Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-18 Thread Mike Jumper
On Tue, Jan 18, 2022, 01:44 Antoine G. wrote: > On 12/01/2022 22:32, Nick Couchman - vn...@apache.org wrote: > > We do not plan to release patches for lower versions. Essentially, 1.4.0 > > is the patch. > > Thank you for your answer. > > Just to be sure I understand the CVE and the stack, do you

Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-18 Thread Antoine G.
On 12/01/2022 22:32, Nick Couchman - vn...@apache.org wrote: We do not plan to release patches for lower versions. Essentially, 1.4.0 is the patch. Thank you for your answer. Just to be sure I understand the CVE and the stack, do you confirm that technically, upgrading only guacamole-client t

RE: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread rst_pi_sisk10.vi
Private tunnel > identifier may be included in the non-private details of active connections > > On Wed, Jan 12, 2022 at 4:52 PM wrote: > > > > Hello, > > > > Can this vulnerability be protected by a WAF such as ModSecurity? > > > > I would not recommend relying

Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread Mike Jumper
On Wed, Jan 12, 2022 at 4:52 PM wrote: > > Hello, > > Can this vulnerability be protected by a WAF such as ModSecurity? > I would not recommend relying solely on a WAF to defend against a known issue in any application. With the issue in question being patched in the latest release (1.4.0), your b

RE: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread rst_pi_sisk10.vi
Hello, Can this vulnerability be protected by a WAF such as ModSecurity? From: Nick Couchman Sent: Thursday, January 13, 2022 6:33 AM To: user@guacamole.apache.org Subject: Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private

Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread Nick Couchman
On Wed, Jan 12, 2022 at 4:28 PM guacatoine wrote: > > Hello, > > On 11/01/2022 at 22:21, Mike Jumper - mjum...@apache.org wrote: > > Severity: moderate > > When running Apache Guacamole 1.3.0, is the only way of addressing > CVE-2021-41767 to update to v1.4.0 or is there a security patch incomi

Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread guacatoine
Hello, On 11/01/2022 at 22:21, Mike Jumper - mjum...@apache.org wrote: Severity: moderate When running Apache Guacamole 1.3.0, is the only way of addressing CVE-2021-41767 to update to v1.4.0 or is there a security patch incoming for one (or more lower) version(s) of Guacamole? Thank y

Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread Mike Jumper
On Wed, Jan 12, 2022, 01:41 Jürgen Kuri wrote: > On 11.01.22 at 22:21, Mike Jumper wrote: > > Severity: moderate > > > > Description: > > > > Apache Guacamole 1.3.0 and older may incorrectly include a private > > tunnel identifier in the non-private details of some REST responses. > > This

Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread Jürgen Kuri
On 11.01.22 at 22:21, Mike Jumper wrote: > Severity: moderate > > Description: > > Apache Guacamole 1.3.0 and older may incorrectly include a private > tunnel identifier in the non-private details of some REST responses. > This may allow an authenticated user who already has permission to >