Package: openconnect
Version: 2.22-1.1
Severity: grave
Tags: security fixed-upstream
Versions of OpenConnect before 2.25 do not verify that the server SSL certificate matches the server hostname, which enables an attacker to perform an MITM attack on the connection. This can be fixed by upgrading to OpenConnect 2.25.

From the upstream changelog:

OpenConnect v2.25 — 2010-05-15

 • Always validate server certificate, even when no extra --cafile is provided.
 • Add --no-cert-check option to avoid certificate validation.
 • Check server hostname against its certificate.
 • Provide text-mode function for reviewing and accepting "invalid" certificates.
 • Fix libproxy detection on NetBSD.
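As an added example (not OpenConnect's own code), the hostname check that 2.25 introduced, mirrored in Python: a certificate that chains to a trusted CA but names a different host is rejected, and the context helper shows the default (checked) TLS client setting beside a --no-cert-check style opt-out. SAMPLE_CERT is a constructed certificate dict in the shape returned by ssl.SSLSocket.getpeercert(); nothing here touches the network.

```python
"""Hostname verification of a TLS server certificate (added example)."""
import ssl

# Constructed sample in ssl.SSLSocket.getpeercert() format; not a real cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.test"),),),
    "subjectAltName": (("DNS", "vpn.example.test"),
                       ("DNS", "*.corp.example.test")),
}


def _name_matches(pattern, hostname):
    """Match one certificate name against a hostname, RFC 6125 style.
    Comparison is case-insensitive; a wildcard is honoured only as the
    whole leftmost label and never spans a dot, so '*.corp.example.test'
    does not cover 'a.b.corp.example.test' or 'corp.example.test'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """True if the certificate's SAN dNSNames (or, when no dNSName SAN is
    present, its subject CN) cover the hostname. Skipping this check is the
    gap the bug report describes: any CA-issued certificate for any host
    would be accepted, which is what lets a MITM succeed."""
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:  # CN fallback only when no dNSName SAN exists
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(_name_matches(name, hostname) for name in dns_names)


def make_client_context(no_cert_check=False):
    """Default: chain validation plus hostname matching (the 2.25 behaviour).
    no_cert_check=True mirrors the opt-out flag and disables both."""
    ctx = ssl.create_default_context()
    if no_cert_check:
        ctx.check_hostname = False  # must precede setting CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx):
    """True only if the context both validates the chain and checks the name."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED
```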