Package: stunnel4
Version: 3:4.29-1
Severity: important

If stunnel is used in client mode, it does not verify that the hostname of the destination host actually matches the common name in the certificate that host presents. This makes man-in-the-middle (MITM) attacks much easier, because an attacker could use a valid certificate for one of their own domains, signed by a trusted CA, to impersonate any destination host.
This does not affect verify level 3, because only specific host certificates are allowed at this level.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages stunnel4 depends on:
ii  adduser        3.112     add and remove users and groups
ii  libc6          2.10.2-6  Embedded GNU C Library: Shared lib
ii  libssl0.9.8    0.9.8k-8  SSL shared libraries
ii  libwrap0       7.6.q-18  Wietse Venema's TCP wrappers libra
ii  netbase        4.40      Basic TCP/IP networking system
ii  openssl        0.9.8k-8  Secure Socket Layer (SSL) binary a
ii  perl-modules   5.10.1-11 Core Perl modules

stunnel4 recommends no packages.

Versions of packages stunnel4 suggests:
pn  logcheck-database  <none>  (no description available)

-- no debconf information
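The check the report says stunnel's client mode skips, as an added example that is not stunnel's code: a hostname matcher in the style of RFC 2818 / RFC 6125, applied to certificates in the dict layout Python's ssl.getpeercert() returns. The two certificates (a CA-signed one for an attacker-controlled name and the legitimate wildcard one) are constructed for the demonstration.

```python
import ipaddress

def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly '*.example.net') against hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard rules: only the leftmost label, only as the whole label, never a
    # bare TLD such as '*.com', and never spanning more than one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def peer_cert_matches(cert: dict, hostname: str) -> bool:
    """True only if the certificate was issued for `hostname`.

    `cert` uses the layout of ssl.SSLSocket.getpeercert():
    {'subject': ((('commonName', 'x'),),), 'subjectAltName': (('DNS', 'x'), ...)}
    """
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal must appear as an iPAddress SAN; the CN never counts.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        # dNSName entries present: the CN is ignored entirely.
        return any(_dns_name_matches(n, hostname) for n in dns_names)
    # Legacy fallback: no dNSName, so compare against the subject commonName(s).
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(cn, hostname) for cn in cns)

# Constructed certificates. Both chain to a trusted CA, so a client that only
# validates the chain (the behaviour the report describes) accepts either one.
ATTACKER_CERT = {"subject": ((("commonName", "attacker.example"),),),
                 "subjectAltName": (("DNS", "attacker.example"),)}
LEGIT_CERT = {"subject": ((("commonName", "mail.example.net"),),),
              "subjectAltName": (("DNS", "*.example.net"),)}

if __name__ == "__main__":
    for cert in (ATTACKER_CERT, LEGIT_CERT):
        print(cert["subject"], "->", peer_cert_matches(cert, "mail.example.net"))
```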