Debian has issued an advisory on June 16:
http://www.debian.org/security/2012/dsa-2495

Fedora had also issued an advisory on April 27 before it was assigned a CVE:
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079747.html

The CVE says the issue was in 3.18, but it was actually fixed in 3.18:
http://www.infradead.org/openconnect/changelog.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3291

According to cvedetails, it was fixed in this commit:
http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/14cae65318d3ef1f7d449e463b72b6934e82f1c2
http://www.cvedetails.com/cve/CVE-2012-3291/
CC: (none) => balcaen.john
Whiteboard: (none) => MGA2TOO, MGA1TOO
John has built an update for Mageia 2. Cauldron and Mageia 1 still pending.

Built so far:
openconnect-3.15-2.1.mga2
libopenconnect1-3.15-2.1.mga2
libopenconnect-devel-3.15-2.1.mga2

from openconnect-3.15-2.1.mga2.src.rpm
Now built for Cauldron and Mageia 1. Per John's instructions, waiting for confirmation from Jehane that they work before pushing to QA.

Built for Mageia 1:
openconnect-3.02-1.1.mga1
openconnect-static-devel-3.02-1.1.mga1

from openconnect-3.02-1.1.mga1.src.rpm
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Jehane doesn't have access to Mageia 1 now, so pushing to QA.

Advisory:
========================

Updated openconnect packages fix security vulnerability:

Heap-based buffer overflow in OpenConnect before 3.18 allows remote servers to cause a denial of service via a crafted greeting banner (CVE-2012-3291).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3291
http://www.infradead.org/openconnect/changelog.html
http://www.debian.org/security/2012/dsa-2495
========================

Updated packages in core/updates_testing:
========================
openconnect-3.02-1.1.mga1
openconnect-static-devel-3.02-1.1.mga1
openconnect-3.15-2.1.mga2
libopenconnect1-3.15-2.1.mga2
libopenconnect-devel-3.15-2.1.mga2

from SRPMS:
openconnect-3.02-1.1.mga1.src.rpm
openconnect-3.15-2.1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
In the absence of an Anyconnect server to try this out with, the only testing I can do is to try to connect to an Anyconnect server on the internet and get as far as the username/password challenge.

# /usr/sbin/openconnect anyconnect.bathspa.ac.uk
Attempting to connect to 194.81.81.15:443
SSL negotiation with anyconnect.bathspa.ac.uk
Connected to HTTPS on anyconnect.bathspa.ac.uk
GET https://anyconnect.bathspa.ac.uk/
Got HTTP response: HTTP/1.0 302 Object Moved
SSL negotiation with anyconnect.bathspa.ac.uk
Connected to HTTPS on anyconnect.bathspa.ac.uk
GET https://anyconnect.bathspa.ac.uk/+webvpn+/index.html
Please enter your username and password.
Username:

validated on mga2 x86_64
CC: (none) => derekjenn
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK
validated on mga1-64, mga1-32, mga2-32

update validated

Could sysadmin please push openconnect-3.02-1.1.mga1.src.rpm and openconnect-3.15-2.1.mga2.src.rpm from core/updates/testing to core/updates

Advisory:
========================

Updated openconnect packages fix security vulnerability:

Heap-based buffer overflow in OpenConnect before 3.18 allows remote servers to cause a denial of service via a crafted greeting banner (CVE-2012-3291).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3291
http://www.infradead.org/openconnect/changelog.html
http://www.debian.org/security/2012/dsa-2495
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO MGA2-64-OK => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0156
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED