Hello community,

here is the log from the commit of package openconnect for openSUSE:Factory 
checked in at 2020-05-26 17:14:07
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openconnect (Old)
 and      /work/SRC/openSUSE:Factory/.openconnect.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openconnect"

Tue May 26 17:14:07 2020 rev:36 rq:807560 version:8.10

Changes:
--------
--- /work/SRC/openSUSE:Factory/openconnect/openconnect.changes  2020-05-08 
23:01:08.729346704 +0200
+++ /work/SRC/openSUSE:Factory/.openconnect.new.2738/openconnect.changes        
2020-05-26 17:14:25.951340643 +0200
@@ -1,0 +2,10 @@
+Fri May 15 18:07:43 UTC 2020 - Martin Hauke <[email protected]>
+
+- Update to version 8.10:
+  * Install bash completion script to
+    ${datadir}/bash-completion/completions/openconnect.
+  * Improve compatibility of csd-post.sh trojan.
+  * Fix potential buffer overflow with GnuTLS describing local
+    certs (CVE-2020-12823).
+
+-------------------------------------------------------------------
@@ -6 +16 @@
-- Update to 8.0.9:
+- Update to 8.09:

Old:
----
  openconnect-8.09.tar.gz
  openconnect-8.09.tar.gz.sig

New:
----
  openconnect-8.10.tar.gz
  openconnect-8.10.tar.gz.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openconnect.spec ++++++
--- /var/tmp/diff_new_pack.QYJvg4/_old  2020-05-26 17:14:26.755342386 +0200
+++ /var/tmp/diff_new_pack.QYJvg4/_new  2020-05-26 17:14:26.755342386 +0200
@@ -18,7 +18,7 @@
 
 %define libname libopenconnect5
 Name:           openconnect
-Version:        8.09
+Version:        8.10
 Release:        0
 Summary:        Open client for Cisco AnyConnect VPN
 License:        LGPL-2.1-or-later
@@ -130,9 +130,6 @@
 # remove py2 only script due to python2 removal
 rm %{buildroot}%{_libexecdir}/%{name}/tncc-wrapper.py
 install -D -m0644 %{SOURCE1} 
%{buildroot}/%{_sysconfdir}/openconnect/vpnc-script
-# 
-install -d %{buildroot}%{_datadir}/bash-completion/completions/
-mv %{buildroot}/etc/bash_completion.d/openconnect.bash 
%{buildroot}%{_datadir}/bash-completion/completions/openconnect.bash
 
 find %{buildroot} -type f -name "*.la" -delete -print
 %find_lang %{name}
@@ -173,7 +170,7 @@
 %doc %{_docdir}/%{name}/inc/*.tmpl
 
 %files bash-completion
-%{_datadir}/bash-completion/completions/openconnect.bash
+%{_datadir}/bash-completion/completions/openconnect
 
 %files lang -f %{name}.lang
 

++++++ openconnect-8.09.tar.gz -> openconnect-8.10.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/AUTHORS new/openconnect-8.10/AUTHORS
--- old/openconnect-8.09/AUTHORS        2020-04-29 15:21:19.000000000 +0200
+++ new/openconnect-8.10/AUTHORS        2020-05-14 17:46:35.000000000 +0200
@@ -1,6 +1,6 @@
-  2570 David Woodhouse <[email protected]>
+  2595 David Woodhouse <[email protected]>
    273 Kevin Cernekee <[email protected]>
-   174 Daniel Lenski <[email protected]>
+   182 Daniel Lenski <[email protected]>
     89 Nikos Mavrogiannopoulos <[email protected]>
     24 Jussi Kukkonen <[email protected]>
     17 Adam Piątyszek <[email protected]>
@@ -13,6 +13,7 @@
      4 Fengguang Wu <[email protected]>
      4 Nikolay Martynov <[email protected]>
      3 Dirk Hohndel <[email protected]>
+     3 Luca Boccassi <[email protected]>
      3 Stuart Henderson <[email protected]>
      3 Ľubomír Carik <[email protected]>
      2 Björn Ketelaars <[email protected]>
@@ -68,6 +69,7 @@
      1 Paul Donohue <[email protected]>
      1 Pouya D. Tafti <[email protected]>
      1 Ross Burton <[email protected]>
+     1 Sergei Trofimovich <[email protected]>
      1 Stefan Becker <[email protected]>
      1 Steven Allen <[email protected]>
      1 Steven Ihde <[email protected]>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/Makefile.am 
new/openconnect-8.10/Makefile.am
--- old/openconnect-8.09/Makefile.am    2020-04-07 15:26:58.000000000 +0200
+++ new/openconnect-8.10/Makefile.am    2020-05-04 14:50:38.000000000 +0200
@@ -140,10 +140,10 @@
 DISTCLEANFILES = $(pkgconfig_DATA)
 
 pkglibexec_SCRIPTS = trojans/csd-post.sh trojans/csd-wrapper.sh 
trojans/tncc-wrapper.py \
-       trojans/hipreport.sh trojans/hipreport-android.sh
+       trojans/hipreport.sh trojans/hipreport-android.sh 
trojans/tncc-emulate.py
 
-bashcompletiondir = $(sysconfdir)/bash_completion.d
-bashcompletion_DATA = bash/openconnect.bash
+bashcompletiondir = $(datadir)/bash-completion/completions
+bashcompletion_DATA = bash/openconnect
 
 # main.c includes version.c
 openconnect-main.$(OBJEXT): version.c
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/Makefile.in 
new/openconnect-8.10/Makefile.in
--- old/openconnect-8.09/Makefile.in    2020-04-29 15:21:11.000000000 +0200
+++ new/openconnect-8.10/Makefile.in    2020-05-14 17:46:28.000000000 +0200
@@ -737,10 +737,10 @@
        2>/dev/null)
 DISTCLEANFILES = $(pkgconfig_DATA)
 pkglibexec_SCRIPTS = trojans/csd-post.sh trojans/csd-wrapper.sh 
trojans/tncc-wrapper.py \
-       trojans/hipreport.sh trojans/hipreport-android.sh
+       trojans/hipreport.sh trojans/hipreport-android.sh 
trojans/tncc-emulate.py
 
-bashcompletiondir = $(sysconfdir)/bash_completion.d
-bashcompletion_DATA = bash/openconnect.bash
+bashcompletiondir = $(datadir)/bash-completion/completions
+bashcompletion_DATA = bash/openconnect
 DISTHOOK = 1
 ACLOCAL_AMFLAGS = -I m4
 all: config.h
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/android/Makefile 
new/openconnect-8.10/android/Makefile
--- old/openconnect-8.09/android/Makefile       2018-02-27 09:24:36.000000000 
+0100
+++ new/openconnect-8.10/android/Makefile       2020-05-14 15:36:24.000000000 
+0200
@@ -10,15 +10,18 @@
 #
 # It should also be fairly simple to extend this to cross-compile for any 
target
 
-NDK     := /opt/android-sdk-linux_x86/android-ndk-r16b
-ARCH    := arm
+# Last tested with 
https://dl.google.com/android/repository/android-ndk-r21b-linux-x86_64.zip
+
+
+NDK     := /opt/android-sdk-linux_x86/android-ndk-r21b
+ARCH    := x86_64
+API_LEVEL := 23
 
 EXTRA_CFLAGS :=
 
 # You should be able to just 'make ARCH=x86' and it should DTRT.
 ifeq ($(ARCH),arm)
 TRIPLET := arm-linux-androideabi
-API_LEVEL := 14
 EXTRA_CFLAGS := -march=armv7-a -mthumb
 endif
 ifeq ($(ARCH),arm64)
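Review bot: The default `ARCH` flips from `arm` to `x86_64` in this hunk, so a plain `make` now produces an x86_64 build instead of an ARM one; if that came from local emulator testing it should be reverted or called out in the header comment. `API_LEVEL` is also hoisted to a single `API_LEVEL := 23`, which raises the floor for arm and x86 from 14 (the per-arch assignments are removed here and in the next hunk). A comment beside it such as `# Minimum Android API level for every ARCH (was 14 for arm/x86, 21 for x86_64)` would record that. The "Last tested with" line names an NDK download URL without a checksum, unlike the `*_SHA` pins further down; noting the expected digest beside it (`# sha256: <NDK_ZIP_SHA256>`) would make the toolchain as verifiable as the libraries.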
@@ -27,11 +30,9 @@
 endif
 ifeq ($(ARCH),x86)
 TRIPLET := i686-linux-android
-API_LEVEL := 14
 endif
 ifeq ($(ARCH),x86_64)
 TRIPLET := x86_64-linux-android
-API_LEVEL := 21
 endif
 
 TOPDIR := $(shell pwd)
@@ -88,9 +89,9 @@
 #
 # Build libxml2 with minimal configuration for OpenConnect
 #
-LIBXML2_VER := 2.9.7
+LIBXML2_VER := 2.9.10
 LIBXML2_TAR := libxml2-$(LIBXML2_VER).tar.gz
-LIBXML2_SHA := f63c5e7d30362ed28b38bfa1ac6313f9a80230720b7fb6c80575eeab3ff5900c
+LIBXML2_SHA := aafee193ffb8fe0c82d4afef6ef91972cbaf5feea100edc2f262750611b4be1f
 LIBXML2_SRC := sources/libxml2-$(LIBXML2_VER)
 LIBXML2_BUILD := $(TRIPLET)/libxml2
 
@@ -136,9 +137,9 @@
 #
 # Build GNU MP
 #
-GMP_VER := 6.1.2
+GMP_VER := 6.2.0
 GMP_TAR := gmp-$(GMP_VER).tar.xz
-GMP_SHA := 87b565e89a9a684fe4ebeeddb8399dce2599f9c9049854ca8c0dfbdea0e21912
+GMP_SHA := 258e6cd51b3fbdfc185c716d55f82c08aff57df0c6fbd143cf6ed561267a1526
 GMP_SRC := sources/gmp-$(GMP_VER)
 GMP_BUILD := $(TRIPLET)/gmp
 
@@ -170,9 +171,9 @@
 #
 # Build nettle
 #
-NETTLE_VER := 3.4
+NETTLE_VER := 3.5.1
 NETTLE_TAR := nettle-$(NETTLE_VER).tar.gz
-NETTLE_SHA := ae7a42df026550b85daca8389b6a60ba6313b0567f374392e54918588a411e94
+NETTLE_SHA := 75cca1998761b02e16f2db56da52992aef622bf55a3b45ec538bc2eedadc9419
 NETTLE_SRC := sources/nettle-$(NETTLE_VER)
 NETTLE_BUILD := $(TRIPLET)/nettle
 
@@ -203,9 +204,9 @@
 #
 # Build GnuTLS
 #
-GNUTLS_VER := 3.5.17
+GNUTLS_VER := 3.6.13
 GNUTLS_TAR := gnutls-$(GNUTLS_VER).tar.xz
-GNUTLS_SHA := 86b142afef587c118d63f72ccf307f3321dbc40357aae528202b65d913d20919
+GNUTLS_SHA := 32041df447d9f4644570cf573c9f60358e865637d69b7e59d1159b7240b52f38
 GNUTLS_SRC := sources/gnutls-$(GNUTLS_VER)
 GNUTLS_BUILD := $(TRIPLET)/gnutls
 
@@ -228,15 +229,14 @@
 $(GNUTLS_BUILD)/Makefile: $(TOOLCHAIN_BUILT) $(GNUTLS_SRC)/configure 
$(NETTLE_DEPS)
        mkdir -p $(GNUTLS_BUILD)
        cd $(GNUTLS_BUILD) && ../../$(GNUTLS_SRC)/configure $(CONFIGURE_ARGS) \
-               AUTOGEN=/bin/true \
-               --disable-threads --disable-tests --without-zlib --disable-nls \
+               AUTOGEN=/bin/false \
+               --disable-threads --disable-tests --disable-nls \
                --disable-doc --disable-openssl-compatibility --disable-cxx \
-               --disable-openssl-compatibility --disable-ocsp \
-               --disable-openpgp-authentication --disable-anon-authentication \
+               --disable-openssl-compatibility --disable-ocsp --disable-tools \
+               --disable-anon-authentication --with-included-libtasn1 \
                --enable-psk-authentication --disable-srp-authentication \
                --disable-dtls-srtp-support  --enable-dhe --enable-ecdhe \
-               --disable-rsa-export --with-included-libtasn1 \
-               --with-included-unistring --without-p11-kit
+               --with-included-unistring --without-p11-kit --disable-guile
 
 $(GNUTLS_BUILD)/lib/libgnutls.la: $(GNUTLS_BUILD)/Makefile
        $(MAKE) -C $(GNUTLS_BUILD)
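Review bot: `--disable-openssl-compatibility` is passed twice, once on the unchanged `--disable-doc` line and again on the rewritten line that gains `--disable-tools`; the duplicate is carried over from the old recipe and can be dropped while these lines are being touched. The hunk also removes `--without-zlib` and switches `AUTOGEN=/bin/true` to `AUTOGEN=/bin/false` with no explanation. A short comment above the recipe would record the intent, e.g. `# AUTOGEN=/bin/false: fail instead of silently skipping if the build tries to run autogen` (my reading of the change, please confirm). Since `--disable-ocsp` stays, it is worth stating in the same comment that this GnuTLS build deliberately has no OCSP support.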
@@ -324,9 +324,9 @@
 #
 # Build liblz4
 #
-LZ4_VER := 1.8.1.2
+LZ4_VER := 1.9.2
 LZ4_TAR := lz4-v$(LZ4_VER).tar.gz
-LZ4_SHA := 12f3a9e776a923275b2dc78ae138b4967ad6280863b77ff733028ce89b8123f9
+LZ4_SHA := 658ba6191fa44c92280d4aa2c271b0f4fbc0e34d249578dd05e50e76d0e5efcc
 LZ4_DIR := $(TRIPLET)/lz4-$(LZ4_VER)
 
 $(LZ4_TAR):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/android/fetch.sh 
new/openconnect-8.10/android/fetch.sh
--- old/openconnect-8.09/android/fetch.sh       2018-02-27 09:24:36.000000000 
+0100
+++ new/openconnect-8.10/android/fetch.sh       2020-05-14 15:36:24.000000000 
+0200
@@ -29,9 +29,9 @@
 nettle_MIRROR_1=http://ftp.gnu.org/gnu/nettle
 nettle_MIRROR_2=http://gd.tuwien.ac.at/gnu/gnusrc/nettle
 
-gnutls_MIRROR_0=https://www.gnupg.org/ftp/gcrypt/gnutls/v3.5
-gnutls_MIRROR_1=http://ftp.heanet.ie/mirrors/ftp.gnupg.org/gcrypt/gnutls/v3.5
-gnutls_MIRROR_2=http://gd.tuwien.ac.at/pub/gnupg/gnutls/v3.5
+gnutls_MIRROR_0=https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6
+gnutls_MIRROR_1=http://ftp.heanet.ie/mirrors/ftp.gnupg.org/gcrypt/gnutls/v3.6
+gnutls_MIRROR_2=http://gd.tuwien.ac.at/pub/gnupg/gnutls/v3.6
 
 stoken_MIRROR_0=http://sourceforge.net/projects/stoken/files
 stoken_SUFFIX_0=/download
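Review bot: Two of the three updated GnuTLS mirrors (`gnutls_MIRROR_1`, `gnutls_MIRROR_2`) are still plain `http://`, so the integrity of the tarball rests entirely on the checksum comparison. The part of fetch.sh that verifies the download is outside this hunk. If it checks the file against the `GNUTLS_SHA` pinned in the Makefile, that is sufficient, but a comment above the mirror list should say so, e.g. `# Mirrors may be plain HTTP; every download is verified against the SHA-256 pinned in the Makefile`. If no such check exists, only the HTTPS mirror should be kept.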
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/auth-globalprotect.c 
new/openconnect-8.10/auth-globalprotect.c
--- old/openconnect-8.09/auth-globalprotect.c   2020-04-22 16:44:12.000000000 
+0200
+++ new/openconnect-8.10/auth-globalprotect.c   2020-05-14 15:36:24.000000000 
+0200
@@ -299,7 +299,8 @@
        { .opt="portal-userauthcookie", .show=1},
        { .opt="portal-prelogonuserauthcookie", .show=1},
        { .unknown=1 },
-       { .unknown=1 },                                 /* have seen value of 
"4" in some logs */
+       { .opt="usually-equals-4", .show=1 },           /* newer servers send 
"4" here, meaning unknown */
+       { .opt="usually-equals-unknown", .show=1 },     /* newer servers send 
"unknown" here */
 };
 static const int gp_login_nargs = 
(sizeof(gp_login_args)/sizeof(*gp_login_args));
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/auth-juniper.c 
new/openconnect-8.10/auth-juniper.c
--- old/openconnect-8.09/auth-juniper.c 2020-04-22 16:44:12.000000000 +0200
+++ new/openconnect-8.10/auth-juniper.c 2020-05-14 15:36:24.000000000 +0200
@@ -132,7 +132,8 @@
                xmlnode_get_prop(node, "name", &opt->name);
                if (opt->name && (!strcmp(opt->name, submit_button) ||
                                  !strcmp(opt->name, "sn-postauth-proceed") ||
-                                 !strcmp(opt->name, "sn-preauth-proceed"))) {
+                                 !strcmp(opt->name, "sn-preauth-proceed") ||
+                                 !strcmp(opt->name, "secidactionEnter"))) {
                        /* Use this as the 'Submit' action for the form, by
                           implicitly adding it as a hidden option. */
                        xmlnode_get_prop(node, "value", &opt->_value);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/bash/openconnect 
new/openconnect-8.10/bash/openconnect
--- old/openconnect-8.09/bash/openconnect       1970-01-01 01:00:00.000000000 
+0100
+++ new/openconnect-8.10/bash/openconnect       2020-05-04 14:50:38.000000000 
+0200
@@ -0,0 +1,116 @@
+#
+# Bash completion for OpenConnect
+#
+# Copyright © David Woodhouse <[email protected]>
+#
+# Author: David Woodhouse <[email protected]>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public License
+# version 2.1, as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+
+
+# Consider a command line like the following:
+#
+# openconnect -c --authenticate\ -k -k "'"'"'.pem --authgroup 'foo
+# bar' --o\s linux-64 myserver
+#
+# There is absolutely no way I want to attempt parsing that in C and
+# attempting to come up with the correct results as bash would do.
+# That is just designing for failure; we'll never get it right.
+#
+# Yet if we use 'complete -C openconnect openconnect' and allow the
+# program to do completions all by itself, that's what bash expects
+# it to do. All that's passed into the program is $COMP_LINE and
+# some other metadata.
+#
+# So instead we use bash to help us. In a completion *function* we
+# are given the ${COMP_WORDS[]} array which has actually been parsed
+# correctly. We still want openconnect itself to be able to do the
+# result generation, so just prepend --autocomplete to the args.
+#
+# For special cases like filenames and hostnames, we want to invoke
+# compgen, again to avoid reinventing the wheel badly. So define
+# special cases HOSTNAME, FILENAME as the autocomplete results,
+# to be handled as special cases. In those cases we also use
+# ${COMP_WORDS[$COMP_CWORD]}) as the string to bew completed,
+# pristine from bash instead of having been passed through the
+# program itself. Thus, we see correct completions along the lines
+# of
+#
+#     $ ls foo\ *
+#     'foo bar.pem'  'foo bar.xml'  'foo baz.crt'
+#     $ openconnect -c ./fo<TAB>
+#
+# ... partially completes to:
+#
+#     $ openconnect -c ./foo\ ba
+#
+# ... and a second <TAB> shows:
+#
+#     foo bar.pem  foo baz.crt
+#
+# Likewise,
+#
+#     $ touch '"'"'".pem
+#     $ openconnect -c '"'<TAB>
+#
+# ...completes to:
+#
+#    $ openconnect -c \"\'.pem
+#
+# This does fall down if I create a filename with a newline in it,
+# but even tab-completion for 'ls' falls over in that case.
+#
+# The main problem with this approach is that we can't easily map
+# $COMP_POINT to the precise character on the line at which TAB was
+# being pressed, which may not be the *end*.
+
+
+_complete_openconnect () {
+    local cur
+    _get_comp_words_by_ref cur
+    # But if we do this, then our COMPREPLY isn't interpreted according to it.
+    #_get_comp_words_by_ref-n =: -w COMP_WORDS -i COMP_CWORD cur
+    COMP_WORDS[0]="--autocomplete"
+    local IFS=$'\n'
+    COMPREPLY=( $(COMP_CWORD=$COMP_CWORD openconnect "${COMP_WORDS[@]}") )
+    local FILTERPAT="${COMPREPLY[1]}"
+    local PREFIX="${COMPREPLY[2]}"
+    local COMP_WORD=${cur#${PREFIX}}
+    case "${COMPREPLY[0]}" in
+       FILENAME)
+           compopt -o filenames
+           COMPREPLY=( $( compgen -A file -ofilenames -o plusdirs -X 
"${FILTERPAT}" -- "${COMP_WORD}") )
+           COMPREPLY=( "${COMPREPLY[@]/#/${PREFIX}}" )
+           ;;
+
+       EXECUTABLE)
+           compopt -o filenames
+           COMPREPLY=( $( compgen -A command -ofilenames -o plusdirs -- 
"${COMP_WORD}") )
+           COMPREPLY=( "${COMPREPLY[@]/#/${PREFIX}}" )
+           ;;
+
+       HOSTNAME)
+           compopt +o filenames
+           COMPREPLY=( $( compgen -A hostname -P "${PREFIX}" -- 
"${COMP_WORD}") )
+           ;;
+
+       USERNAME)
+           compopt +o filenames
+           COMPREPLY=( $( compgen -A user -P "${PREFIX}" -- "${COMP_WORD}") )
+           ;;
+
+       *)
+           compopt +o filenames
+           ;;
+
+    esac
+}
+
+complete -F _complete_openconnect openconnect
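Review bot: `COMPREPLY=( $(COMP_CWORD=$COMP_CWORD openconnect "${COMP_WORDS[@]}") )` splits on newlines but still applies pathname expansion to each resulting line. The second line is later used as the `compgen -X` filter pattern, so a pattern containing `*` can be replaced by matching file names from the current directory before it reaches `FILTERPAT`. Reading the output without globbing avoids that: `mapfile -t COMPREPLY < <(COMP_CWORD=$COMP_CWORD openconnect "${COMP_WORDS[@]}")`. The same applies to the unquoted `$( compgen ... )` substitutions in the FILENAME and EXECUTABLE branches, where a file name containing `*` or `?` would be expanded a second time. Separately, the header comment has a typo (`bew completed`) and the commented-out `_get_comp_words_by_ref-n` line is missing a space.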
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/bash/openconnect.bash 
new/openconnect-8.10/bash/openconnect.bash
--- old/openconnect-8.09/bash/openconnect.bash  2020-04-22 16:44:12.000000000 
+0200
+++ new/openconnect-8.10/bash/openconnect.bash  1970-01-01 01:00:00.000000000 
+0100
@@ -1,116 +0,0 @@
-#
-# Bash completion for OpenConnect
-#
-# Copyright © David Woodhouse <[email protected]>
-#
-# Author: David Woodhouse <[email protected]>
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public License
-# version 2.1, as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# Lesser General Public License for more details.
-
-
-# Consider a command line like the following:
-#
-# openconnect -c --authenticate\ -k -k "'"'"'.pem --authgroup 'foo
-# bar' --o\s linux-64 myserver
-#
-# There is absolutely no way I want to attempt parsing that in C and
-# attempting to come up with the correct results as bash would do.
-# That is just designing for failure; we'll never get it right.
-#
-# Yet if we use 'complete -C openconnect openconnect' and allow the
-# program to do completions all by itself, that's what bash expects
-# it to do. All that's passed into the program is $COMP_LINE and
-# some other metadata.
-#
-# So instead we use bash to help us. In a completion *function* we
-# are given the ${COMP_WORDS[]} array which has actually been parsed
-# correctly. We still want openconnect itself to be able to do the
-# result generation, so just prepend --autocomplete to the args.
-#
-# For special cases like filenames and hostnames, we want to invoke
-# compgen, again to avoid reinventing the wheel badly. So define
-# special cases HOSTNAME, FILENAME as the autocomplete results,
-# to be handled as special cases. In those cases we also use
-# ${COMP_WORDS[$COMP_CWORD]}) as the string to bew completed,
-# pristine from bash instead of having been passed through the
-# program itself. Thus, we see correct completions along the lines
-# of
-#
-#     $ ls foo\ *
-#     'foo bar.pem'  'foo bar.xml'  'foo baz.crt'
-#     $ openconnect -c ./fo<TAB>
-#
-# ... partially completes to:
-#
-#     $ openconnect -c ./foo\ ba
-#
-# ... and a second <TAB> shows:
-#
-#     foo bar.pem  foo baz.crt
-#
-# Likewise,
-#
-#     $ touch '"'"'".pem
-#     $ openconnect -c '"'<TAB>
-#
-# ...completes to:
-#
-#    $ openconnect -c \"\'.pem
-#
-# This does fall down if I create a filename with a newline in it,
-# but even tab-completion for 'ls' falls over in that case.
-#
-# The main problem with this approach is that we can't easily map
-# $COMP_POINT to the precise character on the line at which TAB was
-# being pressed, which may not be the *end*.
-
-
-_complete_openconnect () {
-    local cur
-    _get_comp_words_by_ref cur
-    # But if we do this, then our COMPREPLY isn't interpreted according to it.
-    #_get_comp_words_by_ref-n =: -w COMP_WORDS -i COMP_CWORD cur
-    COMP_WORDS[0]="--autocomplete"
-    local IFS=$'\n'
-    COMPREPLY=( $(COMP_CWORD=$COMP_CWORD 
/home/dwmw/git/openconnect/gtls-ibm/openconnect "${COMP_WORDS[@]}") )
-    local FILTERPAT="${COMPREPLY[1]}"
-    local PREFIX="${COMPREPLY[2]}"
-    local COMP_WORD=${cur#${PREFIX}}
-    case "${COMPREPLY[0]}" in
-       FILENAME)
-           compopt -o filenames
-           COMPREPLY=( $( compgen -A file -ofilenames -o plusdirs -X 
"${FILTERPAT}" -- "${COMP_WORD}") )
-           COMPREPLY=( "${COMPREPLY[@]/#/${PREFIX}}" )
-           ;;
-
-       EXECUTABLE)
-           compopt -o filenames
-           COMPREPLY=( $( compgen -A command -ofilenames -o plusdirs -- 
"${COMP_WORD}") )
-           COMPREPLY=( "${COMPREPLY[@]/#/${PREFIX}}" )
-           ;;
-
-       HOSTNAME)
-           compopt +o filenames
-           COMPREPLY=( $( compgen -A hostname -P "${PREFIX}" -- 
"${COMP_WORD}") )
-           ;;
-
-       USERNAME)
-           compopt +o filenames
-           COMPREPLY=( $( compgen -A user -P "${PREFIX}" -- "${COMP_WORD}") )
-           ;;
-
-       *)
-           compopt +o filenames
-           ;;
-
-    esac
-}
-
-complete -F _complete_openconnect openconnect
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/configure 
new/openconnect-8.10/configure
--- old/openconnect-8.09/configure      2020-04-29 15:21:11.000000000 +0200
+++ new/openconnect-8.10/configure      2020-05-14 17:46:29.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for openconnect 8.09.
+# Generated by GNU Autoconf 2.69 for openconnect 8.10.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@
 # Identity of this package.
 PACKAGE_NAME='openconnect'
 PACKAGE_TARNAME='openconnect'
-PACKAGE_VERSION='8.09'
-PACKAGE_STRING='openconnect 8.09'
+PACKAGE_VERSION='8.10'
+PACKAGE_STRING='openconnect 8.10'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1498,7 +1498,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures openconnect 8.09 to adapt to many kinds of systems.
+\`configure' configures openconnect 8.10 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1568,7 +1568,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of openconnect 8.09:";;
+     short | recursive ) echo "Configuration of openconnect 8.10:";;
    esac
   cat <<\_ACEOF
 
@@ -1767,7 +1767,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-openconnect configure 8.09
+openconnect configure 8.10
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2132,7 +2132,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by openconnect $as_me 8.09, which was
+It was created by openconnect $as_me 8.10, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3218,7 +3218,7 @@
 
 # Define the identity of the package.
  PACKAGE='openconnect'
- VERSION='8.09'
+ VERSION='8.10'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -19165,7 +19165,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by openconnect $as_me 8.09, which was
+This file was extended by openconnect $as_me 8.10, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -19231,7 +19231,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-openconnect config.status 8.09
+openconnect config.status 8.10
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/configure.ac 
new/openconnect-8.10/configure.ac
--- old/openconnect-8.09/configure.ac   2020-04-29 15:21:06.000000000 +0200
+++ new/openconnect-8.10/configure.ac   2020-05-14 17:46:24.000000000 +0200
@@ -1,4 +1,4 @@
-AC_INIT(openconnect, 8.09)
+AC_INIT(openconnect, 8.10)
 AC_CONFIG_HEADERS([config.h])
 
 PKG_PROG_PKG_CONFIG
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/gnutls.c 
new/openconnect-8.10/gnutls.c
--- old/openconnect-8.09/gnutls.c       2020-04-21 22:11:35.000000000 +0200
+++ new/openconnect-8.10/gnutls.c       2020-05-14 17:45:43.000000000 +0200
@@ -546,12 +546,19 @@
 
 static int get_cert_name(gnutls_x509_crt_t cert, char *name, size_t namelen)
 {
+       /* When the name buffer is not big enough, gnutls_x509_crt_get_dn*() 
will
+        * update the length argument to the required size, and return
+        * GNUTLS_E_SHORT_MEMORY_BUFFER. We need to avoid clobbering the 
original
+        * length variable. */
+       size_t nl = namelen;
        if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME,
-                                         0, 0, name, &namelen) &&
-           gnutls_x509_crt_get_dn(cert, name, &namelen)) {
-               name[namelen-1] = 0;
-               snprintf(name, namelen-1, "<unknown>");
-               return -EINVAL;
+                                         0, 0, name, &nl)) {
+               nl = namelen;
+               if (gnutls_x509_crt_get_dn(cert, name, &nl)) {
+                       name[namelen-1] = 0;
+                       snprintf(name, namelen-1, "<unknown>");
+                       return -EINVAL;
+               }
        }
        return 0;
 }
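Review bot: The failure branch still writes `name[namelen-1] = 0;` followed by `snprintf(name, namelen-1, "<unknown>");`, which indexes before the buffer if a caller ever passes `namelen == 0`, and otherwise gives up one usable byte because snprintf already terminates within the size it is given. `snprintf(name, namelen, "<unknown>");` alone is enough. If a zero length is possible, add `if (!namelen) return -EINVAL;` at the top of the function; the callers are not visible in this hunk, so I cannot tell whether it is. The `nl` copy itself looks right, as it is reset to `namelen` before the second gnutls call.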
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/gpst.c new/openconnect-8.10/gpst.c
--- old/openconnect-8.09/gpst.c 2020-04-22 16:44:12.000000000 +0200
+++ new/openconnect-8.10/gpst.c 2020-05-14 15:36:24.000000000 +0200
@@ -984,7 +984,7 @@
                return ret;
        } else {
                /* in child: run HIP script */
-               char *hip_argv[32];
+               const char *hip_argv[32];
                int i = 0;
                close(pipefd[0]);
                /* The duplicated fd does not have O_CLOEXEC */
@@ -994,20 +994,20 @@
                        exit(1);
 
                hip_argv[i++] = openconnect_utf8_to_legacy(vpninfo, 
vpninfo->csd_wrapper);
-               hip_argv[i++] = (char *)"--cookie";
+               hip_argv[i++] = "--cookie";
                hip_argv[i++] = vpninfo->cookie;
                if (vpninfo->ip_info.addr) {
-                       hip_argv[i++] = (char *)"--client-ip";
-                       hip_argv[i++] = (char *)vpninfo->ip_info.addr;
+                       hip_argv[i++] = "--client-ip";
+                       hip_argv[i++] = vpninfo->ip_info.addr;
                }
                if (vpninfo->ip_info.addr6) {
-                       hip_argv[i++] = (char *)"--client-ipv6";
-                       hip_argv[i++] = (char *)vpninfo->ip_info.addr6;
+                       hip_argv[i++] = "--client-ipv6";
+                       hip_argv[i++] = vpninfo->ip_info.addr6;
                }
-               hip_argv[i++] = (char *)"--md5";
+               hip_argv[i++] = "--md5";
                hip_argv[i++] = vpninfo->csd_token;
                hip_argv[i++] = NULL;
-               execv(hip_argv[0], hip_argv);
+               execv(hip_argv[0], (char **)hip_argv);
 
        out:
                vpn_progress(vpninfo, PRG_ERR,
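Review bot: `vpninfo->cookie` and `vpninfo->csd_token` are handed to the HIP script as the `--cookie` and `--md5` arguments, so on systems where process arguments are world-readable they are visible to other local users for as long as the script runs. This is existing behaviour that the hunk only re-types, and changing it would mean changing the wrapper's interface, but a comment above the array would flag it: `/* NOTE: cookie and token are passed in argv and show up in the process list */`. The `(char **)hip_argv` cast in the `execv` call is the usual way to pass a `const char *` array there and is fine. The enclosing function starts before and continues after the hunk.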
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/po/uk.po 
new/openconnect-8.10/po/uk.po
--- old/openconnect-8.09/po/uk.po       2020-04-29 15:16:25.000000000 +0200
+++ new/openconnect-8.10/po/uk.po       2020-04-30 18:46:44.000000000 +0200
@@ -8,8 +8,8 @@
 msgstr ""
 "Project-Id-Version: network-manager-openconnect\n"
 "Report-Msgid-Bugs-To: [email protected]\n"
-"POT-Creation-Date: 2020-04-29 14:13+0100\n"
-"PO-Revision-Date: 2020-04-05 08:51+0300\n"
+"POT-Creation-Date: 2020-04-30 09:17+0100\n"
+"PO-Revision-Date: 2020-04-30 09:08+0300\n"
 "Last-Translator: Yuri Chornoivan <[email protected]>\n"
 "Language-Team: Ukrainian <[email protected]>\n"
 "Language: uk\n"
@@ -181,7 +181,7 @@
 
 #: auth-juniper.c:312
 msgid "Failed to send command to TNCC\n"
-msgstr ""
+msgstr "Не вдалося надіслати команду до TNCC\n"
 
 #: auth-juniper.c:374
 msgid "TNCC support not implemented yet on Windows\n"
@@ -226,7 +226,7 @@
 #: auth-juniper.c:504
 #, c-format
 msgid "Got reauth interval from TNCC: %d seconds\n"
-msgstr ""
+msgstr "Отримано інтервал reauth від TNCC: %d секунд\n"
 
 #: auth-juniper.c:517
 #, c-format
@@ -3232,6 +3232,8 @@
 #, c-format
 msgid "Unhandled autocomplete for option %d '--%s'. Please report.\n"
 msgstr ""
+"Непридатне до обробки автодоповнення для параметра %d «--%s». Будь ласка, "
+"повідомте про ваду розробникам.\n"
 
 #: main.c:1414
 #, c-format
@@ -4690,6 +4692,9 @@
 "Pulse server requested Host Checker; not yet supported\n"
 "Try Juniper mode (--protocol=nc)\n"
 msgstr ""
+"Сервером Pulse надіслано запит щодо засобу перевірки вузла (Host Checker); "
+"це ще не реалізовано\n"
+"Спробуйте режим Juniper (--protocol=nc)\n"
 
 #: pulse.c:1839
 msgid "Unhandled Pulse authentication packet, or authentication failure\n"
@@ -4827,22 +4832,27 @@
 msgid ""
 "WARNING: Split include \"%s\" has host bits set, replacing with \"%s/%d\".\n"
 msgstr ""
+"УВАГА: для включення поділу «%s» встановлено біти вузла, замінюємо їх на «%s/"
+"%d».\n"
 
 #: script.c:165
 #, c-format
 msgid ""
 "WARNING: Split exclude \"%s\" has host bits set, replacing with \"%s/%d\".\n"
 msgstr ""
+"УВАГА: для виключення поділу «%s» встановлено біти вузла, замінюємо їх на "
+"«%s/%d».\n"
 
 #: script.c:272
 #, c-format
 msgid "Ignoring legacy network because address \"%s\" is invalid.\n"
-msgstr ""
+msgstr "Ігноруємо застарілу мережу, оскільки адреса «%s» є некоректною.\n"
 
 #: script.c:277
 #, c-format
 msgid "Ignoring legacy network because netmask \"%s\" is invalid.\n"
 msgstr ""
+"Ігноруємо застарілу мережу, оскільки маска мережі «%s» є некоректною.\n"
 
 #: script.c:553 script.c:601
 #, c-format
@@ -4869,7 +4879,7 @@
 
 #: ssl.c:194
 msgid "Failed setsockopt(TCP_NODELAY) on TLS socket:"
-msgstr ""
+msgstr "Помилка setsockopt(TCP_NODELAY) на сокеті TLS:"
 
 #: ssl.c:248
 #, c-format
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/script.c 
new/openconnect-8.10/script.c
--- old/openconnect-8.09/script.c       2020-04-29 15:16:25.000000000 +0200
+++ new/openconnect-8.10/script.c       2020-04-30 18:46:44.000000000 +0200
@@ -270,7 +270,7 @@
                        if (!inet_aton(vpninfo->ip_info.addr, &addr))
                                vpn_progress(vpninfo, PRG_ERR,
                                             _("Ignoring legacy network because 
address \"%s\" is invalid.\n"),
-                                            vpninfo->ip_info.netmask);
+                                            vpninfo->ip_info.addr);
                        else if (!inet_aton(vpninfo->ip_info.netmask, &mask))
                        bad_netmask:
                                vpn_progress(vpninfo, PRG_ERR,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/tests/autocompletion 
new/openconnect-8.10/tests/autocompletion
--- old/openconnect-8.09/tests/autocompletion   2020-04-22 16:44:12.000000000 
+0200
+++ new/openconnect-8.10/tests/autocompletion   2020-05-04 14:50:38.000000000 
+0200
@@ -25,7 +25,7 @@
 OPENCONNECT="${OPENCONNECT:-${top_builddir}/openconnect}"
 
 if ! [ -x $OPENCONNECT ]; then
-    echo "$OPENCONNECT is not exeuctable. Are you cross-compiling for Windows?"
+    echo "$OPENCONNECT is not executable. Are you cross-compiling for Windows?"
     exit 77
 fi
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/tests/sigterm 
new/openconnect-8.10/tests/sigterm
--- old/openconnect-8.09/tests/sigterm  2018-12-21 13:20:31.000000000 +0100
+++ new/openconnect-8.10/tests/sigterm  2020-05-04 10:59:43.000000000 +0200
@@ -102,7 +102,7 @@
 echo " * wait for ${TUNDEV}"
 
 TIMEOUT=10
-while ! ${CMDNS1} ip addr list dev ${TUNDEV} &>/dev/null; do
+while ! ${CMDNS1} ip link show dev ${TUNDEV} 2>/dev/null | grep -q UP; do
     TIMEOUT=$(($TIMEOUT - 1))
     if [ $TIMEOUT -eq 0 ]; then
        echo "Timed out waiting for ${TUNDEV}"
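Review bot: `grep -q UP` on the new `while` line matches the substring anywhere in the `ip link show` output, so a token such as `LOWER_UP`, or a device name that happens to contain `UP`, would end the wait even if the interface's own `UP` flag is not set. Anchoring the match to the flag list is tighter: `while ! ${CMDNS1} ip link show dev ${TUNDEV} 2>/dev/null | grep -q '[<,]UP[,>]'; do`. The loop body continues past the end of the hunk, so the timeout handling was not reviewed.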
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/trojans/csd-post.sh 
new/openconnect-8.10/trojans/csd-post.sh
--- old/openconnect-8.09/trojans/csd-post.sh    2020-04-06 15:22:49.000000000 
+0200
+++ new/openconnect-8.10/trojans/csd-post.sh    2020-05-14 15:36:24.000000000 
+0200
@@ -151,7 +151,7 @@
 COOKIE_HEADER="Cookie: sdesktop=$TOKEN"
 CONTENT_HEADER="Content-Type: text/xml"
 URL="https://$CSD_HOSTNAME/+CSCOE+/sdesktop/scan.xml?reusebrowser=1";
-curl $PINNEDPUBKEY -H "$CONTENT_HEADER" -H "$COOKIE_HEADER" --data @$RESPONSE 
"$URL" > $RESULT
+curl $PINNEDPUBKEY -H "$CONTENT_HEADER" -H "$COOKIE_HEADER" -H 'Expect: ' 
--data-binary @$RESPONSE "$URL" > $RESULT
 
 cat $RESULT || :
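Review bot: The rewritten `curl` line still expands `$RESPONSE` and `$RESULT` unquoted, so a temporary path containing whitespace or glob characters would split the `--data-binary` argument or the redirection target. Quoting both avoids that: `--data-binary @"$RESPONSE" "$URL" > "$RESULT"`. `$PINNEDPUBKEY` is presumably left unquoted on purpose because it carries several options; its definition is outside the hunk, so it is worth confirming that it can never expand to an empty string on a request that sends the `sdesktop` token cookie. curl also runs without `--fail`, so an HTTP error body would be written to `$RESULT` and printed by the following `cat`; whether that is intended cannot be told from these lines.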
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/version.c 
new/openconnect-8.10/version.c
--- old/openconnect-8.09/version.c      2020-04-29 15:21:19.000000000 +0200
+++ new/openconnect-8.10/version.c      2020-05-14 17:46:35.000000000 +0200
@@ -1 +1 @@
-const char *openconnect_version_str = "v8.09";
+const char *openconnect_version_str = "v8.10";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/version.sh 
new/openconnect-8.10/version.sh
--- old/openconnect-8.09/version.sh     2020-04-29 15:21:06.000000000 +0200
+++ new/openconnect-8.10/version.sh     2020-05-14 17:46:24.000000000 +0200
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-v="v8.09"
+v="v8.10"
 
 if [ -d ${GIT_DIR:-.git} ] && tag=`git describe --tags`; then
        v="$tag"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/www/changelog.xml 
new/openconnect-8.10/www/changelog.xml
--- old/openconnect-8.09/www/changelog.xml      2020-04-29 15:21:06.000000000 
+0200
+++ new/openconnect-8.10/www/changelog.xml      2020-05-14 17:46:24.000000000 
+0200
@@ -18,6 +18,15 @@
        <li><i>No changelog entries yet</i></li>
      </ul><br/>
   </li>
+  <li><b><a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.10.tar.gz";>OpenConnect
 v8.10</a></b>
+     <i>(<a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.10.tar.gz.asc";>PGP 
signature</a>)</i> &#8212; 2020-05-14
+     <ul>
+       <li>Install bash completion script to 
<tt>${datadir}/bash-completion/completions/openconnect</tt>.</li>
+       <li>Improve compatibility of <tt>csd-post.sh</tt> trojan.</li>
+       <li>Update Android build dependencies and bump API level to support 
Android 10.</li>
+       <li>Fix potential buffer overflow with GnuTLS describing local certs 
(CVE-2020-12823).</li>
+     </ul><br/>
+  </li>
   <li><b><a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.09.tar.gz";>OpenConnect
 v8.09</a></b>
      <i>(<a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.09.tar.gz.asc";>PGP 
signature</a>)</i> &#8212; 2020-04-29
      <ul>
@@ -25,6 +34,11 @@
        <li>Give more helpful error in case of Pulse servers asking for 
TNCC.</li>
        <li>Sanitize non-canonical Legacy IP network addresses (<a 
href="https://gitlab.com/openconnect/openconnect/merge_requests/97";>!97</a>)</li>
        <li>Fix OpenSSL validation for trusted but invalid certificates 
(CVE-2020-12105).</li>
+       <li>Convert <tt>tncc-wrapper.py</tt> to Python 3, and include 
modernized <tt>tncc-emulate.py</tt> as well. (<a 
href="https://gitlab.com/openconnect/openconnect/-/issues/91";>!91</a>)</li>
+       <li>Disable <a 
href="https://en.wikipedia.org/wiki/Nagle's_algorithm">Nagle's algorithm</a> 
for TLS sockets, to improve interactivity when tunnel runs over TCP rather than 
UDP. (<a 
href="https://gitlab.com/openconnect/openconnect/-/merge_requests/89";>!89</a></li>
+       <li>GlobalProtect: more resilient handling of periodic HIP check and 
login arguments, and predictable naming of challenge forms
+           (<a 
href="https://gitlab.com/openconnect/openconnect/-/merge_requests/95";>!95</a>, 
<a 
href="https://gitlab.com/openconnect/openconnect/-/merge_requests/93/";>!93</a>, 
<a 
href="https://gitlab.com/openconnect/openconnect/-/merge_requests/90";>!90</a>)</li>
+       <li>Work around PKCS#11 tokens which forget to set 
<tt>CKF_LOGIN_REQUIRED</tt> (<a 
href="https://gitlab.com/openconnect/openconnect/issues/123";>#123</a>).</li>
      </ul><br/>
   </li>
   <li><b><a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.08.tar.gz";>OpenConnect
 v8.08</a></b>
@@ -33,9 +47,6 @@
        <li>Fix check of <tt>pin-sha256:</tt> public key hashes to be case 
sensitive (<a 
href="https://gitlab.com/openconnect/openconnect/issues/116";>#116</a>).</li>
        <li>Don't give non-functioning <tt>stderr</tt> to CSD trojan 
scripts.</li>
        <li>Fix crash with uninitialised OIDC token.</li>
-       <li>GlobalProtect: more resilient handling of periodic HIP check and 
login arguments, and predictable naming of challenge forms</li>
-       <li>Disable <a 
href="https://en.wikipedia.org/wiki/Nagle's_algorithm">Nagle's algorithm</a> 
for TLS sockets, to improve interactivity when tunnel runs over TCP rather than 
UDP.</li>
-       <li>Work around PKCS#11 tokens which forget to set 
<tt>CKF_LOGIN_REQUIRED</tt> (<a 
href="https://gitlab.com/openconnect/openconnect/issues/123";>#123</a>).</li>
      </ul><br/>
   </li>
   <li><b><a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.07.tar.gz";>OpenConnect
 v8.07</a></b>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/www/download.xml 
new/openconnect-8.10/www/download.xml
--- old/openconnect-8.09/www/download.xml       2020-04-29 15:21:06.000000000 
+0200
+++ new/openconnect-8.10/www/download.xml       2020-05-14 17:46:24.000000000 
+0200
@@ -17,14 +17,14 @@
 
 <p>
 <!-- latest-release-start -->
-The latest release is <a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.09.tar.gz";>OpenConnect
 v8.09</a>
-<i>(<a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.09.tar.gz.asc";>PGP 
signature</a>)</i>,
-released on 2020-04-29 with the following changelog:</p>
+The latest release is <a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.10.tar.gz";>OpenConnect
 v8.10</a>
+<i>(<a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.10.tar.gz.asc";>PGP 
signature</a>)</i>,
+released on 2020-05-14 with the following changelog:</p>
      <ul>
-       <li>Add bash completion support.</li>
-       <li>Give more helpful error in case of Pulse servers asking for 
TNCC.</li>
-       <li>Sanitize non-canonical Legacy IP network addresses (<a 
href="https://gitlab.com/openconnect/openconnect/merge_requests/97";>!97</a>)</li>
-       <li>Fix OpenSSL validation for trusted but invalid certificates 
(CVE-2020-12105).</li>
+       <li>Install bash completion script to 
<tt>${datadir}/bash-completion/completions/openconnect</tt>.</li>
+       <li>Improve compatibility of <tt>csd-post.sh</tt> trojan.</li>
+       <li>Update Android build dependencies and bump API level to support 
Android 10.</li>
+       <li>Fix potential buffer overflow with GnuTLS describing local certs 
(CVE-2020-12823).</li>
      </ul>
 <!-- latest-release-end -->
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-8.09/www/tpm.xml 
new/openconnect-8.10/www/tpm.xml
--- old/openconnect-8.09/www/tpm.xml    2018-10-13 16:12:15.000000000 +0200
+++ new/openconnect-8.10/www/tpm.xml    2020-05-07 11:42:52.000000000 +0200
@@ -46,7 +46,7 @@
 based on different TSS libraries.</p>
 
 <p><a 
href="https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/";><tt>openssl_tpm2_engine</tt></a>
 is based on <a href="http://sourceforge.net/projects/ibmtpm20tss/";>IBM's TPM 
2.0 TSS</a>, while
-<a 
href="https://github.com/tpm2-software/tpm2-tss-engine";><tt>tss2-tss-engine</tt></a>
 uses the
+<a 
href="https://github.com/tpm2-software/tpm2-tss-engine";><tt>tpm2-tss-engine</tt></a>
 uses the
 <a href="https://github.com/tpm2-software/tpm2-tss";>Intel/TCG stack</a>. 
OpenConnect can use
 either ENGINE.</p>
 


