Bug 25803

Summary: openconnect new security issue CVE-2019-16239
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, joselp, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: openconnect-8.02-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-12-03 18:52:20 CET 
openSUSE has issued an advisory on October 27:
https://lists.opensuse.org/opensuse-updates/2019-10/msg00154.html

The issue is fixed upstream in 8.05.
Comment 1 David Walser 2019-12-03 20:11:44 CET 
Updated package uploaded by David.

Advisory:
========================

Updated openconnect packages fix security vulnerability:

Buffer overflow when a malicious server uses HTTP chunked encoding with crafted
chunk sizes (CVE-2019-16239).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16239
https://lists.opensuse.org/opensuse-updates/2019-10/msg00154.html
========================

Updated packages in core/updates_testing:
========================
openconnect-8.05-1.mga7
libopenconnect5-8.05-1.mga7
libopenconnect-devel-8.05-1.mga7

from openconnect-8.05-1.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 2 Jose Manuel López 2019-12-04 13:38:51 CET 
I have tried install. All ok in Mga 7 Virtualbox x64

CC: (none) => joselp

Comment 3 Herman Viaene 2019-12-05 16:50:37 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.
No experience with VPN
try command anyway (feedback translated fom Dutch):

# openconnect <mydesktop>
POST https://<mydesktop>
Conneted with xxx.yyy.z1.z2:443 (this PC has port 443 open)
SSL align (or tune?) with <mydesktop>
Servercertificaat verificatie failed: subscriber not found

Certificate of VPN-server "<mydesktop>" verification failed.
Reason: subscriber not found
To trust this server in future, you can add this to your command line:
    --servercert pin-sha256:cRXAHq/hyCizsPFP/bbZHe5uS4dL8OfiUr19M0exc7k=
Input 'ja' to accept, 'no' to abort; something else to check: 
X.509 Certificate Information:
        Version: 1
        Serial Number (hex): 0086605022d2ea660f
        Issuer: EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost
and more info on the signature
That's as far as I go.

CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2020-01-03 21:26:43 CET 
No experience with VPNs here, either. Looked into it a bit with regard to free VPN servers, and all that I found seem to use a different package to set up connections. Further exploration is beyond me.

OKing this based on two clean installs.

Validating. Advisory in Comment 1.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-01-05 12:40:30 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-01-05 16:39:44 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0005.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED