Versions in Bionic and Focal are vulnerable to CVE-2020-12823

Bug #1987569 reported by Luís Infante da Câmara
This bug affects 1 person
Affects               Status       Importance  Assigned to    Milestone
openconnect (Ubuntu)  In Progress  Medium      Steve Beattie
  Bionic              New          Medium      Unassigned
  Focal               New          Medium      Unassigned

Bug Description

The versions in Ubuntu 18.04 and 20.04 are vulnerable to CVE-2020-12823.

I will prepare debdiffs for this issue.

Tags: patch

CVE References

Luís Infante da Câmara (luis220413) wrote :
Luís Infante da Câmara (luis220413) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "openconnect_bionic.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Thomas Ward (teward)
information type: Public → Public Security
Steve Beattie (sbeattie) wrote (last edit ):

[This is a patch for the security team to sponsor, so the Ubuntu Sponsors subscription can be removed from this bug. I have subscribed the ubuntu-security-sponsors team to make sure it is on our radar.]

Hey Luis, thanks for caring about the security of Ubuntu and preparing these debdiffs.

While reviewing, I have noticed a couple of issues:

- please when submitting debdiffs for sponsorship use version numbers that are appropriate for the ubuntu archive; while I appreciate that you (I presume) built these in a ppa, please remove the ~ppaN version for the debdiff submission. I have fixed those up here.

- the focal debdiff contained only the changelog entry and nothing else. I'm not sure where your package preparation went wrong, but it may have been because there wasn't an existing debian/patches directory. Please make sure to review your debdiffs when submitting them to ensure they are as you expect them (you should also check the build logs for your prep builds to ensure the patch is actually getting applied). I went ahead and cherry-picked the upstream fix locally, and am attaching the resulting debdiff here.

- I reflowed the changelog entries to ensure they fit the expected width.

Comparison locally of build logs shows no new build warnings, and comparison of the resulting binaries with current versions shows no api or other serious changes.

I have gone ahead and uploaded these to the ubuntu-security-proposed ppa (https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages) for building and testing; autopkgtests will get kicked off as well, but I see from the history for openconnect that the adt tests always fail, so that's not so helpful (fixing the tests in kinetic and debian would be a great thing to do!)

Once the packages have successfully built, please test and report results here.

Thanks again!

Changed in openconnect (Ubuntu):
status: New → In Progress
assignee: nobody → Steve Beattie (sbeattie)
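The review above asks submitters to drop ~ppaN version suffixes and to confirm that a debdiff actually carries the patch rather than only a debian/changelog entry. The POSIX shell script below is an added example, not code from this bug report or from the openconnect project: it runs those two checks over two constructed sample debdiffs whose package versions and changelog entries are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not part of the bug report): sanity-check a debdiff before
# submitting it for sponsorship. Two findings are flagged:
#   1. an added changelog header whose version still carries a ~ppaN suffix
#   2. a debdiff that touches only debian/changelog, i.e. the patch is missing

# Print the paths touched by a unified diff, taken from its "+++ " headers.
debdiff_files() {
    sed -n 's/^+++ \([^[:space:]]*\).*/\1/p' "$1"
}

# Exit 0 if the debdiff changes any file other than debian/changelog.
debdiff_has_code_changes() {
    debdiff_files "$1" | grep -qv 'debian/changelog$'
}

# Exit 0 if an added changelog header line carries a ~ppaN version suffix.
debdiff_has_ppa_version() {
    grep -Eq '^\+[a-z0-9.+-]+ \([^)]*~ppa[0-9]*[^)]*\)' "$1"
}

# Run both checks; print findings and exit 0 only when the debdiff is clean.
debdiff_check() {
    rc=0
    if debdiff_has_ppa_version "$1"; then
        echo "$1: changelog version still carries a ~ppa suffix"; rc=1
    fi
    if ! debdiff_has_code_changes "$1"; then
        echo "$1: only debian/changelog is touched; is the patch missing?"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "$1: ok"; fi
    return "$rc"
}

# Constructed sample debdiffs. Version strings and changelog text are
# hypothetical placeholders, not the real Ubuntu uploads.
GOOD_DEBDIFF=$(mktemp)
BAD_DEBDIFF=$(mktemp)
trap 'rm -f "$GOOD_DEBDIFF" "$BAD_DEBDIFF"' EXIT

# A debdiff that carries the changelog entry, the patch and the series file.
cat > "$GOOD_DEBDIFF" <<'EOF'
--- openconnect-1.2.3.orig/debian/changelog
+++ openconnect-1.2.3/debian/changelog
@@ -1,3 +1,8 @@
+openconnect (1.2.3-1ubuntu0.1) focal-security; urgency=medium
+
+  * SECURITY UPDATE: constructed placeholder entry for CVE-2020-12823
+    - debian/patches/CVE-2020-12823.patch: constructed placeholder
+
+ -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000
+
--- openconnect-1.2.3.orig/debian/patches/CVE-2020-12823.patch
+++ openconnect-1.2.3/debian/patches/CVE-2020-12823.patch
@@ -0,0 +1 @@
+Description: constructed placeholder patch body
--- openconnect-1.2.3.orig/debian/patches/series
+++ openconnect-1.2.3/debian/patches/series
@@ -0,0 +1 @@
+CVE-2020-12823.patch
EOF

# A debdiff with a leftover ~ppa1 version and nothing but the changelog.
cat > "$BAD_DEBDIFF" <<'EOF'
--- openconnect-1.2.3.orig/debian/changelog
+++ openconnect-1.2.3/debian/changelog
@@ -1,3 +1,6 @@
+openconnect (1.2.3-1ubuntu0.1~ppa1) focal-security; urgency=medium
+
+  * SECURITY UPDATE: constructed placeholder entry
+
EOF

debdiff_check "$GOOD_DEBDIFF"
debdiff_check "$BAD_DEBDIFF" || true
```

Run it as-is to see both verdicts, or source it and call debdiff_check on a real debdiff before attaching it to a bug; the version check only looks at added changelog headers, so an old ~ppa entry already in the archive's changelog is not reported.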
Luís Infante da Câmara (luis220413) wrote :

I will fix the tests in Kinetic and Debian as promised in bug #1987446.

Which VPN types supported by OpenConnect can trigger the vulnerability? If GlobalProtect is one of them, I believe @ernstp would be in a better position to test this update. Testing one VPN type suffices.

Mathew Hodson (mhodson)
Changed in openconnect (Ubuntu):
importance: Undecided → Medium
Changed in openconnect (Ubuntu Bionic):
importance: Undecided → Medium
Changed in openconnect (Ubuntu Focal):
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :

Hi,

Packages have been in the security team PPA for months now. Could the bug reporter or someone else please test the proposed packages so we can release them?

Thanks!

Steve Langasek (vorlon) wrote :

The packages have been uploaded and are awaiting testing. Unsubscribing Ubuntu Sponsors.

Marc Deslauriers (mdeslaur) wrote :

Unsubscribing ubuntu-security-sponsors. Once the packages are tested, please add a comment to this bug and re-subscribe the team. Thanks!

This report contains Public Security information  
Everyone can see this security related information.
