Incoming details.
From $URL:

Lukas Kupczyk of the Advanced Research Team at CrowdStrike Intelligence found a buffer overflow in HTTP chunked encoding handling, when the chunk length was mishandled. This is CVE-2019-16239, and has existed since 2008 when I first lamented the fact that I had to do my own HTTP code because none of the existing libraries let me have enough control over the underlying TLS connection.

Upstream fix: https://github.com/openconnect/openconnect/commit/875f0a65ab73f4fb581ca870fd3a901bd278f8e8
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03a4ff7f436c614eb562a8c437614f1911f97a77

commit 03a4ff7f436c614eb562a8c437614f1911f97a77
Author: Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2019-09-24 19:26:05 +0000
Commit: Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-09-24 19:26:26 +0000

    net-vpn/openconnect: bump to 8.05

    Bug: https://bugs.gentoo.org/695528
    Package-Manager: Portage-2.3.75_p7, Repoman-2.3.17_p49
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 net-vpn/openconnect/Manifest                | 1 +
 net-vpn/openconnect/openconnect-8.05.ebuild | 160 ++++++++++++++++++++++++++++
 2 files changed, 161 insertions(+)
An automated check of this bug failed - repoman reported dependency errors (11 lines truncated):

> dependency.bad net-vpn/openconnect/openconnect-8.05.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['app-crypt/trousers']
> dependency.bad net-vpn/openconnect/openconnect-8.05.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['app-crypt/trousers']
> dependency.bad net-vpn/openconnect/openconnect-8.05.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland/desktop) ['app-crypt/trousers']
amd64 stable
x86 stable
ppc64 stable
arm64 stable
arm stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ae1571cbe26190be76b917bf5f450c68c3481d8

commit 7ae1571cbe26190be76b917bf5f450c68c3481d8
Author: Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2019-12-09 19:54:14 +0000
Commit: Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-12-09 19:54:14 +0000

    net-vpn/openconnect: remove old

    Bug: https://bugs.gentoo.org/695528
    Package-Manager: Portage-2.3.80_p5, Repoman-2.3.19_p4
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 net-vpn/openconnect/Manifest                   | 6 -
 net-vpn/openconnect/metadata.xml               | 1 -
 net-vpn/openconnect/openconnect-7.08-r1.ebuild | 162 -------------------------
 net-vpn/openconnect/openconnect-8.02.ebuild    | 160 ------------------------
 net-vpn/openconnect/openconnect-8.03.ebuild    | 160 ------------------------
 5 files changed, 489 deletions(-)
Tree is clean.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
GLSA Vote: No

Thank you all for your work. Closing as [noglsa].