SUSE-SU-2024:0317-1

Source
https://www.suse.com/support/update/announcement/2024/suse-su-20240317-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:0317-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2024:0317-1
Published
2024-02-02T09:35:06Z
Modified
2025-05-08T17:28:48.942529Z
Upstream
  • CVE-2018-20319
Summary
Security update for openconnect
Details

This update for openconnect fixes the following issues:

  • Update to release 9.12:

    • Explicitly reject overly long tun device names.
    • Increase maximum input size from stdin (#579).
    • Ignore 0.0.0.0 as NBNS address (!446, vpnc-scripts#58).
    • Fix stray (null) in URL path after Pulse authentication (4023bd95).
    • Fix config XML parsing mistake that left GlobalProtect ESP non-working in v9.10 (!475).
    • Fix case sensitivity in GPST header matching (!474).
  • Update to release 9.10:

    • Fix external browser authentication with KDE plasma-nm < 5.26.
    • Always redirect stdout to stderr when spawning external browser.
    • Increase default queue length to 32 packets.
    • Fix receiving multiple packets in one TLS frame, and single packets split across multiple TLS frames, for Array.
    • Handle idiosyncratic variation in search domain separators for all protocols
    • Support region selection field for Pulse authentication
    • Support modified configuration packet from Pulse 9.1R16 servers
    • Allow hidden form fields to be populated or converted to text fields on the command line
    • Support yet another strange way of encoding challenge-based 2FA for GlobalProtect
    • Add --sni option (and corresponding C and Java API functions) to allow domain-fronting connections in censored/filtered network environments
    • Parrot a GlobalProtect server's software version, if present, as the client version (!333)
    • Fix NULL pointer dereference that has left Android builds broken since v8.20 (!389).
    • Fix Fortinet authentication bug where repeated SVPNCOOKIE causes segfaults (#514, !418).
    • Support F5 VPNs which encode authentication forms only in JSON, not in HTML.
    • Support simultaneous IPv6 and Legacy IP ('dual-stack') for Fortinet.
    • Support 'FTM-push' token mode for Fortinet VPNs.
    • Send IPv6-compatible version string in Pulse IF/T session establishment
    • Add --no-external-auth option to not advertise external-browser authentication
    • Many small improvements in server response parsing, and better logging messages and documentation.
  • Update to release 9.01:

    • Add support for AnyConnect 'Session Token Re-use Anchor Protocol' (STRAP)
    • Add support for AnyConnect 'external browser' SSO mode
    • Bugfix RSA SecurID token decryption and PIN entry forms, broken in v8.20
    • Support Cisco's multiple-certificate authentication
    • Revert GlobalProtect default route handling change from v8.20
    • Support split-exclude routes for Fortinet
    • Add webview callback and SAML/SSO support for AnyConnect, GlobalProtect
  • Update to release 8.20:

    • Support non-AEAD ciphersuites in DTLSv1.2 with AnyConnect.
    • Emulate a newer version of GlobalProtect official clients, 5.1.5-8; was 4.0.2-19
    • Support Juniper login forms containing both password and 2FA token
    • Explicitly disable 3DES and RC4, unless enabled with --allow-insecure-crypto
    • Allow protocols to delay tunnel setup and shutdown (!117)
    • Support for GlobalProtect IPv6
    • SIGUSR1 now causes OpenConnect to log detailed connection information and statistics
    • Allow --servercert to be specified multiple times in order to accept server certificates matching more than one possible fingerprint
    • Demangle default routes sent as split routes by GlobalProtect
    • Support more Juniper login forms, including some SSO forms
    • Restore compatibility with newer Cisco servers, by no longer sending them the X-AnyConnect-Platform header
    • Add support for PPP-based protocols, currently over TLS only.
    • Add support for two PPP-based protocols, F5 with --protocol=f5 and Fortinet with --protocol=fortinet.
    • Add support for Array Networks SSL VPN.
    • Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases for swtpm and hardware TPM.
  • Import the latest version of the vpnc-script (bsc#1140772)

    • This brings a lot of improvements for non-trivial network setups, IPv6 etc
  • Build with --without-gnutls-version-check

  • Update to version 8.10:

    • Install bash completion script to ${datadir}/bash-completion/completions/openconnect.
    • Improve compatibility of csd-post.sh trojan.
    • Fix potential buffer overflow with GnuTLS describing local certs (CVE-2020-12823, bsc#1171862, gl#openconnect/openconnect!108).
  • Introduce subpackage for bash-completion

