luis220413 | Is anyone from the Ubuntu Security Team here? | 18:20 |
---|---|---|
luis220413 | The status of CVE-2019-16239 for focal and later releases should be Not vulnerable (8.05-1) and for xenial should be "Ignored (reached end-of-life)", because you always do this for packages that are in the universe component in xenial. | 18:22 |
ubottu | process_http_response in OpenConnect before 8.05 has a Buffer Overflow when a malicious server uses HTTP chunked encoding with crafted chunk sizes. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16239> | 18:22 |
luis220413 | *"Ignored (out of standard support)" | 18:23 |
luis220413 | The CVE is not fixed in Xenial, contrary to what the Ubuntu CVE Tracker states. | 18:23 |
luis220413 | I must leave now but will remain online. | 18:26 |
mdeslaur | luis220413: fixed, thanks | 18:27 |
mdeslaur | luis220413: but we did release it for xenial before it went eol, so ignored isn't appropriate | 18:27 |
mdeslaur | oh wait, it's a typo? | 18:27 |
* | mdeslaur looks again | 18:27 |
luis220413 | https://launchpad.net/ubuntu/+source/openconnect/+publishinghistory | 18:27 |
luis220413 | https://launchpad.net/ubuntu/+source/openconnect | 18:28 |
mdeslaur | you're right, fixed now, thanks | 18:28 |
luis220413 | I also believe Ubuntu 22.04 is not vulnerable to CVE-2020-12105, because the description mentions "OpenConnect through 8.08" and 22.04 has 8.20-1. | 18:30 |
ubottu | OpenConnect through 8.08 mishandles negative return values from X509_check_ function calls, which might assist attackers in performing man-in-the-middle attacks. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12105> | 18:30 |
luis220413 | Can you also triage this CVE for bionic and focal? I will prepare a security update for this package today. | 18:31 |
sbeattie | one needs to be cautious with versions in cve descriptions provided by mitre/nvd (which is often the source of UCT descriptions). | 18:31 |
mdeslaur | the description is wrong, it doesn't look like it's fixed upstream | 18:31 |
luis220413 | I must leave now but will remain online. | 18:32 |
mdeslaur | it only affects when built with openssl, ubuntu builds with gnutls, no it's not vulnerable | 18:34 |
luis220413 | I have just submitted debdiffs for openconnect in bug 1987569. | 22:11 |
ubottu | Bug 1987569 in openconnect (Ubuntu) "Versions in Bionic and Focal are vulnerable to CVE-2020-12823" [Undecided, New] https://launchpad.net/bugs/1987569 | 22:11 |