-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0208
                        openconnect security update
                             15 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openconnect
Publisher:         Debian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Debian GNU/Linux 6
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-6128  

Original Bulletin: 
   http://www.debian.org/security/2013/dsa-2623

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running openconnect check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2623-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
February 14, 2013                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : openconnect
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-6128

Kevin Cernekee discovered that a malicious VPN gateway can send
crafted responses which trigger stack-based buffer overflows.

For the stable distribution (squeeze), this problem has been fixed in
version 2.25-0.1+squeeze2.

We recommend that you upgrade your openconnect packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----