| Summary: | openconnect new security issue CVE-2012-3291 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | balcaen.john, derekjenn, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| Whiteboard: | MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK | | |
| Source RPM: | openconnect-3.15-2.mga2.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2012-06-18 20:42:23 CEST

David Walser
2012-06-18 20:42:41 CEST
CC: (none) => balcaen.john

John has built an update for Mageia 2. Cauldron and Mageia 1 still pending.

Built so far:
openconnect-3.15-2.1.mga2
libopenconnect1-3.15-2.1.mga2
libopenconnect-devel-3.15-2.1.mga2

from openconnect-3.15-2.1.mga2.src.rpm

Now built for Cauldron and Mageia 1. Per John's instructions, waiting for confirmation from Jehane that they work before pushing to QA.

Built for Mageia 1:
openconnect-3.02-1.1.mga1
openconnect-static-devel-3.02-1.1.mga1

from openconnect-3.02-1.1.mga1.src.rpm

Version: Cauldron => 2

Jehane doesn't have access to Mageia 1 now, so pushing to QA.

Advisory:
========================

Updated openconnect packages fix security vulnerability:

Heap-based buffer overflow in OpenConnect before 3.18 allows remote servers to cause a denial of service via a crafted greeting banner (CVE-2012-3291).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3291
http://www.infradead.org/openconnect/changelog.html
http://www.debian.org/security/2012/dsa-2495
========================

Updated packages in core/updates_testing:
========================
openconnect-3.02-1.1.mga1
openconnect-static-devel-3.02-1.1.mga1
openconnect-3.15-2.1.mga2
libopenconnect1-3.15-2.1.mga2
libopenconnect-devel-3.15-2.1.mga2

from SRPMS:
openconnect-3.02-1.1.mga1.src.rpm
openconnect-3.15-2.1.mga2.src.rpm

Assignee: bugsquad => qa-bugs

In the absence of an Anyconnect server to try this out with, the only testing I can do is to try to connect to an Anyconnect server on the internet and get as far as the username/password challenge.

```
# /usr/sbin/openconnect anyconnect.bathspa.ac.uk
Attempting to connect to 194.81.81.15:443
SSL negotiation with anyconnect.bathspa.ac.uk
Connected to HTTPS on anyconnect.bathspa.ac.uk
GET https://anyconnect.bathspa.ac.uk/
Got HTTP response: HTTP/1.0 302 Object Moved
SSL negotiation with anyconnect.bathspa.ac.uk
Connected to HTTPS on anyconnect.bathspa.ac.uk
GET https://anyconnect.bathspa.ac.uk/+webvpn+/index.html
Please enter your username and password.
Username:
```

validated on mga2 x86_64

CC: (none) => derekjenn

validated on mga1-64, mga1-32, mga2-32

update validated

Could sysadmin please push openconnect-3.02-1.1.mga1.src.rpm and openconnect-3.15-2.1.mga2.src.rpm from core/updates/testing to core/updates

Advisory:
========================

Updated openconnect packages fix security vulnerability:

Heap-based buffer overflow in OpenConnect before 3.18 allows remote servers to cause a denial of service via a crafted greeting banner (CVE-2012-3291).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3291
http://www.infradead.org/openconnect/changelog.html
http://www.debian.org/security/2012/dsa-2495

Keywords: (none) => validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0156

Status: NEW => RESOLVED