  • Update to 8.09:

    • Add bash completion support.
    • Give more helpful error in case of Pulse servers asking for TNCC.
    • Sanitize non-canonical Legacy IP network addresses.
    • Fix OpenSSL validation for trusted but invalid certificates (CVE-2020-12105 bsc#1170452).
    • Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py as well. (!91)
    • Disable Nagle's algorithm for TLS sockets, to improve interactivity when tunnel runs over TCP rather than UDP.
    • GlobalProtect: more resilient handling of periodic HIP check and login arguments, and predictable naming of challenge forms.
    • Work around PKCS#11 tokens which forget to set CKF_LOGIN_REQUIRED.
  • Update to 8.0.8:

    • Fix check of pin-sha256: public key hashes to be case sensitive
    • Don't give non-functioning stderr to CSD trojan scripts.
    • Fix crash with uninitialised OIDC token.
  • Update to 8.0.7:

    • Don't abort Pulse connection when server-provided certificate MD5 doesn't match.
    • Fix off-by-one in check for bad GnuTLS versions, and add build and run time checks.
    • Don't abort connection if CSD wrapper script returns non-zero (for now).
    • Make --passtos work for protocols that use ESP, in addition to DTLS.
    • Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py as well.
  • Remove tncc-wrapper.py script as it is python2 only bsc#1157446

  • No need to ship hipreport-android.sh as it is intended for Android systems only

  • Update to 8.0.5:

    • Minor fixes to build on specific platforms
    • Includes fix for a buffer overflow with chunked HTTP handling (CVE-2019-16239, bsc#1151178)
  • Use python3 to generate the web data as now it is supported by upstream

  • Update to 8.0.3:

    • Fix Cisco DTLSv1.2 support for AES256-GCM-SHA384.
    • Fix recognition of OTP password fields.
  • Update to 8.02:

    • Fix GNU/Hurd build.
    • Discover vpnc-script in default packaged location on FreeBSD/OpenBSD.
    • Support split-exclude routes for GlobalProtect.
    • Fix GnuTLS builds without libtasn1.
    • Fix DTLS support with OpenSSL 1.1.1+.
    • Add Cisco-compatible DTLSv1.2 support.
    • Invoke script with reason=attempt-reconnect before doing so.
  • Update to 8.01:

    • Clear form submissions (which may include passwords) before freeing (CVE-2018-20319, bsc#1215669).
    • Allow form responses to be provided on command line.
    • Add support for SSL keys stored in TPM2.
    • Fix ESP rekey when replay protection is disabled.
    • Drop support for GnuTLS older than 3.2.10.
    • Fix --passwd-on-stdin for Windows to not forcibly open console.
    • Fix portability of shell scripts in test suite.
    • Add Google Authenticator TOTP support for Juniper.
    • Add RFC7469 key PIN support for cert hashes.
    • Add protocol method to securely log out the Juniper session.
    • Relax requirements for Juniper hostname packet response to support old gateways.
    • Add API functions to query the supported protocols.
    • Verify ESP sequence numbers and warn even if replay protection is disabled.
    • Add support for PAN GlobalProtect VPN protocol (--protocol=gp).
    • Reorganize listing of command-line options, and include information on supported protocols.
    • SIGTERM cleans up the session similarly to SIGINT.
    • Fix memset_s() arguments.
    • Fix OpenBSD build.
  • Explicitly enable all the features as needed to stop the build if something is missing

Affected packages

SUSE:Linux Enterprise Module for Basesystem 15 SP5 / oath-toolkit

Package

Name
oath-toolkit
Purl
pkg:rpm/suse/oath-toolkit&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.6.2-150000.3.5.1

Ecosystem specific

{
    "binaries": [
        {
            "liboath0": "2.6.2-150000.3.5.1",
            "oath-toolkit-xml": "2.6.2-150000.3.5.1",
            "liboath-devel": "2.6.2-150000.3.5.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Package Hub 15 SP5 / oath-toolkit

Package

Name
oath-toolkit
Purl
pkg:rpm/suse/oath-toolkit&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.6.2-150000.3.5.1

