# Security update for openconnect

Announcement ID: SUSE-SU-2024:0317-1  
Rating: moderate  
References:

  * bsc#1140772
  * bsc#1157446
  * bsc#1170452
  * bsc#1171862
  * bsc#1215669
  * jsc#PED-6742
  * jsc#PED-7015

  
Cross-References:

  * CVE-2018-20319
  * CVE-2020-12105
  * CVE-2020-12823

  
CVSS scores:

  * CVE-2018-20319 ( SUSE ):  2.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
  * CVE-2020-12105 ( SUSE ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  * CVE-2020-12105 ( NVD ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  * CVE-2020-12823 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
  * CVE-2020-12823 ( NVD ):  9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  
Affected Products:

  * Basesystem Module 15-SP5
  * openSUSE Leap 15.4
  * openSUSE Leap 15.5
  * SUSE Linux Enterprise Desktop 15 SP5
  * SUSE Linux Enterprise High Performance Computing 15 SP5
  * SUSE Linux Enterprise Micro 5.5
  * SUSE Linux Enterprise Real Time 15 SP5
  * SUSE Linux Enterprise Server 15 SP5
  * SUSE Linux Enterprise Server for SAP Applications 15 SP5
  * SUSE Linux Enterprise Workstation Extension 15 SP5
  * SUSE Package Hub 15 15-SP5

  
  
An update that solves three vulnerabilities, contains two features and has two
security fixes can now be installed.

## Description:

This update for openconnect fixes the following issues:

  * Update to release 9.12:

  * Explicitly reject overly long tun device names.

  * Increase maximum input size from stdin (#579).
  * Ignore 0.0.0.0 as NBNS address (!446, vpnc-scripts#58).
  * Fix stray (null) in URL path after Pulse authentication (4023bd95).
  * Fix config XML parsing mistake that left GlobalProtect ESP non-working in
    v9.10 (!475).
  * Fix case sensitivity in GPST header matching (!474).

  * Update to release 9.10:

  * Fix external browser authentication with KDE plasma-nm < 5.26.

  * Always redirect stdout to stderr when spawning external browser.
  * Increase default queue length to 32 packets.
  * Fix receiving multiple packets in one TLS frame, and single packets split
    across multiple TLS frames, for Array.
  * Handle idiosyncratic variation in search domain separators for all protocols
  * Support region selection field for Pulse authentication
  * Support modified configuration packet from Pulse 9.1R16 servers
  * Allow hidden form fields to be populated or converted to text fields on the
    command line
  * Support yet another strange way of encoding challenge-based 2FA for
    GlobalProtect
  * Add --sni option (and corresponding C and Java API functions) to allow
    domain-fronting connections in censored/filtered network environments
  * Parrot a GlobalProtect server's software version, if present, as the client
    version (!333)
  * Fix NULL pointer dereference that has left Android builds broken since v8.20
    (!389).
  * Fix Fortinet authentication bug where repeated SVPNCOOKIE causes segfaults
    (#514, !418).
  * Support F5 VPNs which encode authentication forms only in JSON, not in HTML.
  * Support simultaneous IPv6 and Legacy IP ("dual-stack") for Fortinet .
  * Support "FTM-push" token mode for Fortinet VPNs .
  * Send IPv6-compatible version string in Pulse IF/T session establishment
  * Add --no-external-auth option to not advertise external-browser
    authentication
  * Many small improvements in server response parsing, and better logging
    messages and documentation.

  * Update to release 9.01:

  * Add support for AnyConnect "Session Token Re-use Anchor Protocol" (STRAP)

  * Add support for AnyConnect "external browser" SSO mode
  * Bugfix RSA SecurID token decryption and PIN entry forms, broken in v8.20
  * Support Cisco's multiple-certificate authentication
  * Revert GlobalProtect default route handling change from v8.20
  * Suppo split-exclude routes for Fortinet
  * Add webview callback and SAML/SSO support for AnyConnect, GlobalProtect

  * Update to release 8.20:

  * Support non-AEAD ciphersuites in DTLSv1.2 with AnyConnect.

