| Summary: | openconnect new security issues CVE-2020-12105 and CVE-2020-12823 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, mageia, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | openconnect-8.05-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2020-05-14 22:39:51 CEST

David Walser
2020-05-14 22:40:05 CEST
Status comment: (none) => Fixed upstream in 8.09

Upstream has released 8.10 today (May 14), fixing CVE-2020-12823:
https://gitlab.com/openconnect/openconnect/-/blob/master/www/changelog.xml
Summary: openconnect new security issue CVE-2020-12105 => openconnect new security issues CVE-2020-12105 and CVE-2020-12823

Fixed for Cauldron!

For mga7 we need latest gnutls >= 3.6.13

configure: error: DTLS is insecure in GnuTLS v3.6.3 through v3.6.12.

Just patch out that configure check. We patched the DTLS issue in Bug 26444.
Whiteboard: MGA7TOO => (none)

Done for mga7!

Advisory:
========================

Updated openconnect packages fix security vulnerabilities:

OpenConnect through 8.08 mishandles negative return values from X509_check_ function calls, which might assist attackers in performing man-in-the-middle attacks (CVE-2020-12105).

OpenConnect 8.09 has a buffer overflow, causing a denial of service (application crash) or possibly unspecified other impact, via crafted certificate data to get_cert_name in gnutls.c (CVE-2020-12823).

The openconnect package has been updated to version 8.10, fixing these issues and other bugs. See the upstream changelog for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12823
http://www.infradead.org/openconnect/changelog.html
========================

Updated packages in core/updates_testing:
========================
openconnect-8.10-1.mga7
libopenconnect5-8.10-1.mga7
libopenconnect-devel-8.10-1.mga7

from openconnect-8.10-1.mga7.src.rpm
CC: (none) => geiger.david68210

MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 25803 for testing (I don't have access to a real VPN).
At CLI:
# openconnect <mydesktop>
POST https://<mydesktop>
Connected to 192.168.2.1:443
SSL negotiation with mach1
Server certificate verify failed: signer not found
Certificate from VPN server "mach1" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
--servercert pin-sha256:lQTW7XKLrPuHit3Kpdh+tTSYK/HmL+hr7gBymvEXpEo=
Enter 'yes' to accept, 'no' to abort; anything else to view:
Here I entered <Spacebar><Enter> and got next feedback:
X.509 Certificate Information:
Version: 1
Serial Number (hex): 00e3ee000a2bf5d3c8
Issuer: EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost
Validity:
Not Before: Sun Dec 29 13:19:18 UTC 2019
Not After: Mon Dec 28 13:19:18 UTC 2020
Subject: EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost
Subject Public Key Algorithm: RSA
Algorithm Security Level: Medium (2048 bits)
and more ......
Seems OK, but this is not a real test. If someone else can confirm at least a clean install, then go ahead and put the OK.
CC: (none) => herman.viaene

Debian-LTS has issued an advisory for CVE-2020-12823 on May 16:
https://www.debian.org/lts/security/2020/dla-2212

Every time I look into trying to use a vpn, my eyes start to hurt, and I have to think about something else for a while. But, I can at least confirm a clean install.

Giving this an OK, and validating. Advisory in Comment 5.
Whiteboard: (none) => MGA7-64-OK

Nicolas Lécureuil
2020-06-11 00:00:18 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0251.html
Status: NEW => RESOLVED
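The return-value contract behind CVE-2020-12105 in the advisory above, shown as an added example that is not OpenConnect's code: OpenSSL's X509_check_host() and X509_check_ip_asc() return 1 for a match, 0 for no match and a negative value on error or malformed input, so testing the result as a boolean lets an error pass as a match. The checkers are injected function pointers standing in for the OpenSSL calls, and the peer name and checker outcomes are constructed.

```c
#include <stdio.h>

/* Added example, not OpenConnect's code. It models the documented
 * return-value contract of OpenSSL's X509_check_ip_asc()/X509_check_host():
 *   1 = match, 0 = no match, -1 = internal error, -2 = malformed input.
 * The checkers are injected as function pointers so the logic runs
 * stand-alone without linking OpenSSL. */
typedef int (*name_check_fn)(const char *peer_name);

struct name_checks {
    name_check_fn check_ip;   /* stands in for X509_check_ip_asc() */
    name_check_fn check_host; /* stands in for X509_check_host()   */
};

/* Vulnerable pattern: the results are used as booleans, so -1 and -2
 * (error, malformed certificate data) count as a successful match. */
int peer_name_ok_vulnerable(const struct name_checks *c, const char *peer)
{
    if (c->check_ip(peer) || c->check_host(peer))
        return 1;                     /* bug: also true for negatives */
    return 0;
}

/* Corrected pattern: only an explicit 1 is a match; a negative result
 * is reported and ends verification as a failure, never as a match. */
int peer_name_ok_fixed(const struct name_checks *c, const char *peer)
{
    int rc = c->check_ip(peer);
    if (rc == 1)
        return 1;
    if (rc == 0)
        rc = c->check_host(peer);
    if (rc < 0) {
        fprintf(stderr, "certificate name check error %d for %s\n", rc, peer);
        return 0;
    }
    return rc == 1;
}

/* Constructed checker outcomes standing in for real certificate data. */
static int rc_match(const char *p)     { (void)p; return 1; }
static int rc_no_match(const char *p)  { (void)p; return 0; }
static int rc_error(const char *p)     { (void)p; return -1; }
static int rc_malformed(const char *p) { (void)p; return -2; }

const struct name_checks CASE_MATCH     = { rc_no_match, rc_match };
const struct name_checks CASE_NO_MATCH  = { rc_no_match, rc_no_match };
const struct name_checks CASE_ERROR     = { rc_no_match, rc_error };
const struct name_checks CASE_MALFORMED = { rc_malformed, rc_no_match };
```

For the error and malformed cases the vulnerable check accepts the peer while the corrected one rejects it; both agree on the plain match and no-match cases.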