Security update for stunnel SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0409-1 Final 1 1 2021-03-14T14:10:42Z current 2021-03-14T14:10:42Z 2021-03-14T14:10:42Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for stunnel This update for stunnel fixes the following issues: - Security fix: [bsc#1177580, bsc#1182529, CVE-2021-20230] * 'redirect' option does not properly handle 'verifyChain = yes' This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-409 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XVLGFTQ3NKK4IRG4YXB6DPOVNR7D5IAU/ E-Mail link for openSUSE-SU-2021:0409-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1177580 SUSE Bug 1177580 https://bugzilla.suse.com/1182529 SUSE Bug 1182529 https://www.suse.com/security/cve/CVE-2021-20230/ SUSE CVE CVE-2021-20230 page openSUSE Leap 15.2 stunnel-5.57-lp152.2.6.1 stunnel-doc-5.57-lp152.2.6.1 stunnel-5.57-lp152.2.6.1 as a component of openSUSE Leap 15.2 stunnel-doc-5.57-lp152.2.6.1 as a component of openSUSE Leap 15.2 A flaw was found in stunnel before 5.57, where it improperly validates client certificates when it is configured to use both redirect and verifyChain options. This flaw allows an attacker with a certificate signed by a Certificate Authority, which is not the one accepted by the stunnel server, to access the tunneled service instead of being redirected to the address specified in the redirect option. The highest threat from this vulnerability is to confidentiality. CVE-2021-20230 openSUSE Leap 15.2:stunnel-5.57-lp152.2.6.1 openSUSE Leap 15.2:stunnel-doc-5.57-lp152.2.6.1 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XVLGFTQ3NKK4IRG4YXB6DPOVNR7D5IAU/ https://www.suse.com/security/cve/CVE-2021-20230.html CVE-2021-20230 https://bugzilla.suse.com/1177580 SUSE Bug 1177580 https://bugzilla.suse.com/1182529 SUSE Bug 1182529