CVE-2014-0016

NameCVE-2014-0016
Descriptionstunnel before 5.00, when using fork threading, does not properly update the state of the OpenSSL pseudo-random number generator (PRNG), which causes subsequent children with the same process ID to use the same entropy pool and allows remote attackers to obtain private keys for EC (ECDSA) or DSA certificates.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
stunnel4 (PTS)jessie, jessie (lts)3:5.06-2+deb8u1fixed
stretch3:5.39-2fixed
buster3:5.50-3fixed
bullseye3:5.56+dfsg-10fixed
bookworm3:5.68-2+deb12u1fixed
sid, trixie3:5.72-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
stunnel4source(unstable)(not affected)

Notes

- stunnel4 <not-affected> (Debian package compiled with --with-threads=pthread)
Search for package or bug name: Reporting problems