Debian has issued an advisory on February 14:
Patched packages uploaded for Mageia 2 and Cauldron.
Updated openconnect packages fix security vulnerability:
A stack-based buffer overflow flaw was found in the way OpenConnect, a client
for Cisco's "AnyConnect" VPN, performed processing of certain host names,
paths, or cookie lists, received from the VPN gateway. A remote VPN gateway
could provide a specially-crafted host name, path or cookie list that, when
processed by the openconnect client, would lead to openconnect executable
Updated packages in core/updates_testing:
"The program openconnect connects to Cisco "AnyConnect" VPN servers"
Expecting the connection to fail as it's attempting to connect to apache.
Just testing with:
# openconnect -v localhost
Attempting to connect to 127.0.0.1:443
SSL negotiation with localhost
Server certificate verify failed: self signed certificate
Certificate from VPN server "localhost" failed verification.
Reason: self signed certificate
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on localhost
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 18 Feb 2013 11:21:04 GMT
Server: Apache/2.2.23 (Mageia/PREFORK-1.mga2)
Last-Modified: Wed, 02 May 2012 21:31:48 GMT
HTTP body length: (131)
Unknown response from server
Failed to obtain WebVPN cookie
Testing complete mga2 64
The patch for this is pretty invasive, so if we could find someone with access to a VPN server to test that this actually works, that would be good.
Do you know of anyone?
Tested with a URL found on Red Hat Bugzilla:
# openconnect -v vpn.playdom.com
Connects ok, answering yes to accept the self signed cert and only fails user authentication, due to not having a valid login.
Tested ok mga2 32
Advisory & srpm in comment 0
Could sysadmin please push from core/updates_testing to core/updates?