<div class="container">
<h1>Security update for openconnect</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2024:0317-1</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1140772">bsc#1140772</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1157446">bsc#1157446</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1170452">bsc#1170452</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1171862">bsc#1171862</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1215669">bsc#1215669</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-6742">jsc#PED-6742</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-7015">jsc#PED-7015</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2018-20319.html">CVE-2018-20319</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2020-12105.html">CVE-2020-12105</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2020-12823.html">CVE-2020-12823</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2018-20319</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">2.3</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2020-12105</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.9</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2020-12105</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.9</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2020-12823</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2020-12823</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Basesystem Module 15-SP5</li>
<li class="list-group-item">openSUSE Leap 15.4</li>
<li class="list-group-item">openSUSE Leap 15.5</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Micro 5.5</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Workstation Extension 15 SP5</li>
<li class="list-group-item">SUSE Package Hub 15 15-SP5</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves three vulnerabilities, contains two features and has two security fixes can now be installed.</p>
<h2>Description:</h2>
<p>This update for openconnect fixes the following issues:</p>
<ul>
<li>
<p>Update to release 9.12:</p>
</li>
<li>
<p>Explicitly reject overly long tun device names.</p>
</li>
<li>Increase maximum input size from stdin (#579).</li>
<li>Ignore 0.0.0.0 as NBNS address (!446, vpnc-scripts#58).</li>
<li>Fix stray (null) in URL path after Pulse authentication (4023bd95).</li>
<li>Fix config XML parsing mistake that left GlobalProtect ESP non-working in v9.10 (!475).</li>
<li>
<p>Fix case sensitivity in GPST header matching (!474).</p>
</li>
<li>
<p>Update to release 9.10:</p>
</li>
<li>
<p>Fix external browser authentication with KDE plasma-nm < 5.26.</p>
</li>
<li>Always redirect stdout to stderr when spawning external browser.</li>
<li>Increase default queue length to 32 packets.</li>
<li>Fix receiving multiple packets in one TLS frame, and single packets split across multiple TLS frames, for Array.</li>
<li>Handle idiosyncratic variation in search domain separators for all protocols</li>
<li>Support region selection field for Pulse authentication </li>
<li>Support modified configuration packet from Pulse 9.1R16 servers </li>
<li>Allow hidden form fields to be populated or converted to text fields on the command line</li>
<li>Support yet another strange way of encoding challenge-based 2FA for GlobalProtect</li>
<li>Add --sni option (and corresponding C and Java API functions) to allow domain-fronting connections in censored/filtered network environments</li>
<li>Parrot a GlobalProtect server's software version, if present, as the client version (!333)</li>
<li>Fix NULL pointer dereference that has left Android builds broken since v8.20 (!389).</li>
<li>Fix Fortinet authentication bug where repeated SVPNCOOKIE causes segfaults (#514, !418).</li>
<li>Support F5 VPNs which encode authentication forms only in JSON, not in HTML.</li>
<li>Support simultaneous IPv6 and Legacy IP ("dual-stack") for Fortinet .</li>
<li>Support "FTM-push" token mode for Fortinet VPNs .</li>
<li>Send IPv6-compatible version string in Pulse IF/T session establishment</li>
<li>Add --no-external-auth option to not advertise external-browser authentication</li>
<li>
<p>Many small improvements in server response parsing, and better logging messages and documentation.</p>
</li>
<li>
<p>Update to release 9.01:</p>
