oss-sec mailing list archives

CVE Request -- OpenConnect < v2.25 did not verify SSL server certificates


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Sun, 01 Aug 2010 18:00:32 +0200

Hello Steve, vendors,

  OpenConnect upstream has released OpenConnect v2.25:
  [1] http://www.infradead.org/openconnect.html

addressing the following security-related issues (from [1]):
  OpenConnect v2.25 — 2010-05-15

    * Always validate server certificate, even when no extra --cafile is provided.
    * Add --no-cert-check option to avoid certificate validation.
    * Check server hostname against its certificate.
    * Provide text-mode function for reviewing and accepting "invalid" certificates.
    * Fix libproxy detection on NetBSD.

References:
  [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590873
  [3] ftp://ftp.infradead.org/pub/openconnect/openconnect-2.25.tar.gz

Though not a direct security issue [rather security hardening], once the package has SSL support,
it should be enabled by default to avoid unintentional MITM attacks (as implied by the default package
configuration use).

Steve, could you allocate a CVE identifier for this? (but open for discussion if such security
hardening fixes aren't considered enough for this to be handled as a security issue).

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
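The changelog items above describe two client-side checks that the 2.25 release turned on by default: validating the server certificate chain, and matching the server hostname against the certificate. The following Python block is an added example, not OpenConnect's own code (which is C), showing what a client that behaves that way looks like: a TLS context that verifies by default and only loosens verification on an explicit opt-out analogous to --no-cert-check, plus a hostname matcher that prefers subjectAltName dNSName entries and honours a wildcard only as the entire leftmost label. The certificate names and hostnames used in it are constructed test data, and the function names are this example's own.

```python
import socket
import ssl
from typing import Iterable, Optional


def _label_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName pattern against a hostname.

    Rules in the spirit of RFC 6125 as clients commonly apply them:
    case-insensitive, a wildcard is accepted only as the whole leftmost
    label with at least two labels after it (so "*.com" is rejected), and
    it never spans a dot ("*.example.com" does not match "a.b.example.com").
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def cert_matches_hostname(san_dns_names: Iterable[str],
                          subject_cn: Optional[str],
                          hostname: str) -> bool:
    """Decide whether a server certificate is issued for `hostname`.

    dNSName entries from subjectAltName are authoritative; the subject CN
    is consulted only when the certificate carries no dNSName SAN at all,
    so a matching CN cannot override a non-matching SAN list.
    """
    names = list(san_dns_names)
    if not names:
        if subject_cn is None:
            return False
        names = [subject_cn]
    return any(_label_matches(name, hostname) for name in names)


def client_context(no_cert_check: bool = False) -> ssl.SSLContext:
    """Build a TLS client context that verifies unless explicitly told not to.

    The default context validates the chain against the system trust
    store and checks the hostname. `no_cert_check` is the analogue of an
    explicit --no-cert-check switch: it is the only way to get CERT_NONE,
    and check_hostname must be turned off first (the ssl module refuses
    to lower verify_mode while hostname checking is still enabled).
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    if no_cert_check:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if the context both requires a valid chain and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def connect(host: str, port: int = 443, no_cert_check: bool = False) -> ssl.SSLSocket:
    """Open a TLS connection with the policy above (needs network; not used offline).

    With the default policy, ssl.SSLContext.wrap_socket performs both the
    chain validation and the hostname check itself; a mismatch raises
    ssl.SSLCertVerificationError instead of silently continuing.
    """
    ctx = client_context(no_cert_check)
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Constructed sample names: a wildcard cert for example.com and a cert
    # whose CN claims a name its SAN list does not cover.
    print(cert_matches_hostname(["*.example.com"], None, "vpn.example.com"))      # True
    print(cert_matches_hostname(["*.example.com"], None, "a.b.example.com"))      # False
    print(cert_matches_hostname(["vpn.example.com"], "evil.example.org",
                                "evil.example.org"))                              # False
    print(context_is_verifying(client_context()))                                 # True
    print(context_is_verifying(client_context(no_cert_check=True)))               # False
```

The point of `client_context` is the default: a caller who passes nothing gets full verification, and the insecure path exists only behind a named parameter, which mirrors the change from "validate only when --cafile is given" to "validate always, with --no-cert-check as the opt-out".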