  * Emulated a newer version of GlobalProtect official clients, 5.1.5-8; was
    4.0.2-19
  * Support Juniper login forms containing both password and 2FA token
  * Explicitly disable 3DES and RC4, unless enabled with \--allow-insecure-
    crypto
  * Allow protocols to delay tunnel setup and shutdown (!117)
  * Support for GlobalProtect IPv6
  * SIGUSR1now causes OpenConnect to log detailed connection information and
    statistics
  * Allow --servercert to be specified multiple times in order to accept server
    certificates matching more than one possible fingerprint
  * Demangle default routes sent as split routes by GlobalProtect
  * Support more Juniper login forms, including some SSO forms
  * Restore compatibility with newer Cisco servers, by no longer sending them
    the X-AnyConnect-Platform header
  * Add support for PPP-based protocols, currently over TLS only.
  * Add support for two PPP-based protocols, F5 with \--protocol=f5 and Fortinet
    with --protocol=fortinet.
  * Add support for Array Networks SSL VPN.
  * Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases for swtpm and
    hardware TPM.

  * Import the latest version of the vpnc-script (bsc#1140772)

  * This brings a lot of improvements for non-trivial network setups, IPv6 etc

  * Build with --without-gnutls-version-check

  * Update to version 8.10:

  * Install bash completion script to ${datadir}/bash-
    completion/completions/openconnect.

  * Improve compatibility of csd-post.sh trojan.
  * Fix potential buffer overflow with GnuTLS describing local certs
    (CVE-2020-12823, bsc#1171862, gl#openconnect/openconnect!108).

  * Introduce subpackage for bash-completion

  * Update to 8.09:

  * Add bash completion support.

  * Give more helpful error in case of Pulse servers asking for TNCC.
  * Sanitize non-canonical Legacy IP network addresses.
  * Fix OpenSSL validation for trusted but invalid certificates (CVE-2020-12105
    bsc#1170452).
  * Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py
    as well. (!91)
  * Disable Nagle's algorithm for TLS sockets, to improve interactivity when
    tunnel runs over TCP rather than UDP.
  * GlobalProtect: more resilient handling of periodic HIP check and login
    arguments, and predictable naming of challenge forms.
  * Work around PKCS#11 tokens which forget to set CKF_LOGIN_REQUIRED.

  * Update to 8.0.8:

  * Fix check of pin-sha256: public key hashes to be case sensitive

  * Don't give non-functioning stderr to CSD trojan scripts.
  * Fix crash with uninitialised OIDC token.

  * Update to 8.0.7:

  * Don't abort Pulse connection when server-provided certificate MD5 doesn't
    match.

  * Fix off-by-one in check for bad GnuTLS versions, and add build and run time
    checks.
  * Don't abort connection if CSD wrapper script returns non-zero (for now).
  * Make --passtos work for protocols that use ESP, in addition to DTLS.
  * Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py
    as well.

  * Remove tncc-wrapper.py script as it is python2 only bsc#1157446

  * No need to ship hipreport-android.sh as it is intented for android systems
    only

  * Update to 8.0.5:

  * Minor fixes to build on specific platforms

  * Includes fix for a buffer overflow with chunked HTTP handling
    (CVE-2019-16239, bsc#1151178)

  * Use python3 to generate the web data as now it is supported by upstream

  * Update to 8.0.3:

  * Fix Cisco DTLSv1.2 support for AES256-GCM-SHA384.

  * Fix recognition of OTP password fields.

  * Update to 8.02:

  * Fix GNU/Hurd build.

  * Discover vpnc-script in default packaged location on FreeBSD/OpenBSD.
  * Support split-exclude routes for GlobalProtect.
  * Fix GnuTLS builds without libtasn1.
  * Fix DTLS support with OpenSSL 1.1.1+.
  * Add Cisco-compatible DTLSv1.2 support.
  * Invoke script with reason=attempt-reconnect before doing so.

