OpenConnect 4.08 release

David Woodhouse dwmw2 at
Wed Feb 13 16:44:11 EST 2013

This is a retrospective release of a stable 4.08 version.

It has been brought to my attention that one of the fixes in Kevin's
pull request for XML post support is something that I should have paid a
lot more attention to — a potential buffer overflow in the HTTP request
generation, that can be triggered by a server giving us a huge list of
cookies, redirecting to a large hostname, etc.

This has been assigned CVE-2012-6128.

Since I'm not quite ready to push a 5.00 release yet, as we're still
chasing down at least one known issue with the XML post support, I'm
*definitely* not ready to push it out as a security update. So I've gone
back and branched off from a "safe" point shortly after the 4.07 release
where we'd applied a few minor fixes, and applied the important fixes
that came in later. A changelog and translation update, and that's 4.08.

If you were currently using 4.99, you're fine and can ignore this. If
you're using anything less than 4.07, especially if you don't properly
check server SSL certificates and you're thus especially vulnerable to a
MITM attack, then you should definitely upgrade.

Changelog from v4.07 to v4.08:

David Woodhouse (25):
      Import translations from GNOME
      Update translations from Transifex
      Be explicit when we're connecting to a proxy not directly to a VPN server
      Import translations from GNOME
      Import translations from GNOME
      Update translations from Transifex
      Import translations from GNOME
      Fix token serial number matching when trying to find hidden PKCS#11 key
      Fix potential NULL dereference in error path in gnutls_pkcs11_simple_parse()
      Fix error reporting when failed to write CSD script file
      Close XML file handle before error return if fstat() fails
      Free CSTP option structure before error return if malloc fails
      Close ssl_sock before returning error in connect_https_socket()
      Close config_fd before returning from write_new_config()
      Close dtls_fd on error returns from connect_dtls_socket()
      Fix fd/memory leak on error return from openconnect_open_https()
      Fix use-after-free of numeric IPv6 hostname on error path
      Fix leaks on failure paths in OpenSSL openconnect_open_https()
      Update changelog
      Import translations from GNOME
      Canonicalise hostname during authentication if necessary
      Impose minimum MTU of 1280 bytes.
      Update changelog
      Update translations
      Tag version 4.08

Kevin Cernekee (6):
      Delete references to long-removed SecurID code
      Fix a couple of minor typos
      Update Debian package status
      Link to OpenConnect SOCKS proxy (ocproxy) from documentation
      Fix missing newline in the "No form handler" error message
      http: Fix overflow on HTTP request buffers (CVE-2012-6128)

David Woodhouse                            Open Source Technology Centre
David.Woodhouse at                              Intel Corporation
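
The class of bug described in the announcement is a request assembled from server-influenced values such as a redirect hostname and a cookie list. The following added example is not OpenConnect's code or its actual fix; it shows a bounded append helper with a sticky error flag. The names `req_buf`, `req_append` and `build_request`, the 256-byte buffer size and the sample values are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request buffer; 256 bytes is an assumed size for the demo. */
struct req_buf {
    char data[256];
    size_t pos;   /* bytes used, always < sizeof(data) */
    int error;    /* sticky: set once an append does not fit */
};

/* Append formatted text without ever writing past data[]. */
static void req_append(struct req_buf *b, const char *fmt, ...)
{
    size_t room = sizeof(b->data) - b->pos;
    va_list ap;
    int n;

    if (b->error)
        return;
    va_start(ap, fmt);
    n = vsnprintf(b->data + b->pos, room, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= room) {
        b->error = 1;
        b->data[b->pos] = '\0';   /* discard the truncated fragment */
        return;
    }
    b->pos += (size_t)n;
}

/* Build a GET request from server-influenced values (redirect host, cookies).
 * Returns the request length, or -1 if it does not fit in the buffer. */
int build_request(struct req_buf *b, const char *host, const char *path,
                  const char *const *cookies, size_t ncookies)
{
    size_t i;

    b->pos = 0;
    b->error = 0;
    b->data[0] = '\0';
    req_append(b, "GET /%s HTTP/1.1\r\nHost: %s\r\n", path, host);
    if (ncookies)
        req_append(b, "Cookie: ");
    for (i = 0; i < ncookies; i++)
        req_append(b, "%s%s", cookies[i], i + 1 < ncookies ? "; " : "\r\n");
    req_append(b, "\r\n");
    return b->error ? -1 : (int)b->pos;
}
```

A caller treats -1 as a failed request and aborts the connection attempt, so an oversized hostname or cookie list from the server never reaches memory beyond the buffer.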

More information about the openconnect-devel mailing list