Your message dated Sun, 29 Aug 2010 10:32:11 +0000
with message-id <e1opfbl-00068j...@franck.debian.org>
and subject line Bug#590873: fixed in openconnect 2.25-0.1
has caused the Debian Bug report #590873,
regarding openconnect < 2.25 does not verify SSL server certificates
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
590873: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590873
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openconnect
Version: 2.22-1.1
Severity: grave
Tags: security fixed-upstream

Versions of OpenConnect before 2.25 do not verify that the server SSL 
certificate matches the server hostname, which enables an attacker to 
perform an MITM attack on the connection.  This can be fixed by upgrading 
to OpenConnect 2.25.

From the upstream changelog:

OpenConnect v2.25 — 2010-05-15
• Always validate server certificate, even when no extra --cafile is 
  provided.
• Add --no-cert-check option to avoid certificate validation.
• Check server hostname against its certificate.
• Provide text-mode function for reviewing and accepting "invalid" 
  certificates.
• Fix libproxy detection on NetBSD.



--- End Message ---
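The hostname check that the report above says was missing before 2.25, written out as an added example. This is not OpenConnect's own code: the certificate is a constructed stand-in (a dataclass holding the subject CN and the subjectAltName dNSName entries rather than a parsed X.509 object), the function names are made up for illustration, and chain validation against a trusted CA (the "always validate server certificate" item in the changelog) is a separate step that is not modelled here. What it shows is the identity check itself, the wildcard edge cases a practitioner wants handled, and why skipping it (the effect of --no-cert-check) leaves the connection open to an attacker presenting any certificate that chains to a trusted CA.

```python
"""Server-certificate hostname check, modelled on what OpenConnect 2.25 added.

Added example, not OpenConnect code. Certificates are constructed objects;
the hostname is compared to the SAN dNSName entries (CN only as a legacy
fallback) with the left-most-label wildcard rule. Chain validation is
assumed to have happened already and is not modelled.
"""
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Constructed stand-in for a parsed X.509 server certificate."""
    subject_cn: str
    san_dns: list[str] = field(default_factory=list)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name to the requested hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only as the whole left-most label, only with at least two literal
    labels after it, and only for exactly one non-empty label: "*.example.com"
    matches "vpn.example.com" but not "example.com", "a.b.example.com" or
    ".example.com"; "*.com" and "v*n.example.com" never match anything.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in p for p in plabels[1:]) or len(plabels) < 3:
        return False
    return (len(plabels) == len(hlabels)
            and hlabels[0] != ""
            and plabels[1:] == hlabels[1:])


def cert_names(cert: ServerCert) -> list[str]:
    """Names the certificate claims: SAN dNSName entries, or the subject CN
    only when the certificate carries no dNSName at all."""
    return list(cert.san_dns) if cert.san_dns else [cert.subject_cn]


def hostname_matches_cert(cert: ServerCert, hostname: str) -> bool:
    return any(dns_name_matches(name, hostname) for name in cert_names(cert))


def accept_server(cert: ServerCert, hostname: str, cert_check: bool = True):
    """Decide whether to continue the handshake with this server.

    cert_check=False mirrors the effect of the --no-cert-check option from the
    changelog: the identity check is skipped and any presented certificate is
    accepted, which is the pre-2.25 behaviour the bug report describes.
    Returns (accepted, reason).
    """
    if not cert_check:
        return True, "certificate check disabled; any certificate accepted"
    if hostname_matches_cert(cert, hostname):
        return True, "hostname matches certificate"
    return False, f"certificate names {cert_names(cert)} do not cover {hostname!r}"


if __name__ == "__main__":
    # Constructed scenario: the client dials vpn.example.com, but an on-path
    # attacker answers with a certificate issued for attacker.example.net.
    # (Assume chain validation already passed, as it would for any CA-issued cert.)
    target = "vpn.example.com"
    mitm_cert = ServerCert(subject_cn="attacker.example.net",
                           san_dns=["attacker.example.net"])
    print("with hostname check:   ", accept_server(mitm_cert, target))
    print("with --no-cert-check:  ", accept_server(mitm_cert, target, cert_check=False))
    real_cert = ServerCert(subject_cn="vpn.example.com", san_dns=["*.example.com"])
    print("legitimate wildcard:   ", accept_server(real_cert, target))
```

The ordering matters: a certificate that carries any dNSName entry is judged on those entries alone, and the CN is consulted only when none are present, so an attacker cannot smuggle the victim's hostname into a CN on a certificate whose SAN names something else.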
--- Begin Message ---
Source: openconnect
Source-Version: 2.25-0.1

We believe that the bug you reported is fixed in the latest version of
openconnect, which is due to be installed in the Debian FTP archive:

openconnect_2.25-0.1.diff.gz
  to main/o/openconnect/openconnect_2.25-0.1.diff.gz
openconnect_2.25-0.1.dsc
  to main/o/openconnect/openconnect_2.25-0.1.dsc
openconnect_2.25-0.1_i386.deb
  to main/o/openconnect/openconnect_2.25-0.1_i386.deb
openconnect_2.25.orig.tar.gz
  to main/o/openconnect/openconnect_2.25.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 590...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <d...@earth.li> (supplier of updated openconnect package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 28 Aug 2010 11:21:16 +0100
Source: openconnect
Binary: openconnect
Architecture: source i386
Version: 2.25-0.1
Distribution: unstable
Urgency: low
Maintainer: Ross Burton <r...@debian.org>
Changed-By: Dominic Hargreaves <d...@earth.li>
Description: 
 openconnect - Open client for Cisco AnyConnect VPN
Closes: 566188 590873
Changes: 
 openconnect (2.25-0.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * New upstream release (Closes: #566188)
     - always verify SSL server certificates (Closes: #590873)
Checksums-Sha1: 
 fba8238de998a5437b74bd56442d546178db8f38 1115 openconnect_2.25-0.1.dsc
 d819ae60d14dfc16854957d4f04451e9505c4207 75723 openconnect_2.25.orig.tar.gz
 37f59796fe177878a9395d143627c82436e62f9b 2210 openconnect_2.25-0.1.diff.gz
 2bbc317e869b44df2a7850b0aad73632e62ddcc7 71884 openconnect_2.25-0.1_i386.deb
Checksums-Sha256: 
 a42762bf6813ac0a486f1f436aadc831913fee27f2c59be3d634d6d700788c6a 1115 openconnect_2.25-0.1.dsc
 6990f00e1df83b00941fe06d5b9c670b26804517043457f13be617bf07bad553 75723 openconnect_2.25.orig.tar.gz
 39112bc12cfdf0a40bf5e4182d7db86b87467b3f192e405d51d3442745c70828 2210 openconnect_2.25-0.1.diff.gz
 ac41efb359bd7c91fe5d908abce6fc5016cd161300ef71858027f5309b59ff27 71884 openconnect_2.25-0.1_i386.deb
Files: 
 a6adf4daf8aca9623e4f7373d04ab21c 1115 net optional openconnect_2.25-0.1.dsc
 796a32b611ee6210a5367eb9684d6778 75723 net optional openconnect_2.25.orig.tar.gz
 97d5e3f3a87caa869e3860856a9bf6fd 2210 net optional openconnect_2.25-0.1.diff.gz
 9a841485746ec9be5eb10bce96f616ff 71884 net optional openconnect_2.25-0.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFMeOWyYzuFKFF44qURArXyAJ90BEHjNvVTXyRLLv3NGMsrLREOvQCg2apd
3umbv0lnbESyS47EFMRnNc0=
=GhRn
-----END PGP SIGNATURE-----



--- End Message ---