</li>
<li>
<p>Add support for AnyConnect "Session Token Re-use Anchor Protocol" (STRAP) </p>
</li>
<li>Add support for AnyConnect "external browser" SSO mode</li>
<li>Bugfix RSA SecurID token decryption and PIN entry forms, broken in v8.20</li>
<li>Support Cisco's multiple-certificate authentication</li>
<li>Revert GlobalProtect default route handling change from v8.20</li>
<li>Suppo split-exclude routes for Fortinet</li>
<li>
<p>Add webview callback and SAML/SSO support for AnyConnect, GlobalProtect</p>
</li>
<li>
<p>Update to release 8.20:</p>
</li>
<li>
<p>Support non-AEAD ciphersuites in DTLSv1.2 with AnyConnect.</p>
</li>
<li>Emulated a newer version of GlobalProtect official clients,
5.1.5-8; was 4.0.2-19</li>
<li>Support Juniper login forms containing both password and 2FA
token</li>
<li>Explicitly disable 3DES and RC4, unless enabled with
--allow-insecure-crypto</li>
<li>Allow protocols to delay tunnel setup and shutdown (!117)</li>
<li>Support for GlobalProtect IPv6</li>
<li>SIGUSR1now causes OpenConnect to log detailed connection
information and statistics</li>
<li>Allow --servercert to be specified multiple times in order to
accept server certificates matching more than one possible
fingerprint</li>
<li>Demangle default routes sent as split routes by GlobalProtect</li>
<li>Support more Juniper login forms, including some SSO forms</li>
<li>Restore compatibility with newer Cisco servers, by no longer
sending them the X-AnyConnect-Platform header</li>
<li>Add support for PPP-based protocols, currently over TLS only.</li>
<li>Add support for two PPP-based protocols, F5 with
--protocol=f5 and Fortinet with --protocol=fortinet.</li>
<li>Add support for Array Networks SSL VPN.</li>
<li>
<p>Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases
for swtpm and hardware TPM.</p>
</li>
<li>
<p>Import the latest version of the vpnc-script (bsc#1140772)</p>
</li>
<li>
<p>This brings a lot of improvements for non-trivial network setups, IPv6 etc</p>
</li>
<li>
<p>Build with --without-gnutls-version-check</p>
</li>
<li>
<p>Update to version 8.10:</p>
</li>
<li>
<p>Install bash completion script to
${datadir}/bash-completion/completions/openconnect.</p>
</li>
<li>Improve compatibility of csd-post.sh trojan.</li>
<li>
<p>Fix potential buffer overflow with GnuTLS describing local
certs (CVE-2020-12823, bsc#1171862,
gl#openconnect/openconnect!108).</p>
</li>
<li>
<p>Introduce subpackage for bash-completion</p>
</li>
<li>
<p>Update to 8.09:</p>
</li>
<li>
<p>Add bash completion support.</p>
</li>
<li>Give more helpful error in case of Pulse servers asking for
TNCC.</li>
<li>Sanitize non-canonical Legacy IP network addresses.</li>
<li>Fix OpenSSL validation for trusted but invalid certificates
(CVE-2020-12105 bsc#1170452).</li>
<li>Convert tncc-wrapper.py to Python 3, and include modernized
tncc-emulate.py as well. (!91)</li>
<li>Disable Nagle's algorithm for TLS sockets, to improve
interactivity when tunnel runs over TCP rather than UDP.</li>
<li>GlobalProtect: more resilient handling of periodic HIP check
and login arguments, and predictable naming of challenge forms.</li>
<li>
<p>Work around PKCS#11 tokens which forget to set
CKF_LOGIN_REQUIRED.</p>
</li>
<li>
<p>Update to 8.0.8:</p>
</li>
<li>
<p>Fix check of pin-sha256: public key hashes to be case sensitive</p>
</li>
<li>Don't give non-functioning stderr to CSD trojan scripts.</li>
<li>
<p>Fix crash with uninitialised OIDC token.</p>
</li>
<li>
<p>Update to 8.0.7:</p>
</li>
<li>
<p>Don't abort Pulse connection when server-provided certificate
MD5 doesn't match.</p>
</li>
<li>Fix off-by-one in check for bad GnuTLS versions, and add build
and run time checks.</li>
<li>Don't abort connection if CSD wrapper script returns non-zero
(for now).</li>
<li>Make --passtos work for protocols that use ESP, in addition
to DTLS.</li>
<li>
<p>Convert tncc-wrapper.py to Python 3, and include modernized
tncc-emulate.py as well.</p>
</li>
<li>
<p>Remove tncc-wrapper.py script as it is python2 only bsc#1157446</p>
</li>
<li>
<p>No need to ship hipreport-android.sh as it is intented for
android systems only</p>
</li>
<li>
<p>Update to 8.0.5:</p>
</li>
<li>
<p>Minor fixes to build on specific platforms</p>
</li>
<li>
<p>Includes fix for a buffer overflow with chunked HTTP handling
