Bug 6504 - openconnect new security issue CVE-2012-3291
: openconnect new security issue CVE-2012-3291
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
:
: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-06-18 20:42 CEST by David Walser
Modified: 2012-07-10 13:55 CEST (History)
4 users (show)

See Also:
Source RPM: openconnect-3.15-2.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-06-18 20:42:23 CEST
Debian has issued an advisory on June 16:
http://www.debian.org/security/2012/dsa-2495

Fedora had also issued an advisory on April 27 before it was assigned a CVE:
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079747.html

The CVE says the issue was in 3.18, but it was actually fixed in 3.18:
http://www.infradead.org/openconnect/changelog.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3291

According to cvedetails, it was fixed in this commit:
http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/14cae65318d3ef1f7d449e463b72b6934e82f1c2
http://www.cvedetails.com/cve/CVE-2012-3291/
Comment 1 David Walser 2012-07-05 02:00:42 CEST
John has built an update for Mageia 2.  Cauldron and Mageia 1 still pending.

Built so far:
openconnect-3.15-2.1.mga2
libopenconnect1-3.15-2.1.mga2
libopenconnect-devel-3.15-2.1.mga2

from openconnect-3.15-2.1.mga2.src.rpm
Comment 2 David Walser 2012-07-05 13:30:04 CEST
Now built for Cauldron and Mageia 1.  Per John's instructions, waiting for confirmation from Jehane that they work before pushing to QA.

Built for Mageia 1:
openconnect-3.02-1.1.mga1
openconnect-static-devel-3.02-1.1.mga1

from openconnect-3.02-1.1.mga1.src.rpm
Comment 3 David Walser 2012-07-10 02:36:15 CEST
Jehane doesn't have access to Mageia 1 now, so pushing to QA.

Advisory:
========================

Updated openconnect packages fix security vulnerability:

Heap-based buffer overflow in OpenConnect before 3.18 allows remote
servers to cause a denial of service via a crafted greeting banner
(CVE-2012-3291).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3291
http://www.infradead.org/openconnect/changelog.html
http://www.debian.org/security/2012/dsa-2495
========================

Updated packages in core/updates_testing:
========================
openconnect-3.02-1.1.mga1
openconnect-static-devel-3.02-1.1.mga1
openconnect-3.15-2.1.mga2
libopenconnect1-3.15-2.1.mga2
libopenconnect-devel-3.15-2.1.mga2

from SRPMS:
openconnect-3.02-1.1.mga1.src.rpm
openconnect-3.15-2.1.mga2.src.rpm
Comment 4 Derek Jennings 2012-07-10 11:59:15 CEST
In the absence of an Anyconnect server to try this out with, the only testing I can do is to try to connect to an Anyconnect server on the internet and get as far as the username/password challenge.

# /usr/sbin/openconnect anyconnect.bathspa.ac.uk
Attempting to connect to 194.81.81.15:443
SSL negotiation with anyconnect.bathspa.ac.uk
Connected to HTTPS on anyconnect.bathspa.ac.uk
GET https://anyconnect.bathspa.ac.uk/
Got HTTP response: HTTP/1.0 302 Object Moved
SSL negotiation with anyconnect.bathspa.ac.uk
Connected to HTTPS on anyconnect.bathspa.ac.uk
GET https://anyconnect.bathspa.ac.uk/+webvpn+/index.html
Please enter your username and password.
Username:

validated on mga2 x86_64
Comment 5 Derek Jennings 2012-07-10 12:25:00 CEST
validated on mga1-64, mga1-32,  mga2-32
update validated

Cpuld sysadmin please push openconnect-3.02-1.1.mga1.src.rpm and openconnect-3.15-2.1.mga2.src.rpm  from core/updates/testing to core/updates

Advisory:
========================

Updated openconnect packages fix security vulnerability:

Heap-based buffer overflow in OpenConnect before 3.18 allows remote
servers to cause a denial of service via a crafted greeting banner
(CVE-2012-3291).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3291
http://www.infradead.org/openconnect/changelog.html
http://www.debian.org/security/2012/dsa-2495
Comment 6 Thomas Backlund 2012-07-10 13:55:48 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0156

Note You need to log in before you can comment on or make changes to this bug.