SUSE has issued an advisory on May 13:
The issue is fixed upstream in 8.09.
Fixed upstream in 8.09
Upstream has released 8.10 today (May 14), fixing CVE-2020-12823:
Fixed upstream in 8.09 =>
Fixed upstream in 8.10Summary:
openconnect new security issue CVE-2020-12105 =>
openconnect new security issues CVE-2020-12105 and CVE-2020-12823Version:
Fixed for Cauldron!
For mga7 we need latest gnutls >= 3.6.13
configure: error: DTLS is insecure in GnuTLS v3.6.3 through v3.6.12.
Just patch out that configure check. We patched the DTLS issue in Bug 26444.
Done for mga7!
Updated openconnect packages fix security vulnerabilities:
OpenConnect through 8.08 mishandles negative return values from X509_check_
function calls, which might assist attackers in performing man-in-the-middle
OpenConnect 8.09 has a buffer overflow, causing a denial of service
(application crash) or possibly unspecified other impact, via crafted
certificate data to get_cert_name in gnutls.c (CVE-2020-12823).
The openconnect package has been updated to version 8.10, fixing these issues
and other bugs. See the upstream changelog for details.
Updated packages in core/updates_testing:
Fixed upstream in 8.10 =>
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 25803 for testing (I don't have acccess to a real VPN).
# openconnect <mydesktop>
Connected to 192.168.2.1:443
SSL negotiation with mach1
Server certificate verify failed: signer not found
Certificate from VPN server "mach1" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
Enter 'yes' to accept, 'no' to abort; anything else to view:
Here I entered <Spacebar><Enter> and got next feedback:
X.509 Certificate Information:
Serial Number (hex): 00e3ee000a2bf5d3c8
Issuer: EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost
Not Before: Sun Dec 29 13:19:18 UTC 2019
Not After: Mon Dec 28 13:19:18 UTC 2020
Subject: EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost
Subject Public Key Algorithm: RSA
Algorithm Security Level: Medium (2048 bits)
and more ......
Seems OK, but this is not a real test.
if someone else can confirm at least a clean install, then go ahead and put the OK.
Debian-LTS has issued an advisory for CVE-2020-12823 on May 16:
Every time I look into trying to use a vpn, my eyes start to hurt, and I have to think about something else for a while. But, I can at least confirm a clean install. Giving this an OK, and validating. Advisory in Comment 5.