Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:Update
patchinfo.31395
_patchinfo
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _patchinfo of Package patchinfo.31395
<patchinfo incident="31395"> <issue tracker="bnc" id="1170452">VUL-0: CVE-2020-12105: openconnect: improper handling of negative return values from X509_check_ function calls might allow MITM attacks</issue> <issue tracker="bnc" id="1157446">openconnect 8.06 ships python2 script</issue> <issue tracker="bnc" id="1171862">VUL-0: CVE-2020-12823: openconnect: buffer overflow, causing a denial of service (application crash) or possibly unspecified other impact, via crafted certificate data to get_cert_name in gnutls.c.</issue> <issue tracker="bnc" id="1140772">openconnect: please update vpnc-script</issue> <issue tracker="bnc" id="1215669">VUL-1: CVE-2018-20319: openconnect: information leak</issue> <issue tracker="cve" id="2018-20319"/> <issue tracker="cve" id="2020-12105"/> <issue tracker="cve" id="2020-12823"/> <issue tracker="fate" id="325553"/> <issue tracker="jsc" id="PED-6742"/> <issue tracker="jsc" id="PED-7015"/> <packager>amanzini</packager> <rating>moderate</rating> <category>security</category> <summary>Security update for openconnect</summary> <description>This update for openconnect fixes the following issues: - Update to release 9.12: * Explicitly reject overly long tun device names. * Increase maximum input size from stdin (#579). * Ignore 0.0.0.0 as NBNS address (!446, vpnc-scripts#58). * Fix stray (null) in URL path after Pulse authentication (4023bd95). * Fix config XML parsing mistake that left GlobalProtect ESP non-working in v9.10 (!475). * Fix case sensitivity in GPST header matching (!474). - Update to release 9.10: * Fix external browser authentication with KDE plasma-nm < 5.26. * Always redirect stdout to stderr when spawning external browser. * Increase default queue length to 32 packets. * Fix receiving multiple packets in one TLS frame, and single packets split across multiple TLS frames, for Array. * Handle idiosyncratic variation in search domain separators for all protocols * Support region selection field for Pulse authentication * Support modified configuration packet from Pulse 9.1R16 servers * Allow hidden form fields to be populated or converted to text fields on the command line * Support yet another strange way of encoding challenge-based 2FA for GlobalProtect * Add --sni option (and corresponding C and Java API functions) to allow domain-fronting connections in censored/filtered network environments * Parrot a GlobalProtect server's software version, if present, as the client version (!333) * Fix NULL pointer dereference that has left Android builds broken since v8.20 (!389). * Fix Fortinet authentication bug where repeated SVPNCOOKIE causes segfaults (#514, !418). * Support F5 VPNs which encode authentication forms only in JSON, not in HTML. * Support simultaneous IPv6 and Legacy IP ("dual-stack") for Fortinet . * Support "FTM-push" token mode for Fortinet VPNs . * Send IPv6-compatible version string in Pulse IF/T session establishment * Add --no-external-auth option to not advertise external-browser authentication * Many small improvements in server response parsing, and better logging messages and documentation. - Update to release 9.01: * Add support for AnyConnect "Session Token Re-use Anchor Protocol" (STRAP) * Add support for AnyConnect "external browser" SSO mode * Bugfix RSA SecurID token decryption and PIN entry forms, broken in v8.20 * Support Cisco's multiple-certificate authentication * Revert GlobalProtect default route handling change from v8.20 * Suppo split-exclude routes for Fortinet * Add webview callback and SAML/SSO support for AnyConnect, GlobalProtect - Update to release 8.20: * Support non-AEAD ciphersuites in DTLSv1.2 with AnyConnect. * Emulated a newer version of GlobalProtect official clients, 5.1.5-8; was 4.0.2-19 * Support Juniper login forms containing both password and 2FA token * Explicitly disable 3DES and RC4, unless enabled with --allow-insecure-crypto * Allow protocols to delay tunnel setup and shutdown (!117) * Support for GlobalProtect IPv6 * SIGUSR1now causes OpenConnect to log detailed connection information and statistics * Allow --servercert to be specified multiple times in order to accept server certificates matching more than one possible