Hello community,

here is the log from the commit of package openconnect.13364 for 
openSUSE:Leap:15.2:Update checked in at 2020-07-21 16:38:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/openconnect.13364 (Old)
 and      /work/SRC/openSUSE:Leap:15.2:Update/.openconnect.13364.new.3592 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openconnect.13364"

Tue Jul 21 16:38:02 2020 rev:1 rq:821653 version:7.08

Changes:
--------
New Changes file:

--- /dev/null   2020-07-16 02:54:20.700682797 +0200
+++ 
/work/SRC/openSUSE:Leap:15.2:Update/.openconnect.13364.new.3592/openconnect.changes
 2020-07-21 16:38:10.619781642 +0200
@@ -0,0 +1,512 @@
+-------------------------------------------------------------------
+Mon Jun 22 01:43:20 UTC 2020 - Jonathan Kang <[email protected]>
+
+- Add openconnect-CVE-2020-12823.patch: gnutls: prevent buffer
+  overflow in get_cert_name(bsc#1171862, CVE-2020-12823,
+  gl#openconnect/openconnect!108).
+
+-------------------------------------------------------------------
+Wed May  6 06:55:06 UTC 2020 - Jonathan Kang <[email protected]>
+
+- Add openconnect-CVE-2020-12105.patch: Use OpenSSL X509_check_host()
+  and X509_check_ip() correctly(bsc#1170452, CVE-2020-12105).
+
+-------------------------------------------------------------------
+Thu Sep 19 00:49:04 UTC 2019 - Jonathan Kang <[email protected]>
+
+- Add openconnect-CVE-2019-16239.patch: Fix buffer overflow with
+  chunked HTTP handling(bsc#1151178, CVE-2019-16239).
+
+-------------------------------------------------------------------
+Tue Apr  3 15:12:37 UTC 2018 - [email protected]
+
+- Add BuildRequires pkgconfig(libpcsclite/libpskc) to enable 
+  liboath (TOTP/HOTP) and yubikey support.
+
+-------------------------------------------------------------------
+Fri Dec  8 15:13:54 UTC 2017 - [email protected]
+
+- Add explicit python2-base and python2-xml BuildRequires: the
+  buildsystem checks for python2 and disables building the
+  documentation if not found. Buildinf the documentation in plus
+  depends on the xml modules.
+  So far we relied on other packages pulling in python2 for us.
+
+-------------------------------------------------------------------
+Mon Sep 25 01:48:32 UTC 2017 - [email protected]
+
+- Drop vpnc dependency by including vpnc-script from vpnc package
+  (fate#323497).
+
+-------------------------------------------------------------------
+Fri Dec 16 15:40:34 UTC 2016 - [email protected]
+
+- update to version 7.08 (bsc#1056389)
+  * Add SHA256 support for server cert hashes.
+  * Enable DHE ciphers for Cisco DTLS.
+  * Increase initial oNCP configuration buffer size.
+  * Improve support for point-to-point routing on Windows.
+  * Check for non-resumed DTLS sessions which may indicate a MiTM attack.
+  * Fix compatibility with Pulse Secure 8.2R5.
+  * Support DTLS automatic negotiation.
+  * Support --key-password for GnuTLS PKCS#11 PIN.
+  * Support automatic DTLS MTU detection with OpenSSL.
+  * Update OpenSSL to allow TLSv1.2, improve compatibility options.
+  * Remove --no-cert-check option. It was being (mis)used.
+  * Fix OpenSSL support for PKCS#11 EC keys without public key.
+  * Fix polling/retry on "tun" socket when buffers full.
+  * Fix AnyConnect server-side MTU setting.
+  * Fix ESP replay detection.
+  * Add certificate torture test suite.
+  * Support PKCS#11 PIN via pin-value= and --key-password for OpenSSL.
+  * Fix integer overflow issues with ESP packet replay detection.
+  * Add --pass-tos option as in OpenVPN.
+  * Support role selection form in Juniper VPN.
+  * Support DER-format certificates, add certificate format torture tests.
+  * For OpenSSL >= 1.0.2, fix certificate validation when only an
+    intermediate CA is specified with the --cafile option.
+  * Support Juniper "Pre Sign-in Message".
+- dropped juniper-fix-for-upstream-sources.patch, upstreamed
+
+-------------------------------------------------------------------
+Tue Oct  4 20:45:52 UTC 2016 - [email protected]
+
+- Upgraded to 7.07, included fix for Juniper vpn
+
+-------------------------------------------------------------------
+Tue Oct 04 15:36:27 UTC 2016 - [email protected]
+
+- Update to version 7.0.7
+  * More fixes for OpenSSL 1.1 build.
+  * Support Juniper "Post Sign-in Message".
+  * Add --protocol option.
+  * Fix ChaCha20-Poly1305 cipher suite to reflect final standard.
+  * Add ability to disable IPv6 support via library API.
+  * Set groups appropriately when using setuid().
+  * Automatic DTLS MTU detection.
+  * Support SSL client certificate authentication with Juniper servers.
+  * Revamp SSL certificate validation for OpenSSL and stop supporting OpenSSL 
older than 0.9.8.
+  * Fix handling of multiple DNS search domains with Network Connect.
+  * Fix handling of large configuration packets for Network Connect.
+  * Enable SNI when built with OpenSSL (1.0.1g or later).
+  * Add --resolve and --local-hostname options to command line.
+
+- juniper-fix-for-upstream-sources.patch included to fix upgraded Juniper 
servers
+  * Submitted to upstream, not yet included in release 
+
+
+-------------------------------------------------------------------
+Tue Mar 17 16:28:11 UTC 2015 - [email protected]
+
+- Update to version 7.0.6
+  * Fix openconnect.pc breakage after liboath removal.
+  * Refactor Juniper Network Connect receive loop.
+  * Fix some memory leaks.
+  * Add Bosnian translation.
+
+-------------------------------------------------------------------
+Wed Mar 11 15:47:53 UTC 2015 - [email protected]
+
+- Update to version 7.0.5
+  * Fix alignment issue which broke LZS compression on ARM etc.
+  * Support HTTP authentication to servers, not just proxies.
+  * Add SHA256/SHA512 support for OATH.
+  * Remove liboath dependency.
+  * Support DTLS v1.2 and AES-GCM with OpenSSL 1.0.2.
+  * Add OpenSSL 1.0.2 to known-broken releases (RT#3703, RT#3711).
+  * Fix build with OpenSSL HEAD (OpenSSL 1.1.x).
+  * Preliminary support for Juniper SSL VPN.
+
+-------------------------------------------------------------------
+Mon Jan 26 13:22:04 UTC 2015 - [email protected]
+
+- Update to Version 7.04
+  * Change default behaviour to enable only stateless compression.
+  * Add --compression argument and openconnect_set_compression_mode().
+  * Add support for LZS compression
+  * Add support for LZ4 compression
+- Add liblz4-devel dependency for LZ4 compression support.
+
+-------------------------------------------------------------------
+Wed Jan 14 11:46:54 UTC 2015 - [email protected]
+
+- Update to Version 7.03
+  * Clean up handling of incoming packets.
+  * Fix issue with two-stage (i.e. NetworkManager) connection to
+    servers with trick DNS (rh#1179681).
+  * Stop using static variables for received packets.
+
+-------------------------------------------------------------------
+Fri Dec 19 14:26:18 UTC 2014 - [email protected]
+
+- Update to Version 7.02
+  * Add PKCS#11 support for OpenSSL.
+  * Fix handling of select options in openconnect_set_option_value().
+
+-------------------------------------------------------------------
+Wed Dec 10 15:16:32 UTC 2014 - [email protected]
+
+- Update to Version 7.01
+  * Try harder to find a PKCS#11 key to match a given certificate.
+  * Handle 'Connection: close' from proxies correctly.
+  * Warn when MTU is set too low (<1280) to permit IPv6 connectivity.
+  * Add support for X-CSTP-DynDNS, to trigger DNS lookup on each reconnec
+
+-------------------------------------------------------------------
+Thu Dec  4 15:46:56 UTC 2014 - [email protected]
+
+- Update to Version 7.00
+  * Add support for GnuTLS 3.4 system: keys including Windows certificate 
store.
+  * Add support for HOTP/TOTP keys from Yubikey NEO devices.
+  * Add ---no-system-trust option to disable default certificate authorities.
+  * Improve libiconv and libintl detection.
+  * Stop calling setenv() from library functions.
+  * Support utun driver on OS X.
+  * Change library API so string ownership is never transferred.
+  * Support new NDIS6 TAP-Windows driver shipped with OpenVPN 2.3.4.
+  * Support using PSKC (RFC6030) token files for HOTP/TOTP tokens.
+  * Support for updating HOTP token storage when token is used.
+  * Support for reading OTP token data from a file.
+  * Add full character set handling for legacy non-UTF8 systems (including 
Windows).
+  * Fix legacy (i.e. not XML POST) submission of non-ASCII form entries (even 
in UTF-8 locales).
+  * Avoid retrying without XML POST, when we failed to even reach the server.
+  * Fix off-by-one in parameter substitution in error messages.
+  * Improve reporting when GSSAPI auth requested but not compiled in.
+  * Fix parsing of split include routes on Windows.
+  * Fix crash on invocation with --token-mode but no --token-secret.
+
+-------------------------------------------------------------------
+Tue Jul 15 14:09:29 UTC 2014 - [email protected]
+
+- Add token support via stoken
+
+-------------------------------------------------------------------
+Wed Jul  9 15:53:30 UTC 2014 - [email protected]
+
+- Update to Version 6.00
+       * Support SOCKS proxy authentication (password, GSSAPI).
+       * Support HTTP proxy authentication (Basic, Digest, NTLM and GSSAPI).
+       * Download XML profile in XML POST mode.
+       * Fix a couple of bugs involving DTLS rekeying.
+       * Fix problems seen when building or connecting without DTLS enabled.
+       * Fix tun error handling on Windows hosts.
+       * Skip password prompts when using PKCS#8 and PKCS#12 certificates with
+         empty passwords.
+       * Fix several minor memory leaks and error paths.
+       * Update several Android dependencies, and make the download process 
more
+         robust.
++++ 315 more lines (skipped)
++++ between /dev/null
++++ and 
/work/SRC/openSUSE:Leap:15.2:Update/.openconnect.13364.new.3592/openconnect.changes

New:
----
  openconnect-7.08.tar.gz
  openconnect-CVE-2019-16239.patch
  openconnect-CVE-2020-12105.patch
  openconnect-CVE-2020-12823.patch
  openconnect.changes
  openconnect.spec
  vpnc-script

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openconnect.spec ++++++
#
# spec file for package openconnect
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           openconnect
Version:        7.08
Release:        0
Summary:        Open client for Cisco AnyConnect VPN
License:        LGPL-2.1-or-later
Group:          Productivity/Networking/Security
Url:            http://www.infradead.org/openconnect.html
Source0:        ftp://ftp.infradead.org/pub/%{name}/%{name}-%{version}.tar.gz
Source1:        vpnc-script
# PATCH-FIX-SLE openconnect-CVE-2019-16239.patch bsc#1151178, CVE-2019-16239 [email protected] -- Fix buffer overflow with chunked HTTP handling.
Patch0:         openconnect-CVE-2019-16239.patch
# PATCH-FIX-UPSTREAM openconnect-CVE-2020-12105.patch bsc#1170452, CVE-2020-12105 [email protected] -- Use OpenSSL X509_check_host() and X509_check_ip() correctly.
Patch1:         openconnect-CVE-2020-12105.patch
# PATCH-FIX-UPSTREAM openconnect-CVE-2020-12823.patch bsc#1171862, CVE-2020-12823, gl#openconnect/openconnect!108 [email protected] -- gnutls: prevent buffer overflow in get_cert_name.
Patch2:         openconnect-CVE-2020-12823.patch
BuildRequires:  libgnutls-devel
%if 0%{?suse_version} >= 1320
BuildRequires:  liblz4-devel
%endif
BuildRequires:  libproxy-devel
BuildRequires:  libtomcrypt-devel
BuildRequires:  pkg-config
BuildRequires:  stoken-devel
BuildRequires:  pkgconfig(libpcsclite)
BuildRequires:  pkgconfig(libpskc)
# == docs ==
BuildRequires:  groff-full
BuildRequires:  python2-base
BuildRequires:  python2-xml
# == docs ==
BuildRequires:  pkgconfig(dbus-1)
BuildRequires:  pkgconfig(gconf-2.0)
BuildRequires:  pkgconfig(gtk+-2.0)
BuildRequires:  pkgconfig(libxml-2.0)
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
This package provides a client for Cisco's "AnyConnect" VPN, which uses
HTTPS and DTLS protocols.  AnyConnect is supported by the ASA5500 Series,
by IOS 12.4(9)T or later on Cisco SR500, 870, 880, 1800, 2800, 3800,
7200 Series and Cisco 7301 Routers, and probably others.

%package devel
Summary:        Development files and headers for %{name}
Group:          Development/Libraries/C and C++
Requires:       %{name} = %{version}
Recommends:     pkg-config

%description devel
This package provides a client for Cisco's "AnyConnect" VPN, which uses
HTTPS and DTLS protocols.  AnyConnect is supported by the ASA5500 Series,
by IOS 12.4(9)T or later on Cisco SR500, 870, 880, 1800, 2800, 3800,
7200 Series and Cisco 7301 Routers, and probably others.

This package provides development files and headers needed to build
packages against openconnect.

%package doc
Summary:        Documentation for %{name}
Group:          Development/Libraries/C and C++
Recommends:     %{name} = %{version}

%description doc
This package provides a client for Cisco's "AnyConnect" VPN, which uses
HTTPS and DTLS protocols.  AnyConnect is supported by the ASA5500 Series,
by IOS 12.4(9)T or later on Cisco SR500, 870, 880, 1800, 2800, 3800,
7200 Series and Cisco 7301 Routers, and probably others.

This package provides documentation and help files for openconnect.

%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%lang_package

%build
%configure --docdir=%{_docdir}/%{name}/ --with-vpnc-script=/etc/openconnect/vpnc-script
make

%install
%make_install
mkdir -p %{buildroot}/%{_sysconfdir}/openconnect
cp %{SOURCE1} %{buildroot}/%{_sysconfdir}/openconnect/
rm %{buildroot}%{_libdir}/libopenconnect.la
%find_lang %{name}

%post   -p /sbin/ldconfig
%postun -p /sbin/ldconfig

%clean
rm -rf %{buildroot}

%files
%defattr(-,root,root)
%{_libdir}/libopenconnect.so.*
%{_mandir}/man8/*
%{_sbindir}/openconnect
%dir %{_sysconfdir}/openconnect
%attr(0755,root,root) %{_sysconfdir}/openconnect/vpnc-script

%files devel
%defattr(-,root,root)
%{_includedir}/openconnect.h
%{_libdir}/libopenconnect.so
%{_libdir}/pkgconfig/openconnect.pc

%files doc
%defattr(-,root,root)
%doc AUTHORS COPYING.LGPL TODO
%dir %{_docdir}/%{name}
%dir %{_docdir}/%{name}/styles
%dir %{_docdir}/%{name}/images
%dir %{_docdir}/%{name}/inc
%doc %{_docdir}/%{name}/*.html
%doc %{_docdir}/%{name}/styles/main.css
%doc %{_docdir}/%{name}/images/*.png
%doc %{_docdir}/%{name}/images/*.svg
%doc %{_docdir}/%{name}/inc/*.tmpl

%files lang -f %{name}.lang
%defattr(-,root,root)

%changelog
++++++ openconnect-CVE-2019-16239.patch ++++++
Index: openconnect-7.08/http.c
===================================================================
--- openconnect-7.08.orig/http.c
+++ openconnect-7.08/http.c
@@ -521,7 +521,8 @@ int process_http_response(struct opencon
        } else if (bodylen == BODY_CHUNKED) {
                /* ... else, chunked */
                while ((i = vpninfo->ssl_gets(vpninfo, buf, sizeof(buf)))) {
-                       int chunklen, lastchunk = 0;
+                       int lastchunk = 0;
+                       long chunklen;
 
                        if (i < 0) {
                                vpn_progress(vpninfo, PRG_ERR,
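Review bot: widening `chunklen` from `int` to `long` only pays off if the statement that fills it (not shown in this hunk) also yields a `long`; if the parse still goes through an `int`-typed call or intermediate, the sign and `INT_MAX` checks that follow operate on an already-truncated value. Please confirm the parse site writes directly into `chunklen` with a `strtol`-style call rather than an `int` conversion.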
@@ -533,6 +534,18 @@ int process_http_response(struct opencon
                                lastchunk = 1;
                                goto skip;
                        }
+                       if (chunklen < 0) {
+                               vpn_progress(vpninfo, PRG_ERR,
+                                            _("HTTP chunk length is negative 
(%ld)\n"), chunklen);
+                               openconnect_close_https(vpninfo, 0);
+                               return -EINVAL;
+                       }
+                       if (chunklen >= INT_MAX) {
+                               vpn_progress(vpninfo, PRG_ERR,
+                                            _("HTTP chunk length is too large 
(%ld)\n"), chunklen);
+                               openconnect_close_https(vpninfo, 0);
+                               return -EINVAL;
+                       }
                        if (buf_ensure_space(body, chunklen + 1))
                                return buf_error(body);
                        while (chunklen) {
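Review bot: the `chunklen >= INT_MAX` test keeps `chunklen + 1` representable for `buf_ensure_space()`, but a header of `INT_MAX - 1` still passes and asks the body buffer to grow by almost 2 GiB on a single chunk; a much lower ceiling tied to the largest response the client actually expects would bound memory use against a misbehaving server. Separately, both new error paths call `openconnect_close_https(vpninfo, 0)` before returning `-EINVAL`, while the existing `buf_error(body)` path right below returns without closing; it would be cleaner for the three failure paths to behave the same way.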
++++++ openconnect-CVE-2020-12105.patch ++++++
From f07242df8ad6a0fb1a5b5a584ca086f1a429ee0b Mon Sep 17 00:00:00 2001
From: Jordy Zomer <[email protected]>
Date: Thu, 23 Apr 2020 13:28:12 +0200
Subject: [PATCH] Use OpenSSL X509_check_host() and X509_check_ip() correctly.

These functions return 1 for a successful match, 0 for a failed match,
-1 for an internal error, or -2 if the certificate is malformed.

OpenConnect has been treating any value other than zero as a success,
meaning that an attacker who could get a trusted CA to issue an invalid
certificate (on which the ASN.1 decoder fails, for example), could use
that to assume *any* identity.

This is CVE-2020-12105.

https://gitlab.com/openconnect/openconnect/-/merge_requests/96

Signed-off-by: Jordy Zomer <[email protected]>
---
 openssl.c         | 4 ++--
 www/changelog.xml | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

Index: openconnect-7.08/openssl.c
===================================================================
--- openconnect-7.08.orig/openssl.c
+++ openconnect-7.08/openssl.c
@@ -1394,7 +1394,7 @@ static int match_cert_hostname(struct op
 {
        char *matched = NULL;
 
-       if (ipaddrlen && X509_check_ip(peer_cert, ipaddr, ipaddrlen, 0)) {
+       if (ipaddrlen && X509_check_ip(peer_cert, ipaddr, ipaddrlen, 0) == 1) {
                if (vpninfo->verbose >= PRG_DEBUG) {
                        char host[80];
                        int family;
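Review bot: with the `== 1` comparison, the `-1` (internal error) and `-2` (malformed certificate) returns of `X509_check_ip()` now fall through to the hostname comparison silently, so a certificate the ASN.1 decoder rejects is indistinguishable in the logs from a plain IP mismatch. Capturing the return value and emitting a `PRG_ERR` message for negative results before falling through would make that failure diagnosable, e.g. `int rc = X509_check_ip(...); if (rc < 0) vpn_progress(vpninfo, PRG_ERR, ...);`.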
@@ -1413,7 +1413,7 @@ static int match_cert_hostname(struct op
                }
                return 0;
        }
-       if (X509_check_host(peer_cert, vpninfo->hostname, 0, 0, &matched)) {
+       if (X509_check_host(peer_cert, vpninfo->hostname, 0, 0, &matched) == 1) 
{
                vpn_progress(vpninfo, PRG_DEBUG,
                             _("Matched peer certificate subject name '%s'\n"),
                             matched);
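Review bot: `matched` is a string OpenSSL allocates when `X509_check_host()` returns 1 and it must be released with `OPENSSL_free()`; that call is outside this hunk, so please confirm it is still reached now that only the `== 1` branch consumes the pointer. As with the IP check above, a negative return is folded into the no-match case here; logging it separately would help an operator tell a decoding failure apart from a name mismatch.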
++++++ openconnect-CVE-2020-12823.patch ++++++
From eef4c1f9d24478aa1d2dd9ac7ec32efb2137f474 Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich <[email protected]>
Date: Fri, 8 May 2020 10:39:41 -0400
Subject: [PATCH] gnutls: prevent buffer overflow in get_cert_name

The test suite for ocserv calls openconnect with a certificate that has
a name that is 84 bytes in length. The buffer passed to get_cert_name is
currently 80 bytes.

The gnutls_x509_crt_get_dn_by_oid function will update the buffer size
parameter if the buffer is too small.

http://man7.org/linux/man-pages/man3/gnutls_x509_crt_get_dn_by_oid.3.html

RETURNS
       GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long
       enough, and in that case the  buf_size will be updated with the
       required size. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there are no
       data in the current index. On success 0 is returned.

Use a temporary variable to avoid clobbering the namelen variable that is
passed to get_cert_name.

Bug: https://bugs.gentoo.org/721570
Signed-off-by: Sergei Trofimovich <[email protected]>
Signed-off-by: Mike Gilbert <[email protected]>
---
 gnutls.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/gnutls.c b/gnutls.c
index 36bc82e0..53bf2a43 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -546,12 +546,19 @@ static int count_x509_certificates(gnutls_datum_t *datum)
 
 static int get_cert_name(gnutls_x509_crt_t cert, char *name, size_t namelen)
 {
+       /* When the name buffer is not big enough, gnutls_x509_crt_get_dn*() 
will
+        * update the length argument to the required size, and return
+        * GNUTLS_E_SHORT_MEMORY_BUFFER. We need to avoid clobbering the 
original
+        * length variable. */
+       size_t nl = namelen;
        if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME,
-                                         0, 0, name, &namelen) &&
-           gnutls_x509_crt_get_dn(cert, name, &namelen)) {
-               name[namelen-1] = 0;
-               snprintf(name, namelen-1, "<unknown>");
-               return -EINVAL;
+                                         0, 0, name, &nl)) {
+               nl = namelen;
+               if (gnutls_x509_crt_get_dn(cert, name, &nl)) {
+                       name[namelen-1] = 0;
+                       snprintf(name, namelen-1, "<unknown>");
+                       return -EINVAL;
+               }
        }
        return 0;
 }
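Review bot: resetting `nl = namelen` before the second call is the essential part of the fix, since the first call may have replaced `nl` with the size it needed rather than the size of the buffer. Both calls are still treated as failed on any non-zero return, though, so a CN longer than the caller's buffer (the 84-byte case from the commit message) now ends up as `<unknown>` instead of overflowing, with no indication that length was the cause; a `PRG_DEBUG` message when either call returns `GNUTLS_E_SHORT_MEMORY_BUFFER` would make that visible to the user.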
-- 
2.26.2
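To make the chunk-length checks in the CVE-2019-16239 patch above concrete, here is an added stand-alone C example that is not OpenConnect's own code: `parse_chunk_len()` is a hypothetical helper that parses an HTTP/1.1 chunk-size line with `strtol()` into a `long` and applies the same negative and `INT_MAX` rejections as the patch, plus a check that only a chunk extension or the line terminator follows the digits; `truncated_chunk_len()` shows what storing the parsed value in an `int`, as the pre-fix code did, does to an oversized size.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Hypothetical helper mirroring the CVE-2019-16239 fix: parse the size field
 * of an HTTP/1.1 chunk header line ("1a\r\n" or "1a;name=value\r\n") into a
 * long and reject values that the old int-typed code would have mishandled.
 * Returns 0 and stores the size in *out, or -EINVAL on a bad or unsafe value. */
int parse_chunk_len(const char *line, long *out)
{
    char *end;
    long chunklen;

    errno = 0;
    chunklen = strtol(line, &end, 16);
    if (end == line)             /* no hex digits at all */
        return -EINVAL;
    if (errno == ERANGE)         /* too wide even for long; strtol clamped it */
        return -EINVAL;
    if (chunklen < 0)            /* strtol accepts "-5"; a negative chunk is bogus */
        return -EINVAL;
    if (chunklen >= INT_MAX)     /* chunklen + 1 must still fit in an int */
        return -EINVAL;
    /* Only a chunk extension, whitespace or the line terminator may follow. */
    switch (*end) {
    case '\0': case ';': case ' ': case '\t': case '\r': case '\n':
        break;
    default:
        return -EINVAL;
    }
    *out = chunklen;
    return 0;
}

/* Convenience wrapper: the accepted size, or -1 (never a valid size) on error. */
long checked_chunk_len(const char *line)
{
    long n;

    return parse_chunk_len(line, &n) == 0 ? n : -1;
}

/* What the pre-fix code effectively did: keep the parsed size in an int.
 * On LP64 platforms the constructed line "100000000" (2^32) becomes 0 after
 * the narrowing, so any buffer sizing based on it is unrelated to the real
 * length announced by the server. */
int truncated_chunk_len(const char *line)
{
    return (int)strtol(line, NULL, 16);
}
```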

++++++ vpnc-script ++++++
++++ 760 lines (skipped)

