Ubuntu
openconnect package

OpenConnect does not properly logout from Juniper VPNs

Bug #1655279 reported by Dan Lenski
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openconnect (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

The Juniper protocol lacks a .vpn_close_session function; without logout, the VPN cookie remains active and can be used to restart the session from an unrelated computer.

This is a security hazard, especially when passing around OpenConnect logs on the mailing list for development and troubleshooting.

Patch is straightforward: http://lists.infradead.org/pipermail/openconnect-devel/2017-January/004161.html

(Ubuntu 16.04.1 LTS, openconnect v7.06)

See original description
Tags: patch
Revision history for this message
Dan Lenski (lenski) wrote :
information type: Private Security → Public Security
description: updated
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "juniper_logout.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Emily Ratliff (emilyr) wrote :

Thank you for taking the time to report this bug and provide the patch. Since the package referred to in this bug is in universe, it is community maintained. Would you be able to prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures ?

Revision history for this message
Mike Miller (mtmiller) wrote :

It would also be ideal to wait until the proposed patch has been reviewed and applied upstream. The patch is from the upstream mailing list, not yet acknowledged or committed.

Revision history for this message
Dan Lenski (lenski) wrote : Re: [Bug 1655279] Re: OpenConnect does not properly logout from Juniper VPNs

Okay, although I think this one is a fairly straightforward fix, it's a
good idea to wait and see the discussion on the list.

On Tue, Jan 10, 2017 at 3:05 PM, Mike Miller <email address hidden> wrote:

> It would also be ideal to wait until the proposed patch has been
> reviewed and applied upstream. The patch is from the upstream mailing
> list, not yet acknowledged or committed.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1655279
>
> Title:
> OpenConnect does not properly logout from Juniper VPNs
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/openconnect/+
> bug/1655279/+subscriptions
>

Marc Deslauriers (mdeslaur)
Changed in openconnect (Ubuntu):
status: New → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openconnect - 7.08-3

---------------
openconnect (7.08-3) unstable; urgency=medium

  * d/p/add-logout-juniper.patch: New patch, add logout to Juniper VPN.
    Thanks to Daniel Lenski (LP: #1655279)

 -- Mike Miller <email address hidden> Sun, 25 Feb 2018 15:00:56 -0800

Changed in openconnect (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.