On Tue, 2015-08-11 at 09:15 -0500, ASHLEY GRAVES (RIT Student) wrote:
> Is OpenConnect affected by the same OpenSSL vulnerabilities as
> AnyConnect from the June advisory
> (http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150612-openssl)?
>
> The included CVEs are CVE-2015-1789, CVE-2015-1792, CVE-2014-8176,
> CVE-2015-1788, CVE-2015-1790, CVE-2015-1791.
>
> If not, does the way OpenConnect handles OpenSSL leave it unaffected
> by the recent surge of other OpenSSL vulns? Thanks in advance.

As Alex says, OpenConnect will build against GnuTLS by default. Certainly all the Linux distributions are building against GnuTLS, as far as I'm aware. I do not know of anyone shipping binary versions of OpenConnect linked against OpenSSL.... Fabian, are you?

If anyone *is* linking against OpenSSL on a system which lacks GnuTLS, which is possibly the case for some *BSD ports, then they'll usually be linking against a dynamic *system* library of OpenSSL, not a version which is privately shipped with OpenConnect. Which means that when that system version is updated, OpenConnect is fixed too.

For these reasons, we haven't even done a detailed analysis of which of the OpenSSL vulnerabilities would affect OpenConnect users, just as we haven't done any analysis of how vulnerabilities in other system components like glibc or the Linux kernel might affect OpenConnect users. It simply isn't relevant.

None of this applies to Cisco because they ship their *own* version of OpenSSL, and they are therefore responsible for any problems therein. And need to update their product to fix them.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
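The practical question behind the thread is "which TLS library does *my* openconnect binary actually load, and is it the system copy?" The script below is an added example for this page, not code from the OpenConnect project or from anyone in the thread. It assumes a Linux or BSD host with `ldd`, the usual `libgnutls.so.N` / `libssl.so.N` / `libcrypto.so.N` sonames, and that `openconnect --version` prints its backend on a line beginning "Using GnuTLS" or "Using OpenSSL" (the format I recall from OpenConnect builds; treat it as an assumption). The `ldd` and `--version` samples embedded in it are constructed so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Which TLS backend is this openconnect binary using, and is it the system one?
# Added example, not OpenConnect project code. Assumes a Linux/BSD host with
# `ldd` and conventional sonames (libgnutls.so.N, libssl.so.N, libcrypto.so.N).

# Read `ldd` output on stdin, print: gnutls | openssl | both | none
# Caveat: ldd lists *transitive* dependencies, so "both" usually means a GnuTLS
# build whose other libraries drag in libssl; it is a prompt to look closer,
# not a verdict that OpenConnect itself calls OpenSSL.
classify_tls_backend() {
    has_gnutls=0
    has_openssl=0
    while IFS= read -r line; do
        case "$line" in
            *libgnutls.so*) has_gnutls=1 ;;
            *libssl.so*)    has_openssl=1 ;;
        esac
    done
    if [ "$has_gnutls" -eq 1 ] && [ "$has_openssl" -eq 1 ]; then echo both
    elif [ "$has_gnutls" -eq 1 ]; then echo gnutls
    elif [ "$has_openssl" -eq 1 ]; then echo openssl
    else echo none
    fi
}

# Print the resolved path of every OpenSSL library (libssl/libcrypto) the loader
# picks, one per line. A path under /usr/lib or /lib is the distro package and is
# fixed by the distro's OpenSSL update; a path inside an application directory
# would be a privately shipped copy, the situation the reply attributes to Cisco.
openssl_lib_paths() {
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*)
                # ldd line shape: "name => /path (0xaddr)"
                set -- $line
                if [ "$2" = "=>" ]; then echo "$3"; fi
                ;;
        esac
    done
}

# Read `openconnect --version` output on stdin and report what it claims.
# Assumption: the backend appears on a line starting "Using GnuTLS"/"Using OpenSSL".
backend_from_version() {
    while IFS= read -r line; do
        case "$line" in
            "Using GnuTLS"*)  echo gnutls;  return 0 ;;
            "Using OpenSSL"*) echo openssl; return 0 ;;
        esac
    done
    echo unknown
}

# Run all three checks against an installed binary (default: openconnect in PATH).
check_openconnect() {
    bin=$(command -v "${1:-openconnect}" 2>/dev/null) \
        || { echo "${1:-openconnect} not found in PATH" >&2; return 1; }
    echo "binary:        $bin"
    echo "ldd says:      $(ldd "$bin" 2>/dev/null | classify_tls_backend)"
    echo "version says:  $("$bin" --version 2>/dev/null | backend_from_version)"
    echo "OpenSSL libraries resolved by the loader (empty for a pure GnuTLS build):"
    ldd "$bin" 2>/dev/null | openssl_lib_paths
}

# Constructed sample inputs (not captured from a real system) for offline checks.
SAMPLE_LDD_GNUTLS='    linux-vdso.so.1 (0x00007ffc5a3f0000)
    libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f1c2b6e0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2b0e0000)'
SAMPLE_LDD_OPENSSL='    libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x0000000800a00000)
    libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x0000000800c00000)
    libc.so.7 => /lib/libc.so.7 (0x0000000801000000)'
SAMPLE_VERSION_GNUTLS='OpenConnect version v7.06
Using GnuTLS. Features present: PKCS#11, DTLS'

# Usage: sh tlscheck.sh [path-or-name-of-openconnect]
if [ "$#" -gt 0 ]; then
    check_openconnect "$1"
fi
```

On a distro build you expect `ldd says: gnutls`, `version says: gnutls` and an empty library list; that is the case the reply describes, where OpenConnect carries no OpenSSL exposure of its own. If the list is non-empty, the path tells you whose OpenSSL it is, and the distro's package tooling on that path (dpkg -S, rpm -qf, pkg which) tells you whether the advisory's fixes have landed.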