Candidate: CVE-2020-7042
PublicDate: 2020-02-27 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7042
 https://github.com/adrienverge/openfortivpn/issues/536
 https://github.com/adrienverge/openfortivpn/commit/9eee997d599a89492281fc7ffdd79d88cd61afc3
 https://github.com/adrienverge/openfortivpn/commit/cd9368c6a1b4ef91d77bb3fdbe2e5bc34aa6f4c4
Description:
 An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL 1.0.2
 or later. tunnel.c mishandles certificate validation because the hostname
 check operates on uninitialized memory. The outcome is that a valid
 certificate is never accepted (only a malformed certificate may be accepted).
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N [5.3 MEDIUM]

Patches_openfortivpn:
upstream_openfortivpn: released (1.12.0-1)
precise/esm_openfortivpn: DNE
trusty_openfortivpn: ignored (out of standard support)
trusty/esm_openfortivpn: DNE
xenial_openfortivpn: DNE
bionic_openfortivpn: needs-triage
eoan_openfortivpn: ignored (reached end-of-life)
focal_openfortivpn: not-affected (1.12.0-1)
groovy_openfortivpn: not-affected (1.12.0-1)
hirsute_openfortivpn: not-affected (1.12.0-1)
impish_openfortivpn: not-affected (1.12.0-1)
jammy_openfortivpn: not-affected (1.12.0-1)
devel_openfortivpn: not-affected (1.12.0-1)
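The defect described above is a hostname check that compares the gateway certificate against memory nothing has written to, so the check can never succeed for a legitimate certificate. The example below is added to this record and is not openfortivpn code (the project's check lives in tunnel.c and uses OpenSSL's X509_check_host); it shows, in Go's standard library, the invariant the fix restores and the two-sided regression test that would have caught it: the name handed to the verifier must be the operator-configured gateway host, a certificate for that host must be accepted, and a certificate for any other host must be rejected. The `tunnelConfig` struct, the helper names and the self-signed certificate with its SAN entries are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// tunnelConfig stands in for the configured gateway (openfortivpn keeps this
// in tunnel->config->gateway_host; the struct here is an assumption).
type tunnelConfig struct {
	GatewayHost string
}

// makeGatewayCert builds a constructed, self-signed server certificate that
// carries the given dNSName SANs. It is test fixture data, not a real gateway.
func makeGatewayCert(dnsNames []string) (*x509.Certificate, error) {
	if len(dnsNames) == 0 {
		return nil, fmt.Errorf("at least one SAN is required")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameMatches is the shape of the fixed check: the name compared against
// the certificate is the operator-configured gateway host, never a scratch
// buffer that nothing has filled in. It returns a reason on failure so a log
// line can tell "wrong name" from "bad certificate".
func hostnameMatches(cert *x509.Certificate, cfg tunnelConfig) (bool, string) {
	if cfg.GatewayHost == "" {
		return false, "no gateway host configured"
	}
	if err := cert.VerifyHostname(cfg.GatewayHost); err != nil {
		return false, err.Error()
	}
	return true, "certificate matches " + cfg.GatewayHost
}

// regressionCheck is the positive-and-negative pair the CVE implies was
// missing: a certificate for the configured host must pass, and one for any
// other host must fail. A check that rejects everything (this CVE) fails the
// first half; a check that accepts everything fails the second.
func regressionCheck(cert *x509.Certificate, goodHost, badHost string) error {
	if ok, why := hostnameMatches(cert, tunnelConfig{GatewayHost: goodHost}); !ok {
		return fmt.Errorf("valid certificate rejected: %s", why)
	}
	if ok, _ := hostnameMatches(cert, tunnelConfig{GatewayHost: badHost}); ok {
		return fmt.Errorf("certificate for %s accepted for %s", goodHost, badHost)
	}
	return nil
}

func main() {
	cert, err := makeGatewayCert([]string{"vpn.example.com", "*.vpn.example.net"})
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"vpn.example.com", "gw1.vpn.example.net", "evil.example.org", ""} {
		ok, why := hostnameMatches(cert, tunnelConfig{GatewayHost: host})
		fmt.Printf("%-22q accepted=%-5v %s\n", host, ok, why)
	}
	if err := regressionCheck(cert, "vpn.example.com", "evil.example.org"); err != nil {
		panic(err)
	}
	fmt.Println("regression check passed")
}
```

The point of `regressionCheck` is that a hostname check needs both directions exercised: an all-reject bug such as this one looks identical to a working check if the test suite only confirms that a bogus certificate is refused.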