Will there be a security update of stunnel to address vulnerabilities outlined in CVE-2009-0590, CVE-2009-0591, and CVE-2009-0789?
Alternatively, will stunnel use updated OpenSSL libraries on the host?
It appears that this is true on Fedora RPM packages.
For example:
ldd stunnel:
------------
libssl.so.7 => /lib64/libssl.so.7 (0x0000000006a3c000)
libcrypto.so.7 => /lib64/libcrypto.so.7 (0x0000000007954000)
------------

rpm -q --requires stunnel
-----------------------------------------
...
libcrypto.so.7
...
libssl.so.7
...
-----------------------------------------

rpm -ql openssl | egrep 'libcrypto.so.7|libssl.so.7'
-----------------------------------------
/lib/libcrypto.so.7
/lib/libssl.so.7
-----------------------------------------
However, I don't know how to determine whether the same dependency works with Win32 DLLs.
For example, could we install "Win32 OpenSSL v0.9.8k Light" from the below link to resolve the vulnerabilities?
http://www.slproweb.com/download/Win32OpenSSL_Light-0_9_8k.exe
The description says that it "Installs the most commonly used essentials of Win32 OpenSSL v0.9.8k" but it doesn't say exactly what.
Thanks for any insights or suggestions.
Cal Webster