Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections
On Tue, Jan 18, 2022, 01:44 Antoine G. wrote:
> On 12/01/2022 22:32, Nick Couchman - vn...@apache.org wrote:
> > We do not plan to release patches for lower versions. Essentially, 1.4.0
> > is the patch.
>
> Thank you for your answer.
>
> Just to be sure I understand the CVE and the stack, do you confirm that
> technically, upgrading only guacamole-client to 1.4.0 (and leaving guacd
> in 1.3.0) is enough to patch the CVE?

Yes.

- Mike
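The exchange above pins down three facts a defender needs when triaging this CVE across a fleet: the affected component is the web application (guacamole-client), 1.3.0 and older are affected, and upgrading only the client to 1.4.0 is sufficient, so the guacd version does not matter. The following inventory check encodes exactly those facts. It is an added example, not code from the thread or from the Guacamole project; the inventory format, the `Deployment` class and the host names are constructed for illustration.

```python
"""Flag Guacamole deployments affected by CVE-2021-41767 from a version inventory.

Added example (not from the mailing-list thread or the Guacamole project).
Facts encoded, as stated in the thread: the affected component is the web
application (guacamole-client .war); 1.3.0 and older are affected; the fix
is 1.4.0; the guacd version is irrelevant to this CVE.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIXED_CLIENT_VERSION = "1.4.0"          # from the advisory thread
LAST_AFFECTED_CLIENT_VERSION = "1.3.0"  # "1.3.0 and older"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.3.0' (optionally with a leading 'v') into a comparable tuple.

    Anything that is not dotted integers is rejected so that an
    unparseable entry is reported rather than silently treated as safe.
    """
    core = text.strip().lstrip("vV")
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass
class Deployment:
    host: str                            # constructed label, not a real system
    client_version: str                  # guacamole-client (.war) version
    guacd_version: Optional[str] = None  # recorded, but not consulted for this CVE


def is_affected(client_version: str) -> bool:
    """True when the web application is 1.3.0 or older."""
    return parse_version(client_version) <= parse_version(LAST_AFFECTED_CLIENT_VERSION)


def assess(deployments: List[Deployment]) -> List[Tuple[str, str]]:
    """Return (host, verdict) pairs.

    guacd is ignored deliberately: per the thread, upgrading only
    guacamole-client to 1.4.0 is enough to patch the CVE.
    """
    results = []
    for d in deployments:
        try:
            affected = is_affected(d.client_version)
        except ValueError as exc:
            results.append((d.host, f"unknown: {exc}"))
            continue
        verdict = (
            f"AFFECTED: upgrade guacamole-client to {FIXED_CLIENT_VERSION}"
            if affected
            else "not affected"
        )
        results.append((d.host, verdict))
    return results


# Constructed sample inventory (hosts and versions are made up).
SAMPLE_INVENTORY = [
    Deployment("guac-prod-1", "1.3.0", guacd_version="1.3.0"),
    Deployment("guac-prod-2", "1.4.0", guacd_version="1.3.0"),  # client patched, guacd old: fine
    Deployment("guac-legacy", "v1.2.0", guacd_version="1.2.0"),
    Deployment("guac-broken", "latest"),                        # cannot be assessed
]

if __name__ == "__main__":
    for host, verdict in assess(SAMPLE_INVENTORY):
        print(f"{host:12s} {verdict}")
```

Feed it whatever your own inventory source produces (a CMDB export, the version string scraped from each server's login page) by constructing `Deployment` entries; entries whose version string cannot be parsed come back as "unknown" rather than "not affected", which is the safer default for a patch-tracking report.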
Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections
On 12/01/2022 22:32, Nick Couchman - vn...@apache.org wrote:
> We do not plan to release patches for lower versions. Essentially, 1.4.0 is the patch.

Thank you for your answer.

Just to be sure I understand the CVE and the stack, do you confirm that technically, upgrading only guacamole-client to 1.4.0 (and leaving guacd in 1.3.0) is enough to patch the CVE?

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org
RE: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections
Thank you for your reply. We will consider upgrading the version.

Thank you,
Tadashi

> -----Original Message-----
> From: Mike Jumper
> Sent: Thursday, January 13, 2022 10:19 AM
> To: user@guacamole.apache.org
> Subject: Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel
> identifier may be included in the non-private details of active connections
>
> On Wed, Jan 12, 2022 at 4:52 PM wrote:
> >
> > Hello,
> >
> > Can this vulnerability be protected by a WAF such as ModSecurity?
> >
>
> I would not recommend relying solely on a WAF to defend against a known issue in
> any application. With the issue in question being patched in the latest release (1.4.0),
> your best option is to upgrade to 1.4.0 and thus deploy the relevant patch.
>
> - Mike
Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections
On Wed, Jan 12, 2022 at 4:52 PM wrote:
>
> Hello,
>
> Can this vulnerability be protected by a WAF such as ModSecurity?
>

I would not recommend relying solely on a WAF to defend against a known issue in any application. With the issue in question being patched in the latest release (1.4.0), your best option is to upgrade to 1.4.0 and thus deploy the relevant patch.

- Mike
RE: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections
Hello,

Can this vulnerability be protected by a WAF such as ModSecurity?

From: Nick Couchman
Sent: Thursday, January 13, 2022 6:33 AM
To: user@guacamole.apache.org
Subject: Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

On Wed, Jan 12, 2022 at 4:28 PM guacatoine <guacamole.to...@placi.de> wrote:
> Hello,
>
> On 11/01/2022 at 22:21, Mike Jumper - mjum...@apache.org wrote:
> > Severity: moderate
>
> When running Apache Guacamole 1.3.0, is the only way of addressing CVE-2021-41767 to update to v1.4.0 or is there a security patch incoming for one (or more lower) version(s) of Guacamole?

We do not plan to release patches for lower versions. Essentially, 1.4.0 is the patch. If you really need to maintain a lower version, you could try to back-port the patch(es) that specifically address the issue to that version, but that's a lot of manual work versus just upgrading to the latest version.

-Nick
Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections
On Wed, Jan 12, 2022 at 4:28 PM guacatoine wrote:
>
> Hello,
>
> On 11/01/2022 at 22:21, Mike Jumper - mjum...@apache.org wrote:
> > Severity: moderate
>
> When running Apache Guacamole 1.3.0, is the only way of addressing
> CVE-2021-41767 to update to v1.4.0 or is there a security patch incoming
> for one (or more lower) version(s) of Guacamole?
>

We do not plan to release patches for lower versions. Essentially, 1.4.0 is the patch. If you really need to maintain a lower version, you could try to back-port the patch(es) that specifically address the issue to that version, but that's a lot of manual work versus just upgrading to the latest version.

-Nick
Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections
Hello,

On 11/01/2022 at 22:21, Mike Jumper - mjum...@apache.org wrote:
> Severity: moderate

When running Apache Guacamole 1.3.0, is the only way of addressing CVE-2021-41767 to update to v1.4.0 or is there a security patch incoming for one (or more lower) version(s) of Guacamole?

Thank you,
Toine
Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections
On Wed, Jan 12, 2022, 01:41 Jürgen Kuri wrote:
> On 11.01.22 at 22:21, Mike Jumper wrote:
> > Severity: moderate
> >
> > Description:
> >
> > Apache Guacamole 1.3.0 and older may incorrectly include a private
> > tunnel identifier in the non-private details of some REST responses.
> > This may allow an authenticated user who already has permission to
> > access a particular connection to read from or interact with another
> > user's active use of that same connection.
> >
> > Credit:
> >
> > We would like to thank Damian Velardo (Australia and New Zealand
> > Banking Group) for reporting this issue.
>
> Hello,
>
> which component is affected here, backend (guacd) or frontend (.war) or
> both?

The web application (.war).

- Mike
Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections
On 11.01.22 at 22:21, Mike Jumper wrote:
> Severity: moderate
>
> Description:
>
> Apache Guacamole 1.3.0 and older may incorrectly include a private
> tunnel identifier in the non-private details of some REST responses.
> This may allow an authenticated user who already has permission to
> access a particular connection to read from or interact with another
> user's active use of that same connection.
>
> Credit:
>
> We would like to thank Damian Velardo (Australia and New Zealand
> Banking Group) for reporting this issue.

Hello,

which component is affected here, backend (guacd) or frontend (.war) or both?

--
Thanks
Jürgen