Bug 26624 - openconnect new security issues CVE-2020-12105 and CVE-2020-12823
Summary: openconnect new security issues CVE-2020-12105 and CVE-2020-12823
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2020-05-14 22:39 CEST by David Walser
Modified: 2020-05-30 23:49 CEST (History)
4 users (show)

See Also:
Source RPM: openconnect-8.05-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-05-14 22:39:51 CEST
SUSE has issued an advisory on May 13:
http://lists.suse.com/pipermail/sle-security-updates/2020-May/006813.html

The issue is fixed upstream in 8.09.
David Walser 2020-05-14 22:40:05 CEST

Status comment: (none) => Fixed upstream in 8.09

Comment 1 David Walser 2020-05-14 23:09:55 CEST
Upstream has released 8.10 today (May 14), fixing CVE-2020-12823:
https://gitlab.com/openconnect/openconnect/-/blob/master/www/changelog.xml

Status comment: Fixed upstream in 8.09 => Fixed upstream in 8.10
Summary: openconnect new security issue CVE-2020-12105 => openconnect new security issues CVE-2020-12105 and CVE-2020-12823
Version: 7 => Cauldron
Whiteboard: (none) => MGA7TOO
Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2020-05-15 07:28:52 CEST
Fixed for Cauldron!

For mga7 we need latest gnutls >= 3.6.13

configure: error: DTLS is insecure in GnuTLS v3.6.3 through v3.6.12.
Comment 3 David Walser 2020-05-15 16:49:46 CEST
Just patch out that configure check.  We patched the DTLS issue in Bug 26444.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 4 David GEIGER 2020-05-16 07:59:13 CEST
Done for mga7!
Comment 5 David Walser 2020-05-16 16:24:06 CEST
Advisory:
========================

Updated openconnect packages fix security vulnerabilities:

OpenConnect through 8.08 mishandles negative return values from X509_check_
function calls, which might assist attackers in performing man-in-the-middle
attacks (CVE-2020-12105).

OpenConnect 8.09 has a buffer overflow, causing a denial of service
(application crash) or possibly unspecified other impact, via crafted
certificate data to get_cert_name in gnutls.c (CVE-2020-12823).

The openconnect package has been updated to version 8.10, fixing these issues
and other bugs.  See the upstream changelog for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12823
http://www.infradead.org/openconnect/changelog.html
========================

Updated packages in core/updates_testing:
========================
openconnect-8.10-1.mga7
libopenconnect5-8.10-1.mga7
libopenconnect-devel-8.10-1.mga7

from openconnect-8.10-1.mga7.src.rpm

Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 8.10 => (none)
CC: (none) => geiger.david68210

Comment 6 Herman Viaene 2020-05-17 15:21:00 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 25803 for testing (I don't have acccess to a real VPN).
at CLI
# openconnect <mydesktop>
POST https://<mydesktop>
Connected to 192.168.2.1:443
SSL negotiation with mach1
Server certificate verify failed: signer not found

Certificate from VPN server "mach1" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:lQTW7XKLrPuHit3Kpdh+tTSYK/HmL+hr7gBymvEXpEo=
Enter 'yes' to accept, 'no' to abort; anything else to view:  

Here I entered <Spacebar><Enter> and got next feedback:

X.509 Certificate Information:
        Version: 1
        Serial Number (hex): 00e3ee000a2bf5d3c8
        Issuer: EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost
        Validity:
                Not Before: Sun Dec 29 13:19:18 UTC 2019
                Not After: Mon Dec 28 13:19:18 UTC 2020
        Subject: EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: Medium (2048 bits)
and more ......
Seems OK, but this is not a real test.
if someone else can confirm at least a clean install, then go ahead and put the OK.

CC: (none) => herman.viaene

Comment 7 David Walser 2020-05-20 04:07:16 CEST
Debian-LTS has issued an advisory for CVE-2020-12823 on May 16:
https://www.debian.org/lts/security/2020/dla-2212
Comment 8 Thomas Andrews 2020-05-30 23:49:40 CEST
Every time I look into trying to use a vpn, my eyes start to hurt, and I have to think about something else for a while. But, I can at least confirm a clean install. Giving this an OK, and validating. Advisory in Comment 5.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs


Note You need to log in before you can comment on or make changes to this bug.