Candidate: CVE-2020-7041
PublicDate: 2020-02-27 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7041
 https://github.com/adrienverge/openfortivpn/issues/536
 https://github.com/adrienverge/openfortivpn/commit/60660e00b80bad0fadcf39aee86f6f8756c94f91
 https://github.com/adrienverge/openfortivpn/commit/cd9368c6a1b4ef91d77bb3fdbe2e5bc34aa6f4c4
Description:
 An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL 1.0.2
 or later. tunnel.c mishandles certificate validation because an
 X509_check_host negative error code is interpreted as a successful return
 value.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N [5.3 MEDIUM]

Patches_openfortivpn:
 upstream: https://github.com/adrienverge/openfortivpn/commit/60660e00b80bad0fadcf39aee86f6f8756c94f91
 upstream: https://github.com/adrienverge/openfortivpn/commit/cd9368c6a1b4ef91d77bb3fdbe2e5bc34aa6f4c4
upstream_openfortivpn: released (1.12.0-1)
precise/esm_openfortivpn: DNE
trusty_openfortivpn: ignored (out of standard support)
trusty/esm_openfortivpn: DNE
xenial_openfortivpn: DNE
bionic_openfortivpn: needs-triage
eoan_openfortivpn: ignored (reached end-of-life)
focal_openfortivpn: not-affected (1.12.0-1)
groovy_openfortivpn: not-affected (1.12.0-1)
hirsute_openfortivpn: not-affected (1.12.0-1)
impish_openfortivpn: not-affected (1.12.0-1)
jammy_openfortivpn: not-affected (1.12.0-1)
devel_openfortivpn: not-affected (1.12.0-1)