(CVE-2019-16239, bsc#1151178) </p>
</li>
<li>
<p>Use python3 to generate the web data as now it is supported
by upstream</p>
</li>
<li>
<p>Update to 8.0.3:</p>
</li>
<li>
<p>Fix Cisco DTLSv1.2 support for AES256-GCM-SHA384.</p>
</li>
<li>
<p>Fix recognition of OTP password fields.</p>
</li>
<li>
<p>Update to 8.02:</p>
</li>
<li>
<p>Fix GNU/Hurd build.</p>
</li>
<li>Discover vpnc-script in default packaged location on FreeBSD/OpenBSD.</li>
<li>Support split-exclude routes for GlobalProtect.</li>
<li>Fix GnuTLS builds without libtasn1.</li>
<li>Fix DTLS support with OpenSSL 1.1.1+.</li>
<li>Add Cisco-compatible DTLSv1.2 support.</li>
<li>
<p>Invoke script with reason=attempt-reconnect before doing so.</p>
</li>
<li>
<p>Update to 8.01:</p>
</li>
<li>
<p>Clear form submissions (which may include passwords) before
freeing (CVE-2018-20319, bsc#1215669).</p>
</li>
<li>Allow form responses to be provided on command line.</li>
<li>Add support for SSL keys stored in TPM2.</li>
<li>Fix ESP rekey when replay protection is disabled.</li>
<li>Drop support for GnuTLS older than 3.2.10.</li>
<li>Fix --passwd-on-stdin for Windows to not forcibly open console.</li>
<li>Fix portability of shell scripts in test suite.</li>
<li>Add Google Authenticator TOTP support for Juniper.</li>
<li>Add RFC7469 key PIN support for cert hashes.</li>
<li>Add protocol method to securely log out the Juniper session.</li>
<li>Relax requirements for Juniper hostname packet response to support old gateways.</li>
<li>Add API functions to query the supported protocols.</li>
<li>Verify ESP sequence numbers and warn even if replay protection is disabled.</li>
<li>Add support for PAN GlobalProtect VPN protocol (--protocol=gp).</li>
<li>Reorganize listing of command-line options, and include information on supported protocols.</li>
<li>SIGTERM cleans up the session similarly to SIGINT.</li>
<li>Fix memset_s() arguments.</li>
<li>
<p>Fix OpenBSD build.</p>
</li>
<li>
<p>Explicitely enable all the features as needed to stop build if
something is missing</p>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.4
<br/>
<code>zypper in -t patch SUSE-2024-317=1</code>
</li>
<li class="list-group-item">
openSUSE Leap 15.5
<br/>
<code>zypper in -t patch openSUSE-SLE-15.5-2024-317=1</code>
</li>
<li class="list-group-item">
Basesystem Module 15-SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-317=1</code>
</li>
<li class="list-group-item">
SUSE Package Hub 15 15-SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-317=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Workstation Extension 15 SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Product-WE-15-SP5-2024-317=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
<ul>
<li>openconnect-debuginfo-9.12-150400.15.3.1</li>
<li>stoken-debuginfo-0.81-150400.13.2.1</li>
<li>openconnect-9.12-150400.15.3.1</li>
<li>stoken-debugsource-0.81-150400.13.2.1</li>
<li>openconnect-debugsource-9.12-150400.15.3.1</li>
<li>libstoken1-0.81-150400.13.2.1</li>
<li>stoken-gui-0.81-150400.13.2.1</li>
<li>stoken-devel-0.81-150400.13.2.1</li>
<li>stoken-gui-debuginfo-0.81-150400.13.2.1</li>
<li>libstoken1-debuginfo-0.81-150400.13.2.1</li>
<li>stoken-0.81-150400.13.2.1</li>
<li>libopenconnect5-9.12-150400.15.3.1</li>
<li>openconnect-devel-9.12-150400.15.3.1</li>
<li>libopenconnect5-debuginfo-9.12-150400.15.3.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.4 (noarch)
<ul>
<li>openconnect-bash-completion-9.12-150400.15.3.1</li>
<li>openconnect-lang-9.12-150400.15.3.1</li>
<li>openconnect-doc-9.12-150400.15.3.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>oath-toolkit-debugsource-2.6.2-150000.3.5.1</li>
<li>openconnect-9.12-150400.15.3.1</li>
<li>pam_oath-2.6.2-150000.3.5.1</li>
<li>stoken-debugsource-0.81-150400.13.2.1</li>
<li>pam_oath-debuginfo-2.6.2-150000.3.5.1</li>
<li>libopenconnect5-9.12-150400.15.3.1</li>
<li>oath-toolkit-debuginfo-2.6.2-150000.3.5.1</li>
<li>liboath0-2.6.2-150000.3.5.1</li>
<li>openconnect-debuginfo-9.12-150400.15.3.1</li>
<li>libpskc-devel-2.6.2-150000.3.5.1</li>
<li>liboath0-debuginfo-2.6.2-150000.3.5.1</li>
<li>libstoken1-0.81-150400.13.2.1</li>
<li>libstoken1-debuginfo-0.81-150400.13.2.1</li>
<li>liboath-devel-2.6.2-150000.3.5.1</li>
