SUSE-SU-2024:0317-1: moderate: Security update for openconnect

SLE-SECURITY-UPDATES null at suse.de
Fri Feb 2 12:30:09 UTC 2024



# Security update for openconnect

Announcement ID: SUSE-SU-2024:0317-1  
Rating: moderate  
References:

  * bsc#1140772
  * bsc#1157446
  * bsc#1170452
  * bsc#1171862
  * bsc#1215669
  * jsc#PED-6742
  * jsc#PED-7015

  
Cross-References:

  * CVE-2018-20319
  * CVE-2020-12105
  * CVE-2020-12823

  
CVSS scores:

  * CVE-2018-20319 ( SUSE ):  2.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
  * CVE-2020-12105 ( SUSE ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  * CVE-2020-12105 ( NVD ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  * CVE-2020-12823 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
  * CVE-2020-12823 ( NVD ):  9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  
Affected Products:

  * Basesystem Module 15-SP5
  * openSUSE Leap 15.4
  * openSUSE Leap 15.5
  * SUSE Linux Enterprise Desktop 15 SP5
  * SUSE Linux Enterprise High Performance Computing 15 SP5
  * SUSE Linux Enterprise Micro 5.5
  * SUSE Linux Enterprise Real Time 15 SP5
  * SUSE Linux Enterprise Server 15 SP5
  * SUSE Linux Enterprise Server for SAP Applications 15 SP5
  * SUSE Linux Enterprise Workstation Extension 15 SP5
  * SUSE Package Hub 15 15-SP5

  
  
An update that solves three vulnerabilities, contains two features and has two
security fixes can now be installed.

## Description:

This update for openconnect fixes the following issues:

  * Update to release 9.12:
    * Explicitly reject overly long tun device names.
    * Increase maximum input size from stdin (#579).
    * Ignore 0.0.0.0 as NBNS address (!446, vpnc-scripts#58).
    * Fix stray (null) in URL path after Pulse authentication (4023bd95).
    * Fix config XML parsing mistake that left GlobalProtect ESP non-working in
      v9.10 (!475).
    * Fix case sensitivity in GPST header matching (!474).

  * Update to release 9.10:
    * Fix external browser authentication with KDE plasma-nm < 5.26.
    * Always redirect stdout to stderr when spawning external browser.
    * Increase default queue length to 32 packets.
    * Fix receiving multiple packets in one TLS frame, and single packets split
      across multiple TLS frames, for Array.
    * Handle idiosyncratic variation in search domain separators for all
      protocols.
    * Support region selection field for Pulse authentication.
    * Support modified configuration packet from Pulse 9.1R16 servers.
    * Allow hidden form fields to be populated or converted to text fields on the
      command line.
    * Support yet another strange way of encoding challenge-based 2FA for
      GlobalProtect.
    * Add --sni option (and corresponding C and Java API functions) to allow
      domain-fronting connections in censored/filtered network environments.
    * Parrot a GlobalProtect server's software version, if present, as the client
      version (!333).
    * Fix NULL pointer dereference that has left Android builds broken since v8.20
      (!389).
    * Fix Fortinet authentication bug where repeated SVPNCOOKIE causes segfaults
      (#514, !418).
    * Support F5 VPNs which encode authentication forms only in JSON, not in HTML.
    * Support simultaneous IPv6 and Legacy IP ("dual-stack") for Fortinet.
    * Support "FTM-push" token mode for Fortinet VPNs.
    * Send IPv6-compatible version string in Pulse IF/T session establishment.
    * Add --no-external-auth option to not advertise external-browser
      authentication.
    * Many small improvements in server response parsing, and better logging
      messages and documentation.

  * Update to release 9.01:
    * Add support for AnyConnect "Session Token Re-use Anchor Protocol" (STRAP).
    * Add support for AnyConnect "external browser" SSO mode.
    * Bugfix RSA SecurID token decryption and PIN entry forms, broken in v8.20.
    * Support Cisco's multiple-certificate authentication.
    * Revert GlobalProtect default route handling change from v8.20.
    * Support split-exclude routes for Fortinet.
    * Add webview callback and SAML/SSO support for AnyConnect, GlobalProtect.

  * Update to release 8.20:
    * Support non-AEAD ciphersuites in DTLSv1.2 with AnyConnect.
    * Emulate a newer version of GlobalProtect official clients, 5.1.5-8 (was
      4.0.2-19).
    * Support Juniper login forms containing both password and 2FA token.
    * Explicitly disable 3DES and RC4, unless enabled with
      --allow-insecure-crypto.
    * Allow protocols to delay tunnel setup and shutdown (!117).
    * Support for GlobalProtect IPv6.
    * SIGUSR1 now causes OpenConnect to log detailed connection information and
      statistics.
    * Allow --servercert to be specified multiple times in order to accept server
      certificates matching more than one possible fingerprint.
    * Demangle default routes sent as split routes by GlobalProtect.
    * Support more Juniper login forms, including some SSO forms.
    * Restore compatibility with newer Cisco servers, by no longer sending them
      the X-AnyConnect-Platform header.
    * Add support for PPP-based protocols, currently over TLS only.
    * Add support for two PPP-based protocols, F5 with --protocol=f5 and Fortinet
      with --protocol=fortinet.
    * Add support for Array Networks SSL VPN.
    * Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases for swtpm and
      hardware TPM.

  * Import the latest version of the vpnc-script (bsc#1140772)
    * This brings a lot of improvements for non-trivial network setups, IPv6 etc.

  * Build with --without-gnutls-version-check

  * Update to version 8.10:
    * Install bash completion script to
      ${datadir}/bash-completion/completions/openconnect.
    * Improve compatibility of csd-post.sh trojan.
    * Fix potential buffer overflow with GnuTLS describing local certs
      (CVE-2020-12823, bsc#1171862, gl#openconnect/openconnect!108).

  * Introduce subpackage for bash-completion

  * Update to 8.09:
    * Add bash completion support.
    * Give more helpful error in case of Pulse servers asking for TNCC.
    * Sanitize non-canonical Legacy IP network addresses.
    * Fix OpenSSL validation for trusted but invalid certificates (CVE-2020-12105,
      bsc#1170452).
    * Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py
      as well. (!91)
    * Disable Nagle's algorithm for TLS sockets, to improve interactivity when
      tunnel runs over TCP rather than UDP.
    * GlobalProtect: more resilient handling of periodic HIP check and login
      arguments, and predictable naming of challenge forms.
    * Work around PKCS#11 tokens which forget to set CKF_LOGIN_REQUIRED.

  * Update to 8.0.8:
    * Fix check of pin-sha256: public key hashes to be case sensitive.
    * Don't give non-functioning stderr to CSD trojan scripts.
    * Fix crash with uninitialised OIDC token.

  * Update to 8.0.7:
    * Don't abort Pulse connection when server-provided certificate MD5 doesn't
      match.
    * Fix off-by-one in check for bad GnuTLS versions, and add build and run time
      checks.
    * Don't abort connection if CSD wrapper script returns non-zero (for now).
    * Make --passtos work for protocols that use ESP, in addition to DTLS.
    * Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py
      as well.

  * Remove tncc-wrapper.py script as it is Python 2 only (bsc#1157446).

  * No need to ship hipreport-android.sh as it is intended for Android systems
    only.

  * Update to 8.0.5:
    * Minor fixes to build on specific platforms.
    * Includes fix for a buffer overflow with chunked HTTP handling
      (CVE-2019-16239, bsc#1151178).

  * Use python3 to generate the web data as now it is supported by upstream

  * Update to 8.0.3:
    * Fix Cisco DTLSv1.2 support for AES256-GCM-SHA384.
    * Fix recognition of OTP password fields.

  * Update to 8.02:
    * Fix GNU/Hurd build.
    * Discover vpnc-script in default packaged location on FreeBSD/OpenBSD.
    * Support split-exclude routes for GlobalProtect.
    * Fix GnuTLS builds without libtasn1.
    * Fix DTLS support with OpenSSL 1.1.1+.
    * Add Cisco-compatible DTLSv1.2 support.
    * Invoke script with reason=attempt-reconnect before doing so.

  * Update to 8.01:
    * Clear form submissions (which may include passwords) before freeing
      (CVE-2018-20319, bsc#1215669).
    * Allow form responses to be provided on command line.
    * Add support for SSL keys stored in TPM2.
    * Fix ESP rekey when replay protection is disabled.
    * Drop support for GnuTLS older than 3.2.10.
    * Fix --passwd-on-stdin for Windows to not forcibly open console.
    * Fix portability of shell scripts in test suite.
    * Add Google Authenticator TOTP support for Juniper.
    * Add RFC7469 key PIN support for cert hashes.
    * Add protocol method to securely log out the Juniper session.
    * Relax requirements for Juniper hostname packet response to support old
      gateways.
    * Add API functions to query the supported protocols.
    * Verify ESP sequence numbers and warn even if replay protection is disabled.
    * Add support for PAN GlobalProtect VPN protocol (--protocol=gp).
    * Reorganize listing of command-line options, and include information on
      supported protocols.
    * SIGTERM cleans up the session similarly to SIGINT.
    * Fix memset_s() arguments.
    * Fix OpenBSD build.

  * Explicitly enable all the features as needed, so that the build stops if
    something is missing.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.4  
    zypper in -t patch SUSE-2024-317=1

  * openSUSE Leap 15.5  
    zypper in -t patch openSUSE-SLE-15.5-2024-317=1

  * Basesystem Module 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-317=1

  * SUSE Package Hub 15 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-317=1

  * SUSE Linux Enterprise Workstation Extension 15 SP5  
    zypper in -t patch SUSE-SLE-Product-WE-15-SP5-2024-317=1
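The following is an added example; it is not part of the SUSE advisory and not code from the openconnect project. It is a POSIX sh script that reports whether the openconnect packages installed on a host are at or above the fixed build (9.12-150400.15.3.1) listed in the package list below, which is the check an administrator wants after applying the patch or when auditing hosts that may have missed it. The per-segment numeric version comparison in `version_lt` is an assumption standing in for rpm's own rpmvercmp; it is adequate for the purely numeric version-release strings in this advisory, and `zypper patch-info SUSE-2024-317` on the host remains the authoritative answer.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory: verify that the openconnect
# packages on a host are at or above the fixed build listed in this update.
# The fixed VERSION-RELEASE is taken from the advisory's package list.

FIXED_OPENCONNECT="9.12-150400.15.3.1"

# version_lt A B: succeed (exit 0) when A is older than B.
# Compares the numeric segments of VERSION-RELEASE strings left to right.
# Assumption: this simplified comparison stands in for rpm's rpmvercmp and
# only holds for purely numeric segments, as used by the builds in this update.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "[^0-9]+"); m = split(b, y, "[^0-9]+")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1   # equal: not older
    }'
}

# patch_status INSTALLED FIXED: print fixed / vulnerable / not-installed and
# return 0 / 1 / 2 respectively. INSTALLED is empty when the package is absent.
patch_status() {
    if [ -z "$1" ]; then
        echo "not-installed"; return 2
    fi
    if version_lt "$1" "$2"; then
        echo "vulnerable"; return 1
    fi
    echo "fixed"; return 0
}

# Query the rpm database for the binaries built from the openconnect source
# package and report each against the fixed build. Returns 1 if any is older.
check_host() {
    rc=0
    for pkg in openconnect libopenconnect5 openconnect-devel; do
        if rpm -q "$pkg" >/dev/null 2>&1; then
            # One line per installed instance (multi-arch installs yield several).
            for inst in $(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg"); do
                status=$(patch_status "$inst" "$FIXED_OPENCONNECT") || rc=1
                printf '%-20s %-22s %s\n' "$pkg" "$inst" "$status"
            done
        else
            printf '%-20s %-22s %s\n' "$pkg" "-" "not-installed"
        fi
    done
    return $rc
}

# Only touch the rpm database when rpm exists; the helper functions above
# are usable without it (e.g. against version strings collected elsewhere).
if command -v rpm >/dev/null 2>&1; then
    check_host || echo "one or more openconnect packages still need this update" >&2
fi
```

Run it as root or any user on the host after `zypper patch`; a `vulnerable` row means the package is still older than the build this advisory ships, and `not-installed` rows for openconnect-devel are expected on most systems. The same `patch_status` function can be fed `rpm -q` output gathered from a fleet inventory, which is why the comparison is kept separate from the rpm query.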

## Package List:

  * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
    * openconnect-debuginfo-9.12-150400.15.3.1
    * stoken-debuginfo-0.81-150400.13.2.1
    * openconnect-9.12-150400.15.3.1
    * stoken-debugsource-0.81-150400.13.2.1
    * openconnect-debugsource-9.12-150400.15.3.1
    * libstoken1-0.81-150400.13.2.1
    * stoken-gui-0.81-150400.13.2.1
    * stoken-devel-0.81-150400.13.2.1
    * stoken-gui-debuginfo-0.81-150400.13.2.1
    * libstoken1-debuginfo-0.81-150400.13.2.1
    * stoken-0.81-150400.13.2.1
    * libopenconnect5-9.12-150400.15.3.1
    * openconnect-devel-9.12-150400.15.3.1
    * libopenconnect5-debuginfo-9.12-150400.15.3.1
  * openSUSE Leap 15.4 (noarch)
    * openconnect-bash-completion-9.12-150400.15.3.1
    * openconnect-lang-9.12-150400.15.3.1
    * openconnect-doc-9.12-150400.15.3.1
  * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
    * oath-toolkit-debugsource-2.6.2-150000.3.5.1
    * openconnect-9.12-150400.15.3.1
    * pam_oath-2.6.2-150000.3.5.1
    * stoken-debugsource-0.81-150400.13.2.1
    * pam_oath-debuginfo-2.6.2-150000.3.5.1
    * libopenconnect5-9.12-150400.15.3.1
    * oath-toolkit-debuginfo-2.6.2-150000.3.5.1
    * liboath0-2.6.2-150000.3.5.1
    * openconnect-debuginfo-9.12-150400.15.3.1
    * libpskc-devel-2.6.2-150000.3.5.1
    * liboath0-debuginfo-2.6.2-150000.3.5.1
    * libstoken1-0.81-150400.13.2.1
    * libstoken1-debuginfo-0.81-150400.13.2.1
    * liboath-devel-2.6.2-150000.3.5.1
    * openconnect-devel-9.12-150400.15.3.1
    * libpskc0-2.6.2-150000.3.5.1
    * openconnect-debugsource-9.12-150400.15.3.1
    * stoken-gui-0.81-150400.13.2.1
    * stoken-debuginfo-0.81-150400.13.2.1
    * stoken-0.81-150400.13.2.1
    * stoken-gui-debuginfo-0.81-150400.13.2.1
    * stoken-devel-0.81-150400.13.2.1
    * oath-toolkit-2.6.2-150000.3.5.1
    * libpskc0-debuginfo-2.6.2-150000.3.5.1
    * libopenconnect5-debuginfo-9.12-150400.15.3.1
  * openSUSE Leap 15.5 (noarch)
    * openconnect-lang-9.12-150400.15.3.1
    * oath-toolkit-xml-2.6.2-150000.3.5.1
    * openconnect-doc-9.12-150400.15.3.1
  * Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
    * oath-toolkit-debugsource-2.6.2-150000.3.5.1
    * liboath0-debuginfo-2.6.2-150000.3.5.1
    * oath-toolkit-debuginfo-2.6.2-150000.3.5.1
    * liboath0-2.6.2-150000.3.5.1
    * liboath-devel-2.6.2-150000.3.5.1
  * Basesystem Module 15-SP5 (noarch)
    * oath-toolkit-xml-2.6.2-150000.3.5.1
  * SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
    * oath-toolkit-debugsource-2.6.2-150000.3.5.1
    * openconnect-debuginfo-9.12-150400.15.3.1
    * stoken-debuginfo-0.81-150400.13.2.1
    * openconnect-9.12-150400.15.3.1
    * libpskc-devel-2.6.2-150000.3.5.1
    * libpskc0-2.6.2-150000.3.5.1
    * libstoken1-0.81-150400.13.2.1
    * openconnect-debugsource-9.12-150400.15.3.1
    * stoken-debugsource-0.81-150400.13.2.1
    * stoken-devel-0.81-150400.13.2.1
    * libpskc0-debuginfo-2.6.2-150000.3.5.1
    * stoken-gui-0.81-150400.13.2.1
    * stoken-gui-debuginfo-0.81-150400.13.2.1
    * oath-toolkit-2.6.2-150000.3.5.1
    * oath-toolkit-debuginfo-2.6.2-150000.3.5.1
    * libstoken1-debuginfo-0.81-150400.13.2.1
    * stoken-0.81-150400.13.2.1
    * libopenconnect5-9.12-150400.15.3.1
    * openconnect-devel-9.12-150400.15.3.1
    * libopenconnect5-debuginfo-9.12-150400.15.3.1
  * SUSE Package Hub 15 15-SP5 (noarch)
    * openconnect-lang-9.12-150400.15.3.1
    * openconnect-doc-9.12-150400.15.3.1
  * SUSE Linux Enterprise Workstation Extension 15 SP5 (x86_64)
    * oath-toolkit-debugsource-2.6.2-150000.3.5.1
    * openconnect-debuginfo-9.12-150400.15.3.1
    * stoken-debuginfo-0.81-150400.13.2.1
    * openconnect-9.12-150400.15.3.1
    * libpskc-devel-2.6.2-150000.3.5.1
    * libpskc0-2.6.2-150000.3.5.1
    * libstoken1-0.81-150400.13.2.1
    * openconnect-debugsource-9.12-150400.15.3.1
    * stoken-debugsource-0.81-150400.13.2.1
    * stoken-devel-0.81-150400.13.2.1
    * libpskc0-debuginfo-2.6.2-150000.3.5.1
    * oath-toolkit-debuginfo-2.6.2-150000.3.5.1
    * libstoken1-debuginfo-0.81-150400.13.2.1
    * libopenconnect5-9.12-150400.15.3.1
    * openconnect-devel-9.12-150400.15.3.1
    * libopenconnect5-debuginfo-9.12-150400.15.3.1
  * SUSE Linux Enterprise Workstation Extension 15 SP5 (noarch)
    * openconnect-lang-9.12-150400.15.3.1

## References:

  * https://www.suse.com/security/cve/CVE-2018-20319.html
  * https://www.suse.com/security/cve/CVE-2020-12105.html
  * https://www.suse.com/security/cve/CVE-2020-12823.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1140772
  * https://bugzilla.suse.com/show_bug.cgi?id=1157446
  * https://bugzilla.suse.com/show_bug.cgi?id=1170452
  * https://bugzilla.suse.com/show_bug.cgi?id=1171862
  * https://bugzilla.suse.com/show_bug.cgi?id=1215669
  * https://jira.suse.com/browse/PED-6742
  * https://jira.suse.com/browse/PED-7015