fingerprint * Demangle default routes sent as split routes by GlobalProtect * Support more Juniper login forms, including some SSO forms * Restore compatibility with newer Cisco servers, by no longer sending them the X-AnyConnect-Platform header * Add support for PPP-based protocols, currently over TLS only. * Add support for two PPP-based protocols, F5 with --protocol=f5 and Fortinet with --protocol=fortinet. * Add support for Array Networks SSL VPN. * Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases for swtpm and hardware TPM. - Import the latest version of the vpnc-script (bsc#1140772) * This brings a lot of improvements for non-trivial network setups, IPv6 etc - Build with --without-gnutls-version-check - Update to version 8.10: * Install bash completion script to ${datadir}/bash-completion/completions/openconnect. * Improve compatibility of csd-post.sh trojan. * Fix potential buffer overflow with GnuTLS describing local certs (CVE-2020-12823, bsc#1171862, gl#openconnect/openconnect!108). - Introduce subpackage for bash-completion - Update to 8.09: * Add bash completion support. * Give more helpful error in case of Pulse servers asking for TNCC. * Sanitize non-canonical Legacy IP network addresses. * Fix OpenSSL validation for trusted but invalid certificates (CVE-2020-12105 bsc#1170452). * Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py as well. (!91) * Disable Nagle's algorithm for TLS sockets, to improve interactivity when tunnel runs over TCP rather than UDP. * GlobalProtect: more resilient handling of periodic HIP check and login arguments, and predictable naming of challenge forms. * Work around PKCS#11 tokens which forget to set CKF_LOGIN_REQUIRED. - Update to 8.0.8: * Fix check of pin-sha256: public key hashes to be case sensitive * Don't give non-functioning stderr to CSD trojan scripts. * Fix crash with uninitialised OIDC token. - Update to 8.0.7: * Don't abort Pulse connection when server-provided certificate MD5 doesn't match. * Fix off-by-one in check for bad GnuTLS versions, and add build and run time checks. * Don't abort connection if CSD wrapper script returns non-zero (for now). * Make --passtos work for protocols that use ESP, in addition to DTLS. * Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py as well. - Remove tncc-wrapper.py script as it is python2 only bsc#1157446 - No need to ship hipreport-android.sh as it is intented for android systems only - Update to 8.0.5: * Minor fixes to build on specific platforms * Includes fix for a buffer overflow with chunked HTTP handling (CVE-2019-16239, bsc#1151178) - Use python3 to generate the web data as now it is supported by upstream - Update to 8.0.3: * Fix Cisco DTLSv1.2 support for AES256-GCM-SHA384. * Fix recognition of OTP password fields. - Update to 8.02: * Fix GNU/Hurd build. * Discover vpnc-script in default packaged location on FreeBSD/OpenBSD. * Support split-exclude routes for GlobalProtect. * Fix GnuTLS builds without libtasn1. * Fix DTLS support with OpenSSL 1.1.1+. * Add Cisco-compatible DTLSv1.2 support. * Invoke script with reason=attempt-reconnect before doing so. - Update to 8.01: * Clear form submissions (which may include passwords) before freeing (CVE-2018-20319, bsc#1215669). * Allow form responses to be provided on command line. * Add support for SSL keys stored in TPM2. * Fix ESP rekey when replay protection is disabled. * Drop support for GnuTLS older than 3.2.10. * Fix --passwd-on-stdin for Windows to not forcibly open console. * Fix portability of shell scripts in test suite. * Add Google Authenticator TOTP support for Juniper. * Add RFC7469 key PIN support for cert hashes. * Add protocol method to securely log out the Juniper session. * Relax requirements for Juniper hostname packet response to support old gateways. * Add API functions to query the supported protocols. * Verify ESP sequence numbers and warn even if replay protection is disabled. * Add support for PAN GlobalProtect VPN protocol (--protocol=gp). * Reorganize listing of command-line options, and include information on supported protocols. * SIGTERM cleans up the session similarly to SIGINT. * Fix memset_s() arguments. * Fix OpenBSD build. - Explicitely enable all the features as needed to stop build if something is missing </description> </patchinfo>
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor