
registry team mailing list archive

[Bug 611449] [NEW] openconnect < 2.25 does not verify SSL server certificates


*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: openconnect

Versions of OpenConnect before 2.25 do not verify that the server SSL
certificate matches the server hostname, which enables an attacker to
perform an MITM attack on the connection.  This can be fixed by
upgrading to OpenConnect 2.25.

From the upstream changelog:

OpenConnect v2.25 — 2010-05-15
• Always validate server certificate, even when no extra --cafile is 
  provided.
• Add --no-cert-check option to avoid certificate validation.
• Check server hostname against its certificate.
• Provide text-mode function for reviewing and accepting "invalid" 
  certificates.
• Fix libproxy detection on NetBSD.
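
As an added illustration (not OpenConnect's own code), this is the kind of hostname-against-certificate check the 2.25 changelog entry above refers to, written in Python over the certificate dict format that `ssl.SSLSocket.getpeercert()` returns so it can be exercised offline; the sample certificate is constructed.

```python
import ipaddress
# Added example, not OpenConnect code; cert dicts follow ssl getpeercert() format.

def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match; '*' only as the whole left-most label."""
    plabels = pattern.lower().rstrip(".").split(".")
    hlabels = hostname.lower().rstrip(".").split(".")
    if len(plabels) != len(hlabels):
        return False
    if plabels[0] == "*":
        # "*.vpn.example.com" covers exactly one label; "*.com" covers nothing
        return len(plabels) >= 3 and plabels[1:] == hlabels[1:]
    return plabels == hlabels

def _ip_match(value: str, ip) -> bool:
    """Compare an iPAddress SAN entry with a parsed address, tolerating junk."""
    try:
        return ipaddress.ip_address(value) == ip
    except ValueError:
        return False

def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """RFC 6125 / RFC 2818 check of a server hostname against its certificate.

    If subjectAltName dNSName entries exist, only they count and the CN is
    ignored; the CN is a fallback for certificates with no dNSName SAN.
    A literal IP address is matched against iPAddress SAN entries only.
    """
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP Address" and _ip_match(v, ip) for k, v in san)
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:
        return any(_dns_name_match(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):          # CN fallback, first CN wins
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, hostname)
    return False

# Constructed sample certificate, shaped like getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.vpn.example.com"),
                       ("IP Address", "192.0.2.10")),
}
```

With the standard library, `ssl.create_default_context()` performs the equivalent check automatically because `check_hostname` defaults to True; turning it off is the counterpart of the --no-cert-check option listed above.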

** Affects: openconnect (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: openconnect (Debian)
     Importance: Unknown
         Status: Unknown

** Visibility changed to: Public

** Bug watch added: Debian Bug tracker #590873
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590873

** Also affects: openconnect (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590873
   Importance: Unknown
       Status: Unknown

-- 
openconnect < 2.25 does not verify SSL server certificates
https://bugs.launchpad.net/bugs/611449
You received this bug notification because you are a member of Registry
Administrators, which is the registrant for Debian.