<li>openconnect-devel-9.12-150400.15.3.1</li>
<li>libpskc0-2.6.2-150000.3.5.1</li>
<li>openconnect-debugsource-9.12-150400.15.3.1</li>
<li>stoken-gui-0.81-150400.13.2.1</li>
<li>stoken-debuginfo-0.81-150400.13.2.1</li>
<li>stoken-0.81-150400.13.2.1</li>
<li>stoken-gui-debuginfo-0.81-150400.13.2.1</li>
<li>stoken-devel-0.81-150400.13.2.1</li>
<li>oath-toolkit-2.6.2-150000.3.5.1</li>
<li>libpskc0-debuginfo-2.6.2-150000.3.5.1</li>
<li>libopenconnect5-debuginfo-9.12-150400.15.3.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.5 (noarch)
<ul>
<li>openconnect-lang-9.12-150400.15.3.1</li>
<li>oath-toolkit-xml-2.6.2-150000.3.5.1</li>
<li>openconnect-doc-9.12-150400.15.3.1</li>
</ul>
</li>
<li>
Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>oath-toolkit-debugsource-2.6.2-150000.3.5.1</li>
<li>liboath0-debuginfo-2.6.2-150000.3.5.1</li>
<li>oath-toolkit-debuginfo-2.6.2-150000.3.5.1</li>
<li>liboath0-2.6.2-150000.3.5.1</li>
<li>liboath-devel-2.6.2-150000.3.5.1</li>
</ul>
</li>
<li>
Basesystem Module 15-SP5 (noarch)
<ul>
<li>oath-toolkit-xml-2.6.2-150000.3.5.1</li>
</ul>
</li>
<li>
SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>oath-toolkit-debugsource-2.6.2-150000.3.5.1</li>
<li>openconnect-debuginfo-9.12-150400.15.3.1</li>
<li>stoken-debuginfo-0.81-150400.13.2.1</li>
<li>openconnect-9.12-150400.15.3.1</li>
<li>libpskc-devel-2.6.2-150000.3.5.1</li>
<li>libpskc0-2.6.2-150000.3.5.1</li>
<li>libstoken1-0.81-150400.13.2.1</li>
<li>openconnect-debugsource-9.12-150400.15.3.1</li>
<li>stoken-debugsource-0.81-150400.13.2.1</li>
<li>stoken-devel-0.81-150400.13.2.1</li>
<li>libpskc0-debuginfo-2.6.2-150000.3.5.1</li>
<li>stoken-gui-0.81-150400.13.2.1</li>
<li>stoken-gui-debuginfo-0.81-150400.13.2.1</li>
<li>oath-toolkit-2.6.2-150000.3.5.1</li>
<li>oath-toolkit-debuginfo-2.6.2-150000.3.5.1</li>
<li>libstoken1-debuginfo-0.81-150400.13.2.1</li>
<li>stoken-0.81-150400.13.2.1</li>
<li>libopenconnect5-9.12-150400.15.3.1</li>
<li>openconnect-devel-9.12-150400.15.3.1</li>
<li>libopenconnect5-debuginfo-9.12-150400.15.3.1</li>
</ul>
</li>
<li>
SUSE Package Hub 15 15-SP5 (noarch)
<ul>
<li>openconnect-lang-9.12-150400.15.3.1</li>
<li>openconnect-doc-9.12-150400.15.3.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Workstation Extension 15 SP5 (x86_64)
<ul>
<li>oath-toolkit-debugsource-2.6.2-150000.3.5.1</li>
<li>openconnect-debuginfo-9.12-150400.15.3.1</li>
<li>stoken-debuginfo-0.81-150400.13.2.1</li>
<li>openconnect-9.12-150400.15.3.1</li>
<li>libpskc-devel-2.6.2-150000.3.5.1</li>
<li>libpskc0-2.6.2-150000.3.5.1</li>
<li>libstoken1-0.81-150400.13.2.1</li>
<li>openconnect-debugsource-9.12-150400.15.3.1</li>
<li>stoken-debugsource-0.81-150400.13.2.1</li>
<li>stoken-devel-0.81-150400.13.2.1</li>
<li>libpskc0-debuginfo-2.6.2-150000.3.5.1</li>
<li>oath-toolkit-debuginfo-2.6.2-150000.3.5.1</li>
<li>libstoken1-debuginfo-0.81-150400.13.2.1</li>
<li>libopenconnect5-9.12-150400.15.3.1</li>
<li>openconnect-devel-9.12-150400.15.3.1</li>
<li>libopenconnect5-debuginfo-9.12-150400.15.3.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Workstation Extension 15 SP5 (noarch)
<ul>
<li>openconnect-lang-9.12-150400.15.3.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2018-20319.html">https://www.suse.com/security/cve/CVE-2018-20319.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2020-12105.html">https://www.suse.com/security/cve/CVE-2020-12105.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2020-12823.html">https://www.suse.com/security/cve/CVE-2020-12823.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1140772">https://bugzilla.suse.com/show_bug.cgi?id=1140772</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1157446">https://bugzilla.suse.com/show_bug.cgi?id=1157446</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1170452">https://bugzilla.suse.com/show_bug.cgi?id=1170452</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1171862">https://bugzilla.suse.com/show_bug.cgi?id=1171862</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1215669">https://bugzilla.suse.com/show_bug.cgi?id=1215669</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PED-6742">https://jira.suse.com/browse/PED-6742</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PED-7015">https://jira.suse.com/browse/PED-7015</a>
</li>
</ul>
</div>