Debian Bug report logs - #959428
openconnect: CVE-2020-12105
Reported by: Luca Boccassi <bluca@debian.org>
Date: Sat, 2 May 2020 10:33:02 UTC
Severity: normal
Found in version openconnect/7.07-1
Fixed in version 8.09-1
Done: Luca Boccassi <bluca@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>: Bug#959428; Package openconnect. (Sat, 02 May 2020 10:33:03 GMT)
Acknowledgement sent to Luca Boccassi <bluca@debian.org>: New Bug report received and forwarded. Copy sent to Mike Miller <mtmiller@debian.org>. (Sat, 02 May 2020 10:33:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: openconnect
Version: 6.00-2
Tracking https://security-tracker.debian.org/tracker/CVE-2020-12105
Not sure what's the oldest version affected, asked on
https://security-tracker.debian.org/tracker/CVE-2020-12105
--
Kind regards,
Luca Boccassi
Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>: Bug#959428; Package openconnect. (Sat, 02 May 2020 12:45:04 GMT)
Acknowledgement sent to Luca Boccassi <bluca@debian.org>: Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Sat, 02 May 2020 12:45:04 GMT)
Message #10 received at 959428@bugs.debian.org:
Control: notfound -1 6.00-2
Control: close -1
On Sat, 02 May 2020 11:29:34 +0100 Luca Boccassi <bluca@debian.org> wrote:
> Package: openconnect
> Version: 6.00-2
>
> Tracking https://security-tracker.debian.org/tracker/CVE-2020-12105
> Not sure what's the oldest version affected, asked on
> https://security-tracker.debian.org/tracker/CVE-2020-12105
I checked and upstream confirmed, Debian is not vulnerable in any
version as the defect only affects builds with OpenSSL, but we use
GNUTLS all the way back to old-old-stable.
https://gitlab.com/openconnect/openconnect/-/merge_requests/96
Dear Security Team,
At your earliest convenience, please mark https://security-tracker.debian.org/tracker/CVE-2020-12105 as not-affected for all Debian releases.
Thanks!
--
Kind regards,
Luca Boccassi
No longer marked as found in versions openconnect/6.00-2. Request was from Luca Boccassi <bluca@debian.org> to 959428-submit@bugs.debian.org. (Sat, 02 May 2020 12:45:05 GMT)
Marked Bug as done. Request was from Luca Boccassi <bluca@debian.org> to 959428-submit@bugs.debian.org. (Sat, 02 May 2020 12:45:05 GMT)
Notification sent to Luca Boccassi <bluca@debian.org>: Bug acknowledged by developer. (Sat, 02 May 2020 12:45:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>: Bug#959428; Package openconnect. (Sat, 02 May 2020 12:54:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Sat, 02 May 2020 12:54:03 GMT)
Message #21 received at 959428@bugs.debian.org:
Hi Luca,
On Sat, May 02, 2020 at 01:41:53PM +0100, Luca Boccassi wrote:
> Control: notfound -1 6.00-2
> Control: close -1
>
> On Sat, 02 May 2020 11:29:34 +0100 Luca Boccassi <bluca@debian.org>
> wrote:
> > Package: openconnect
> > Version: 6.00-2
> >
> > Tracking https://security-tracker.debian.org/tracker/CVE-2020-12105
> > Not sure what's the oldest version affected, asked on
> > https://security-tracker.debian.org/tracker/CVE-2020-12105
>
> I checked and upstream confirmed, Debian is not vulnerable in any
> version as the defect only affects builds with OpenSSL, but we use
> GNUTLS all the way back to old-old-stable.
>
> https://gitlab.com/openconnect/openconnect/-/merge_requests/96
>
> Dear Security Team,
>
> At your earliest convenience, please mark
> https://security-tracker.debian.org/tracker/CVE-2020-12105 as not-affected for all Debian releases.
Thanks!
I have marked it now as unimportant (the source is affected, but it does not
affect the binary packages as we use GnuTLS). It will take up to an hour
until the CVE entry is updated on security-tracker.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>: Bug#959428; Package openconnect. (Sat, 02 May 2020 13:09:03 GMT)
Acknowledgement sent to David Woodhouse <dwmw2@infradead.org>: Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Sat, 02 May 2020 13:09:03 GMT)
Message #26 received at submit@bugs.debian.org:
Which means since 7.07 in July 2016.
On 2 May 2020 11:29:34 BST, Luca Boccassi <bluca@debian.org> wrote:
>Package: openconnect
>Version: 6.00-2
>
>Tracking https://security-tracker.debian.org/tracker/CVE-2020-12105
>Not sure what's the oldest version affected, asked on
>https://security-tracker.debian.org/tracker/CVE-2020-12105
>
>--
>Kind regards,
>Luca Boccassi
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>: Bug#959428; Package openconnect. (Sat, 02 May 2020 13:09:04 GMT)
Acknowledgement sent to David Woodhouse <dwmw2@infradead.org>: Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Sat, 02 May 2020 13:09:04 GMT)
Message #31 received at submit@bugs.debian.org:
Since that code (for OpenSSL 1.0.2+) was first added in https://gitlab.com/openconnect/openconnect/-/commit/674881cbb078937d84c9b16219b52d7b56623ba7
On 2 May 2020 11:29:34 BST, Luca Boccassi <bluca@debian.org> wrote:
>Package: openconnect
>Version: 6.00-2
>
>Tracking https://security-tracker.debian.org/tracker/CVE-2020-12105
>Not sure what's the oldest version affected, asked on
>https://security-tracker.debian.org/tracker/CVE-2020-12105
>
>--
>Kind regards,
>Luca Boccassi
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>: Bug#959428; Package openconnect. (Sat, 02 May 2020 13:09:05 GMT)
Acknowledgement sent to David Woodhouse <dwmw2@infradead.org>: Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Sat, 02 May 2020 13:09:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>: Bug#959428; Package openconnect. (Sat, 02 May 2020 13:09:07 GMT)
Acknowledgement sent to David Woodhouse <dwmw2@infradead.org>: Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Sat, 02 May 2020 13:09:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@debian.org>: Bug#959428; Package openconnect. (Sat, 02 May 2020 13:15:04 GMT)
Acknowledgement sent to Luca Boccassi <bluca@debian.org>: Extra info received and forwarded to list. Copy sent to Mike Miller <mtmiller@debian.org>. (Sat, 02 May 2020 13:15:04 GMT)
Message #46 received at 959428@bugs.debian.org:
Control: -1 found 7.07-1
Control: -1 fixed 8.09-1
On Sat, 2020-05-02 at 13:17 +0100, David Woodhouse wrote:
> Which means since 7.07 in July 2016.
>
> On 2 May 2020 11:29:34 BST, Luca Boccassi <bluca@debian.org> wrote:
> > Package: openconnect
> > Version: 6.00-2
> >
> > Tracking https://security-tracker.debian.org/tracker/CVE-2020-12105
> > Not sure what's the oldest version affected, asked on
> > https://security-tracker.debian.org/tracker/CVE-2020-12105
Yep - we never built with libssl so we are ok in Debian/Ubuntu. I'll
record the versions as the sources are vulnerable, just in the off-chance
some downstream uses libssl for whatever reason.
--
Kind regards,
Luca Boccassi
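The thread's conclusion in one place: the defect only matters for builds that use OpenSSL, it dates from 7.07 and is fixed in 8.09. The triage helper below is an added example, not code from the bug log or from the openconnect project; it assumes that `openconnect --version` prints an "OpenConnect version vX.YY" line and a "Using GnuTLS ..." or "Using OpenSSL ..." line, and the sample outputs are constructed.

```python
import re

# Facts taken from the bug log: affected since 7.07, fixed in 8.09, and only
# builds linked against OpenSSL are affected (GnuTLS builds are not).
FIRST_AFFECTED = (7, 7)
FIRST_FIXED = (8, 9)

# Assumed layout of `openconnect --version` output (not shown in the bug log).
VERSION_RE = re.compile(r"OpenConnect version v?(\d+)\.(\d+)")
BACKEND_RE = re.compile(r"^Using (GnuTLS|OpenSSL)", re.MULTILINE)


def parse_version_output(text):
    """Return ((major, minor), backend) parsed from `openconnect --version` output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenConnect version line found")
    version = (int(m.group(1)), int(m.group(2)))
    b = BACKEND_RE.search(text)
    if not b:
        raise ValueError("could not determine the TLS backend")
    return version, b.group(1)


def is_affected(text):
    """True only for an OpenSSL build whose version lies in [7.07, 8.09)."""
    version, backend = parse_version_output(text)
    if backend != "OpenSSL":
        # GnuTLS builds, which is what Debian and Ubuntu ship, are not affected.
        return False
    # Tuple comparison keeps 8.10 above 8.09 (no string compare on "8.10").
    return FIRST_AFFECTED <= version < FIRST_FIXED


# Constructed sample outputs, not captured from real binaries.
SAMPLE_DEBIAN = "OpenConnect version v8.02\nUsing GnuTLS 3.6.7. Features present: DTLS, ESP\n"
SAMPLE_OPENSSL_OLD = "OpenConnect version v7.08\nUsing OpenSSL 1.1.0g. Features present: DTLS\n"
SAMPLE_OPENSSL_FIXED = "OpenConnect version v8.09\nUsing OpenSSL 1.1.1d. Features present: DTLS\n"

if __name__ == "__main__":
    for name, sample in [("debian", SAMPLE_DEBIAN), ("openssl-old", SAMPLE_OPENSSL_OLD),
                         ("openssl-fixed", SAMPLE_OPENSSL_FIXED)]:
        print(f"{name}: affected={is_affected(sample)}")
```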
Marked as found in versions openconnect/7.07-1 and reopened. Request was from Luca Boccassi <bluca@debian.org> to control@bugs.debian.org. (Sat, 02 May 2020 13:27:03 GMT)
Marked as fixed in versions 8.09-1. Request was from Luca Boccassi <bluca@debian.org> to control@bugs.debian.org. (Sat, 02 May 2020 13:27:03 GMT)
Marked Bug as done. Request was from Luca Boccassi <bluca@debian.org> to control@bugs.debian.org. (Sat, 02 May 2020 13:51:04 GMT)
Notification sent to Luca Boccassi <bluca@debian.org>: Bug acknowledged by developer. (Sat, 02 May 2020 13:51:04 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun May 3 10:19:34 2020.
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.