openSUSE Security Update: update for openconnect
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:1072-1
Rating:             moderate
References:         #767616
Cross-References:   CVE-2012-3291
Affected Products:  openSUSE 12.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This openconnect update to version 3.20 includes several security and bug fixes.

- fix bnc#767616
- fix for CVE-2012-3291
- make vpnc mandatory during build, following upstream changes
- package documentation in a -doc package
- Update to version 3.20
  * Cope with non-keepalive HTTP response on authentication success.
  * Fix progress callback with incorrect cbdata which caused KDE crash.
- Update to version 3.19
  * Enable native TPM support when built with GnuTLS.
  * Enable PKCS#11 token support when built with GnuTLS.
  * Eliminate all SSL library exposure through libopenconnect.
  * Parse split DNS information, provide $CISCO_SPLIT_DNS environment
    variable to vpnc-script.
  * Attempt to provide new-style MTU information to server (on Linux only,
    unless specified on command line).
  * Allow building against GnuTLS, including DTLS support.
  * Add --with-pkgconfigdir= option to configure for FreeBSD's benefit
    (fd#48743).
- Update to version 3.18
  * Fix autohate breakage with --disable-nls... hopefully.
  * Fix buffer overflow in banner handling.
- Update to version 3.17
  * Work around time() brokenness on Solaris.
  * Fix interface plumbing on Solaris 10.
  * Provide asprintf() function for (unpatched) Solaris 10.
  * Make vpnc-script mandatory, like it is for vpnc
  * Don't set Legacy IP address on tun device; let vpnc-script do it.
  * Detect OpenSSL even without pkg-config.
  * Stop building static library by default.
  * Invoke vpnc-script with "pre-init" reason to load tun module if
    necessary.
- Update to version 3.16
  * Fix build failure on Debian/kFreeBSD and Hurd.
  * Fix memory leak of deflated packets.
  * Fix memory leak of zlib state on CSTP reconnect.
  * Eliminate memcpy() calls on packets from DTLS and tunnel device.
  * Use I_LINK instead of I_PLINK on Solaris to plumb interface for
    Legacy IP.
  * Plumb interface for IPv6 on Solaris, instead of expecting vpnc-script
    to do it.
  * Refer to vpnc-script and help web pages in openconnect output.
  * Fix potential crash when processing libproxy results.
  * Be more conservative in detecting libproxy without pkg-config.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.2:

    zypper in -t patch openSUSE-2013-529

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 12.2 (i586 x86_64):

    openconnect-3.20-2.4.1
    openconnect-debuginfo-3.20-2.4.1
    openconnect-debugsource-3.20-2.4.1
    openconnect-devel-3.20-2.4.1
    openconnect-doc-3.20-2.4.1

- openSUSE 12.2 (noarch):

    openconnect-lang-3.20-2.4.1

References:

    http://support.novell.com/security/cve/CVE-2012-3291.html
    https://bugzilla.novell.com/767616