June OpenSSL Vulnerabilities
Alex Elsayed
eternaleye at gmail.com
Tue Aug 11 21:25:29 PDT 2015
By default, OpenConnect uses GnuTLS rather than OpenSSL. It only uses
OpenSSL if the following conditions are met at build-time:
1.) GnuTLS does not support DTLS (only the case for old versions, AIUI)
2.) --without-openssl was not passed
OR
--without-gnutls was passed
Further information can be found in configure.ac (version 7.06, the most
recent at time of posting):
http://git.infradead.org/users/dwmw2/openconnect.git/blob/v7.06:/configure.ac#l255
ASHLEY GRAVES (RIT Student) wrote:
> Is OpenConnect affected by the same OpenSSL vulnerabilities as
> AnyConnect from the June advisory
> (http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150612-openssl)?
>
> The included CVEs are CVE-2015-1789, CVE-2015-1792, CVE-2014-8176,
> CVE-2015-1788, CVE-2015-1790, CVE-2015-1791.
>
> If not, does the way OpenConnect handles OpenSSL leave it unaffected
> by the recent surge of other OpenSSL vulns? Thanks in advance.
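
To see which of the build cases above an installed binary falls into, the following added example (not part of the original message or of OpenConnect) classifies the TLS libraries listed in `ldd` output. The sample `ldd` lines and function names are constructed for illustration, and dynamic linking is assumed; statically linked libraries would not appear.

```shell
#!/bin/sh
# Reads `ldd`-style output on stdin and prints which TLS libraries are linked:
#   gnutls | openssl | gnutls+openssl | none
classify_tls_backend() {
    has_gnutls=0
    has_openssl=0
    while IFS= read -r line; do
        case "$line" in
            *libgnutls.so*)             has_gnutls=1 ;;
            *libssl.so*|*libcrypto.so*) has_openssl=1 ;;
        esac
    done
    case "$has_gnutls$has_openssl" in
        10) echo "gnutls" ;;          # default build: OpenSSL not linked
        01) echo "openssl" ;;         # e.g. built with --without-gnutls
        11) echo "gnutls+openssl" ;;  # OpenSSL also loaded; track its advisories
        *)  echo "none" ;;
    esac
}

# Constructed sample inputs (not captured from a real system).
sample_default_build() {
    cat <<'EOF'
	libopenconnect.so.5 => /usr/lib/libopenconnect.so.5 (0x00007f0000300000)
	libgnutls.so.28 => /usr/lib/libgnutls.so.28 (0x00007f0000200000)
	libc.so.6 => /lib/libc.so.6 (0x00007f0000100000)
EOF
}
sample_mixed_build() {
    cat <<'EOF'
	libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00007f0000300000)
	libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f0000200000)
	libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f0000100000)
EOF
}
sample_without_gnutls_build() {
    cat <<'EOF'
	libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f0000200000)
	libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f0000100000)
EOF
}

# On a real system: ldd "$(command -v openconnect)" | classify_tls_backend
for s in sample_default_build sample_mixed_build sample_without_gnutls_build; do
    printf '%s: %s\n' "$s" "$($s | classify_tls_backend)"
done
```

Any result other than `gnutls` means the installed OpenSSL version should be checked against the advisory's fixed releases.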