← Back to CVEs
CVE-2014-0016
N/ADescription
stunnel before 5.00, when using fork threading, does not properly update the state of the OpenSSL pseudo-random number generator (PRNG), which causes subsequent children with the same process ID to use the same entropy pool and allows remote attackers to obtain private keys for EC (ECDSA) or DSA certificates.
CVE Details
CVSS v3.1 ScoreN/A
Published3/24/2014
Last Modified4/12/2025
Sourcenvd
Honeypot Sightings0
Affected Products
stunnel:stunnel
Weaknesses (CWE)
CWE-332
References
http://www.openwall.com/lists/oss-security/2014/03/05/1(secalert@redhat.com)
http://www.securityfocus.com/bid/65964(secalert@redhat.com)
https://bugzilla.redhat.com/attachment.cgi?id=870826&action=diff(secalert@redhat.com)
https://bugzilla.redhat.com/show_bug.cgi?id=1072180(secalert@redhat.com)
https://www.stunnel.org/sdf_ChangeLog.html(secalert@redhat.com)
http://www.openwall.com/lists/oss-security/2014/03/05/1(af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/65964(af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/attachment.cgi?id=870826&action=diff(af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=1072180(af854a3a-2127-422b-91ae-364da2661108)
https://www.stunnel.org/sdf_ChangeLog.html(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.