Replacing openssl and the certs should be an effective patch. You can always check by running ldd against the stunnel binary to confirm it is linking to a specific SSL library.
There is also some consideration that you must assume systems were compromised and snooped and change all passwords as well...

Regards,
KAM
Koenraad Lelong stunnel@ace-electronics.be wrote:
On 10-04-14 12:15, Koenraad Lelong wrote:
On 08-04-14 16:58, Burak Say wrote:
Hello,
When do you think you can release a patch to use OpenSSL 1.0.1g instead of 1.0.1f?
Hi,
I would like to know if I'm safe when I installed the latest openssl-libraries coming from ubuntu (for 12.04LTS). Or do I need to update stunnel also? The ubuntu package for the latest stunnel seems unavailable right now.
Regards,
Koenraad.
I just thought of looking in the package-manager. This says stunnel depends on libssl1.0.0 (installed 1.0.1-4ubuntu5.12) and on openssl (installed 1.0.1-4ubuntu5.12). So I presume I can generate new certificates.
Koenraad.
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
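
The ldd check suggested in the reply above, as an added example that is not part of the original thread or of stunnel itself: it lists the shared OpenSSL libraries a binary links to and flags a running process that still maps the old, replaced library and so needs a restart. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Constructed sample of `ldd` output for a dynamically linked stunnel binary.
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff0000)
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f1000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2000)'

# Constructed sample of /proc/PID/maps lines after the library package was upgraded.
SAMPLE_MAPS='7f10a000-7f10f000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f10f000-7f110000 rw-p 00005000 08:01 1311 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f200000-7f3b0000 r-xp 00000000 08:01 1402 /lib/x86_64-linux-gnu/libc-2.15.so'

# Print the libssl/libcrypto paths found in `ldd` output read on stdin.
# No output means no shared OpenSSL: the binary may be statically linked,
# so replacing the system library alone would not change what it runs.
ssl_libs_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $3 }'
}

# Print libssl/libcrypto paths marked "(deleted)" in /proc/PID/maps content
# read on stdin. Such a process is still running the pre-upgrade library.
stale_ssl_maps() {
    awk '/lib(ssl|crypto)\.so/ && /\(deleted\)$/ { print $6 }' | sort -u
}

# Report on a binary and, optionally, a running PID.
check_stunnel() {
    bin=$1 pid=${2:-}
    libs=$(ldd "$bin" 2>/dev/null | ssl_libs_from_ldd)
    if [ -z "$libs" ]; then
        echo "$bin: no shared libssl/libcrypto found (static build?)"
    else
        echo "$bin links to:"; echo "$libs" | sed 's/^/  /'
    fi
    if [ -n "$pid" ] && [ -r "/proc/$pid/maps" ]; then
        stale=$(stale_ssl_maps < "/proc/$pid/maps")
        if [ -n "$stale" ]; then
            echo "PID $pid still maps a replaced library (restart it): $stale"
        fi
    fi
    return 0
}

# Usage: sh check.sh /path/to/stunnel [PID]
if [ $# -gt 0 ]; then check_stunnel "$@"; fi
```

The library path shows which file is loaded, not whether the distribution has backported a fix into it, so confirm the installed package version with the package manager as well.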