Ecosystem specific

{
    "binaries": [
        {
            "libstoken1": "0.81-150400.13.2.1",
            "stoken": "0.81-150400.13.2.1",
            "libpskc0": "2.6.2-150000.3.5.1",
            "oath-toolkit": "2.6.2-150000.3.5.1",
            "stoken-devel": "0.81-150400.13.2.1",
            "libopenconnect5": "9.12-150400.15.3.1",
            "libpskc-devel": "2.6.2-150000.3.5.1",
            "openconnect-devel": "9.12-150400.15.3.1",
            "stoken-gui": "0.81-150400.13.2.1",
            "openconnect-doc": "9.12-150400.15.3.1",
            "openconnect": "9.12-150400.15.3.1",
            "openconnect-lang": "9.12-150400.15.3.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Package Hub 15 SP5 / openconnect

Package

Name
openconnect
Purl
pkg:rpm/suse/openconnect&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.12-150400.15.3.1

Ecosystem specific

{
    "binaries": [
        {
            "libstoken1": "0.81-150400.13.2.1",
            "stoken": "0.81-150400.13.2.1",
            "libpskc0": "2.6.2-150000.3.5.1",
            "oath-toolkit": "2.6.2-150000.3.5.1",
            "stoken-devel": "0.81-150400.13.2.1",
            "libopenconnect5": "9.12-150400.15.3.1",
            "libpskc-devel": "2.6.2-150000.3.5.1",
            "openconnect-devel": "9.12-150400.15.3.1",
            "stoken-gui": "0.81-150400.13.2.1",
            "openconnect-doc": "9.12-150400.15.3.1",
            "openconnect": "9.12-150400.15.3.1",
            "openconnect-lang": "9.12-150400.15.3.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Package Hub 15 SP5 / stoken

Package

Name
stoken
Purl
pkg:rpm/suse/stoken&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.81-150400.13.2.1

Ecosystem specific

{
    "binaries": [
        {
            "libstoken1": "0.81-150400.13.2.1",
            "stoken": "0.81-150400.13.2.1",
            "libpskc0": "2.6.2-150000.3.5.1",
            "oath-toolkit": "2.6.2-150000.3.5.1",
            "stoken-devel": "0.81-150400.13.2.1",
            "libopenconnect5": "9.12-150400.15.3.1",
            "libpskc-devel": "2.6.2-150000.3.5.1",
            "openconnect-devel": "9.12-150400.15.3.1",
            "stoken-gui": "0.81-150400.13.2.1",
            "openconnect-doc": "9.12-150400.15.3.1",
            "openconnect": "9.12-150400.15.3.1",
            "openconnect-lang": "9.12-150400.15.3.1"
        }
    ]
}

SUSE:Linux Enterprise Workstation Extension 15 SP5 / oath-toolkit

Package

Name
oath-toolkit
Purl
pkg:rpm/suse/oath-toolkit&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.6.2-150000.3.5.1

Ecosystem specific

{
    "binaries": [
        {
            "libstoken1": "0.81-150400.13.2.1",
            "libpskc0": "2.6.2-150000.3.5.1",
            "stoken-devel": "0.81-150400.13.2.1",
            "libopenconnect5": "9.12-150400.15.3.1",
            "openconnect-devel": "9.12-150400.15.3.1",
            "libpskc-devel": "2.6.2-150000.3.5.1",
            "openconnect": "9.12-150400.15.3.1",
            "openconnect-lang": "9.12-150400.15.3.1"
        }
    ]
}

SUSE:Linux Enterprise Workstation Extension 15 SP5 / openconnect

Package

Name
openconnect
Purl
pkg:rpm/suse/openconnect&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.12-150400.15.3.1

Ecosystem specific

{
    "binaries": [
        {
            "libstoken1": "0.81-150400.13.2.1",
            "libpskc0": "2.6.2-150000.3.5.1",
            "stoken-devel": "0.81-150400.13.2.1",
            "libopenconnect5": "9.12-150400.15.3.1",
            "openconnect-devel": "9.12-150400.15.3.1",
            "libpskc-devel": "2.6.2-150000.3.5.1",
            "openconnect": "9.12-150400.15.3.1",
            "openconnect-lang": "9.12-150400.15.3.1"
        }
    ]
}

SUSE:Linux Enterprise Workstation Extension 15 SP5 / stoken

Package

Name
stoken
Purl
pkg:rpm/suse/stoken&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.81-150400.13.2.1

