GLSA-201408-14 : stunnel: Information disclosure

Medium Nessus Plugin ID 77458


The remote Gentoo host is missing one or more security-related patches.


The remote host is affected by the vulnerability described in GLSA-201408-14 (stunnel: Information disclosure).

stunnel does not properly update the state of the pseudo-random generator after fork-threading, so subsequent child processes that receive the same process ID use the same entropy pool. ECDSA and DSA keys, when not used in deterministic mode (RFC 6979), depend on fresh random data for their k parameter; a repeated k leaks private key information.

Impact:

A remote attacker may gain access to private key information from ECDSA or DSA keys.

Workaround:

There is no known workaround at this time.
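The post-fork reseeding problem described above, as an added example that is not stunnel's or OpenSSL's code: a toy entropy pool (a SHA-256 state that, as a simplification, leaves the process ID out of its output, standing in for the case where two children end up with the same PID) is inherited by two forked children. Without a reseed both children emit the same nonce bytes; mixing fresh OS entropy and the PID into the pool inside the child, the remediation approach the toy `reseed_after_fork` takes, makes them differ. The class and function names are constructed for this illustration.

```python
import hashlib
import os
import struct


class ToyPool:
    """Toy entropy pool: a hash state stretched into 32-byte output blocks.

    Models the behaviour the advisory describes: the pool state is copied
    verbatim into every forked child, and nothing in the child changes it.
    The process ID is deliberately NOT mixed into the output, which is the
    same situation as two children sharing one PID.
    """

    def __init__(self, seed: bytes) -> None:
        self.state = seed
        self.counter = 0

    def next_bytes(self) -> bytes:
        # Each call ratchets the state forward; children inherit the counter too.
        self.counter += 1
        self.state = hashlib.sha256(self.state + struct.pack(">Q", self.counter)).digest()
        return self.state

    def reseed_after_fork(self) -> None:
        # Remediation: fold fresh kernel entropy and the child's PID into the state.
        self.state = hashlib.sha256(
            self.state + os.urandom(32) + struct.pack(">I", os.getpid())
        ).digest()


def child_nonce(pool: ToyPool, reseed: bool) -> bytes:
    """Fork; the child draws one nonce from its copy of the pool and sends it back."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: optionally reseed, emit a nonce, exit without returning
        os.close(rfd)
        if reseed:
            pool.reseed_after_fork()
        os.write(wfd, pool.next_bytes())
        os._exit(0)
    os.close(wfd)
    nonce = os.read(rfd, 32)  # a 32-byte pipe write is atomic, so one read suffices
    os.close(rfd)
    os.waitpid(pid, 0)
    return nonce


def nonces_collide(reseed: bool) -> bool:
    """True if two children forked from the same parent state produce the same nonce."""
    pool = ToyPool(os.urandom(32))  # parent seeds once, never advances between forks
    return child_nonce(pool, reseed) == child_nonce(pool, reseed)
```

For a signature scheme that uses the nonce as DSA/ECDSA's k, the `reseed=False` case means two signatures over different messages share k, which is exactly the condition the advisory warns exposes the private key.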


All stunnel users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose '>=net-misc/stunnel-5.02'

Plugin Details

Severity: Medium

ID: 77458

File Name: gentoo_GLSA-201408-14.nasl

Version: $Revision: 1.3 $

Type: local

Published: 2014/08/30

Modified: 2016/05/12

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:stunnel, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2014/08/29

Reference Information

CVE: CVE-2014-0016

BID: 65964

GLSA: 201408-14