  * Update to 8.01:

  * Clear form submissions (which may include passwords) before freeing
    (CVE-2018-20319, bsc#1215669).

  * Allow form responses to be provided on command line.
  * Add support for SSL keys stored in TPM2.
  * Fix ESP rekey when replay protection is disabled.
  * Drop support for GnuTLS older than 3.2.10.
  * Fix --passwd-on-stdin for Windows to not forcibly open console.
  * Fix portability of shell scripts in test suite.
  * Add Google Authenticator TOTP support for Juniper.
  * Add RFC7469 key PIN support for cert hashes.
  * Add protocol method to securely log out the Juniper session.
  * Relax requirements for Juniper hostname packet response to support old
    gateways.
  * Add API functions to query the supported protocols.
  * Verify ESP sequence numbers and warn even if replay protection is disabled.
  * Add support for PAN GlobalProtect VPN protocol (--protocol=gp).
  * Reorganize listing of command-line options, and include information on
    supported protocols.
  * SIGTERM cleans up the session similarly to SIGINT.
  * Fix memset_s() arguments.
  * Fix OpenBSD build.

  * Explicitely enable all the features as needed to stop build if something is
    missing

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.4  
    zypper in -t patch SUSE-2024-317=1

  * openSUSE Leap 15.5  
    zypper in -t patch openSUSE-SLE-15.5-2024-317=1

  * Basesystem Module 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-317=1

  * SUSE Package Hub 15 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-317=1

  * SUSE Linux Enterprise Workstation Extension 15 SP5  
    zypper in -t patch SUSE-SLE-Product-WE-15-SP5-2024-317=1

