Bug 695528 (CVE-2019-16239) - <net-vpn/openconnect-8.05: buffer overflow when a malicious server uses HTTP chunked encoding with crafted chunk sizes (CVE-2019-16239)
Status: RESOLVED FIXED
Alias: CVE-2019-16239
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://lists.infradead.org/pipermail/...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-09-24 11:50 UTC by GLSAMaker/CVETool Bot
Modified: 2020-04-16 07:50 UTC

See Also:
Package list:
net-vpn/openconnect-8.05 app-crypt/trousers-0.3.14-r1 ppc64
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2019-09-24 11:50:30 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-09-24 11:52:05 UTC
From $URL:

Lukas Kupczyk of the Advanced Research Team at CrowdStrike Intelligence
found a buffer overflow in HTTP chunked encoding handling, when the
chunk length was mishandled. This is CVE-2019-16239, and has existed
since 2008 when I first lamented the fact that I had to do my own HTTP
code because none of the existing libraries let me have enough control
over the underlying TLS connection.

Upstream fix: https://github.com/openconnect/openconnect/commit/875f0a65ab73f4fb581ca870fd3a901bd278f8e8
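
The class of check this advisory concerns, shown as an added example: a chunked-body decoder that validates every chunk length against the space left before using it as a copy size. This is not openconnect's code or its upstream fix; `hexval`, `parse_chunk_size` and `dechunk` are hypothetical names, and the response body is assumed to be fully buffered in memory.

```c
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "<hex>CRLF" at in[0..len). Digits are accumulated by hand, so a sign or
 * "0x" prefix is rejected and the value never exceeds `limit`. No chunk-ext. */
static size_t parse_chunk_size(const char *in, size_t len, size_t limit, size_t *size)
{
    size_t i = 0, v = 0;
    int d;
    while (i < len && (d = hexval(in[i])) >= 0) {
        if ((size_t)d > limit || v > (limit - (size_t)d) / 16)
            return 0;                 /* would not fit in the space left */
        v = v * 16 + (size_t)d;
        i++;
    }
    if (i == 0 || len - i < 2 || in[i] != '\r' || in[i + 1] != '\n')
        return 0;                     /* no digits, or no CRLF after them */
    *size = v;
    return i + 2;                     /* bytes consumed, including CRLF */
}

/* Decode in[0..len) into out[0..cap). Returns 0 and sets *out_len, else -1. */
int dechunk(const char *in, size_t len, char *out, size_t cap, size_t *out_len)
{
    size_t pos = 0, used = 0, n, size;
    while ((n = parse_chunk_size(in + pos, len - pos, cap - used, &size)) != 0) {
        pos += n;
        if (size == 0) {              /* last chunk; trailers are ignored */
            *out_len = used;
            return 0;
        }
        if (len - pos < 2 || len - pos - 2 < size ||
            in[pos + size] != '\r' || in[pos + size + 1] != '\n')
            return -1;                /* chunk claims more than was received */
        memcpy(out + used, in + pos, size);
        used += size;
        pos += size + 2;
    }
    return -1;                        /* malformed or oversized chunk size */
}
```
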
Comment 2 Larry the Git Cow gentoo-dev 2019-09-24 19:27:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03a4ff7f436c614eb562a8c437614f1911f97a77

commit 03a4ff7f436c614eb562a8c437614f1911f97a77
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2019-09-24 19:26:05 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-09-24 19:26:26 +0000

    net-vpn/openconnect: bump to 8.05
    
    Bug: https://bugs.gentoo.org/695528
    Package-Manager: Portage-2.3.75_p7, Repoman-2.3.17_p49
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 net-vpn/openconnect/Manifest                |   1 +
 net-vpn/openconnect/openconnect-8.05.ebuild | 160 ++++++++++++++++++++++++++++
 2 files changed, 161 insertions(+)
Comment 3 Stabilization helper bot gentoo-dev 2019-10-02 11:04:02 UTC
An automated check of this bug failed - repoman reported dependency errors (11 lines truncated): 

> dependency.bad net-vpn/openconnect/openconnect-8.05.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['app-crypt/trousers']
> dependency.bad net-vpn/openconnect/openconnect-8.05.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['app-crypt/trousers']
> dependency.bad net-vpn/openconnect/openconnect-8.05.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland/desktop) ['app-crypt/trousers']
Comment 4 Agostino Sarubbo gentoo-dev 2019-10-03 07:57:48 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-10-03 08:00:01 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-10-03 08:14:57 UTC
ppc64 stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2019-10-06 20:55:45 UTC
arm64 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-01 10:45:24 UTC
arm stable
Comment 9 Larry the Git Cow gentoo-dev 2019-12-09 19:54:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ae1571cbe26190be76b917bf5f450c68c3481d8

commit 7ae1571cbe26190be76b917bf5f450c68c3481d8
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2019-12-09 19:54:14 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-12-09 19:54:14 +0000

    net-vpn/openconnect: remove old
    
    Bug: https://bugs.gentoo.org/695528
    Package-Manager: Portage-2.3.80_p5, Repoman-2.3.19_p4
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 net-vpn/openconnect/Manifest                   |   6 -
 net-vpn/openconnect/metadata.xml               |   1 -
 net-vpn/openconnect/openconnect-7.08-r1.ebuild | 162 -------------------------
 net-vpn/openconnect/openconnect-8.02.ebuild    | 160 ------------------------
 net-vpn/openconnect/openconnect-8.03.ebuild    | 160 ------------------------
 5 files changed, 489 deletions(-)
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 19:40:48 UTC
Tree is clean.
Comment 11 NATTkA bot gentoo-dev 2020-04-06 15:06:21 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2020-04-16 07:50:45 UTC
GLSA Vote: No
Thank you all for your work.
Closing as [noglsa].