SUSE has issued an advisory on May 13: http://lists.suse.com/pipermail/sle-security-updates/2020-May/006813.html The issue is fixed upstream in 8.09.
Status comment: (none) => Fixed upstream in 8.09
Upstream has released 8.10 today (May 14), fixing CVE-2020-12823: https://gitlab.com/openconnect/openconnect/-/blob/master/www/changelog.xml
Summary: openconnect new security issue CVE-2020-12105 => openconnect new security issues CVE-2020-12105 and CVE-2020-12823
Version: 7 => Cauldron
Whiteboard: (none) => MGA7TOO
Assignee: bugsquad => geiger.david68210
Status comment: Fixed upstream in 8.09 => Fixed upstream in 8.10
Fixed for Cauldron!

For mga7 we need latest gnutls >= 3.6.13:

configure: error: DTLS is insecure in GnuTLS v3.6.3 through v3.6.12.
Just patch out that configure check. We patched the DTLS issue in Bug 26444.
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Done for mga7!
Advisory:
========================

Updated openconnect packages fix security vulnerabilities:

OpenConnect through 8.08 mishandles negative return values from X509_check_ function calls, which might assist attackers in performing man-in-the-middle attacks (CVE-2020-12105).

OpenConnect 8.09 has a buffer overflow, causing a denial of service (application crash) or possibly unspecified other impact, via crafted certificate data to get_cert_name in gnutls.c (CVE-2020-12823).

The openconnect package has been updated to version 8.10, fixing these issues and other bugs. See the upstream changelog for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12823
http://www.infradead.org/openconnect/changelog.html
========================

Updated packages in core/updates_testing:
========================
openconnect-8.10-1.mga7
libopenconnect5-8.10-1.mga7
libopenconnect-devel-8.10-1.mga7

from openconnect-8.10-1.mga7.src.rpm
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 8.10 => (none)
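A worked illustration of the CVE-2020-12105 bug class from the advisory above, added here as an example; it is neither OpenConnect's nor OpenSSL's code. OpenSSL's X509_check_host() returns 1 for a match, 0 for a mismatch, -1 for an internal error and -2 for malformed input, so a caller that treats "non-zero" as "matched" accepts a certificate precisely when the check could not be performed. The block models that return contract with a small self-contained hostname matcher (an assumption standing in for the real call, so it runs without libcrypto) and shows the vulnerable check beside the one that accepts only an explicit 1. The hostnames and the attacker-controlled certificate name are constructed inputs.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Model of the X509_check_host() return contract, implemented without libcrypto
 * so the example runs stand-alone (assumption: a real client would call
 * X509_check_host() here and get the same tri-state result):
 *   1  certificate name matches the hostname
 *   0  no match
 *  -1  internal error (modelled as a name containing non-hostname bytes)
 *  -2  malformed input (NULL or empty string)
 * A leading "*." in cert_name matches exactly one DNS label. */
static int is_host_char(unsigned char c, int allow_wildcard)
{
    return isalnum(c) || c == '.' || c == '-' || (allow_wildcard && c == '*');
}

/* ASCII case-insensitive string equality, as DNS names are compared. */
static int iequal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

static int check_host_model(const char *cert_name, const char *hostname)
{
    if (!cert_name || !hostname || !*cert_name || !*hostname)
        return -2;
    for (const char *p = cert_name; *p; p++)
        if (!is_host_char((unsigned char)*p, 1)) return -1;
    for (const char *p = hostname; *p; p++)
        if (!is_host_char((unsigned char)*p, 0)) return -1;

    if (strncmp(cert_name, "*.", 2) == 0) {
        const char *dot = strchr(hostname, '.');
        if (!dot || dot == hostname) return 0;      /* wildcard must consume one label */
        return iequal(dot + 1, cert_name + 2);
    }
    return iequal(cert_name, hostname);
}

/* Vulnerable pattern: "non-zero means matched", so -1 and -2 are accepted too. */
static int verify_peer_vulnerable(const char *cert_name, const char *hostname)
{
    return check_host_model(cert_name, hostname) != 0;
}

/* Hardened pattern: only an explicit 1 is a match; any error fails closed. */
static int verify_peer_fixed(const char *cert_name, const char *hostname)
{
    int ret = check_host_model(cert_name, hostname);
    if (ret < 0)
        fprintf(stderr, "hostname check returned %d, refusing certificate\n", ret);
    return ret == 1;
}

int main(void)
{
    /* Constructed inputs: the client wants vpn.example.com; a man in the middle
     * presents a certificate whose name carries a control byte, which drives the
     * check into its error path instead of a clean mismatch. */
    const char *wanted = "vpn.example.com";
    const char *attacker_cert = "vpn.example.com\x01";

    printf("legitimate cert: vulnerable=%d fixed=%d\n",
           verify_peer_vulnerable("*.example.com", wanted),
           verify_peer_fixed("*.example.com", wanted));
    printf("attacker cert  : vulnerable=%d fixed=%d\n",
           verify_peer_vulnerable(attacker_cert, wanted),
           verify_peer_fixed(attacker_cert, wanted));
    return 0;
}
```

The point generalises to every OpenSSL X509_check_* helper (host, email, IP): compare the result against 1, never against 0, and log the negative codes separately so an error path is never mistaken for a mismatch or, worse, a match.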
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 25803 for testing (I don't have access to a real VPN).
At CLI:
# openconnect <mydesktop>
POST https://<mydesktop>
Connected to 192.168.2.1:443
SSL negotiation with mach1
Server certificate verify failed: signer not found
Certificate from VPN server "mach1" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:lQTW7XKLrPuHit3Kpdh+tTSYK/HmL+hr7gBymvEXpEo=
Enter 'yes' to accept, 'no' to abort; anything else to view:
Here I entered <Spacebar><Enter> and got next feedback:
X.509 Certificate Information:
    Version: 1
    Serial Number (hex): 00e3ee000a2bf5d3c8
    Issuer: EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost
    Validity:
        Not Before: Sun Dec 29 13:19:18 UTC 2019
        Not After: Mon Dec 28 13:19:18 UTC 2020
    Subject: EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: Medium (2048 bits)
and more ......
Seems OK, but this is not a real test. If someone else can confirm at least a clean install, then go ahead and put the OK.
CC: (none) => herman.viaene
Debian-LTS has issued an advisory for CVE-2020-12823 on May 16: https://www.debian.org/lts/security/2020/dla-2212
Every time I look into trying to use a vpn, my eyes start to hurt, and I have to think about something else for a while. But, I can at least confirm a clean install. Giving this an OK, and validating. Advisory in Comment 5.
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => mageia
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0251.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED