*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Marc Deslauriers 
(mdeslaur):

Binary package hint: openconnect

Versions of OpenConnect before 2.25 do not verify that the server SSL
certificate matches the server hostname, which enables an attacker to
perform an MITM attack on the connection.  This can be fixed by
upgrading to OpenConnect 2.25.

From the upstream changelog:

OpenConnect v2.25 — 2010-05-15
• Always validate server certificate, even when no extra --cafile is 
  provided.
• Add --no-cert-check option to avoid certificate validation.
• Check server hostname against its certificate.
• Provide text-mode function for reviewing and accepting "invalid" 
  certificates.
• Fix libproxy detection on NetBSD.
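As an added illustration, not code from the OpenConnect project or from this bug report, the Python below shows the two checks the 2.25 changelog describes: a TLS context that validates the server certificate by default (with --no-cert-check modelled as an explicit opt-out) and a hostname-to-certificate matcher of the kind needed to "check server hostname against its certificate". The certificate dict is a constructed sample in the shape returned by ssl.SSLSocket.getpeercert(); the function names are assumptions.

```python
import ssl


def hostname_matches_san(hostname, san_dns_names):
    """RFC 6125-style comparison of a hostname against dNSName SAN entries.
    A wildcard is accepted only as the entire leftmost label, matches exactly
    one label, and never matches the bare registered domain."""
    host = hostname.rstrip(".").lower()
    host_labels = host.split(".")
    for pattern in san_dns_names:
        pat = pattern.rstrip(".").lower()
        if pat == host:
            return True
        if pat.startswith("*."):
            pat_labels = pat.split(".")
            # "*.example.com" has 3 labels; refuse "*.com"-style patterns
            if (len(pat_labels) >= 3
                    and len(host_labels) == len(pat_labels)
                    and host_labels[1:] == pat_labels[1:]):
                return True
    return False


def cert_matches_hostname(cert, hostname):
    """cert uses the dict layout of ssl.SSLSocket.getpeercert().
    SAN dNSName entries are authoritative; CN is a legacy fallback only."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(v for (k, v) in rdn if k == "commonName")
    return hostname_matches_san(hostname, names)


def vpn_tls_context(no_cert_check=False, cafile=None):
    """Post-2.25 behaviour: verify the chain and the hostname by default;
    no_cert_check is the explicit opt-out equivalent of --no-cert-check."""
    ctx = ssl.create_default_context(cafile=cafile)
    if no_cert_check:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx):
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed sample certificate (not a real server's) for a local check.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.vpn.example.com")),
}
```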

** Affects: openconnect (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: openconnect (Debian)
     Importance: Unknown
         Status: Confirmed

-- 
openconnect < 2.25 does not verify SSL server certificates
https://bugs.edge.launchpad.net/bugs/611449

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs