CVE-2013-1762

Published: 8 March 2013

stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM authentication are enabled, does not correctly perform integer conversion, which allows remote proxy servers to execute arbitrary code via a crafted request that triggers a buffer overflow.

Priority

Status

Package	Release	Status
stunnel4 Launchpad, Ubuntu, Debian	hardy	Ignored (end of life)
	lucid	Released (3:4.29-1+squeeze1build0.10.04.1)
	oneiric	Ignored (end of life)
	precise	Released (3:4.42-1ubuntu0.1)
	quantal	Released (3:4.53-1ubuntu0.1)
	raring	Ignored (end of life)
	saucy	Not vulnerable (3:4.53-1.1)
	upstream	Released (4.55,3:4.53-1.1)

References

https://www.stunnel.org/CVE-2013-1762.html
https://www.cve.org/CVERecord?id=CVE-2013-1762
NVD
Launchpad
Debian

Bugs

https://bugs.launchpad.net/ubuntu/+source/stunnel4/+bug/1150150
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702267

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›