[SECURITY] stunnel 5.55-1

[SECURITY] stunnel 5.55-1

[Andrew Schulman]

stunnel 5.55-1 is now available in Cygwin. This release includes the
following security fixes:

* Fixed a Windows local privilege escalation vulnerability caused insecure
OpenSSL cross-compilation defaults. Successful exploitation requires
stunnel to be deployed as a Windows service, and user-writable C:\ folder.
This vulnerability was discovered and reported by Rich Mirch.

* OpenSSL DLLs updated to version 1.1.1c.

If you have stunnel installed, you should update to this release right
away. Please see the upstream changelog[1] for the full list of fixes and
improvements since the previous Cygwin release, 5.50-1.

stunnel is a program that allows you to encrypt arbitrary TCP connections
inside TLS (Transport Layer Security, the successor to Secure Sockets Layer
(SSL)).  stunnel can allow you to secure non-TLS-aware daemons and
protocols (like POP, IMAP, LDAP, etc) by having stunnel provide the
encryption, requiring no changes to the daemon's code.

Andrew E. Schulman

[1]https://www.stunnel.org/ChangeLog.md.html


*******************************************************************


To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.

              *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:

cygwin-announce-unsubscribe-you=yourdomain.com_at_cygwin.com

If you need more information on unsubscribing, start reading here:

http://cygwin.com/lists.html#subscribe-unsubscribe

Please read *all* of the information on unsubscribing that is available
starting at this URL.