Bug 9083

Summary: openconnect new security issue CVE-2012-6128
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/538436/
Whiteboard: has_procedure mga2-64-ok mga2-32-ok
Source RPM: openconnect-3.15-2.1.mga2.src.rpm CVE:
Status comment:

Description David Walser 2013-02-15 22:22:28 CET 
Debian has issued an advisory on February 14:
http://www.debian.org/security/2013/dsa-2623

Patched packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated openconnect packages fix security vulnerability:

A stack-based buffer overflow flaw was found in the way OpenConnect, a client
for Cisco's "AnyConnect" VPN, performed processing of certain host names,
paths, or cookie lists, received from the VPN gateway. A remote VPN gateway
could provide a specially-crafted host name, path or cookie list that, when
processed by the openconnect client would lead to openconnect executable
crash (CVE-2012-6128).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6128
https://bugzilla.redhat.com/show_bug.cgi?id=910330
http://www.debian.org/security/2013/dsa-2623
========================

Updated packages in core/updates_testing:
========================
openconnect-3.15-2.2.mga2
libopenconnect1-3.15-2.2.mga2
libopenconnect-devel-3.15-2.2.mga2

from openconnect-3.15-2.2.mga2.src.rpm
Comment 1 claire robinson 2013-02-18 12:51:48 CET 
"The program openconnect connects to Cisco "AnyConnect" VPN servers"


Expecting the connection to fail as it's attempting to connect to apache.
Just testing with..

# openconnect -v localhost
Attempting to connect to 127.0.0.1:443
SSL negotiation with localhost
Server certificate verify failed: self signed certificate

Certificate from VPN server "localhost" failed verification.
Reason: self signed certificate
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on localhost
GET https://localhost/
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 18 Feb 2013 11:21:04 GMT
Server: Apache/2.2.23 (Mageia/PREFORK-1.mga2)
Last-Modified: Wed, 02 May 2012 21:31:48 GMT
ETag: "xxxxx-xx-xxxxxxxxxx"
Accept-Ranges: bytes
Content-Length: 131
Content-Type: text/html
HTTP body length:  (131)
Unknown response from server
Failed to obtain WebVPN cookie

Testing complete mga2 64

Whiteboard: (none) => has_procedure mga2-64-ok

Comment 2 David Walser 2013-02-18 14:43:24 CET 
The patch for this is pretty invasive, so if we could find someone with access to a VPN server to test that this actually works, that would be good.
Comment 3 claire robinson 2013-02-18 16:36:11 CET 
Do you know of anyone?
Comment 4 claire robinson 2013-02-18 17:01:08 CET 
Tested with a url found on redhat bugzilla

# openconnect -v vpn.playdom.com

Connects ok, answering yes to accept the self signed cert and only fails user authentication, due to not having a valid login.
Comment 5 claire robinson 2013-02-18 18:11:45 CET 
Tested ok mga2 32

Validating

Advisory & srpm in comment 0

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok

Comment 6 Thomas Backlund 2013-02-21 22:02:27 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0060

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED