Will there be a security update of stunnel to address vulnerabilities outlined in CVE-2009-0590, CVE-2009-0591, and CVE-2009-0789?
Alternatively, will stunnel use updated OpenSSL libraries on the host?
It appears that this is true on Fedora RPM packages.
For Example:
ldd stunnel:
------------
libssl.so.7 => /lib64/libssl.so.7 (0x0000000006a3c000)
libcrypto.so.7 => /lib64/libcrypto.so.7 (0x0000000007954000)
------------

rpm -q --requires stunnel
-----------------------------------------
...
libcrypto.so.7
...
libssl.so.7
...
-----------------------------------------

rpm -ql openssl | egrep 'libcrypto.so.7|libssl.so.7'
-----------------------------------------
/lib/libcrypto.so.7
/lib/libssl.so.7
-----------------------------------------
However, I don't know how to determine whether the same dependency works with Win32 dll's.
For example, could we install "Win32 OpenSSL v0.9.8k Light" from the below link to resolve the vulnerabilities?
http://www.slproweb.com/download/Win32OpenSSL_Light-0_9_8k.exe
The description says that it "Installs the most commonly used essentials of Win32 OpenSSL v0.9.8k" but it doesn't say exactly what.
Thanks for any insights or suggestions.
Cal Webster
On Tue, Apr 07, 2009 at 01:19:17PM -0400, Cal Webster wrote:
> Will there be a security update of stunnel to address vulnerabilities outlined in CVE-2009-0590, CVE-2009-0591, and CVE-2009-0789?
> Alternatively, will stunnel use updated OpenSSL libraries on the host?
> It appears that this is true on Fedora RPM packages.
This is true in any *nix system.
> However, I don't know how to determine whether the same dependency works with Win32 dll's.
This *should* work, as that is pretty much the whole point of shared libraries. I have no actual knowledge of windows DLLs, though, so there might be some obscure reason why it does not. I would recommend you trace (somehow) exactly what on-disk DLLs stunnel is loading and make sure your update replaces those.
On Tue, 2009-04-07 at 11:11 -0700, Rodrigo Gallardo wrote:
> On Tue, Apr 07, 2009 at 01:19:17PM -0400, Cal Webster wrote:
> > Will there be a security update of stunnel to address vulnerabilities outlined in CVE-2009-0590, CVE-2009-0591, and CVE-2009-0789?
> > Alternatively, will stunnel use updated OpenSSL libraries on the host?
> > It appears that this is true on Fedora RPM packages.
> This is true in any *nix system.
Well, it *should* be true of any *modern* Unix/Linux system, provided the OpenSSL libraries are dynamically linked. Some applications are statically linked so they would not reference new libraries in that case. I can't afford to assume much where I work. We have OS's as far back as AT&T Unix System IV.
> > However, I don't know how to determine whether the same dependency works with Win32 dll's.
> This *should* work, as that is pretty much the whole point of shared libraries. I have no actual knowledge of windows DLLs, though, so there might be some obscure reason why it does not. I would recommend you trace (somehow) exactly what on-disk DLLs stunnel is loading and make sure your update replaces those.
I finally figured it out on my own. The following is for the benefit of anyone else following this thread.
The OpenSSL libraries that Win32 Stunnel 4.26 uses are placed in the install directory, C:\Program Files\stunnel by default. The file properties do not contain any version information like most DLL's. However, I was able to determine the version from the stunnel log.
A look in the stunnel log (if it's configured) will show something like this:
2009.03.10 15:40:43 LOG5[1240:1236]: stunnel 4.26 on x86-pc-mingw32-gnu with OpenSSL 0.9.8i 15 Sep 2008
To update the OpenSSL libraries you must download and install two programs:
"Microsoft Visual C++ 2008 Redistributables" - vcredist_x86.exe http://www.microsoft.com/downloads/details.aspx?FamilyID=9b2da534-3e03-4391-...
"Win32 OpenSSL v0.9.8k Light" - Win32OpenSSL_Light-0_9_8k.exe http://www.slproweb.com/products/Win32OpenSSL.html
After installing OpenSSL Light you need to copy the two DLL's libeay32.dll and libssl32.dll from C:\OpenSSL, where the installer puts them, into the stunnel install directory to replace the originals. At this point you can uninstall OpenSSL unless you've got something else you need it for. If you don't replace the older versions in the stunnel install dir the new libraries will not be used.
Do not uninstall the Visual C++ Redistributables, though. The new OpenSSL libraries need MSVCR90.dll that it provides.
After a restart and starting the stunnel service you can check the log again to see that it's using the new libraries. You should see an entry like this:
2009.04.07 19:03:01 LOG5[700:476]: stunnel 4.26 on x86-pc-mingw32-gnu with OpenSSL 0.9.8k 25 Mar 2009
Cheers!
Cal
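As an added example that is not part of this thread, here is a small Python check that applies the log-banner method Cal describes: it parses the stunnel startup line for the OpenSSL version and flags anything older than 0.9.8k, taking care that old-style patch letters ("0.9.8i" before "0.9.8k") compare correctly. The sample log lines are constructed around the two banners quoted above; the regex shape, the `Banner` names and the 0.9.8k minimum are assumptions.

```python
import re
from typing import NamedTuple, Optional

# stunnel logs a banner like the one quoted in the thread at startup (LOG5).
# Assumption: this regex covers that banner shape and nothing else is parsed.
BANNER_RE = re.compile(
    r"stunnel (?P<stunnel>\S+) on (?P<platform>\S+) with OpenSSL "
    r"(?P<openssl>\d+\.\d+\.\d+[a-z]*)"
)
# Minimum OpenSSL release carrying the fixes discussed in the thread.
MIN_OPENSSL = "0.9.8k"

class Banner(NamedTuple):
    stunnel: str
    platform: str
    openssl: str

def parse_banner(line: str) -> Optional[Banner]:
    """Extract stunnel/platform/OpenSSL versions from a startup line, else None."""
    m = BANNER_RE.search(line)
    if not m:
        return None
    return Banner(m.group("stunnel"), m.group("platform"), m.group("openssl"))

def openssl_key(version: str) -> tuple:
    """Sort key for old-style OpenSSL versions: numbers first, then the patch
    letter, so '0.9.8' < '0.9.8a' < '0.9.8k' (letters compare alphabetically)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)

def outdated_openssl(log_lines, minimum=MIN_OPENSSL):
    """Return the OpenSSL version from the most recent banner if it is older
    than `minimum`; None if it is current or no banner was found."""
    last = None
    for line in log_lines:
        b = parse_banner(line)
        if b:
            last = b  # the latest banner reflects the currently loaded DLLs
    if last is None:
        return None
    return last.openssl if openssl_key(last.openssl) < openssl_key(minimum) else None

# Constructed sample log: the banner is the one quoted above, the second line is made up.
SAMPLE_LOG = [
    "2009.03.10 15:40:43 LOG5[1240:1236]: stunnel 4.26 on x86-pc-mingw32-gnu with OpenSSL 0.9.8i 15 Sep 2008",
    "2009.03.10 15:40:44 LOG5[1240:1236]: Configuration successful",
]
```

Run `outdated_openssl(SAMPLE_LOG)` against the log; once the DLLs have been replaced and the service restarted, the post-update banner makes it return None.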