rpm
s390x:
stunnel-5.48-6.el8_1.s390x.rpm
stunnel-debuginfo-5.48-6.el8_1.s390x.rpm
stunnel-debugsource-5.48-6.el8_1.s390x.rpm
x86_64:
stunnel-5.48-6.el8_1.x86_64.rpm
stunnel-debuginfo-5.48-6.el8_1.x86_64.rpm
stunnel-debugsource-5.48-6.el8_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-20230
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYDOHQtzjgjWX9erEAQiX5w//fSp7muESFK0MFGna8G7hlPxBPiX3MGaT
ccN+guyedREQKDkJbzcGj0IKmoajDZbiaE6DjpxqV3sUUZhI0yM3f3YHqBlLTZAa
OulNwCZwOhmixUOVdm+9vG1xyPXFm7D5IiiGF8Cfkb5jheD5NhL1ZzVXVuNm2Sup
2EcR0Iv6OwRdVbJWlgYqrrKSzpCRsbssvzDM1erjqirrGx6VdYM6TB8EjXMZpqBi
5g3ajGiEKo3IJduvv6sk6lYtfr7qCU6zeZE1K3+Jn+PMurACKGQcb6UW/7IxEOY6
zaN4NWFBm0CrQSAzjqA/Cie7yK5c6RM3AGC231DjWSJwcL9gCstTTX8UGx/ci9J1
3x18RVpUJJ+6ulI2blp+oslYGVeIsuKFiF6ffUm5KNPQjQqDIHaRC3j5d6aL0LVA
I16mUyVUb6xQ0hLgHZqYWBlbrWs1Pmv1mhlOfmUn+fSWBpWv8Dq6iY8zBrQXz9d5
suIna+6YhXPpvEmt57N4X59X37tNRaCm7XX8Q59gwMTYE/kdwYpzEfwd8pW3/vlQ
8TLWYpP2If/X+98XWHFvvdP8bbEWOjfAXQxs52znSNlYz0blzw/aUqfm14IqkNg8
HBnfdHxPZh/xon6GozoLhh67DT/aK/FGE3LHKbt3RQQBoBc1OYhMwLZWAPwsYt6Q
/ohUy1hMz1I=
=evFH
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: stunnel security update
Advisory ID: RHSA-2021:0618-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0618
Issue date: 2021-02-22
CVE Names: CVE-2021-20230
=====================================================================
1. Summary:
An update for stunnel is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64
3. Description:
Stunnel is a wrapper for network connections. It can be used to tunnel an
unencrypted network connection over an encrypted connection (encrypted
using SSL or TLS) or to provide an encrypted means of connecting to
services that do not natively support encryption.
Security Fix(es):
* stunnel: client certificate not correctly verified when redirect and
verifyChain options are used (CVE-2021-20230)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1925226 - CVE-2021-20230 stunnel: client certificate not correctly verified when redirect and verifyChain options are used
6. Package List:
Red Hat Enterprise Linux BaseOS (v. 8):
Source:
stunnel-5.56-5.el8_3.src.rpm
aarch64:
stunnel-5.56-5.el8_3.aarch64.rpm
stunnel-debuginfo-5.56-5.el8_3.aarch64.rpm
stunnel-debugsource-5.56-5.el8_3.aarch64.rpm
ppc64le:
stunnel-5.56-5.el8_3.ppc64le.rpm
stunnel-debuginfo-5.56-5.el8_3.ppc64le.rpm
stunnel-debugsource-5.56-5.el8_3.ppc64le.rpm
s390x:
stunnel-5.56-5.el8_3.s390x.rpm
stunnel-debuginfo-5.56-5.el8_3.s390x.rpm
stunnel-debugsource-5.56-5.el8_3.s390x.rpm
x86_64:
stunnel-5.56-5.el8_3.x86_64.rpm
stunnel-debuginfo-5.56-5.el8_3.x86_64.rpm
stunnel-debugsource-5.56-5.el8_3.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-20230
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYDOHXdzjgjWX9erEAQgJHA//XO6gs71FL1/5O9e3ckFV4QkIKF8Z2d+f
rQwSmpcelOEYGV5q56EF7cZV7MhunQcXVia8gBXdZMSA9liPBNR7b3VXgYrmPHgk
/6nU/2IkvxT6GwZBchAO0DQlXvD7TUZGQmoI0llmvHBrj93BG3WeoSi4hQIauBLZ
tuGhH8euKCNwX/XJJ+7V5t7JjWDE5FzGFMcfw6i/DO6hhn47f1IOeUz+TH3iXRpd
uvE1aF9TMcctKn3jQj7w/7Uf0UCpBpOa32SKKRmjMrtExmHSTJJ3tM7c0xgGEg35
w4h6PEeUHc5x4aWM9fNZcWaPAyPgNPj925DMYRVlVM2L6O3HiNPojwnZNSHJ9YS5
MYeTQikLN7Gbkt+MM1JOusLn00oOxgmYXEjTnaallKwDrWw5U2SwuH333ISRmlvb
Mm+0j+G/91flDDxg1kCIeC39eSnn7sAcn6CucJV52HLgQbevtEwKSpnrqlg/TWh7
c02PGOoGK7hVKGTxddMrMT/PxIfCKzonJhvqn+pxujb6T8c5cl6HC+cJEEfaNl9e
AzaI5/0d9jx4I46A7azHlp35vW5a+CbNq0mocN7JRW3QgqXZgrghgazeCs5lOBte
RCWzLdPHbwjohTfu2lxymvzUb9aU9HlQnnCyeGLPuUnafaHCkyDeW/OjtY2jeV5r
rsEhsbXmB+4=
=Zo9I
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: stunnel security update
Advisory ID: RHSA-2021:0619-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0619
Issue date: 2021-02-22
CVE Names: CVE-2021-20230
=====================================================================
1. Summary:
An update for stunnel is now available for Red Hat Enterprise Linux 8.2
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux BaseOS EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64
3. Description:
Stunnel is a wrapper for network connections. It can be used to tunnel an
unencrypted network connection over an encrypted connection (encrypted
using SSL or TLS) or to provide an encrypted means of connecting to
services that do not natively support encryption.