## Package List:

  * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
    * openconnect-debuginfo-9.12-150400.15.3.1
    * stoken-debuginfo-0.81-150400.13.2.1
    * openconnect-9.12-150400.15.3.1
    * stoken-debugsource-0.81-150400.13.2.1
    * openconnect-debugsource-9.12-150400.15.3.1
    * libstoken1-0.81-150400.13.2.1
    * stoken-gui-0.81-150400.13.2.1
    * stoken-devel-0.81-150400.13.2.1
    * stoken-gui-debuginfo-0.81-150400.13.2.1
    * libstoken1-debuginfo-0.81-150400.13.2.1
    * stoken-0.81-150400.13.2.1
    * libopenconnect5-9.12-150400.15.3.1
    * openconnect-devel-9.12-150400.15.3.1
    * libopenconnect5-debuginfo-9.12-150400.15.3.1
  * openSUSE Leap 15.4 (noarch)
    * openconnect-bash-completion-9.12-150400.15.3.1
    * openconnect-lang-9.12-150400.15.3.1
    * openconnect-doc-9.12-150400.15.3.1
  * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
    * oath-toolkit-debugsource-2.6.2-150000.3.5.1
    * openconnect-9.12-150400.15.3.1
    * pam_oath-2.6.2-150000.3.5.1
    * stoken-debugsource-0.81-150400.13.2.1
    * pam_oath-debuginfo-2.6.2-150000.3.5.1
    * libopenconnect5-9.12-150400.15.3.1
    * oath-toolkit-debuginfo-2.6.2-150000.3.5.1
    * liboath0-2.6.2-150000.3.5.1
    * openconnect-debuginfo-9.12-150400.15.3.1
    * libpskc-devel-2.6.2-150000.3.5.1
    * liboath0-debuginfo-2.6.2-150000.3.5.1
    * libstoken1-0.81-150400.13.2.1
    * libstoken1-debuginfo-0.81-150400.13.2.1
    * liboath-devel-2.6.2-150000.3.5.1
    * openconnect-devel-9.12-150400.15.3.1
    * libpskc0-2.6.2-150000.3.5.1
    * openconnect-debugsource-9.12-150400.15.3.1
    * stoken-gui-0.81-150400.13.2.1
    * stoken-debuginfo-0.81-150400.13.2.1
    * stoken-0.81-150400.13.2.1
    * stoken-gui-debuginfo-0.81-150400.13.2.1
    * stoken-devel-0.81-150400.13.2.1
    * oath-toolkit-2.6.2-150000.3.5.1
    * libpskc0-debuginfo-2.6.2-150000.3.5.1
    * libopenconnect5-debuginfo-9.12-150400.15.3.1
  * openSUSE Leap 15.5 (noarch)
    * openconnect-lang-9.12-150400.15.3.1
    * oath-toolkit-xml-2.6.2-150000.3.5.1
    * openconnect-doc-9.12-150400.15.3.1
  * Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
    * oath-toolkit-debugsource-2.6.2-150000.3.5.1
    * liboath0-debuginfo-2.6.2-150000.3.5.1
    * oath-toolkit-debuginfo-2.6.2-150000.3.5.1
    * liboath0-2.6.2-150000.3.5.1
    * liboath-devel-2.6.2-150000.3.5.1
  * Basesystem Module 15-SP5 (noarch)
    * oath-toolkit-xml-2.6.2-150000.3.5.1
  * SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
    * oath-toolkit-debugsource-2.6.2-150000.3.5.1
    * openconnect-debuginfo-9.12-150400.15.3.1
    * stoken-debuginfo-0.81-150400.13.2.1
    * openconnect-9.12-150400.15.3.1
    * libpskc-devel-2.6.2-150000.3.5.1
    * libpskc0-2.6.2-150000.3.5.1
    * libstoken1-0.81-150400.13.2.1
    * openconnect-debugsource-9.12-150400.15.3.1
    * stoken-debugsource-0.81-150400.13.2.1
    * stoken-devel-0.81-150400.13.2.1
    * libpskc0-debuginfo-2.6.2-150000.3.5.1
    * stoken-gui-0.81-150400.13.2.1
    * stoken-gui-debuginfo-0.81-150400.13.2.1
    * oath-toolkit-2.6.2-150000.3.5.1
    * oath-toolkit-debuginfo-2.6.2-150000.3.5.1
    * libstoken1-debuginfo-0.81-150400.13.2.1
    * stoken-0.81-150400.13.2.1
    * libopenconnect5-9.12-150400.15.3.1
    * openconnect-devel-9.12-150400.15.3.1
    * libopenconnect5-debuginfo-9.12-150400.15.3.1
  * SUSE Package Hub 15 15-SP5 (noarch)
    * openconnect-lang-9.12-150400.15.3.1
    * openconnect-doc-9.12-150400.15.3.1
  * SUSE Linux Enterprise Workstation Extension 15 SP5 (x86_64)
    * oath-toolkit-debugsource-2.6.2-150000.3.5.1
    * openconnect-debuginfo-9.12-150400.15.3.1
    * stoken-debuginfo-0.81-150400.13.2.1
    * openconnect-9.12-150400.15.3.1
    * libpskc-devel-2.6.2-150000.3.5.1
    * libpskc0-2.6.2-150000.3.5.1
    * libstoken1-0.81-150400.13.2.1
    * openconnect-debugsource-9.12-150400.15.3.1
    * stoken-debugsource-0.81-150400.13.2.1
    * stoken-devel-0.81-150400.13.2.1
    * libpskc0-debuginfo-2.6.2-150000.3.5.1
    * oath-toolkit-debuginfo-2.6.2-150000.3.5.1
    * libstoken1-debuginfo-0.81-150400.13.2.1
    * libopenconnect5-9.12-150400.15.3.1
    * openconnect-devel-9.12-150400.15.3.1
    * libopenconnect5-debuginfo-9.12-150400.15.3.1
  * SUSE Linux Enterprise Workstation Extension 15 SP5 (noarch)
    * openconnect-lang-9.12-150400.15.3.1

