Bug 421273 (CVE-2012-3291)

Summary: <net-misc/openconnect-4.07-r1: buffer overflow (CVE-2012-3291)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: maintainer-needed, mattsch, proxy-maint, s-luppescu
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3291
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 19:54:19 UTC
CVE-2012-3291 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3291):
  Heap-based buffer overflow in OpenConnect 3.18 allows remote servers to
  cause a denial of service via a crafted greeting banner.
Comment 1 Stuart Luppescu 2012-06-20 19:29:15 UTC
So, the author of the package, David Woodhouse, just released version 4.00, which includes support for GnuTLS, as well as lots of other neat stuff. Good time to update the ebuild.

"This release has full functionality even with GnuTLS 2.12, although it
uses OpenSSL for DTLS in that case. The GnuTLS support code is cleaned
up a little... and then made messier by adding support for the old
OpenSSL encrypted PEM files."


ftp://ftp.infradead.org/pub/openconnect/openconnect-4.00.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-4.00.tar.gz.asc
Comment 2 Pacho Ramos gentoo-dev 2012-12-15 17:55:33 UTC
4.07-r1 was added
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-16 16:30:09 UTC
(In reply to comment #2)
> 4.07-r1 was added

Thanks, Pacho.

Please don't forget to clean up vulnerable versions.

Closing noglsa for ~arch only.