Hi Peter, Moritz, all,

On Thu, Mar 06, 2014 at 05:41:54PM +0200, Peter Pentchev wrote:
> package stunnel4
> owner 740802 !
> tag 740802 + pending
> kthxbye
>
> Hi,
>
> Thanks for reporting this! I saw it independently in Michal Trojnara's
> announcement of stunnel-5.00, but it's good to have it in the BTS, too.
>
> I've backported the fix from stunnel-5.00 to the Git repository of the
> Debian package of stunnel, it will be part of the next upload that will
> happen soon (once I clean up the packaging a bit more, update to a more
> recent upstream release and put a package up for sponsoring).
>
> However, I think that in this particular case we may demote the bug's
> severity a bit - although it does pose a serious problem for stunnel
> used in the fork model, the Debian package uses the pthreads model and
> is thus not affected at all by the bug or the fix. Would you agree with
> this assessment?
>
> I've added the patch anyway for the benefit of people who use the Debian
> source package as a baseline for building their own instances of
> stunnel. With the above in mind, should I build a package of stunnel
> as-is in the Git repository right now (still needs a bit more cleanup,
> quite outdated version, etc) and put it up for sponsorship with a high
> urgency, or should I change the bug's severity and upload the
> "refreshed" stunnel package in a couple of days?
I agree, you can downgrade the severity for this. As you say, stunnel4 in Debian is configured with --with-threads=pthread, so not with the fork model. This affects only users who are going to build a custom binary package with changed configure settings; we usually count this as "not-affected" (security-tracker is now updated[1]).

[1] https://security-tracker.debian.org/tracker/CVE-2014-0016

Hope that helps,

Regards,
Salvatore
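The thread turns on which threading model an stunnel binary was built with: the Debian package is built with --with-threads=pthread and is not affected, while a custom build using the fork model is. The following shell script is an added example, not part of this thread or of the stunnel or Debian packaging, that classifies a build by the `Threading:` token in its `stunnel -version` banner; the banner layout and the sample banners are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: classify an stunnel build by the threading model it reports.
# Assumption: `stunnel -version` prints a token of the form "Threading:<MODEL>"
# (FORK, PTHREAD, ...) in its banner; adjust the pattern if your build differs.

# Print the threading model found in banner text read from stdin.
threading_model() {
    sed -n 's/.*Threading:\([A-Za-z]*\).*/\1/p' | head -n 1
}

# Return 0 (affected: fork model) or 1 (pthread or unknown model) for a banner string.
fork_model_affected() {
    model=$(printf '%s\n' "$1" | threading_model)
    case "$model" in
        FORK) return 0 ;;
        *)    return 1 ;;
    esac
}

# Constructed banners standing in for real `stunnel -version` output.
DEBIAN_BANNER='stunnel 4.NN on x86_64-pc-linux-gnu platform (constructed sample)
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD SSL:ENGINE,OCSP Auth:LIBWRAP Sockets:POLL,IPv6'

CUSTOM_BANNER='stunnel 4.NN on x86_64-pc-linux-gnu platform (constructed sample)
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:FORK SSL:ENGINE,OCSP Auth:LIBWRAP Sockets:POLL,IPv6'

# Live check against an installed binary, if one is present.
# Returns 0 if the installed build uses the fork model, 1 if not, 2 if absent.
check_installed() {
    if command -v stunnel4 >/dev/null 2>&1; then
        banner=$(stunnel4 -version 2>&1)
    elif command -v stunnel >/dev/null 2>&1; then
        banner=$(stunnel -version 2>&1)
    else
        echo "stunnel not installed"; return 2
    fi
    if fork_model_affected "$banner"; then
        echo "fork model: affected build"; return 0
    fi
    echo "threading model $(printf '%s\n' "$banner" | threading_model): not affected"
    return 1
}
```

Run `check_installed` on a host to see which case the installed binary falls into; the constructed banners show both outcomes offline.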