CVE-2014-0016

Name	CVE-2014-0016
Description	stunnel before 5.00, when using fork threading, does not properly update the state of the OpenSSL pseudo-random number generator (PRNG), which causes subsequent children with the same process ID to use the same entropy pool and allows remote attackers to obtain private keys for EC (ECDSA) or DSA certificates.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
stunnel4 (PTS)	bullseye	3:5.56+dfsg-10	fixed
	bookworm	3:5.68-2+deb12u1	fixed
	sid, trixie	3:5.73-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
stunnel4	source	(unstable)	(not affected)

- stunnel4 <not-affected> (Debian package compiled with --with-threads=pthread)