File _patchinfo of Package patchinfo.31395
<patchinfo incident="31395">
<issue tracker="bnc" id="1170452">VUL-0: CVE-2020-12105: openconnect: improper handling of negative return values from X509_check_ function calls might allow MITM attacks</issue>
<issue tracker="bnc" id="1157446">openconnect 8.06 ships python2 script</issue>
<issue tracker="bnc" id="1171862">VUL-0: CVE-2020-12823: openconnect: buffer overflow, causing a denial of service (application crash) or possibly unspecified other impact, via crafted certificate data to get_cert_name in gnutls.c.</issue>
<issue tracker="bnc" id="1140772">openconnect: please update vpnc-script</issue>
<issue tracker="bnc" id="1215669">VUL-1: CVE-2018-20319: openconnect: information leak</issue>
<issue tracker="cve" id="2018-20319"/>
<issue tracker="cve" id="2020-12105"/>
<issue tracker="cve" id="2020-12823"/>
<issue tracker="fate" id="325553"/>
<issue tracker="jsc" id="PED-6742"/>
<issue tracker="jsc" id="PED-7015"/>
<packager>amanzini</packager>
<rating>moderate</rating>
<category>security</category>
<summary>Security update for openconnect</summary>
<description>This update for openconnect fixes the following issues:
- Update to release 9.12:
* Explicitly reject overly long tun device names.
* Increase maximum input size from stdin (#579).
* Ignore 0.0.0.0 as NBNS address (!446, vpnc-scripts#58).
* Fix stray (null) in URL path after Pulse authentication (4023bd95).
* Fix config XML parsing mistake that left GlobalProtect ESP non-working in v9.10 (!475).
* Fix case sensitivity in GPST header matching (!474).
- Update to release 9.10:
* Fix external browser authentication with KDE plasma-nm < 5.26.
* Always redirect stdout to stderr when spawning external browser.
* Increase default queue length to 32 packets.
* Fix receiving multiple packets in one TLS frame, and single packets split across multiple TLS frames, for Array.
* Handle idiosyncratic variation in search domain separators for all protocols
* Support region selection field for Pulse authentication
* Support modified configuration packet from Pulse 9.1R16 servers
* Allow hidden form fields to be populated or converted to text fields on the command line
* Support yet another strange way of encoding challenge-based 2FA for GlobalProtect
* Add --sni option (and corresponding C and Java API functions) to allow domain-fronting connections in censored/filtered network environments
* Parrot a GlobalProtect server's software version, if present, as the client version (!333)
* Fix NULL pointer dereference that has left Android builds broken since v8.20 (!389).
* Fix Fortinet authentication bug where repeated SVPNCOOKIE causes segfaults (#514, !418).
* Support F5 VPNs which encode authentication forms only in JSON, not in HTML.
* Support simultaneous IPv6 and Legacy IP ("dual-stack") for Fortinet .
* Support "FTM-push" token mode for Fortinet VPNs .
* Send IPv6-compatible version string in Pulse IF/T session establishment
* Add --no-external-auth option to not advertise external-browser authentication
* Many small improvements in server response parsing, and better logging messages and documentation.
- Update to release 9.01:
* Add support for AnyConnect "Session Token Re-use Anchor Protocol" (STRAP)
* Add support for AnyConnect "external browser" SSO mode
* Bugfix RSA SecurID token decryption and PIN entry forms, broken in v8.20
* Support Cisco's multiple-certificate authentication
* Revert GlobalProtect default route handling change from v8.20
* Suppo split-exclude routes for Fortinet
* Add webview callback and SAML/SSO support for AnyConnect, GlobalProtect
- Update to release 8.20:
* Support non-AEAD ciphersuites in DTLSv1.2 with AnyConnect.
* Emulated a newer version of GlobalProtect official clients,
5.1.5-8; was 4.0.2-19
* Support Juniper login forms containing both password and 2FA
token
* Explicitly disable 3DES and RC4, unless enabled with
--allow-insecure-crypto
* Allow protocols to delay tunnel setup and shutdown (!117)
* Support for GlobalProtect IPv6
* SIGUSR1now causes OpenConnect to log detailed connection
information and statistics
* Allow --servercert to be specified multiple times in order to
accept server certificates matching more than one possible
fingerprint
* Demangle default routes sent as split routes by GlobalProtect
* Support more Juniper login forms, including some SSO forms
* Restore compatibility with newer Cisco servers, by no longer
sending them the X-AnyConnect-Platform header
* Add support for PPP-based protocols, currently over TLS only.