## References:

  * https://www.suse.com/security/cve/CVE-2018-20319.html
  * https://www.suse.com/security/cve/CVE-2020-12105.html
  * https://www.suse.com/security/cve/CVE-2020-12823.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1140772
  * https://bugzilla.suse.com/show_bug.cgi?id=1157446
  * https://bugzilla.suse.com/show_bug.cgi?id=1170452
  * https://bugzilla.suse.com/show_bug.cgi?id=1171862
  * https://bugzilla.suse.com/show_bug.cgi?id=1215669
  * https://jira.suse.com/login.jsp
  * https://jira.suse.com/login.jsp

SUSE: 2024:0317-1 moderate: openconnect

February 2, 2024
* bsc#1140772 * bsc#1157446 * bsc#1170452 * bsc#1171862 * bsc#1215669

Summary

## This update for openconnect fixes the following issues: * Update to release 9.12: * Explicitly reject overly long tun device names. * Increase maximum input size from stdin (#579). * Ignore 0.0.0.0 as NBNS address (!446, vpnc-scripts#58). * Fix stray (null) in URL path after Pulse authentication (4023bd95). * Fix config XML parsing mistake that left GlobalProtect ESP non-working in v9.10 (!475). * Fix case sensitivity in GPST header matching (!474). * Update to release 9.10: * Fix external browser authentication with KDE plasma-nm < 5.26. * Always redirect stdout to stderr when spawning external browser. * Increase default queue length to 32 packets. * Fix receiving multiple packets in one TLS frame, and single packets split across multiple TLS frames, for Array. * Handle idiosyncratic variation in search domain separators for all protocols * Support region selection field for Pulse authentication * Support modified configuration packet from Pulse 9.1R16 servers * Allow hidden form fields to be populated or converted to text fields on the command line * Support yet another strange way of encoding challenge-based 2FA for GlobalProtect * Add --sni option (and corresponding C and Java API functions) to allow domain-fronting connections in censored/filtered network environments * Parrot a GlobalProtect server's software version, if present, as the client version (!333) * Fix NULL pointer dereference that has left Android builds broken since v8.20 (!389). * Fix Fortinet authentication bug where repeated SVPNCOOKIE causes segfaults (#514, !418). * Support F5 VPNs which encode authentication forms only in JSON, not in HTML. * Support simultaneous IPv6 and Legacy IP ("dual-stack") for Fortinet . * Support "FTM-push" token mode for Fortinet VPNs . * Send IPv6-compatible version string in Pulse IF/T session establishment * Add --no-external-auth option to not advertise external-browser authentication * Many small improvements in server response parsing, and better logging messages and documentation. * Update to release 9.01: * Add support for AnyConnect "Session Token Re-use Anchor Protocol" (STRAP) * Add support for AnyConnect "external browser" SSO mode * Bugfix RSA SecurID token decryption and PIN entry forms, broken in v8.20 * Support Cisco's multiple-certificate authentication * Revert GlobalProtect default route handling change from v8.20 * Suppo split-exclude routes for Fortinet * Add webview callback and SAML/SSO support for AnyConnect, GlobalProtect * Update to release 8.20: * Support non-AEAD ciphersuites in DTLSv1.2 with AnyConnect. * Emulated a newer version of GlobalProtect official clients, 5.1.5-8; was 4.0.2-19 * Support Juniper login forms containing both password and 2FA token * Explicitly disable 3DES and RC4, unless enabled with \--allow-insecure- crypto * Allow protocols to delay tunnel setup and shutdown (!117) * Support for GlobalProtect IPv6 * SIGUSR1now causes OpenConnect to log detailed connection information and statistics * Allow --servercert to be specified multiple times in order to accept server certificates matching more than one possible fingerprint * Demangle default routes sent as split routes by GlobalProtect * Support more Juniper login forms, including some SSO forms * Restore compatibility with newer Cisco servers, by no longer sending them the X-AnyConnect-Platform header * Add support for PPP-based protocols, currently over TLS only. * Add support for two PPP-based protocols, F5 