Hi Luca, On Sat, May 02, 2020 at 01:41:53PM +0100, Luca Boccassi wrote: > Control: notfound -1 6.00-2 > Control: close -1 > > On Sat, 02 May 2020 11:29:34 +0100 Luca Boccassi <[email protected]> > wrote: > > Package: openconnect > > Version: 6.00-2 > > > > Tracking https://security-tracker.debian.org/tracker/CVE-2020-12105 > > Not sure what's the oldest version affected, asked on > > https://security-tracker.debian.org/tracker/CVE-2020-12105 > > I checked and upstream confirmed, Debian is not vulnerable in any > version as the defect only affects builds with OpenSSL, but we use > GNUTLS all the way back to old-old-stable. > > https://gitlab.com/openconnect/openconnect/-/merge_requests/96 > > Dear Security Team, > > At your earliest convenience, please mark > https://security-tracker.debian.org/tracker/CVE-2020-12105 as not- > affected for all Debian releases.
Thanks! I have marked it now as unimportant (the source affected, but does not affect the binary packages as we use GnuTLS). Will take up to an hour until the CVE entry is updated on security-tracker. Regards, Salvatore

