June OpenSSL Vulnerabilities

David Woodhouse dwmw2 at infradead.org
Wed Aug 12 01:18:05 PDT 2015


On Tue, 2015-08-11 at 09:15 -0500, ASHLEY GRAVES (RIT Student) wrote:
> Is OpenConnect affected by the same OpenSSL vulnerabilities as
> AnyConnect from the June advisory
> (http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150612-openssl)?
> 
> The included CVEs are CVE-2015-1789, CVE-2015-1792, CVE-2014-8176,
> CVE-2015-1788, CVE-2015-1790, CVE-2015-1791.
> 
> If not, does the way OpenConnect handles OpenSSL leave it unaffected
> by the recent surge of other OpenSSL vulns? Thanks in advance.

As Alex says, OpenConnect will build against GnuTLS by default.
Certainly all the Linux distributions are building against GnuTLS, as
far as I'm aware.

I do not know of anyone shipping binary versions of OpenConnect linked
against OpenSSL.... Fabian, are you?

If anyone *is* linking against OpenSSL on a system which lacks GnuTLS,
which is possibly the case for some *BSD ports, then they'll usually be
linking against a dynamic *system* library of OpenSSL, not a version
which is privately shipped with OpenConnect. Which means that when that
system version is updated, OpenConnect is fixed too.

For these reasons, we haven't even done a detailed analysis of which of
the OpenSSL vulnerabilities would affect OpenConnect users — just as we
haven't done any analysis of how vulnerabilities in other system
components like glibc or the Linux kernel might affect OpenConnect
users. It simply isn't relevant.

None of this applies to Cisco because they ship their *own* version of
OpenSSL, and they are therefore responsible for any problems therein.
And need to update their product to fix them.
 
-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
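
The distinction drawn in the message above (GnuTLS, a dynamically linked system OpenSSL, or a privately shipped OpenSSL) can be checked on an installed binary from its `ldd` output. This is an added example, not part of the original message or of OpenConnect; the function name, the list of "system" library prefixes and the sample `ldd` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Reads `ldd` output on stdin
# and prints one of: openssl-private | openssl-system | gnutls | none

classify_tls_backend() {
    awk '
        # ldd line shape: "libname.so.N => /resolved/path (0xaddr)"
        $1 ~ /^libgnutls\.so/ { gnutls = 1 }
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" && $3 ~ /^\// {
            openssl = 1
            # Assumption: these prefixes are where the OS or ports/package
            # system installs shared libraries; any other path is treated
            # as a privately shipped copy that system updates will not fix.
            if ($3 !~ /^\/(usr\/)?lib(32|64)?\// && $3 !~ /^\/usr\/local\/lib\//) { private = 1 }
        }
        END {
            # ldd lists transitive dependencies too, so OpenSSL is reported
            # whenever it is loaded at all, even alongside GnuTLS.
            if (private)      print "openssl-private"
            else if (openssl) print "openssl-system"
            else if (gnutls)  print "gnutls"
            else              print "none"
        }'
}

# Constructed sample ldd output (addresses and paths are made up).
SAMPLE_GNUTLS='  linux-vdso.so.1 (0x00007ffd2a5f1000)
  libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f3c1a200000)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c19e00000)'

SAMPLE_SYSTEM_OPENSSL='  libssl.so.8 => /usr/lib/libssl.so.8 (0x0000000800a00000)
  libcrypto.so.8 => /lib/libcrypto.so.8 (0x0000000800c00000)
  libc.so.7 => /lib/libc.so.7 (0x0000000801000000)'

SAMPLE_PRIVATE_OPENSSL='  libssl.so.1.0.0 => /opt/example-vpn/lib/libssl.so.1.0.0 (0x00007f10aa000000)
  libcrypto.so.1.0.0 => /opt/example-vpn/lib/libcrypto.so.1.0.0 (0x00007f10a9c00000)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f10a9800000)'

# Real use: pass the path of the binary to inspect as the first argument.
if [ "$#" -gt 0 ] && [ -x "$1" ]; then
    ldd "$1" | classify_tls_backend
fi
```

A result of `openssl-system` means the fix arrives with the operating system's OpenSSL update; `openssl-private` means the vendor of the binary has to ship the fix.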