exploitDog

SUSE-SU-2024:0317-1

Published: 02 Feb 2024
Source: suse-cvrf

Description

Security update for openconnect

This update for openconnect fixes the following issues:

  • Update to release 9.12:

    • Explicitly reject overly long tun device names.
    • Increase maximum input size from stdin (#579).
    • Ignore 0.0.0.0 as NBNS address (!446, vpnc-scripts#58).
    • Fix stray (null) in URL path after Pulse authentication (4023bd95).
    • Fix config XML parsing mistake that left GlobalProtect ESP non-working in v9.10 (!475).
    • Fix case sensitivity in GPST header matching (!474).
  • Update to release 9.10:

    • Fix external browser authentication with KDE plasma-nm < 5.26.
    • Always redirect stdout to stderr when spawning external browser.
    • Increase default queue length to 32 packets.
    • Fix receiving multiple packets in one TLS frame, and single packets split across multiple TLS frames, for Array.
    • Handle idiosyncratic variation in search domain separators for all protocols
    • Support region selection field for Pulse authentication
    • Support modified configuration packet from Pulse 9.1R16 servers
    • Allow hidden form fields to be populated or converted to text fields on the command line
    • Support yet another strange way of encoding challenge-based 2FA for GlobalProtect
    • Add --sni option (and corresponding C and Java API functions) to allow domain-fronting connections in censored/filtered network environments
    • Parrot a GlobalProtect server's software version, if present, as the client version (!333)
    • Fix NULL pointer dereference that has left Android builds broken since v8.20 (!389).
    • Fix Fortinet authentication bug where repeated SVPNCOOKIE causes segfaults (#514, !418).
    • Support F5 VPNs which encode authentication forms only in JSON, not in HTML.
    • Support simultaneous IPv6 and Legacy IP ('dual-stack') for Fortinet.
    • Support 'FTM-push' token mode for Fortinet VPNs.
    • Send IPv6-compatible version string in Pulse IF/T session establishment
    • Add --no-external-auth option to not advertise external-browser authentication
    • Many small improvements in server response parsing, and better logging messages and documentation.
  • Update to release 9.01:

    • Add support for AnyConnect 'Session Token Re-use Anchor Protocol' (STRAP)
    • Add support for AnyConnect 'external browser' SSO mode
    • Bugfix RSA SecurID token decryption and PIN entry forms, broken in v8.20
    • Support Cisco's multiple-certificate authentication
    • Revert GlobalProtect default route handling change from v8.20
    • Support split-exclude routes for Fortinet
    • Add webview callback and SAML/SSO support for AnyConnect, GlobalProtect
  • Update to release 8.20:

    • Support non-AEAD ciphersuites in DTLSv1.2 with AnyConnect.
    • Emulate a newer version of the official GlobalProtect client, 5.1.5-8 (was 4.0.2-19)
    • Support Juniper login forms containing both password and 2FA token
    • Explicitly disable 3DES and RC4, unless enabled with --allow-insecure-crypto
    • Allow protocols to delay tunnel setup and shutdown (!117)
    • Support for GlobalProtect IPv6
    • SIGUSR1 now causes OpenConnect to log detailed connection information and statistics
    • Allow --servercert to be specified multiple times in order to accept server certificates matching more than one possible fingerprint
    • Demangle default routes sent as split routes by GlobalProtect
    • Support more Juniper login forms, including some SSO forms
    • Restore compatibility with newer Cisco servers, by no longer sending them the X-AnyConnect-Platform header
    • Add support for PPP-based protocols, currently over TLS only.
    • Add support for two PPP-based protocols, F5 with --protocol=f5 and Fortinet with --protocol=fortinet.
    • Add support for Array Networks SSL VPN.
    • Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases for swtpm and hardware TPM.
  • Import the latest version of the vpnc-script (bsc#1140772)

    • This brings a lot of improvements for non-trivial network setups, IPv6, etc.
  • Build with --without-gnutls-version-check

  • Update to version 8.10:

    • Install bash completion script to ${datadir}/bash-completion/completions/openconnect.
    • Improve compatibility of csd-post.sh trojan.
    • Fix potential buffer overflow with GnuTLS describing local certs (CVE-2020-12823, bsc#1171862, gl#openconnect/openconnect!108).
  • Introduce subpackage for bash-completion

  • Update to 8.09:

    • Add bash completion support.
    • Give more helpful error in case of Pulse servers asking for TNCC.
    • Sanitize non-canonical Legacy IP network addresses.
    • Fix OpenSSL validation for trusted but invalid certificates (CVE-2020-12105 bsc#1170452).
    • Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py as well. (!91)
    • Disable Nagle's algorithm for TLS sockets, to improve interactivity when tunnel runs over TCP rather than UDP.
    • GlobalProtect: more resilient handling of periodic HIP check and login arguments, and predictable naming of challenge forms.
    • Work around PKCS#11 tokens which forget to set CKF_LOGIN_REQUIRED.
  • Update to 8.0.8:

    • Fix check of pin-sha256: public key hashes to be case sensitive
    • Don't give non-functioning stderr to CSD trojan scripts.
    • Fix crash with uninitialised OIDC token.
  • Update to 8.0.7:

    • Don't abort Pulse connection when server-provided certificate MD5 doesn't match.
    • Fix off-by-one in check for bad GnuTLS versions, and add build and run time checks.
    • Don't abort connection if CSD wrapper script returns non-zero (for now).
    • Make --passtos work for protocols that use ESP, in addition to DTLS.
    • Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py as well.
  • Remove tncc-wrapper.py script as it is Python 2 only (bsc#1157446)

  • No need to ship hipreport-android.sh as it is intended for Android systems only

  • Update to 8.0.5:

    • Minor fixes to build on specific platforms
    • Includes fix for a buffer overflow with chunked HTTP handling (CVE-2019-16239, bsc#1151178)
  • Use python3 to generate the web data, as it is now supported by upstream

  • Update to 8.0.3:

    • Fix Cisco DTLSv1.2 support for AES256-GCM-SHA384.
    • Fix recognition of OTP password fields.
  • Update to 8.02:

    • Fix GNU/Hurd build.
    • Discover vpnc-script in default packaged location on FreeBSD/OpenBSD.
    • Support split-exclude routes for GlobalProtect.
    • Fix GnuTLS builds without libtasn1.
    • Fix DTLS support with OpenSSL 1.1.1+.
    • Add Cisco-compatible DTLSv1.2 support.
    • Invoke script with reason=attempt-reconnect before doing so.
  • Update to 8.01:

    • Clear form submissions (which may include passwords) before freeing (CVE-2018-20319, bsc#1215669).
    • Allow form responses to be provided on command line.
    • Add support for SSL keys stored in TPM2.
    • Fix ESP rekey when replay protection is disabled.
    • Drop support for GnuTLS older than 3.2.10.
    • Fix --passwd-on-stdin for Windows to not forcibly open console.
    • Fix portability of shell scripts in test suite.
    • Add Google Authenticator TOTP support for Juniper.
    • Add RFC7469 key PIN support for cert hashes.
    • Add protocol method to securely log out the Juniper session.
    • Relax requirements for Juniper hostname packet response to support old gateways.
    • Add API functions to query the supported protocols.
    • Verify ESP sequence numbers and warn even if replay protection is disabled.
    • Add support for PAN GlobalProtect VPN protocol (--protocol=gp).
    • Reorganize listing of command-line options, and include information on supported protocols.
    • SIGTERM cleans up the session similarly to SIGINT.
    • Fix memset_s() arguments.
    • Fix OpenBSD build.
  • Explicitly enable all the features as needed, so the build stops if something is missing

Package list

SUSE Linux Enterprise Module for Basesystem 15 SP5
liboath-devel-2.6.2-150000.3.5.1
liboath0-2.6.2-150000.3.5.1
oath-toolkit-xml-2.6.2-150000.3.5.1
SUSE Linux Enterprise Module for Package Hub 15 SP5
libopenconnect5-9.12-150400.15.3.1
libpskc-devel-2.6.2-150000.3.5.1
libpskc0-2.6.2-150000.3.5.1
libstoken1-0.81-150400.13.2.1
oath-toolkit-2.6.2-150000.3.5.1
openconnect-9.12-150400.15.3.1
openconnect-devel-9.12-150400.15.3.1
openconnect-doc-9.12-150400.15.3.1
openconnect-lang-9.12-150400.15.3.1
stoken-0.81-150400.13.2.1
stoken-devel-0.81-150400.13.2.1
stoken-gui-0.81-150400.13.2.1
SUSE Linux Enterprise Workstation Extension 15 SP5
libopenconnect5-9.12-150400.15.3.1
libpskc-devel-2.6.2-150000.3.5.1
libpskc0-2.6.2-150000.3.5.1
libstoken1-0.81-150400.13.2.1
openconnect-9.12-150400.15.3.1
openconnect-devel-9.12-150400.15.3.1
openconnect-lang-9.12-150400.15.3.1
stoken-devel-0.81-150400.13.2.1
openSUSE Leap 15.5
liboath-devel-2.6.2-150000.3.5.1
liboath0-2.6.2-150000.3.5.1
libopenconnect5-9.12-150400.15.3.1
libpskc-devel-2.6.2-150000.3.5.1
libpskc0-2.6.2-150000.3.5.1
libstoken1-0.81-150400.13.2.1
oath-toolkit-2.6.2-150000.3.5.1
oath-toolkit-xml-2.6.2-150000.3.5.1
openconnect-9.12-150400.15.3.1
openconnect-devel-9.12-150400.15.3.1
openconnect-doc-9.12-150400.15.3.1
openconnect-lang-9.12-150400.15.3.1
pam_oath-2.6.2-150000.3.5.1
stoken-0.81-150400.13.2.1
stoken-devel-0.81-150400.13.2.1
stoken-gui-0.81-150400.13.2.1

Description

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.


Affected products
SUSE Linux Enterprise Module for Basesystem 15 SP5:liboath-devel-2.6.2-150000.3.5.1
SUSE Linux Enterprise Module for Basesystem 15 SP5:liboath0-2.6.2-150000.3.5.1
SUSE Linux Enterprise Module for Basesystem 15 SP5:oath-toolkit-xml-2.6.2-150000.3.5.1
SUSE Linux Enterprise Module for Package Hub 15 SP5:libopenconnect5-9.12-150400.15.3.1

References

Description

OpenConnect through 8.08 mishandles negative return values from X509_check_ function calls, which might assist attackers in performing man-in-the-middle attacks.
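The sentence above names the failure mode but not the return-value contract behind it. As an added example (not OpenConnect's code and not OpenSSL's), the C block below models the results OpenSSL documents for X509_check_host() (1 = name matched, 0 = no match, -1 = internal error, -2 = malformed input) with a constructed stand-in matcher, check_host_stub, and contrasts a wrapper that treats any non-zero result as a match with one that accepts only an explicit 1. All hostnames are constructed sample values.

```c
/*
 * Added example, not code from OpenConnect or OpenSSL.  It models the result
 * contract OpenSSL documents for X509_check_host(): 1 = name matched,
 * 0 = no match, negative = error (-1 internal error, -2 malformed input).
 * check_host_stub() is a constructed stand-in that follows that contract
 * for a single dNSName, so the two wrappers below can be run offline.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { HOST_MATCH = 1, HOST_NO_MATCH = 0, HOST_BAD_INPUT = -1 };

/* Case-insensitive comparison of two byte ranges (DNS names are case-insensitive). */
static int ci_equal(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Constructed stand-in for X509_check_host(): compares the peer hostname
 * (given with an explicit length, like the real API) against one certificate
 * name.  A single "*" is allowed only as the whole left-most label.
 * Returns HOST_MATCH, HOST_NO_MATCH or HOST_BAD_INPUT. */
int check_host_stub(const char *cert_name, const char *peer_name, size_t peer_len)
{
    if (cert_name == NULL || peer_name == NULL || peer_len == 0 || cert_name[0] == '\0')
        return HOST_BAD_INPUT;
    if (memchr(peer_name, '\0', peer_len) != NULL)   /* embedded NUL: malformed */
        return HOST_BAD_INPUT;

    const char *cdot = strchr(cert_name, '.');
    const char *pdot = memchr(peer_name, '.', peer_len);

    if (cert_name[0] == '*' && cdot == cert_name + 1) {
        /* Wildcard covers exactly one label; the remainder must match the
         * certificate name's suffix (including the leading dot). */
        if (pdot == NULL || pdot == peer_name)
            return HOST_NO_MATCH;
        size_t suffix_len = peer_len - (size_t)(pdot - peer_name);
        return ci_equal(cdot, strlen(cdot), pdot, suffix_len) ? HOST_MATCH : HOST_NO_MATCH;
    }
    return ci_equal(cert_name, strlen(cert_name), peer_name, peer_len) ? HOST_MATCH : HOST_NO_MATCH;
}

/* The pattern the CVE text describes: any non-zero result is taken as
 * success, so an error result (negative) accepts the certificate. */
int accept_peer_vulnerable(const char *cert_name, const char *peer_name, size_t peer_len)
{
    return check_host_stub(cert_name, peer_name, peer_len) != 0;
}

/* Hardened check: only an explicit 1 means the name was verified. */
int accept_peer_fixed(const char *cert_name, const char *peer_name, size_t peer_len)
{
    return check_host_stub(cert_name, peer_name, peer_len) == HOST_MATCH;
}

int main(void)
{
    /* Constructed peer name with an embedded NUL after the real hostname. */
    const char bad_peer[] = "vpn.example.com\0.attacker";
    size_t bad_len = sizeof(bad_peer) - 1;   /* 25 bytes, including the NUL */

    printf("stub result for malformed peer: %d\n",
           check_host_stub("vpn.example.com", bad_peer, bad_len));
    printf("vulnerable check accepts it: %d\n",
           accept_peer_vulnerable("vpn.example.com", bad_peer, bad_len));
    printf("fixed check accepts it:      %d\n",
           accept_peer_fixed("vpn.example.com", bad_peer, bad_len));
    return 0;
}
```

Real code calls X509_check_host() and should compare its result with 1 rather than testing for non-zero; a negative result is an error and must be treated as a verification failure, exactly as the fixed wrapper does.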


Affected products
SUSE Linux Enterprise Module for Basesystem 15 SP5:liboath-devel-2.6.2-150000.3.5.1
SUSE Linux Enterprise Module for Basesystem 15 SP5:liboath0-2.6.2-150000.3.5.1
SUSE Linux Enterprise Module for Basesystem 15 SP5:oath-toolkit-xml-2.6.2-150000.3.5.1
SUSE Linux Enterprise Module for Package Hub 15 SP5:libopenconnect5-9.12-150400.15.3.1

References

Description

OpenConnect 8.09 has a buffer overflow, causing a denial of service (application crash) or possibly unspecified other impact, via crafted certificate data to get_cert_name in gnutls.c.


Affected products
SUSE Linux Enterprise Module for Basesystem 15 SP5:liboath-devel-2.6.2-150000.3.5.1
SUSE Linux Enterprise Module for Basesystem 15 SP5:liboath0-2.6.2-150000.3.5.1
SUSE Linux Enterprise Module for Basesystem 15 SP5:oath-toolkit-xml-2.6.2-150000.3.5.1
SUSE Linux Enterprise Module for Package Hub 15 SP5:libopenconnect5-9.12-150400.15.3.1

References
Vulnerability SUSE-SU-2024:0317-1