OpenConnect does not properly logout from Juniper VPNs

Bug #1655279 reported by Dan Lenski on 2017-01-10
Affects: openconnect (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

The Juniper protocol lacks a .vpn_close_session function; without logout, the VPN cookie remains active and can be used to restart the session from an unrelated computer.

This is a security hazard, especially when passing around OpenConnect logs on the mailing list for development and troubleshooting.

Patch is straightforward: http://lists.infradead.org/pipermail/openconnect-devel/2017-January/004161.html

(Ubuntu 16.04.1 LTS, openconnect v7.06)
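
Because an unterminated session cookie stays usable, a log has to be scrubbed of cookie values before it is shared. The filter below is an added example, not part of this bug report or of OpenConnect: it replaces cookie values with a short digest so repeated values can still be correlated. It assumes the Juniper session cookie is named DSID (the report does not name it), and the sample lines and their `<`/`>` prefixes are constructed.

```python
import hashlib
import re

# Set-Cookie attributes that are not secrets and stay readable.
ATTRS = {"path", "domain", "expires", "max-age", "samesite"}
HEADER = re.compile(r"^(.*?\b(?:Set-)?Cookie:\s*)(.*)$", re.IGNORECASE)
PAIR = re.compile(r"([^=;\s]+)=([^;\s]*)")
# DSID is assumed to be the Juniper session cookie; catch it outside headers
# too (for example in a pasted command line or shell variable).
DSID = re.compile(r"\b(DSID=)([^;\s'\"]+)")


def fingerprint(value):
    """Replace a secret with a short digest so repeated values still correlate."""
    digest = hashlib.sha256(value.encode()).hexdigest()[:8]
    return f"<redacted:{digest}>"


def redact_pair(match):
    """Redact one name=value pair unless it is a harmless cookie attribute."""
    name, value = match.group(1), match.group(2)
    if name.lower() in ATTRS or not value:
        return match.group(0)
    return f"{name}={fingerprint(value)}"


def redact_line(line):
    """Scrub every cookie value in a header line, or any bare DSID elsewhere."""
    header = HEADER.match(line)
    if header:
        return header.group(1) + PAIR.sub(redact_pair, header.group(2))
    return DSID.sub(lambda m: m.group(1) + fingerprint(m.group(2)), line)


def redact_log(text):
    return "\n".join(redact_line(line) for line in text.splitlines())


# Constructed sample; the "<"/">" traffic-dump prefixes are an assumption.
SAMPLE = """\
< Set-Cookie: DSID=0123456789abcdef0123456789abcdef; path=/; secure
> Cookie: DSID=0123456789abcdef0123456789abcdef; DSLastAccess=1484000000
COOKIE='DSID=0123456789abcdef0123456789abcdef'
Connected as 10.0.0.5, using SSL"""

if __name__ == "__main__":
    print(redact_log(SAMPLE))
```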

Dan Lenski (lenski) wrote :
information type: Private Security → Public Security
description: updated

The attachment "juniper_logout.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Emily Ratliff (emilyr) wrote :

Thank you for taking the time to report this bug and provide the patch. Since the package referred to in this bug is in universe, it is community maintained. Would you be able to prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures ?

Mike Miller (mtmiller) wrote :

It would also be ideal to wait until the proposed patch has been reviewed and applied upstream. The patch is from the upstream mailing list, not yet acknowledged or committed.

Okay, although I think this one is a fairly straightforward fix, it's a
good idea to wait and see the discussion on the list.

On Tue, Jan 10, 2017 at 3:05 PM, Mike Miller <email address hidden> wrote:

> It would also be ideal to wait until the proposed patch has been
> reviewed and applied upstream. The patch is from the upstream mailing
> list, not yet acknowledged or committed.

Changed in openconnect (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openconnect - 7.08-3

---------------
openconnect (7.08-3) unstable; urgency=medium

  * d/p/add-logout-juniper.patch: New patch, add logout to Juniper VPN.
    Thanks to Daniel Lenski (LP: #1655279)

 -- Mike Miller <email address hidden> Sun, 25 Feb 2018 15:00:56 -0800

Changed in openconnect (Ubuntu):
status: Confirmed → Fix Released