Ecosystem specific

{
    "binaries": [
        {
            "libstoken1": "0.81-150400.13.2.1",
            "libpskc0": "2.6.2-150000.3.5.1",
            "stoken-devel": "0.81-150400.13.2.1",
            "libopenconnect5": "9.12-150400.15.3.1",
            "openconnect-devel": "9.12-150400.15.3.1",
            "libpskc-devel": "2.6.2-150000.3.5.1",
            "openconnect": "9.12-150400.15.3.1",
            "openconnect-lang": "9.12-150400.15.3.1"
        }
    ]
}

openSUSE:Leap 15.5 / oath-toolkit

Package

Name
oath-toolkit
Purl
pkg:rpm/opensuse/oath-toolkit&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.6.2-150000.3.5.1

Ecosystem specific

{
    "binaries": [
        {
            "openconnect-lang": "9.12-150400.15.3.1",
            "stoken": "0.81-150400.13.2.1",
            "oath-toolkit": "2.6.2-150000.3.5.1",
            "stoken-devel": "0.81-150400.13.2.1",
            "openconnect-devel": "9.12-150400.15.3.1",
            "libpskc-devel": "2.6.2-150000.3.5.1",
            "liboath0": "2.6.2-150000.3.5.1",
            "openconnect": "9.12-150400.15.3.1",
            "liboath-devel": "2.6.2-150000.3.5.1",
            "pam_oath": "2.6.2-150000.3.5.1",
            "libopenconnect5": "9.12-150400.15.3.1",
            "stoken-gui": "0.81-150400.13.2.1",
            "openconnect-doc": "9.12-150400.15.3.1",
            "oath-toolkit-xml": "2.6.2-150000.3.5.1",
            "libpskc0": "2.6.2-150000.3.5.1",
            "libstoken1": "0.81-150400.13.2.1"
        }
    ]
}

openSUSE:Leap 15.5 / openconnect

Package

Name
openconnect
Purl
pkg:rpm/opensuse/openconnect&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.12-150400.15.3.1

Ecosystem specific

{
    "binaries": [
        {
            "openconnect-lang": "9.12-150400.15.3.1",
            "stoken": "0.81-150400.13.2.1",
            "oath-toolkit": "2.6.2-150000.3.5.1",
            "stoken-devel": "0.81-150400.13.2.1",
            "openconnect-devel": "9.12-150400.15.3.1",
            "libpskc-devel": "2.6.2-150000.3.5.1",
            "liboath0": "2.6.2-150000.3.5.1",
            "openconnect": "9.12-150400.15.3.1",
            "liboath-devel": "2.6.2-150000.3.5.1",
            "pam_oath": "2.6.2-150000.3.5.1",
            "libopenconnect5": "9.12-150400.15.3.1",
            "stoken-gui": "0.81-150400.13.2.1",
            "openconnect-doc": "9.12-150400.15.3.1",
            "oath-toolkit-xml": "2.6.2-150000.3.5.1",
            "libpskc0": "2.6.2-150000.3.5.1",
            "libstoken1": "0.81-150400.13.2.1"
        }
    ]
}

openSUSE:Leap 15.5 / stoken

Package

Name
stoken
Purl
pkg:rpm/opensuse/stoken&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.81-150400.13.2.1

Ecosystem specific

{
    "binaries": [
        {
            "openconnect-lang": "9.12-150400.15.3.1",
            "stoken": "0.81-150400.13.2.1",
            "oath-toolkit": "2.6.2-150000.3.5.1",
            "stoken-devel": "0.81-150400.13.2.1",
            "openconnect-devel": "9.12-150400.15.3.1",
            "libpskc-devel": "2.6.2-150000.3.5.1",
            "liboath0": "2.6.2-150000.3.5.1",
            "openconnect": "9.12-150400.15.3.1",
            "liboath-devel": "2.6.2-150000.3.5.1",
            "pam_oath": "2.6.2-150000.3.5.1",
            "libopenconnect5": "9.12-150400.15.3.1",
            "stoken-gui": "0.81-150400.13.2.1",
            "openconnect-doc": "9.12-150400.15.3.1",
            "oath-toolkit-xml": "2.6.2-150000.3.5.1",
            "libpskc0": "2.6.2-150000.3.5.1",
            "libstoken1": "0.81-150400.13.2.1"
        }
    ]
}