On Tue, May 19, 2020 at 10:02:46AM +0100, Luca Boccassi wrote:
> On Thu, 14 May 2020 22:57:44 +0100 Luca Boccassi <[email protected]> wrote:
> > On Thu, 2020-05-14 at 18:50 +0100, Luca Boccassi wrote:
> > > Package: openconnect
> > > Version: 6.00-1
> > > Severity: important
> > > Tags: security
> > >
> > > Openconnect is affected by a buffer overflow in certificate handling,
> > > that goes back at least to 6.00-1 (old-old-stable).
> > >
> > > Fixed upstream by:
> > >
> > >
> > > https://gitlab.com/openconnect/openconnect/-/merge_requests/108
>
> >
> > Dear security team,
> >
> > I uploaded to old-old-stable on request from the LTS team. How would
> > you like to handle stable and old-stable?
>
> Ping. Should I do an upload to security-master for buster-security and
> stretch-security?
It's not really clear to me why this was assigned a CVE ID, this doesn't
appear to cross any reasonable trust boundary. Certificates need to come
from a trusted source, otherwise you have many other insecurities at hand.
This appears to be "just a bug" (which would seem to reach the bar for
being fixed in a point update), but I can't see why this would need a DSA.
I might totally miss something, ofc. So please correct me if I'm wrong :-)
Cheers,
Moritz