This release fixes a problem with the OpenSSL build validating hostnames against server certificates, which is CVE-2020-12015. A server presenting an invalid certificate (one nonetheless genuinely issued by a trusted CA) could bypass the hostname check and use that certificate for *any* server. The GnuTLS build is not affected.

Also included are some fixes for the Juniper Host Checker (TNCC), cleanup of non-canonical include/exclude subnet masks before they are exported to vpnc-script, and bash autocompletion support.

ftp://ftp.infradead.org/pub/openconnect/openconnect-8.09.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-8.09.tar.gz.asc

Daniel Lenski (23):
      convert tncc-wrapper.py to Python 3.6
      we can be a *little* more user-friendly
      Try blithely ignoring lack of IcedTea plugin.jar and/or tncc_preload.so
      recent tncc.jar looks for files in ~/.pulse_secure rather than ~/.juniper_networks
      pass TNCC_SHA256 and TNCC_HOSTNAME environment variables to wrapper script (just like for CSD)
      Include tncc-emulate.py
      Add copyright and license notice, and update TNCC docs
      tncc-emulate.py: update to modernized Python 3.x version
      Add a comment explaining required Python3 modules and potentially customizable environment variables
      tested that Ubuntu 18.04's python3-asn1crypto version works (v0.24.0)
      remove vestigial bit
      periodic TNCC
      GP auth: give challenge/2FA forms a constant auth_id/name of "_challenge"
      better heuristic for determining where to fill in a token in GP forms
      Fix print_supported_protocols and print_supported_protocols_usage
      periodic HIP fix: ping /ssl-vpn/hipreportcheck.esp at specified interval no matter what
      GP: run HIP report 60 seconds in advance of the server's interval (just as we rekey 60 seconds in advance)
      trigger periodic TNCC even if we have no packets to receive from oNCP, and don't use server's interval if zero
      URL-decode GlobalProtect login response fields
      Changelog entry for GP changes (covers !90, !93, !95)
      set TCP_NODELAY unconditionally on TCP/TLS sockets
      changelog
      fix IPv4 split-{in,ex}clude routes with misspecified host bits

David Woodhouse (25):
      Add bash completion
      Fix autocompletion a bit more, add tests
      More helpful error when Pulse server asks for TNCC
      No autocompletion test for mingw build
      Fix uninitialised 'matcher' in autocompletion
      Clean up autocompletion a little
      Check for localtime_s() only on Windows.
      Add AC_DEFINE description for LIBPROXY_HDR in non-pkgconfig case
      Merge branch 'potential_HIP_fix' of gitlab.com:openconnect/openconnect
      Merge branch 'fix_print_supported_protocols' of gitlab.com:openconnect/openconnect
      Merge branch 'modify_GP_challenge_2FA_form_handling' of gitlab.com:openconnect/openconnect
      Merge branch 'GP_urldecode_login_arguments' of gitlab.com:dlenski/openconnect
      Merge branch 'tncc_wrapper_Py3k' of gitlab.com:dlenski/openconnect
      Merge branch 'use_TCP_NODELAY_when_tunnel_running_over_TCP' of gitlab.com:openconnect/openconnect
      Update SoftHSM token import scripting and reimport
      Reimport with SoftHSM v2.2
      Log in slots with CKF_USER_PIN_INITIALIZED and not CKF_LOGIN_REQUIRED
      Add CentOS8 CI
      Add commands for creating server-cert
      Fix dependencies and tests/configs/server-cert.prm to dist
      Add mingw build in copr
      Drop wine-common for now, openconnect.exe in bindir
      Build mingw with lz4 and stoken
      Update translations from GNOME
      Tag version 8.09

Jordy Zomer (1):
      Use OpenSSL X509_check_host() and X509_check_ip() correctly.
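As an added illustration of the hostname-check issue described at the top of this announcement (this is not code from OpenConnect or from the fix commit listed above): OpenSSL's X509_check_host() and X509_check_ip() return 1 for a match, 0 for no match, -1 for an internal error and -2 for malformed input. The model below, written in C without linking OpenSSL, reproduces that contract over a constructed subjectAltName list and puts the only safe caller, which accepts exactly the value 1, next to a truthiness check that lets a malformed certificate pass for any hostname, the kind of outcome the announcement warns about. The struct san_entry type, the function names and the SAN values are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes with the same meaning as OpenSSL's X509_check_host() and
 * X509_check_ip(): 1 match, 0 no match, -1 internal error, -2 malformed
 * input. Only the value 1 may ever be taken as "the name is verified". */
#define HOST_MATCH      1
#define HOST_NO_MATCH   0
#define HOST_ERROR     -1
#define HOST_MALFORMED -2

enum san_type { SAN_DNS, SAN_IP };

/* Constructed stand-in for a subjectAltName entry (assumption for this
 * example). The explicit length lets us model an encoded name whose length
 * disagrees with its C string, e.g. an embedded NUL. */
struct san_entry {
    enum san_type type;
    const char *value;   /* dNSName pattern or dotted-quad IPv4 text */
    size_t len;          /* length as encoded in the certificate */
};

/* DNS names compare case-insensitively. */
static int labels_equal(const char *a, const char *b)
{
    size_t alen = strlen(a), blen = strlen(b);
    if (alen != blen)
        return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Match a hostname against one dNSName pattern. A single leading "*." may
 * stand for exactly one label (RFC 6125 section 6.4.3); nothing else is a
 * wildcard. */
static int dns_name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;            /* wildcard needs a non-empty first label */
        if (strchr(dot + 1, '.') == NULL)
            return 0;            /* refuse "*.com" style matches */
        return labels_equal(pattern + 2, dot + 1);
    }
    return labels_equal(pattern, host);
}

/* True when the requested host is an IPv4 literal rather than a DNS name. */
static int looks_like_ipv4(const char *host)
{
    int dots = 0;
    for (const char *p = host; *p; p++) {
        if (*p == '.')
            dots++;
        else if (!isdigit((unsigned char)*p))
            return 0;
    }
    return dots == 3;
}

/* Tri-state check over the SAN list, mirroring the X509_check_* contract:
 * a malformed entry is reported as HOST_MALFORMED, never as a match. */
int check_host_against_sans(const struct san_entry *sans, size_t n, const char *host)
{
    if (host == NULL || *host == '\0' || strlen(host) > 255)
        return HOST_MALFORMED;
    int want_ip = looks_like_ipv4(host);
    for (size_t i = 0; i < n; i++) {
        /* encoded length disagreeing with the C string, or an empty name,
         * means the certificate is malformed */
        if (sans[i].len == 0 || strlen(sans[i].value) != sans[i].len)
            return HOST_MALFORMED;
        if (sans[i].type == SAN_DNS && !want_ip && dns_name_matches(sans[i].value, host))
            return HOST_MATCH;
        if (sans[i].type == SAN_IP && want_ip && strcmp(sans[i].value, host) == 0)
            return HOST_MATCH;
    }
    return HOST_NO_MATCH;
}

/* Fail-closed caller: accept only the explicit match value. */
int hostname_accepted(const struct san_entry *sans, size_t n, const char *host)
{
    return check_host_against_sans(sans, n, host) == HOST_MATCH;
}

/* Contrast: a truthiness test turns the error codes -1/-2 into "accepted",
 * so a malformed certificate passes for any hostname. */
int hostname_accepted_unsafe(const struct san_entry *sans, size_t n, const char *host)
{
    return check_host_against_sans(sans, n, host) != 0;
}

int main(void)
{
    /* constructed SAN list: a wildcard dNSName and one iPAddress */
    static const struct san_entry good[] = {
        { SAN_DNS, "*.example.com", 13 },
        { SAN_IP,  "203.0.113.5",  11 },
    };
    /* constructed malformed entry: encoded length longer than the visible name */
    static const struct san_entry bad[] = { { SAN_DNS, "vpn.example.com", 20 } };

    printf("www.example.com accepted: %d\n", hostname_accepted(good, 2, "www.example.com"));
    printf("malformed cert, safe caller: %d\n", hostname_accepted(bad, 1, "anything.invalid"));
    printf("malformed cert, unsafe caller: %d\n", hostname_accepted_unsafe(bad, 1, "anything.invalid"));
    return 0;
}
```

The practical check for any caller of X509_check_host() or X509_check_ip() is the comparison in hostname_accepted(): compare the return value to 1, and treat every other value, including the negative error codes, as a verification failure.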
openconnect-devel mailing list: http://lists.infradead.org/mailman/listinfo/openconnect-devel