with \--protocol=f5 and Fortinet with --protocol=fortinet. * Add support for Array Networks SSL VPN. * Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases for swtpm and hardware TPM. * Import the latest version of the vpnc-script (bsc#1140772) * This brings a lot of improvements for non-trivial network setups, IPv6 etc * Build with --without-gnutls-version-check * Update to version 8.10: * Install bash completion script to ${datadir}/bash- completion/completions/openconnect. * Improve compatibility of csd-post.sh trojan. * Fix potential buffer overflow with GnuTLS describing local certs (CVE-2020-12823, bsc#1171862, gl#openconnect/openconnect!108). * Introduce subpackage for bash-completion * Update to 8.09: * Add bash completion support. * Give more helpful error in case of Pulse servers asking for TNCC. * Sanitize non-canonical Legacy IP network addresses. * Fix OpenSSL validation for trusted but invalid certificates (CVE-2020-12105 bsc#1170452). * Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py as well. (!91) * Disable Nagle's algorithm for TLS sockets, to improve interactivity when tunnel runs over TCP rather than UDP. * GlobalProtect: more resilient handling of periodic HIP check and login arguments, and predictable naming of challenge forms. * Work around PKCS#11 tokens which forget to set CKF_LOGIN_REQUIRED. * Update to 8.0.8: * Fix check of pin-sha256: public key hashes to be case sensitive * Don't give non-functioning stderr to CSD trojan scripts. * Fix crash with uninitialised OIDC token. * Update to 8.0.7: * Don't abort Pulse connection when server-provided certificate MD5 doesn't match. * Fix off-by-one in check for bad GnuTLS versions, and add build and run time checks. * Don't abort connection if CSD wrapper script returns non-zero (for now). * Make --passtos work for protocols that use ESP, in addition to DTLS. * Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py as well. * Remove tncc-wrapper.py script as it is python2 only bsc#1157446 * No need to ship hipreport-android.sh as it is intented for android systems only * Update to 8.0.5: * Minor fixes to build on specific platforms * Includes fix for a buffer overflow with chunked HTTP handling (CVE-2019-16239, bsc#1151178) * Use python3 to generate the web data as now it is supported by upstream * Update to 8.0.3: * Fix Cisco DTLSv1.2 support for AES256-GCM-SHA384. * Fix recognition of OTP password fields. * Update to 8.02: * Fix GNU/Hurd build. * Discover vpnc-script in default packaged location on FreeBSD/OpenBSD. * Support split-exclude routes for GlobalProtect. * Fix GnuTLS builds without libtasn1. * Fix DTLS support with OpenSSL 1.1.1+. * Add Cisco-compatible DTLSv1.2 support. * Invoke script with reason=attempt-reconnect before doing so. * Update to 8.01: * Clear form submissions (which may include passwords) before freeing (CVE-2018-20319, bsc#1215669). * Allow form responses to be provided on command line. * Add support for SSL keys stored in TPM2. * Fix ESP rekey when replay protection is disabled. * Drop support for GnuTLS older than 3.2.10. * Fix --passwd-on-stdin for Windows to not forcibly open console. * Fix portability of shell scripts in test suite. * Add Google Authenticator TOTP support for Juniper. * Add RFC7469 key PIN support for cert hashes. * Add protocol method to securely log out the Juniper session. * Relax requirements for Juniper hostname packet response to support old gateways. * Add API functions to query the supported protocols. * Verify ESP sequence numbers and warn even if replay protection is disabled. * Add support for PAN GlobalProtect VPN protocol (--protocol=gp). * Reorganize listing of command-line options, and include information on supported protocols. * SIGTERM cleans up the session similarly to SIGINT. * Fix memset_s() arguments. * Fix OpenBSD build. * Explicitely enable all the features as needed to stop build if something is missing ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.4 zypper in -t patch SUSE-2024-317=1 * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2024-317=1 * Basesystem Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-317=1 * SUSE Package Hub 15 15-SP5 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-317=1 * SUSE Linux Enterprise Workstation Extension 15 SP5 zypper in -t patch SUSE-SLE-Product-WE-15-SP5-2024-317=1 ## Package List: * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586) * openconnect-debuginfo-9.12-150400.15.3.1 * stoken-debuginfo-0.81-150400.13.2.1 * openconnect-9.12-150400.15.3.1 * stoken-debugsource-0.81-150400.13.2.1 * openconnect-debugsource-9.12-150400.15.3.1 * libstoken1-0.81-150400.13.2.1 * stoken-gui-0.81-150400.13.2.1 * stoken-devel-0.81-150400.13.2.1 * stoken-gui-debuginfo-0.81-150400.13.2.1 * libstoken1-debuginfo-0.81-150400.13.2.1 * stoken-0.81-150400.13.2.1 * libopenconnect5-9.12-150400.15.3.1 * openconnect-devel-9.12-150400.15.3.1 * libopenconnect5-debuginfo-9.12-150400.15.3.1 * openSUSE Leap 15.4 (noarch) * openconnect-bash-completion-9.12-150400.15.3.1 * openconnect-lang-9.12-150400.15.3.1 * openconnect-doc-9.12-150400.15.3.1 * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) * oath-toolkit-debugsource-2.6.2-150000.3.5.1 * openconnect-9.12-150400.15.3.1 * pam_oath-2.6.2-150000.3.5.1 * stoken-debugsource-0.81-150400.13.2.1 * pam_oath-debuginfo-2.6.2-150000.3.5.1 * libopenconnect5-9.12-150400.15.3.1 * oath-toolkit-debuginfo-2.6.2-150000.3.5.1 * liboath0-2.6.2-150000.3.5.1 * openconnect-debuginfo-9.12-150400.15.3.1 * libpskc-devel-2.6.2-150000.3.5.1 * liboath0-debuginfo-2.6.2-150000.3.5.1 * libstoken1-0.81-150400.13.2.1 * libstoken1-debuginfo-0.81-150400.13.2.1 * liboath-devel-2.6.2-150000.3.5.1 * openconnect-devel-9.12-150400.15.3.1 * libpskc0-2.6.2-150000.3.5.1 * openconnect-debugsource-9.12-150400.15.3.1 * stoken-gui-0.81-150400.13.2.1 * stoken-debuginfo-0.81-150400.13.2.1 * stoken-0.81-150400.13.2.1 * stoken-gui-debuginfo-0.81-150400.13.2.1 * stoken-devel-0.81-150400.13.2.1 * oath-toolkit-2.6.2-150000.3.5.1 * libpskc0-debuginfo-2.6.2-150000.3.5.1 * libopenconnect5-debuginfo-9.12-150400.15.3.1 * openSUSE Leap 15.5 (noarch) * openconnect-lang-9.12-150400.15.3.1 * oath-toolkit-xml-2.6.2-150000.3.5.1 * openconnect-doc-9.12-150400.15.3.1 * Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64) * oath-toolkit-debugsource-2.6.2-150000.3.5.1 * liboath0-debuginfo-2.6.2-150000.3.5.1 * oath-toolkit-debuginfo-2.6.2-150000.3.5.1 * liboath0-2.6.2-150000.3.5.1 * liboath-devel-2.6.2-150000.3.5.1 * Basesystem Module 15-SP5 (noarch) * oath-toolkit-xml-2.6.2-150000.3.5.1 * SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64) * oath-toolkit-debugsource-2.6.2-150000.3.5.1 * openconnect-debuginfo-9.12-150400.15.3.1 * stoken-debuginfo-0.81-150400.13.2.1 * openconnect-9.12-150400.15.3.1 * libpskc-devel-2.6.2-150000.3.5.1 * libpskc0-2.6.2-150000.3.5.1 * libstoken1-0.81-150400.13.2.1 * openconnect-debugsource-9.12-150400.15.3.1 * stoken-debugsource-0.81-150400.13.2.1 * stoken-devel-0.81-150400.13.2.1 * libpskc0-debuginfo-2.6.2-150000.3.5.1 * stoken-gui-0.81-150400.13.2.1 * stoken-gui-debuginfo-0.81-150400.13.2.1 * oath-toolkit-2.6.2-150000.3.5.1 * oath-toolkit-debuginfo-2.6.2-150000.3.5.1 * libstoken1-debuginfo-0.81-150400.13.2.1 * stoken-0.81-150400.13.2.1 * libopenconnect5-9.12-150400.15.3.1 * openconnect-devel-9.12-150400.15.3.1 * libopenconnect5-debuginfo-9.12-150400.15.3.1 * SUSE Package Hub 15 15-SP5 (noarch) * openconnect-lang-9.12-150400.15.3.1 * openconnect-doc-9.12-150400.15.3.1 * SUSE Linux Enterprise Workstation Extension 15 SP5 (x86_64) * oath-toolkit-debugsource-2.6.2-150000.3.5.1 * openconnect-debuginfo-9.12-150400.15.3.1 * stoken-debuginfo-0.81-150400.13.2.1 * openconnect-9.12-150400.15.3.1 * libpskc-devel-2.6.2-150000.3.5.1 * libpskc0-2.6.2-150000.3.5.1 * libstoken1-0.81-150400.13.2.1 * openconnect-debugsource-9.12-150400.15.3.1 * stoken-debugsource-0.81-150400.13.2.1 * stoken-devel-0.81-150400.13.2.1 * libpskc0-debuginfo-2.6.2-150000.3.5.1 * oath-toolkit-debuginfo-2.6.2-150000.3.5.1 * libstoken1-debuginfo-0.81-150400.13.2.1 * libopenconnect5-9.12-150400.15.3.1 * openconnect-devel-9.12-150400.15.3.1 * libopenconnect5-debuginfo-9.12-150400.15.3.1 * SUSE Linux Enterprise Workstation Extension 15 SP5 (noarch) * openconnect-lang-9.12-150400.15.3.1

