[18:20] Is anyone from the Ubuntu Security Team here?
[18:22] The status of CVE-2019-16239 for focal and later releases should be Not vulnerable (8.05-1) and for xenial should be "Ignored (reached end-of-life)", because you always do this for packages that are in the universe component in xenial.
[18:22] process_http_response in OpenConnect before 8.05 has a Buffer Overflow when a malicious server uses HTTP chunked encoding with crafted chunk sizes.
[18:23] *"Ignored (out of standard support)"
[18:23] The CVE is not fixed in Xenial, contrary to what the Ubuntu CVE Tracker states.
[18:26] I must leave now but will remain online.
[18:27] luis220413: fixed, thanks
[18:27] luis220413: but we did release it for xenial before it went eol, so ignored isn't appropriate
[18:27] oh wait, it's a typo?
[18:27] * mdeslaur looks again
[18:27] https://launchpad.net/ubuntu/+source/openconnect/+publishinghistory
[18:28] https://launchpad.net/ubuntu/+source/openconnect
[18:28] you're right, fixed now, thanks
[18:30] I also believe Ubuntu 22.04 is not vulnerable to CVE-2020-12105, because the description mentions "OpenConnect through 8.08" and 22.04 has 8.20-1.
[18:30] OpenConnect through 8.08 mishandles negative return values from X509_check_ function calls, which might assist attackers in performing man-in-the-middle attacks.
[18:31] Can you also triage this CVE for bionic and focal? I will prepare a security update for this package today.
[18:31] one needs to be cautious with versions in cve descriptions provided by mitre/nvd (which is often the source of UCT descriptions).
[18:31] the description is wrong, it doesn't look like it's fixed upstream
[18:32] I must leave now but will remain online.
[18:34] it only affects when built with openssl, ubuntu builds with gnutls, no it's not vulnerable
[22:11] I have just submitted debdiffs for openconnect in bug 1987569.
[22:11] Bug 1987569 in openconnect (Ubuntu) "Versions in Bionic and Focal are vulnerable to CVE-2020-12823" [Undecided, New] https://launchpad.net/bugs/1987569