[go: up one dir, main page]
|
|
Log in / Subscribe / Register

stunnel: private key leak

Package(s):stunnel CVE #(s):CVE-2014-0016
Created:April 1, 2014 Updated:March 29, 2015
Description: From the Mageia advisory:

A flaw was found in the way stunnel, a socket wrapper which can provide SSL support to ordinary applications, performed (re)initialization of PRNG after fork. When accepting a new connection, the server forks and the child process handles the request. The RAND_bytes() function of openssl doesn't reset its state after the fork, but seeds the PRNG with the output of time(NULL). The most important consequence is that servers using EC (ECDSA) or DSA certificates may under certain conditions leak their private key.

Alerts:
Mandriva MDVSA-2015:096 stunnel 2015-03-28
Gentoo 201408-14 stunnel 2014-08-29
Mageia MGASA-2014-0144 stunnel 2014-03-31
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds