[stunnel-users] OpenSSL Vulnerabilities
Cal Webster
cwebster at ec.rr.com
Tue Apr 7 19:19:17 CEST 2009
Will there be a security update of stunnel to address vulnerabilities
outlined in CVE-2009-0590, CVE-2009-0591, and CVE-2009-0789?
Alternatively, will stunnel use updated OpenSSL libraries on the host?
It appears that this is true on Fedora RPM packages.
For Example:
ldd stunnel:
------------
libssl.so.7 => /lib64/libssl.so.7 (0x0000000006a3c000)
libcrypto.so.7 => /lib64/libcrypto.so.7 (0x0000000007954000)
------------
rpm -q --requires stunnel
-----------------------------------------
...
libcrypto.so.7
...
libssl.so.7
...
-----------------------------------------
rpm -ql openssl | egrep 'libcrypto.so.7|libssl.so.7'
-----------------------------------------
/lib/libcrypto.so.7
/lib/libssl.so.7
-----------------------------------------
However, I don't know how to determine whether the same dependency works
with Win32 dll's.
For example, could we install "Win32 OpenSSL v0.9.8k Light" from the
below link to resolve the vulnerabilities?
http://www.slproweb.com/download/Win32OpenSSL_Light-0_9_8k.exe
The description says that it "Installs the most commonly used essentials
of Win32 OpenSSL v0.9.8k" but it doesn't say exactly what.
Thanks for any insights or suggestions.
Cal Webster
More information about the stunnel-users
mailing list