References

* bsc#1140772

* bsc#1157446

* bsc#1170452

* bsc#1171862

* bsc#1215669

* jsc#PED-6742

* jsc#PED-7015

Cross-

* CVE-2018-20319

* CVE-2020-12105

* CVE-2020-12823

CVSS scores:

* CVE-2018-20319 ( SUSE ): 2.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

* CVE-2020-12105 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

* CVE-2020-12105 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

* CVE-2020-12823 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

* CVE-2020-12823 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* Basesystem Module 15-SP5

* openSUSE Leap 15.4

* openSUSE Leap 15.5

* SUSE Linux Enterprise Desktop 15 SP5

* SUSE Linux Enterprise High Performance Computing 15 SP5

* SUSE Linux Enterprise Micro 5.5

* SUSE Linux Enterprise Real Time 15 SP5

* SUSE Linux Enterprise Server 15 SP5

* SUSE Linux Enterprise Server for SAP Applications 15 SP5

* SUSE Linux Enterprise Workstation Extension 15 SP5

* SUSE Package Hub 15 15-SP5

An update that solves three vulnerabilities, contains two features and has two

security fixes can now be installed.

##

* https://www.suse.com/security/cve/CVE-2018-20319.html

* https://www.suse.com/security/cve/CVE-2020-12105.html

* https://www.suse.com/security/cve/CVE-2020-12823.html

* https://bugzilla.suse.com/show_bug.cgi?id=1140772

* https://bugzilla.suse.com/show_bug.cgi?id=1157446

* https://bugzilla.suse.com/show_bug.cgi?id=1170452

* https://bugzilla.suse.com/show_bug.cgi?id=1171862

* https://bugzilla.suse.com/show_bug.cgi?id=1215669

* https://jira.suse.com/login.jsp

* https://jira.suse.com/login.jsp

Severity
Announcement ID: SUSE-SU-2024:0317-1
Rating: moderate

Related News

News

Powered By

Footer Logo

Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.

Powered By

Footer Logo