openSUSE Security Update: update for openconnect
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:0979-1
Rating:             moderate
References:         #817152
Cross-References:   CVE-2012-6128
Affected Products:  openSUSE 12.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This version update fixes several bugs:

- Frequent connection drops fixed (bnc#817152).
- Update to version 4.09
  * Fix overflow on HTTP request buffers (CVE-2012-6128) (bnc#803347)
  * Fix connection to servers with round-robin DNS with two-stage
    auth/connect.
  * Impose minimum MTU of 1280 bytes.
  * Fix some harmless issues reported by Coverity.
  * Improve "Attempting to connect..." message to be explicit when it's
    connecting to a proxy.
- Update to version 4.07
  * Fix segmentation fault when invoked with -p argument.
  * Fix handling of write stalls on CSTP (TCP) socket.
- Update to version 4.06
  * Fix default CA location for non-Fedora systems with old GnuTLS.
  * Improve error handling when vpnc-script exits with error.
  * Handle PKCS#11 tokens which won't list keys without login.
- Update to version 4.05
  * Use correct CSD script for Mac OS X.
  * Fix endless loop in PIN cache handling with multiple PKCS#11 tokens.
  * Fix PKCS#11 URI handling to preserve all attributes.
  * Don't forget key password on GUI reconnect.
  * Fix GnuTLS v3 build on OpenBSD.
- Update to version 4.04
  * Fix GnuTLS password handling for PKCS#8 files.
- Update to version 4.03
  * Fix --no-proxy option.
  * Fix handling of requested vs. received MTU settings.
  * Fix DTLS MTU for GnuTLS 3.0.21 and newer.
  * Support more ciphers for OpenSSL encrypted PEM keys, with GnuTLS.
  * Fix GnuTLS compatibility issue with servers that insist on TLSv1.0 or
    non-AES ciphers (RH#836558).
- Update to version 4.02
  * Fix build failure due to unconditional inclusion of <gnutls/dtls.h>.
- Update to version 4.01
  * Add support for OpenSSL's odd encrypted PKCS#1 files, for GnuTLS.
  * Fix repeated passphrase retry for OpenSSL.
  * Add keystore support for Android.
  * Support TPM, and also additional checks on PKCS#11 certs, even with
    GnuTLS 2.12.
  * Fix library references to OpenSSL's ERR_print_errors_cb() when built
    against GnuTLS v2.12.
- Update to version 4.00
  * Add support for OpenSSL's odd encrypted PKCS#1 files, for GnuTLS.
  * Fix repeated passphrase retry for OpenSSL.
  * Add keystore support for Android.
  * Support TPM, and also additional checks on PKCS#11 certs, even with
    GnuTLS 2.12.
  * Fix library references to OpenSSL's ERR_print_errors_cb() when built
    against GnuTLS v2.12.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.3:

    zypper in -t patch openSUSE-2013-429

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 12.3 (i586 x86_64):

    openconnect-4.08-3.4.1
    openconnect-debuginfo-4.08-3.4.1
    openconnect-debugsource-4.08-3.4.1
    openconnect-devel-4.08-3.4.1
    openconnect-doc-4.08-3.4.1

- openSUSE 12.3 (noarch):

    openconnect-lang-4.08-3.4.1

References:

  http://support.novell.com/security/cve/CVE-2012-6128.html
  https://bugzilla.novell.com/817152