Security Fix(es):
* stunnel: client certificate not correctly verified when redirect and
verifyChain options are used (CVE-2021-20230)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1925226 - CVE-2021-20230 stunnel: client certificate not correctly verified when redirect and verifyChain options are used
6. Package List:
Red Hat Enterprise Linux BaseOS EUS (v. 8.2):
Source:
stunnel-5.48-6.el8_2.src.rpm
aarch64:
stunnel-5.48-6.el8_2.aarch64.rpm
stunnel-debuginfo-5.48-6.el8_2.aarch64.rpm
stunnel-debugsource-5.48-6.el8_2.aarch64.rpm
ppc64le:
stunnel-5.48-6.el8_2.ppc64le.rpm
stunnel-debuginfo-5.48-6.el8_2.ppc64le.rpm
stunnel-debugsource-5.48-6.el8_2.ppc64le.rpm
s390x:
stunnel-5.48-6.el8_2.s390x.rpm
stunnel-debuginfo-5.48-6.el8_2.s390x.rpm
stunnel-debugsource-5.48-6.el8_2.s390x.rpm
x86_64:
stunnel-5.48-6.el8_2.x86_64.rpm
stunnel-debuginfo-5.48-6.el8_2.x86_64.rpm
stunnel-debugsource-5.48-6.el8_2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-20230
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYDOKTtzjgjWX9erEAQh5whAAniQS7NIRQLDondyaE3KhyLb/AFW/gl0a
JnqYms2VscBUrGqoiA1McSHynE2TIhEBv0A4kXlzYxcq3GtICa3KtCHlVeUiVBsx
KZm8sJ1XWfUPchDpvI2wAELsRdcQW+GeLaAIiiy8SW42cbqrjpesKqsmvjQk/UAd
IU9o50x8qqeqbyHy2/ke0Muztj3E+Fze+JzuTdlqtNsev577n2ull1nrxJxn7Gpt
2tSDWn12UWQ+52kO1CgRXRqZxZbNhYBgVkoSypj37AfSwO0k6QrSsnzKCmbldZ5O
iwU+UYsesrKwGranlu7CuOO/pxrNL50SMvQm99HAhiW/kezxqdP6Mvhy0g5XuS6j
RG5IdvqISGr5sevqmancSecG8HlMqLXT+0OgIuHTkd5lD29kYiBTmPwVDtQbaDCh
kQ2/Iat/+VKUY1n5CEuL5WpgTcmEyOeLw5THtoIlGMYTqvvWvvSgVqccFyviTZK1
59Dse/6Ym4dePiNFxWOKw5hAhkkDSY1A0/xFC8xQEkltr/TVSNEhnrVxnHk75Qch
DbTgUQEEFgN2nDSXq0rFFGJBvg+yDJ+Hxob72z437dPtdv6x/l5Ql0h6KanxIHqj
98aHYIp9o5GBYkVlpoIYmDo8fVKkmskm0Z7YtX/B7wJvS2sm/hCSClrj23DYbCer
E7LmVQcsJQw=
=LTzC
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYDRjkuNLKJtyKPYoAQiUwxAApS1DNlEPniHqR24to456MynxbQcdZO7l
6W7z7Hldg+k97xBmsXowcgf06rq2/z1Hn0fTaxfSvcvf+EAtJJLjNlQHKpcnBx0t
umhHqXUdxkvWXDXfHkTNpwP/D7bbkZcHTZj0pz2G4CklDDGqLFSPF4K0pXwSMpr3
BMGy9aS4L8yAzpO8JaSrTYEq6CDJUJ9VMkhui0qT/4KEjTxCR2CF8sKuf7phXFUl
XvpHbtlcFA5GVR4pwHnXcPhrPVBsQZV9Ip/LoSbNAbLYah59oN52WEXnIalKL0C3
mwMfL4jATpEwShWcGm3Cw+ku6TEpnQtO38b0r4BxnQR5yKn7fpXDRdBGALp9/fY9
C9nbiuPjjZmKgoCF7EGrZHtWDXdaIFiCeky/15Ubqs2k7oe7tyWj16zVBsmHUbm6
SXFR82hAABEjJecf+KrtWkQxiWSYQ3M0QMq9b9MuR+O1kx27EdY1d/Rhcfh4igO8
Tc+wmXcLYtND9BDkteXOu1MAIUWHTuPRfZjhbKtvfwQ3qW0/dhHeQRSKwZQ/PWSj
pYM9rCA7ckS5TfWyUxgBAZ1KISJDWmXtBUvEpmeOYZRpg6KibgNl6fqDnnDBBh2N
CecJjNvSYF1L1C4TbD/AsQiXQ3HbN4NNa18UnxwVDhXX/juDvwI+wj0Ke8qCASB6
8P97BLthgxg=
=6Uar
-----END PGP SIGNATURE-----