Debian Bug report logs - #959428
openconnect: CVE-2020-12105


Reported by: Luca Boccassi <bluca@debian.org>

Date: Sat, 2 May 2020 10:33:02 UTC

Severity: normal

Found in version openconnect/7.07-1

Fixed in version 8.09-1

Done: Luca Boccassi <bluca@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>:
Bug#959428; Package openconnect. (Sat, 02 May 2020 10:33:03 GMT)


Acknowledgement sent to Luca Boccassi <bluca@debian.org>:
New Bug report received and forwarded. Copy sent to Mike Miller <mtmiller@debian.org>. (Sat, 02 May 2020 10:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Luca Boccassi <bluca@debian.org>
To: submit@bugs.debian.org
Subject: openconnect: CVE-2020-12105
Date: Sat, 02 May 2020 11:29:34 +0100
Package: openconnect
Version: 6.00-2

Tracking https://security-tracker.debian.org/tracker/CVE-2020-12105
Not sure what's the oldest version affected, asked on 
https://security-tracker.debian.org/tracker/CVE-2020-12105

-- 
Kind regards,
Luca Boccassi

Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>:
Bug#959428; Package openconnect. (Sat, 02 May 2020 12:45:04 GMT)


Acknowledgement sent to Luca Boccassi <bluca@debian.org>:
Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Sat, 02 May 2020 12:45:04 GMT)


Message #10 received at 959428@bugs.debian.org:

From: Luca Boccassi <bluca@debian.org>
To: 959428@bugs.debian.org
Cc: security@debian.org
Subject: Re: openconnect: CVE-2020-12105
Date: Sat, 02 May 2020 13:41:53 +0100
Control: notfound -1 6.00-2
Control: close -1

On Sat, 02 May 2020 11:29:34 +0100 Luca Boccassi <bluca@debian.org>
wrote:
> Package: openconnect
> Version: 6.00-2
> 
> Tracking https://security-tracker.debian.org/tracker/CVE-2020-12105
> Not sure what's the oldest version affected, asked on 
> https://security-tracker.debian.org/tracker/CVE-2020-12105

I checked and upstream confirmed, Debian is not vulnerable in any
version as the defect only affects builds with OpenSSL, but we use
GNUTLS all the way back to old-old-stable.

https://gitlab.com/openconnect/openconnect/-/merge_requests/96

Dear Security Team,

At your earliest convenience, please mark
https://security-tracker.debian.org/tracker/CVE-2020-12105 as not-affected
for all Debian releases.

Thanks!

-- 
Kind regards,
Luca Boccassi

No longer marked as found in versions openconnect/6.00-2. Request was from Luca Boccassi <bluca@debian.org> to 959428-submit@bugs.debian.org. (Sat, 02 May 2020 12:45:05 GMT)


Marked Bug as done. Request was from Luca Boccassi <bluca@debian.org> to 959428-submit@bugs.debian.org. (Sat, 02 May 2020 12:45:05 GMT)


Notification sent to Luca Boccassi <bluca@debian.org>:
Bug acknowledged by developer. (Sat, 02 May 2020 12:45:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>:
Bug#959428; Package openconnect. (Sat, 02 May 2020 12:54:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Sat, 02 May 2020 12:54:03 GMT)


Message #21 received at 959428@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Luca Boccassi <bluca@debian.org>
Cc: 959428@bugs.debian.org, security@debian.org
Subject: Re: openconnect: CVE-2020-12105
Date: Sat, 2 May 2020 14:51:04 +0200
Hi Luca,

On Sat, May 02, 2020 at 01:41:53PM +0100, Luca Boccassi wrote:
> Control: notfound -1 6.00-2
> Control: close -1
> 
> On Sat, 02 May 2020 11:29:34 +0100 Luca Boccassi <bluca@debian.org>
> wrote:
> > Package: openconnect
> > Version: 6.00-2
> > 
> > Tracking https://security-tracker.debian.org/tracker/CVE-2020-12105
> > Not sure what's the oldest version affected, asked on 
> > https://security-tracker.debian.org/tracker/CVE-2020-12105
> 
> I checked and upstream confirmed, Debian is not vulnerable in any
> version as the defect only affects builds with OpenSSL, but we use
> GNUTLS all the way back to old-old-stable.
> 
> https://gitlab.com/openconnect/openconnect/-/merge_requests/96
> 
> Dear Security Team,
> 
> At your earliest convenience, please mark
> https://security-tracker.debian.org/tracker/CVE-2020-12105 as not-affected
> for all Debian releases.

Thanks!

I have marked it now as unimportant (the source is affected, but it does not
affect the binary packages as we use GnuTLS). It will take up to an hour
until the CVE entry is updated on security-tracker.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>:
Bug#959428; Package openconnect. (Sat, 02 May 2020 13:09:03 GMT)


Acknowledgement sent to David Woodhouse <dwmw2@infradead.org>:
Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Sat, 02 May 2020 13:09:03 GMT)


Message #26 received at submit@bugs.debian.org:

From: David Woodhouse <dwmw2@infradead.org>
To: Luca Boccassi <bluca@debian.org>, 959428@bugs.debian.org, submit@bugs.debian.org
Subject: Re: Bug#959428: openconnect: CVE-2020-12105
Date: Sat, 02 May 2020 13:17:49 +0100
Which means since 7.07 in July 2016.

On 2 May 2020 11:29:34 BST, Luca Boccassi <bluca@debian.org> wrote:
>Package: openconnect
>Version: 6.00-2
>
>Tracking https://security-tracker.debian.org/tracker/CVE-2020-12105
>Not sure what's the oldest version affected, asked on 
>https://security-tracker.debian.org/tracker/CVE-2020-12105
>
>-- 
>Kind regards,
>Luca Boccassi

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>:
Bug#959428; Package openconnect. (Sat, 02 May 2020 13:09:04 GMT)


Acknowledgement sent to David Woodhouse <dwmw2@infradead.org>:
Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Sat, 02 May 2020 13:09:04 GMT)


Message #31 received at submit@bugs.debian.org:

From: David Woodhouse <dwmw2@infradead.org>
To: Luca Boccassi <bluca@debian.org>, 959428@bugs.debian.org, submit@bugs.debian.org
Subject: Re: Bug#959428: openconnect: CVE-2020-12105
Date: Sat, 02 May 2020 13:14:34 +0100
Since that code (for OpenSSL 1.0.2+) was first added in https://gitlab.com/openconnect/openconnect/-/commit/674881cbb078937d84c9b16219b52d7b56623ba7

On 2 May 2020 11:29:34 BST, Luca Boccassi <bluca@debian.org> wrote:
>Package: openconnect
>Version: 6.00-2
>
>Tracking https://security-tracker.debian.org/tracker/CVE-2020-12105
>Not sure what's the oldest version affected, asked on 
>https://security-tracker.debian.org/tracker/CVE-2020-12105
>
>-- 
>Kind regards,
>Luca Boccassi

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>:
Bug#959428; Package openconnect. (Sat, 02 May 2020 13:09:05 GMT)


Acknowledgement sent to David Woodhouse <dwmw2@infradead.org>:
Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Sat, 02 May 2020 13:09:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>:
Bug#959428; Package openconnect. (Sat, 02 May 2020 13:09:07 GMT)


Acknowledgement sent to David Woodhouse <dwmw2@infradead.org>:
Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Sat, 02 May 2020 13:09:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>:
Bug#959428; Package openconnect. (Sat, 02 May 2020 13:15:04 GMT)


Acknowledgement sent to Luca Boccassi <bluca@debian.org>:
Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Sat, 02 May 2020 13:15:04 GMT)


Message #46 received at 959428@bugs.debian.org:

From: Luca Boccassi <bluca@debian.org>
To: David Woodhouse <dwmw2@infradead.org>, 959428@bugs.debian.org
Subject: Re: Bug#959428: openconnect: CVE-2020-12105
Date: Sat, 02 May 2020 14:10:13 +0100
Control: -1 found 7.07-1
Control: -1 fixed 8.09-1

On Sat, 2020-05-02 at 13:17 +0100, David Woodhouse wrote:
> Which means since 7.07 in July 2016.
> 
> On 2 May 2020 11:29:34 BST, Luca Boccassi <bluca@debian.org> wrote:
> > Package: openconnect
> > Version: 6.00-2
> > 
> > Tracking https://security-tracker.debian.org/tracker/CVE-2020-12105
> > Not sure what's the oldest version affected, asked on 
> > https://security-tracker.debian.org/tracker/CVE-2020-12105

Yep - we never built with libssl so we are ok in Debian/Ubuntu. I'll
record the versions as the sources are vulnerable, just in the off-chance
some downstream uses libssl for whatever reason.

-- 
Kind regards,
Luca Boccassi
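The thread settles on two facts a downstream needs to triage this CVE for their own build: the affected source range recorded here (found in 7.07-1, fixed in 8.09-1) and whether the binary was linked against OpenSSL rather than GnuTLS. The following is an added example, not code from this bug log, from Debian or from the openconnect project: it implements the dpkg version-comparison algorithm in Python (epoch, upstream and revision, with `~` sorting before everything and digit runs compared numerically) and classifies a binary's TLS backend from `ldd` output, then combines both into a single verdict. The `ldd` output is constructed for the example, and `triage`, `version_in_affected_range` and `tls_backend_from_ldd` are names chosen here.

```python
# Version boundaries recorded in this bug log (Debian package versions).
FOUND_VERSION = "7.07-1"
FIXED_VERSION = "8.09-1"


def _order(c: str) -> int:
    """dpkg character weight: digits/end-of-string 0, letters their code point,
    '~' before everything else, any other character after letters."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings the way dpkg does:
    alternate non-digit runs (character weights) and digit runs (numeric)."""
    def ch(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while ch(a, i) == "0":  # leading zeros are insignificant
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():  # longer digit run wins
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split 'epoch:upstream-revision' into its parts; epoch and revision are optional."""
    epoch = 0
    if ":" in v:
        epoch_str, v = v.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is <, == or > version b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def version_in_affected_range(v: str) -> bool:
    """True when FOUND_VERSION <= v < FIXED_VERSION."""
    return compare_versions(v, FOUND_VERSION) >= 0 and compare_versions(v, FIXED_VERSION) < 0


def tls_backend_from_ldd(ldd_output: str) -> str:
    """Classify the TLS backend from 'ldd' output: 'gnutls', 'openssl' or 'unknown'."""
    sonames = [line.split()[0] for line in ldd_output.splitlines() if line.strip()]
    if any(s.startswith("libgnutls.so") for s in sonames):
        return "gnutls"
    if any(s.startswith("libssl.so") for s in sonames):
        return "openssl"
    return "unknown"


def triage(version: str, ldd_output: str) -> dict:
    """A build is affected only if its version is in range AND it links OpenSSL."""
    in_range = version_in_affected_range(version)
    backend = tls_backend_from_ldd(ldd_output)
    return {"in_range": in_range, "backend": backend, "affected": in_range and backend == "openssl"}


# Constructed sample ldd output (not captured from a real system): a GnuTLS build
# and an OpenSSL build of the same binary.
SAMPLE_LDD_GNUTLS = """\
\tlinux-vdso.so.1 (0x00007ffd0c1e0000)
\tlibopenconnect.so.5 => /lib/x86_64-linux-gnu/libopenconnect.so.5 (0x00007f1a2c000000)
\tlibgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f1a2bc00000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2b800000)
"""
SAMPLE_LDD_OPENSSL = SAMPLE_LDD_GNUTLS.replace("libgnutls.so.30", "libssl.so.1.1")

if __name__ == "__main__":
    for ver in ("6.00-2", "7.07-1", "8.02-1", "8.09-1"):
        print(ver, triage(ver, SAMPLE_LDD_GNUTLS), triage(ver, SAMPLE_LDD_OPENSSL))
```

On a real host the `ldd` text would come from `ldd "$(command -v openconnect)"` and the version from `dpkg-query -W -f '${Version}' openconnect`; the comparison deliberately mirrors dpkg so that backport-style versions such as `7.07-1~bpo10+1` sort below `7.07-1`, which a naive string or float comparison gets wrong.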

Marked as found in versions openconnect/7.07-1 and reopened. Request was from Luca Boccassi <bluca@debian.org> to control@bugs.debian.org. (Sat, 02 May 2020 13:27:03 GMT)


Marked as fixed in versions 8.09-1. Request was from Luca Boccassi <bluca@debian.org> to control@bugs.debian.org. (Sat, 02 May 2020 13:27:03 GMT)


Marked Bug as done. Request was from Luca Boccassi <bluca@debian.org> to control@bugs.debian.org. (Sat, 02 May 2020 13:51:04 GMT)


Notification sent to Luca Boccassi <bluca@debian.org>:
Bug acknowledged by developer. (Sat, 02 May 2020 13:51:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun May 3 10:19:34 2020; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.