This is a retrospective release of a stable 4.08 version.

It has been brought to my attention that one of the fixes in Kevin's pull request for XML post support is something that I should have paid a lot more attention to - a potential buffer overflow in the HTTP request generation, that can be triggered by a server giving us a huge list of cookies, redirecting to a large hostname, etc. This has been assigned CVE-2012-6128.

Since I'm not quite ready to push a 5.00 release yet, as we're still chasing down at least one known issue with the XML post support, I'm *definitely* not ready to push it out as a security update. So I've gone back and branched off from a "safe" point shortly after the 4.07 release where we'd applied a few minor fixes, and applied the important fixes that came in later. A changelog and translation update, and that's 4.08.

If you were currently using 4.99, you're fine and can ignore this. If you're using anything less than 4.07, especially if you don't properly check server SSL certificates and you're thus especially vulnerable to a MITM attack, then you should definitely upgrade.

ftp://ftp.infradead.org/pub/openconnect/openconnect-4.08.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-4.08.tar.gz.asc

Changelog from v4.07 to v4.08:

David Woodhouse (25):
      Import translations from GNOME
      Update translations from Transifex
      Be explicit when we're connecting to a proxy not directly to a VPN server
      Import translations from GNOME
      Import translations from GNOME
      Update translations from Transifex
      Import translations from GNOME
      Fix token serial number matching when trying to find hidden PKCS#11 key
      Fix potential NULL dereference in error path in gnutls_pkcs11_simple_parse()
      Fix error reporting when failed to write CSD script file
      Close XML file handle before error return if fstat() fails
      Free CSTP option structure before error return if malloc fails
      Close ssl_sock before returning error in connect_https_socket()
      Close config_fd before returning from write_new_config()
      Close dtls_fd on error returns from connect_dtls_socket()
      Fix fd/memory leak on error return from openconnect_open_https()
      Fix use-after-free of numeric IPv6 hostname on error path
      Fix leaks on failure paths in OpenSSL openconnect_open_https()
      Update changelog
      Import translations from GNOME
      Canonicalise hostname during authentication if necessary
      Impose minimum MTU of 1280 bytes.
      Update changelog
      Update translations
      Tag version 4.08

Kevin Cernekee (6):
      Delete references to long-removed SecurID code
      Fix a couple of minor typos
      Update Debian package status
      Link to OpenConnect SOCKS proxy (ocproxy) from documentation
      Fix missing newline in the "No form handler" error message
      http: Fix overflow on HTTP request buffers (CVE-2012-6128)

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
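
The bug class described in the announcement (an HTTP request assembled from server-controlled cookies and a redirect hostname overrunning its buffer) is avoided by sizing every append from what the formatter reports. The following is an added example, not OpenConnect's code and not part of the original message; `text_buf`, `buf_append`, `build_request` and the `MAX_REQUEST_LEN` limit are hypothetical names and values chosen for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REQUEST_LEN 65536  /* assumed policy limit, not from the page */

/* Hypothetical growable buffer; the error flag is sticky, so check it once. */
struct text_buf { char *data; size_t len, cap; int error; };

static void buf_append(struct text_buf *b, const char *fmt, ...)
{
    while (!b->error) {
        size_t room = b->cap - b->len;
        va_list ap;
        va_start(ap, fmt);
        int n = vsnprintf(b->data ? b->data + b->len : NULL, room, fmt, ap);
        va_end(ap);
        if (n >= 0 && (size_t)n < room) { b->len += (size_t)n; return; }
        /* Did not fit: grow to the size vsnprintf reported, then retry. */
        size_t want = b->len + (size_t)n + 1;
        char *p = (n < 0 || want > MAX_REQUEST_LEN) ? NULL : realloc(b->data, want);
        if (!p) { b->error = 1; return; }
        b->data = p;
        b->cap = want;
    }
}

/* Returns a malloc'd request, or NULL if it would exceed the limit. */
char *build_request(const char *host, const char *path,
                    const char *const *cookies, size_t ncookies)
{
    struct text_buf b = {0};
    buf_append(&b, "GET %s HTTP/1.1\r\nHost: %s\r\n", path, host);
    for (size_t i = 0; i < ncookies; i++)
        buf_append(&b, "%s%s%s", i ? "; " : "Cookie: ", cookies[i],
                   i + 1 == ncookies ? "\r\n" : "");
    buf_append(&b, "\r\n");
    if (b.error) { free(b.data); return NULL; }
    return b.data;
}

int main(void)
{
    const char *cookies[] = { "webvpn=abc", "lang=en" };  /* constructed sample */
    char *req = build_request("vpn.example.com", "/", cookies, 2);
    if (!req) return 1;
    printf("%zu bytes\n%s", strlen(req), req);
    free(req);
    return 0;
}
```

Oversized server input makes `build_request` return NULL, so the caller can abort the connection instead of sending a truncated request.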