stunnel 5.55-1 is now available in Cygwin. This release includes the following security fixes:
* Fixed a Windows local privilege escalation vulnerability caused by insecure OpenSSL cross-compilation defaults. Successful exploitation requires stunnel to be deployed as a Windows service, and a user-writable C:\ folder. This vulnerability was discovered and reported by Rich Mirch.
* OpenSSL DLLs updated to version 1.1.1c.

If you have stunnel installed, you should update to this release right away.

Please see the upstream changelog[1] for the full list of fixes and improvements since the previous Cygwin release, 5.50-1.

stunnel is a program that allows you to encrypt arbitrary TCP connections inside TLS (Transport Layer Security, the successor to Secure Sockets Layer (SSL)). stunnel can allow you to secure non-TLS-aware daemons and protocols (like POP, IMAP, LDAP, etc.) by having stunnel provide the encryption, requiring no changes to the daemon's code.

Andrew E. Schulman

[1] https://www.stunnel.org/ChangeLog.md.html

*******************************************************************

To update your installation, click on the "Install Cygwin now" link on the http://cygwin.com/ web page. This downloads setup.exe to your system. Then, run setup and answer all of the questions.
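The first fix above names two preconditions: stunnel running as a Windows service, and a user-writable C:\ folder. The following PowerShell check for both on a host is an added example, not part of the original announcement or of stunnel. It assumes that stunnel services can be found by a substring match on the service binary path and that looking only at Allow entries for four broad well-known SIDs is sufficient; it does not evaluate Deny entries or other group memberships.

```powershell
# Added example (not from the announcement): audit the two stated preconditions.
# Assumptions: system drive is C:\; "stunnel" appears in the service binary path.
$ErrorActionPreference = 'Stop'

# Well-known SIDs of broad, non-administrative principals (locale-independent).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow creating files or folders directly under a directory.
$createMask = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
              [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Precondition 1: stunnel deployed as a Windows service.
$services = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match 'stunnel' })

# Precondition 2: unprivileged principals may create files or folders in C:\.
# Entries are requested as SIDs so the check works on localized systems.
$acl   = Get-Acl -Path 'C:\'
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$writable = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broadSids.ContainsKey($_.IdentityReference.Value) -and
    (([int]$_.PropagationFlags -band $inheritOnly) -eq 0) -and   # applies to C:\ itself
    (([int]$_.FileSystemRights -band $createMask) -ne 0)
})

$services | Select-Object Name, StartName, PathName | Format-Table -AutoSize
$writable | Select-Object @{ n = 'Principal'; e = { $broadSids[$_.IdentityReference.Value] } },
                          FileSystemRights | Format-Table -AutoSize

if ($services.Count -gt 0 -and $writable.Count -gt 0) {
    Write-Warning 'stunnel runs as a service and C:\ is user-writable: update to the fixed release (5.55).'
} elseif ($services.Count -gt 0) {
    Write-Output 'stunnel service found; no broad create rights on C:\ among the checked SIDs.'
} else {
    Write-Output 'No service with "stunnel" in its binary path was found.'
}
```

Updating remains the fix; tightening the C:\ ACL only removes one precondition.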