CVE-2015-3644

Name: CVE-2015-3644
Description: Stunnel 5.00 through 5.13, when using the redirect option, does not redirect client connections to the expected server after the initial connection, which allows remote attackers to bypass authentication.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-3299-1
NVD severity: medium (attack range: remote)
Debian Bugs: 785352

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                    Version           Status
stunnel4 (PTS)   wheezy                     3:4.53-1.1        fixed
                 jessie (security), jessie  3:5.06-2+deb8u1   fixed
                 stretch                    3:5.39-2          fixed
                 buster, sid                3:5.44-1          fixed

The information below is based on the following data on fixed versions.

Package   Type    Release      Fixed Version     Urgency   Origin       Debian Bugs
stunnel4  source  (unstable)   3:5.18-1          medium                 785352
stunnel4  source  jessie       3:5.06-2+deb8u1   medium    DSA-3299-1
stunnel4  source  squeeze      (not affected)
stunnel4  source  wheezy       (not affected)

Notes

[wheezy] - stunnel4 <not-affected> (Affects 5.00 through 5.13 with specific configurations)
[squeeze] - stunnel4 <not-affected> (Affects 5.00 through 5.13 with specific configurations)
https://www.stunnel.org/CVE-2015-3644.html
