June OpenSSL Vulnerabilities

On Tue, 2015-08-11 at 09:15 -0500, ASHLEY GRAVES (RIT Student) wrote:
> Is OpenConnect affected by the same OpenSSL vulnerabilities as
> AnyConnect from the June advisory
> (http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150612-openssl)?
> 
> The included CVEs are CVE-2015-1789, CVE-2015-1792, CVE-2014-8176,
> CVE-2015-1788, CVE-2015-1790, CVE-2015-1791.
> 
> If not, does the way OpenConnect handles OpenSSL leave it unaffected
> by the recent surge of other OpenSSL vulns? Thanks in advance.

As Alex says, OpenConnect will build against GnuTLS by default.
Certainly all the Linux distributions are building against GnuTLS, as
far as I'm aware.

I do not know of anyone shipping binary versions of OpenConnect linked
against OpenSSL.... Fabian, are you?

If anyone *is* linking against OpenSSL on a system which lacks GnuTLS,
which is possibly the case for some *BSD ports, then they'll usually be
linking against a dynamic *system* library of OpenSSL, not a version
which is privately shipped with OpenConnect. Which means that when that
system version is updated, OpenConnect is fixed too.

For these reasons, we haven't even done a detailed analysis of which of
the OpenSSL vulnerabilities would affect OpenConnect users - just as we
haven't done any analysis of how vulnerabilities in other system
components like glibc or the Linux kernel might affect OpenConnect
users. It simply isn't relevant.

None of this applies to Cisco because they ship their *own* version of
OpenSSL, and they are therefore responsible for any problems therein.
And need to update their product to fix them.
 
-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation

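The distinction drawn in the message above, between a TLS library resolved from the system and one shipped privately with a product, can be checked on an installed binary. This is an added example, not part of the original message or of OpenConnect; the function name, the list of system library directories and both sample `ldd` listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Read `ldd` output on stdin; print "<soname> <origin> <path>" per TLS library.
# origin: system  = resolved from a distribution library directory
#         private = resolved from anywhere else (shipped with the product)
#         missing = the loader could not resolve it
# The directory list below is an assumption; adjust it for your OS.
classify_tls_libs() {
    while read -r soname arrow path _rest; do
        [ "$arrow" = "=>" ] || continue      # skip vdso and loader lines
        case "$soname" in
            libgnutls.so*|libssl.so*|libcrypto.so*) ;;
            *) continue ;;
        esac
        case "$path" in
            not) origin=missing; path="-" ;;  # "=> not found"
            /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*|/usr/local/lib/*) origin=system ;;
            *) origin=private ;;
        esac
        printf '%s %s %s\n' "$soname" "$origin" "$path"
    done
}

# Constructed sample: a distribution build linked against system GnuTLS.
sample_distro_build() {
cat <<'EOF'
    linux-vdso.so.1 (0x00007ffc00001000)
    libgnutls.so.28 => /usr/lib/x86_64-linux-gnu/libgnutls.so.28 (0x00007f0000100000)
    libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 (0x00007f0000200000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)
EOF
}

# Constructed sample: a product that ships its own OpenSSL under /opt.
sample_vendor_build() {
cat <<'EOF'
    libssl.so.1.0.0 => /opt/example-vpn/lib/libssl.so.1.0.0 (0x00007f0000400000)
    libcrypto.so.1.0.0 => /opt/example-vpn/lib/libcrypto.so.1.0.0 (0x00007f0000500000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000600000)
EOF
}

# Real use, on a binary you trust:  ldd "$(command -v openconnect)" | classify_tls_libs
echo "distro build:"; sample_distro_build | classify_tls_libs
echo "vendor build:"; sample_vendor_build | classify_tls_libs
```

A `system` result means the library is patched by the operating system's own updates; a `private` result means the fix has to come from whoever shipped that copy. A statically linked TLS library does not appear in `ldd` output at all, so an empty result is not proof that none is present.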