* Add support for two PPP-based protocols, F5 with
--protocol=f5 and Fortinet with --protocol=fortinet.
* Add support for Array Networks SSL VPN.
* Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases
for swtpm and hardware TPM.
- Import the latest version of the vpnc-script (bsc#1140772)
* This brings a lot of improvements for non-trivial network setups, IPv6 etc
- Build with --without-gnutls-version-check
- Update to version 8.10:
* Install bash completion script to
${datadir}/bash-completion/completions/openconnect.
* Improve compatibility of csd-post.sh trojan.
* Fix potential buffer overflow with GnuTLS describing local
certs (CVE-2020-12823, bsc#1171862,
gl#openconnect/openconnect!108).
- Introduce subpackage for bash-completion
- Update to 8.09:
* Add bash completion support.
* Give more helpful error in case of Pulse servers asking for
TNCC.
* Sanitize non-canonical Legacy IP network addresses.
* Fix OpenSSL validation for trusted but invalid certificates
(CVE-2020-12105 bsc#1170452).
* Convert tncc-wrapper.py to Python 3, and include modernized
tncc-emulate.py as well. (!91)
* Disable Nagle's algorithm for TLS sockets, to improve
interactivity when tunnel runs over TCP rather than UDP.
* GlobalProtect: more resilient handling of periodic HIP check
and login arguments, and predictable naming of challenge forms.
* Work around PKCS#11 tokens which forget to set
CKF_LOGIN_REQUIRED.
- Update to 8.0.8:
* Fix check of pin-sha256: public key hashes to be case sensitive
* Don't give non-functioning stderr to CSD trojan scripts.
* Fix crash with uninitialised OIDC token.
- Update to 8.0.7:
* Don't abort Pulse connection when server-provided certificate
MD5 doesn't match.
* Fix off-by-one in check for bad GnuTLS versions, and add build
and run time checks.
* Don't abort connection if CSD wrapper script returns non-zero
(for now).
* Make --passtos work for protocols that use ESP, in addition
to DTLS.
* Convert tncc-wrapper.py to Python 3, and include modernized
tncc-emulate.py as well.
- Remove tncc-wrapper.py script as it is python2 only bsc#1157446
- No need to ship hipreport-android.sh as it is intented for
android systems only
- Update to 8.0.5:
* Minor fixes to build on specific platforms
* Includes fix for a buffer overflow with chunked HTTP handling
(CVE-2019-16239, bsc#1151178)
- Use python3 to generate the web data as now it is supported
by upstream
- Update to 8.0.3:
* Fix Cisco DTLSv1.2 support for AES256-GCM-SHA384.
* Fix recognition of OTP password fields.
- Update to 8.02:
* Fix GNU/Hurd build.
* Discover vpnc-script in default packaged location on FreeBSD/OpenBSD.
* Support split-exclude routes for GlobalProtect.
* Fix GnuTLS builds without libtasn1.
* Fix DTLS support with OpenSSL 1.1.1+.
* Add Cisco-compatible DTLSv1.2 support.
* Invoke script with reason=attempt-reconnect before doing so.
- Update to 8.01:
* Clear form submissions (which may include passwords) before
freeing (CVE-2018-20319, bsc#1215669).
* Allow form responses to be provided on command line.
* Add support for SSL keys stored in TPM2.
* Fix ESP rekey when replay protection is disabled.
* Drop support for GnuTLS older than 3.2.10.
* Fix --passwd-on-stdin for Windows to not forcibly open console.
* Fix portability of shell scripts in test suite.
* Add Google Authenticator TOTP support for Juniper.
* Add RFC7469 key PIN support for cert hashes.
* Add protocol method to securely log out the Juniper session.
* Relax requirements for Juniper hostname packet response to support old gateways.
* Add API functions to query the supported protocols.
* Verify ESP sequence numbers and warn even if replay protection is disabled.
* Add support for PAN GlobalProtect VPN protocol (--protocol=gp).
* Reorganize listing of command-line options, and include information on supported protocols.
* SIGTERM cleans up the session similarly to SIGINT.
* Fix memset_s() arguments.
* Fix OpenBSD build.
- Explicitely enable all the features as needed to stop build if
something is missing
</description>
</patchinfo>
