Bug 160218 - security/stunnel is vulnerable to CVE-2011-2940
security/stunnel is vulnerable to CVE-2011-2940
Status: Closed FIXED
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Latest
Any Any
: Normal Affects Only Me
Assigned To: roam
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-08-26 18:40 UTC by loon
Modified: 2011-09-08 11:19 UTC (History)
0 users

See Also:


Attachments
patch-4.42 (1.63 KB, text/plain)
2011-09-07 19:59 UTC, jhein
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description loon 2011-08-26 18:40:00 UTC
heap corruption vulnerability in versions 4.40 and 4.41 of strace.
It may possibly be leveraged to perform DoS or remote code execution attacks.

Fix: 

Update to 4.42 which is now available as of 8/18/2011
How-To-Repeat: N/A
Comment 1 Mark Linimon freebsd_committer 2011-08-26 18:40:54 UTC
Responsible Changed
From-To: freebsd-bugs->roam

Make this a ports PR and assign.
Comment 2 loon 2011-08-26 21:54:16 UTC
Would just like to make a correction the Description section i submitted:

heap corruption vulnerability in versions 4.40 and 4.41 of strace.
It may possibly be leveraged to perform DoS or remote code execution attacks.

should read

heap corruption vulnerability in versions 4.40 and 4.41 of stunnel.
It may possibly be leveraged to perform DoS or remote code execution attacks.

strace was on the mind at the time, sorry about that.
Comment 3 jkckforty 2011-08-27 03:34:02 UTC
jkckforty@hotmail.com

digger11
Comment 4 jhein 2011-09-07 19:59:33 UTC
I've been using 4.42 for a few days now without any problems - mostly
for accessing gmail's imaps service.

Here's the patch...
Comment 5 roam 2011-09-07 23:15:08 UTC
On Wed, Sep 07, 2011 at 12:59:33PM -0600, John Hein wrote:
> I've been using 4.42 for a few days now without any problems - mostly
> for accessing gmail's imaps service.
> 
> Here's the patch...


I am actually about to update the port to the just-released 4.43 :)
However, there is still a minor problem that I have to iron out;
it should be done by tomorrow.

Thanks for your work and your patience, and sorry for taking so long!

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net roam@FreeBSD.org peter@packetscale.com
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This sentence no verb.
Comment 6 dfilter freebsd_committer 2011-09-08 10:54:01 UTC
roam        2011-09-08 09:53:47 UTC

  FreeBSD ports repository

  Modified files:
    security/stunnel     Makefile distinfo 
    security/stunnel/files patch-doc::stunnel.8 
  Log:
  Update to stunnel-4.43 which is not vulnerable to the security
  problem described in the PR.
  
  PR:             160218
  Reported by:    Cory McIntire <loon@lolunix.org>
  
  Revision  Changes    Path
  1.104     +1 -1      ports/security/stunnel/Makefile
  1.59      +2 -2      ports/security/stunnel/distinfo
  1.2       +2 -2      ports/security/stunnel/files/patch-doc::stunnel.8
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 7 roam freebsd_committer 2011-09-08 11:19:04 UTC
State Changed
From-To: open->closed

Fixed by the update to stunnel-4.43.