[Bug 1987569] Re: Versions in Bionic and Focal are vulnerable to CVE-2020-12823

Steve Beattie 1987569 at bugs.launchpad.net
Fri Aug 26 06:44:04 UTC 2022


[This is a patch for the security team to sponsor, so the Ubuntu
Sponsors subscription can be removed from this bug. I have subscribed
the ubuntu-security-sponsors team to make sure it is on our radar.]

Hey Luis, thanks for caring about the security of Ubuntu and preparing
these debdiffs.

While reviewing, I have noticed a couple of issues:

- please when submitting debdiffs for sponsorship use version numbers
that are appropriate for the ubuntu archive; while I appreciate that
you (I presume) built these in a ppa, please remove the ~ppaN version
for the debdiff submission. I have fixed those up here.

- the focal debdiff contained only the changelog entry and nothing
else. I'm not sure where your package preparation went wrong, but it
may have been because there wasn't an existing debian/patches
directory. Please make sure to review your debdiffs when submitting
them to ensure they are as you expect them (you should also check the
build logs for your prep builds to ensure the patch is actually getting
applied). I went ahead and cherry-picked the upstream fix locally, and
am attaching the resulting debdiff here.

- I reflowed the changelog entries to ensure they fit the expected
width.

Comparison locally of build logs shows no new build warnings, and
comparison of the resulting binaries with current versions shows no api
or other serious changes.

I have gone ahead and uploaded these to the ubuntu-security-proposed ppa
(https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages)
for building and testing; autopkgtests will get kicked off as well, but
I see from the history for openconnect that the adt tests always fail,
so that's not so helpful (fixing the tests in kinetic and debian would
be a great thing to do!)

Once the packages have successfully built, please test and report
results here.

Thanks again!

** Patch added: "openconnect_8.05-1ubuntu0.1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/openconnect/+bug/1987569/+attachment/5611758/+files/openconnect_8.05-1ubuntu0.1.debdiff

** Changed in: openconnect (Ubuntu)
       Status: New => In Progress

** Changed in: openconnect (Ubuntu)
     Assignee: (unassigned) => Steve Beattie (sbeattie)

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1987569

Title:
  Versions in Bionic and Focal are vulnerable to CVE-2020-12823

Status in openconnect package in Ubuntu:
  In Progress

Bug description:
  The versions in Ubuntu 18.04 and 20.04 are vulnerable to
  CVE-2020-12823.

  I will prepare debdiffs for this issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openconnect/+bug/1987569/+subscriptions
