CVE-2015-3644

Name: CVE-2015-3644
Description: Stunnel 5.00 through 5.13, when using the redirect option, does not redirect client connections to the expected server after the initial connection, which allows remote attackers to bypass authentication.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-3299-1
Debian Bugs: 785352

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
| --- | --- | --- | --- |
| stunnel4 (PTS) | jessie, jessie (lts) | 3:5.06-2+deb8u1 | fixed |
| | stretch | 3:5.39-2 | fixed |
| | buster | 3:5.50-3 | fixed |
| | bullseye | 3:5.56+dfsg-10 | fixed |
| | bookworm | 3:5.68-2+deb12u1 | fixed |
| | sid, trixie | 3:5.72-3 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
| --- | --- | --- | --- | --- | --- | --- |
| stunnel4 | source | squeeze | (not affected) | | | |
| stunnel4 | source | wheezy | (not affected) | | | |
| stunnel4 | source | jessie | 3:5.06-2+deb8u1 | | DSA-3299-1 | |
| stunnel4 | source | (unstable) | 3:5.18-1 | | | 785352 |

Notes

[wheezy] - stunnel4 <not-affected> (Affects 5.00 through 5.13 with specific configurations)
[squeeze] - stunnel4 <not-affected> (Affects 5.00 through 5.13 with specific configurations)
https://www.stunnel.org/CVE-2015-3644.html
