*** This bug is a security vulnerability *** Public security bug reported:
The Juniper protocol lacks a .vpn_close_session function; without logout, the VPN cookie remains active and can be used to restart the session from an unrelated computer. This is a security hazard, especially when passing around OpenConnect logs on the mailing list for development and troubleshooting. Patch is straightforward: http://lists.infradead.org/pipermail /openconnect-devel/2017-January/004161.html (Ubuntu 16.04.1 LTS, openconnect v7.06) ** Affects: openconnect (Ubuntu) Importance: Undecided Status: New ** Patch added: "juniper_logout.patch" https://bugs.launchpad.net/bugs/1655279/+attachment/4802292/+files/juniper_logout.patch ** Information type changed from Private Security to Public Security ** Description changed: - The Juniper protocol lacks a .vpn_close_session function; without logout, the - VPN cookie remains active and can be used to restart the session from an unrelated computer. + The Juniper protocol lacks a .vpn_close_session function; without + logout, the VPN cookie remains active and can be used to restart the + session from an unrelated computer. - This is a security hazard, especially when passing around OpenConnect logs on the - mailing list for development and troubleshooting. + This is a security hazard, especially when passing around OpenConnect + logs on the mailing list for development and troubleshooting. Patch is straightforward: http://lists.infradead.org/pipermail /openconnect-devel/2017-January/004161.html (Ubuntu 16.04.1 LTS, openconnect v7.06) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1655279 Title: OpenConnect does not properly logout from Juniper VPNs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openconnect/+bug/1655279/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
