Advisories » MGASA-2020-0251

Updated openconnect packages fix security vulnerability

Publication date: 10 Jun 2020
Modification date: 10 Jun 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-12105 , CVE-2020-12823

Description

Updated openconnect packages fix security vulnerabilities:

OpenConnect through 8.08 mishandles negative return values from
X509_check_ function calls, which might assist attackers in performing
man-in-the-middle attacks (CVE-2020-12105).

OpenConnect 8.09 has a buffer overflow, causing a denial of service
(application crash) or possibly unspecified other impact, via crafted
certificate data to get_cert_name in gnutls.c (CVE-2020-12823).

The openconnect package has been updated to version 8.10, fixing these
issues and other bugs.  See the upstream changelog for details.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=26624
• http://www.infradead.org/openconnect/changelog.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12105
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12823

SRPMS

7/core

• openconnect-8.10-1.mga7