Debian has issued an advisory on February 14:
http://www.debian.org/security/2013/dsa-2623

Patched packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated openconnect packages fix security vulnerability:

A stack-based buffer overflow flaw was found in the way OpenConnect, a client for Cisco's "AnyConnect" VPN, performed processing of certain host names, paths, or cookie lists, received from the VPN gateway. A remote VPN gateway could provide a specially-crafted host name, path or cookie list that, when processed by the openconnect client would lead to openconnect executable crash (CVE-2012-6128).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6128
https://bugzilla.redhat.com/show_bug.cgi?id=910330
http://www.debian.org/security/2013/dsa-2623
========================

Updated packages in core/updates_testing:
========================
openconnect-3.15-2.2.mga2
libopenconnect1-3.15-2.2.mga2
libopenconnect-devel-3.15-2.2.mga2

from openconnect-3.15-2.2.mga2.src.rpm
"The program openconnect connects to Cisco "AnyConnect" VPN servers" Expecting the connection to fail as it's attempting to connect to apache. Just testing with.. # openconnect -v localhost Attempting to connect to 127.0.0.1:443 SSL negotiation with localhost Server certificate verify failed: self signed certificate Certificate from VPN server "localhost" failed verification. Reason: self signed certificate Enter 'yes' to accept, 'no' to abort; anything else to view: yes Connected to HTTPS on localhost GET https://localhost/ Got HTTP response: HTTP/1.1 200 OK Date: Mon, 18 Feb 2013 11:21:04 GMT Server: Apache/2.2.23 (Mageia/PREFORK-1.mga2) Last-Modified: Wed, 02 May 2012 21:31:48 GMT ETag: "xxxxx-xx-xxxxxxxxxx" Accept-Ranges: bytes Content-Length: 131 Content-Type: text/html HTTP body length: (131) Unknown response from server Failed to obtain WebVPN cookie Testing complete mga2 64
Whiteboard: (none) => has_procedure mga2-64-ok
The patch for this is pretty invasive, so if we could find someone with access to a VPN server to test that this actually works, that would be good.
Do you know of anyone?
Tested with a url found on redhat bugzilla

# openconnect -v vpn.playdom.com

Connects ok, answering yes to accept the self signed cert and only fails user authentication, due to not having a valid login.
Tested ok mga2 32

Validating

Advisory & srpm in comment 0

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0060
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED